Online Privacy Issues Overview
Download
Report
Transcript Online Privacy Issues Overview
Privacy
Week 9 - March 15, 17
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
1
Privacy policies
Policies let consumers know about site’s
privacy practices
Consumers can decide whether practices
are acceptable, when to opt-out
Presence increases consumer trust
Make companies subject to FTC privacyrelated enforcement
Rapid adoption 1998-2001*
* G.R. Milne and M.J. Culnan 2002. Using the Content of Online Privacy Notices to
Inform Public Policy: A Longitudinal Analysis of the 1998-2002 US Web Surveys.
The Information Society 18, 5, 245-359.
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
2
Privacy policy problems
BUT policies are often
difficult to understand
hard to find
take a long time to read
change without notice
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
3
Privacy policy components
Identification of site, scope,
contact info
Security assurances
Types of information collected
Children’s privacy
Including information about
cookies
How information is used
Conditions under which
information might be shared
Information about opt-in/opt-out
Information about access
Information about data retention
policies
There is lots of information
to conveys -- but policy
should be brief and
easy-to-read too!
Information about seal programs
What is opt-in? What is opt-out?
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
4
How are online privacy concerns
different from offline privacy
concerns?
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
5
Web privacy concerns
Data is often collected silently
Web allows large quantities of data to be collected inexpensively
and unobtrusively
Data from multiple sources may be merged
Non-identifiable information can become identifiable when
merged
Data collected for business purposes may be used in civil
and criminal proceedings
Users given no meaningful choice
Few sites offer alternatives
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
6
Browser Chatter
Browsers chatter
about
IP address, domain
name, organization,
Referring page
Platform: O/S,
browser
What information is
requested
• URLs and search terms
Cookies
To anyone who might
be listening
End servers
System administrators
Internet Service
Providers
Other third parties
• Advertising networks
Anyone who might
subpoena log files
later
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
7
Typical HTTP request with cookie
GET /retail/searchresults.asp?qu=beer HTTP/1.0
Referer: http://www.us.buy.com/default.asp
User-Agent: Mozilla/4.75 [en] (X11; U; NetBSD 1.5_ALPHA
i386)
Host: www.us.buy.com
Accept: image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en
Cookie: buycountry=us; dcLocName=Basket;
dcCatID=6773; dcLocID=6773; dcAd=buybasket; loc=;
parentLocName=Basket; parentLoc=6773;
ShopperManager%2F=ShopperManager%2F=66FUQULL0
QBT8MMTVSC5MMNKBJFWDVH7; Store=107;
Category=0
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
8
Referer log problems
GET methods result in values in URL
These URLs are sent in the referer
header to next host
Example:
http://www.merchant.com/cgi_bin/o
rder?name=Tom+Jones&address=here
+there&credit+card=234876923234&
PIN=1234&->index.html
Access log example
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
9
Cookies
What are cookies?
What are people concerned about cookies?
What useful purposes do cookies serve?
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
10
Cookies 101
Cookies can be useful
Used like a staple to attach multiple parts of
a form together
Used to identify you when you return to a
web site so you don’t have to remember a
password
Used to help web sites understand how
people use them
Cookies can do unexpected things
Used to profile users and track their
activities, especially across web sites
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
11
How cookies work – the basics
A cookie stores a small string of characters
A web site asks your browser to “set” a cookie
Whenever you return to that site your browser sends the
cookie back automatically
Please store
cookie xyzzy
site
Here is cookie
xyzzy
browser
First visit to site
site
browser
Later visits
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
12
How cookies work – advanced
Cookies are only sent back to
the “site” that set them – but
this may be any host in domain
Sites setting cookies indicate
path, domain, and expiration
for cookies
Send
me with
any
request
to x.com
until
2008
Send me
with requests
for
index.html
on y.x.com
for this
session only
Cookies can store user info or a
database key that is used to
look up user info – either way
the cookie enables info to be
linked to the current browsing
session
User=Joe
Email=
Joe@
x.com
Visits=13
Database
Users …
Email …
Visits …
User=4576
904309
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
13
Cookie terminology
Cookie Replay – sending a cookie back to a site
Session cookie – cookie replayed only during current
browsing session
Persistent cookie – cookie replayed until expiration date
First-party cookie – cookie associated with the site the
user requested
Third-party cookie – cookie associated with an image,
ad, frame, or other content from a site with a different
domain name that is embedded in the site the user
requested
Browser interprets third-party cookie based on domain name,
even if both domains are owned by the same company
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
14
Web bugs
Invisible “images” (1-by-1 pixels, transparent)
embedded in web pages and cause referer info and
cookies to be transferred
Also called web beacons, clear gifs, tracker gifs,etc.
