Consumer’s Privacy in terms of
Privacy & Mental Model
• Interfaces do not reflect good thinking on how to make
them easy to use in a manner that results in terms of
• Security problems arguably might stem from bad
interaction between humans and systems.
• How much eCommerce sites care about consumer’s
• How and to what extent existing Security and Privacy
technologies fits with the human mental model ?
• Technique Used:
Qualitative Research (Conducting interview’s).
Content of Talk
1.PPS analysis of Ecommerce site.
2. Different Survey Results for analysis of end user’s
3. Privacy Law’s.
4. Existing Toolbar plug-ins.
5. My Solutions.
PPS Analysis Strategy
• Goal Mining : “What goal's does this statement or fragment exemplify?” and/or “What
goal(s) does this statement obstruct or thwart?”.
• Goals in privacy policies are thus also identified by looking for useful keywords
• “The Lack of Clarity in Financial Privacy Policies and the Need for
Standardization” by Annie I. Antón, Julia B. Earp, Davide Bolchini, Qingfeng He, Carlos
Jensen, William Stufflebeam, 14 August 2003.
• Normative Template : OECD 'Guidelines for Consumer Protection in the Context of
• “A Major Impediment to B2C Success is ...the Concept 'B2C’” by Roger
Clarke ICEC’06, August 14–16, 2006
• Accessibility of Terms.
(Consolidated list of terms applicable to consumer
• Choice and Consent.
• Warranties and Guarantees.
End user’s Survey Results.
• Survey on Privacy in summer 1998
“Privacy in e-commerce: examining user scenarios and privacy preferences” by Ackerman ,
Cranor and Reagle.
Acceptance of the use of persistent identifiers
varies according to their purpose.
• AT&T Research, April 14, 1999.
• 52% of concerned about Web cookies.
• Another 12% said they were uncertain about what a cookie is.
• Privacy Practices of Internet Users: Self-reports versus
observed behavior by Carlos Jensen, Colin Potts, Christian Jensen July 2005
• 90.3% of concerned about Web cookies.
• 14% (14.0% of those who claim.)
• IBM-Harris multinational survey
– Phone interviews with 1000+ adults in each of three countries: US, UK and
Greatest trust in companies, but most likely to actively protect privacy.
Most comfortable with governmental privacy protection
• Japan’s Ministry of Postal & Telecomm.
Survey interviews with 968 adults, 1999
– 70% have interest in privacy protection
– 92% fear that personal information is used
Some US privacy laws
• Bank Secrecy Act, 1970
• Fair Credit Reporting Act, 1971
• Privacy Act, 1974
• Right to Financial Privacy Act, 1978
• Cable TV Privacy Act, 1984
• Video Privacy Protection Act, 1988
• Family Educational Right to Privacy Act, 1993
• Electronic Communications Privacy Act, 1994
• Freedom of Information Act, 1966, 1991, 1996
US law – recent additions
• HIPAA (Health Insurance Portability and Accountability Act, 1996)
– When implemented, will protect medical records and other individually identifiable
• COPPA (Children‘s Online Privacy Protection Act, 1998)
– Web sites that target children must obtain parental consent before collecting
personal information from children under the age of 13.
• GLB (Gramm-Leach-Bliley-Act, 1999).
Various privacy guidelines Online Privacy Alliance, Direct Marketing Association
Privacy Promise, CTIA Location-based privacy guidelines etc.
significantly increase consumer trust and thus willingness to engage
Trust?” by David B. Meinert and Dane K. 2006 Informing Science Journal
consumer willingness to submit personal information via the Internet.
regulation are unlikely to significantly reduce consumer reluctance to
provide personal information on-line.
Framework-Related Technologies and Standards
Relevant Standards Groups
OASIS (SAML, AVDL, PKI,
Negotiation Technologies Data Subject Data Requestor
WS-Security, XCBF, XRI)
W3C (XML*, HTTP, SOAP,
APPEL P3P, APPEL, CC/PP)
Rights Expression Interaction Interaction Trusted Computing Group
Liberty Alliance Project
Languages Negotiation Negotiation Usage XNS
P3P PI Many Hardware & Govt Stds
LicenseScript Control Container Control
PI, Preferences PIC Repository
Validation Services & PIC Repository
Adult Check Services Agent Agent
Credit Check Services
Address Validation Services • BBBOnline
Validation Certification Audit Enforcement
Integration & Interoperability • BetterWeb
Microsoft Passport Security Foundation
• Global Trust Alliance
Liberty Alliance Project • Guardian eCommerce Security
XNS Legal, Regulatory, & Policy Context • Net-Ethix
PSP • Privacy License
• Access • Privacy Secure, Inc
Security Technologies • PrivacyBot.com
Cryptography (PK & Symmetric) • Integrity • SecureBiz
Secure Hashing • Non-repudiation • TRUSTe
• Privacy (Encryption) • WebTrust
P3P in IE6
Automatic processing of compact
third-party cookies without compact
policies blocked by default
Privacy icon on status bar
indicates that a cookie has been
blocked – pop-up appears the
first time the privacy icon
Users can click on
privacy icon for
list of cookies;
are available at
sites that are
P3P in Netscape 7
Preview version similar to IE6,
focusing, on cookies; cookies
without compact policies (both
first-party and third-party)
are “flagged” rather than
blocked by default
Indicates flagged cookie
from full P3P policy
Chirping bird is privacy indicator
• More awareness– courses like Computer Ethics.
• Certifiactions for I.T managers : http://www.isaca.org
• Provide more effective