Work just like banner ads from ad networks, but you
can’t see them unless you look at the code behind a web
page
Also embedded in HTML formatted email messages, MS
Word documents, etc.
For software to detect web bugs see:
http://www.bugnosis.org
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
15
How data can be linked
Every time the same cookie is replayed to a site,
the site may add information to the record
associated with that cookie
Number of times you visit a link, time, date
What page you visit
What page you visited last
Information you type into a web form
If multiple cookies are replayed together, they
are usually logged together, effectively linking
their data
Narrow scoped cookie might get logged with broad
scoped cookie
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
16
Ad networks
search for
medical
information
buy CD
set cookie
replay cookie
Ad
Ad
Search Service
Ad company
can get your
name and
address from
CD order and
link them to
your search
CD Store
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
17
What ad networks may know…
Personal data:
Email address
Full name
Mailing address
(street, city, state,
and Zip code)
Phone number
Transactional data:
Details of plane trips
Search phrases used at
search engines
Health conditions
“It was not necessary for me to click on the banner ads
for information to be sent to DoubleClick servers.”
– Richard M. Smith
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
18
Online and offline merging
In November 1999, DoubleClick
purchased Abacus Direct, a
company possessing detailed consumer profiles on more
than 90% of US households.
In mid-February 2000 DoubleClick announced plans to
merge “anonymous” online data with personal
information obtained from offline databases
By the first week in March 2000 the plans were put on
hold
Stock dropped from $125 (12/99) to $80 (03/00)
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
19
Offline data goes online…
The
Cranor
family’s 25
most
frequent
grocery
purchases
(sorted by
nutritional
value)!
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
20
Subpoenas
Data on online activities is increasingly of
interest in civil and criminal cases
The only way to avoid subpoenas is to not
have data
In the US, your files on your computer in
your home have much greater legal
protection that your files stored on a
server on the network
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
21
P3P: Introduction
Original Idea behind P3P
A framework for automated privacy
discussions
Web sites disclose their privacy practices in
standard machine-readable formats
Web browsers automatically retrieve P3P
privacy policies and compare them to users’
privacy preferences
Sites and browsers can then negotiate about
privacy terms
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
22
P3P: Introduction
P3P history
Idea discussed at November 1995 FTC meeting
Ad Hoc “Internet Privacy Working Group” convened to
discuss the idea in Fall 1996
W3C began working on P3P in Summer 1997
Several working groups chartered with dozens of participants
from industry, non-profits, academia, government
Numerous public working drafts issued, and feedback resulted in
many changes
Early ideas about negotiation and agreement ultimately removed
Automatic data transfer added and then removed
Patent issue stalled progress, but ultimately became non-issue
P3P issued as official W3C Recommendation on April 16,
2002
http://www.w3.org/TR/P3P/
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
23
P3P: Introduction
P3P1.0 – A first step
Offers an easy way for web sites to
communicate about their privacy policies
in a standard machine-readable format
Can be deployed using existing web servers
This will enable the development of tools
that:
Provide snapshots of sites’ policies
Compare policies with user preferences
Alert and advise the user
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
24
P3P: Introduction
The basics
P3P provides a standard XML format that web
sites use to encode their privacy policies
Sites also provide XML “policy reference files” to
indicate which policy applies to which part of
the site
Sites can optionally provide a “compact policy”
by configuring their servers to issue a special
P3P header when cookies are set
No special server software required
User software to read P3P policies called a “P3P
user agent”
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
25
P3P: Enabling your web site – overview and options
What’s in a P3P policy?
Name and contact information for site
The kind of access provided
Mechanisms for resolving privacy disputes
The kinds of data collected
How collected data is used, and whether
individuals can opt-in or opt-out of any of these
uses
Whether/when data may be shared and whether
there is opt-in or opt-out
Data retention policy
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
26
P3P/XML encoding
Statement
P3P version
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
<POLICY discuri="http://p3pbook.com/privacy.html"
Location of
name="policy">
human-readable
P3P policy name
<ENTITY>
<DATA-GROUP>
privacy policy
<DATA
Site’s
ref="#business.contact-info.online.email">[email protected]
name
</DATA>
and
<DATA
ref="#business.contact-info.online.uri">http://p3pbook.com/
contact
</DATA>
info
<DATA ref="#business.name">Web Privacy With P3P</DATA>
</DATA-GROUP>
Access disclosure
</ENTITY>
Human-readable
<ACCESS><nonident/></ACCESS>
explanation
<STATEMENT>
<CONSEQUENCE>We keep standard web server logs.</CONSEQUENCE>
<PURPOSE><admin/><current/><develop/></PURPOSE>
How data may
<RECIPIENT><ours/></RECIPIENT>
be used
<RETENTION><indefinitely/></RETENTION>
<DATA-GROUP>
Data recipients
<DATA ref="#dynamic.clickstream"/>
<DATA ref="#dynamic.http"/>
Data retention policy
</DATA-GROUP>
</STATEMENT>
Types of data collected
</POLICY>
</POLICIES>
P3P: Introduction
P3P1.0 Spec Defines
A standard vocabulary for describing set of uses,
recipients, data categories, and other privacy
disclosures
A standard schema for data a Web site may wish
to collect (base data schema)
An XML format for expressing a privacy policy in
a machine readable way
A means of associating privacy policies with Web
pages or sites
A protocol for transporting P3P policies over
HTTP
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
28
P3P: Introduction
A simple HTTP transaction
GET /index.html HTTP/1.1
Host: www.att.com
. . . Request web page
Web
Server
HTTP/1.1 200 OK
Content-Type: text/html
. . . Send web page
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
29
P3P: Introduction
… with P3P 1.0 added
GET /w3c/p3p.xml HTTP/1.1
Host: www.att.com
Request Policy Reference File
Web
Server
Send Policy Reference File
Request P3P Policy
Send P3P Policy
GET /index.html HTTP/1.1
Host: www.att.com
. . . Request web page
HTTP/1.1 200 OK
Content-Type: text/html
. . . Send web page
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
30
P3P: Introduction
Transparency
P3P clients can check
a privacy policy each
time it changes
http://www.att.com/accessatt/
P3P clients can check
privacy policies on all
objects in a web
page, including ads
and invisible images
http://adforce.imgis.com/?adlink|2|68523|1|146|ADFORCE
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
31
P3P: Introduction
P3P in IE6
Automatic processing of
compact policies only;
third-party cookies without
compact policies blocked by
default
Privacy icon on status bar
indicates that a cookie has
been blocked – pop-up appears
the first time the privacy icon
appears
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
32
P3P: Introduction
Users can click on
privacy icon for
list of cookies;
privacy summaries
are available at
sites that are
P3P-enabled
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
33
P3P: Introduction
Privacy summary
report is
generated
automatically
from full P3P policy
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
34
P3P: Introduction
P3P in Netscape 7
Preview version similar to IE6,
focusing, on cookies; cookies
without compact policies (both
first-party and third-party)
are “flagged” rather than
blocked by default
Indicates flagged cookie
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
35
P3P: Introduction
Users can view English
translation of (part of)
compact policy in Cookie
Manager
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
36
P3P: Introduction
A policy summary can be
generated automatically
from full P3P policy
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
37
P3P: Introduction
AT&T Privacy Bird
Free download of beta from
http://www.privacybird.com/
“Browser helper object” for
IE 5.01/5.5/6.0
Reads P3P policies at all
P3P-enabled sites automatically
Puts bird icon at top of browser window that changes to
indicate whether site matches user’s privacy preferences
Clicking on bird icon gives more information
Current version is information only – no cookie blocking
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
38
P3P: Introduction
Chirping bird is privacy indicator
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
39
P3P: Introduction
Click on the bird for more info
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
40
P3P: Introduction
Privacy policy summary - mismatch
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
41
P3P: Introduction
Users select warning conditions
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
42
P3P: Introduction
Bird checks policies for embedded content
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
43
P3P: Introduction
Why web sites adopt P3P
Demonstrate corporate leadership on privacy
issues
Show customers they respect their privacy
Demonstrate to regulators that industry is taking
voluntary steps to address consumer privacy concerns
Distinguish brand as privacy friendly
Prevent IE6 from blocking their cookies
Anticipation that consumers will soon come to
expect P3P on all web sites
Individuals who run sites value personal privacy
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
44
P3P: Introduction
P3P early adopters
News and information sites – CNET, About.com,
BusinessWeek
Search engines – Yahoo, Lycos
Ad networks – DoubleClick, Avenue A
Telecom companies – AT&T
Financial institutions – Fidelity
Computer hardware and software vendors – IBM, Dell,
Microsoft, McAfee
Retail stores – Fortunoff, Ritz Camera
Government agencies – FTC, Dept. of Commerce,
Ontario Information and Privacy Commissioner
Non-profits - CDT
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
45
P3P: The future
Impacts
Somewhat early to evaluate P3P
Some companies that P3P-enable think
about privacy in new ways and change
their practices
Systematic assessment of privacy practices
Concrete disclosures – less wiggle room
Disclosures about areas previously not
discussed in privacy policy
Hopefully we will see greater
transparency, more informed consumers,
and ultimately better privacy policies
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
46
Discussion questions
What elements are needed in order to
facilitate a robust market for privacy of
personal information?
How can P3P help realize such a market?
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
47
Homework discussion
Argue for or against placing privacy-related
restrictions on public web cams.
P3P and privacy policies
What aspects of each privacy policy you liked and
what aspects you did not like
Compare the experience of reading the privacy
policies with using each P3P user agent
Pick one new-technology-related privacy
concern that you believe to be particularly
significant. Explain the privacy issue and why
you think it is a significant concern. What might
be done to mitigate the concern?
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
49
Degrees of anonymity
More
Absolute privacy: adversary cannot observe communication
Beyond suspicion: no user is more suspicious than any other
Probable innocence: each user is more likely innocent than not
Possible innocence: nontrivial probability that user is innocent
Exposed (default on web): adversary learns responsible user
Provably exposed: adversary can prove your actions to others
Less
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
50
The Anonymizer
Request
Request
Anonymizer
Reply
Reply
Client
Server
Acts as a proxy for users
Hides information from end servers
Sees all web traffic
Adds ads to pages (free service; subscription
service also available)
http://www.anonymizer.com
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
51
Cryptography Basics
Encryption algorithm
used to make content unreadable by all but
the intended receivers
E(plaintext,key) = ciphertext
D(ciphertext,key) = plaintext
Symmetric (shared) key cryptography
A single key is used is used for E and D
D( E(p,k1), k1 ) = p
Management of keys determines who has
access to content
E.g., password encrypted email
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
52
Public Key Cryptography
Public Key cryptography
Each key pair consists of a public and private
component: k+ (public key), k- (private key)
D( E(p, k+), k- ) = p
D( E(p, k-), k+ ) = p
Public keys are distributed (typically)
through public key certificates
Anyone can communicate secretly with you if
they have your certificate
E.g., SSL-base web commerce
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
53
Mixes [Chaum81]
Sender
Destination
B, C
dest,msg kC kB kA
Mix C
msg
dest,msg kC
Mix A
C dest,msg kC kB
Mix B
kX = encrypted with public key of Mix X
Sender routes message randomly through network
of “Mixes”, using layered public-key encryption.
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
54
Crowds
Users join a Crowd of other users
Web requests from the crowd cannot be linked
to any individual
Protection from
end servers
other crowd members
system administrators
eavesdroppers
First system to hide data shadow on the web
without trusting a central authority
http://avirubin.com/cacm.pdf
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
55
Crowds
Crowd members
Web servers
1
3
6
5
5
2
1
6
3
4
4
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
2
56
Anonymous email
Anonymous remailers allow people to send
email anonymously
Similar to anonymous web proxies
Send mail to remailer, which strips out any
identifying information (very controversial)
Johan (Julf) Helsingius ~ Penet
Some can be chained and work like mixes
http://anon.efga.org/Remailers
Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/
57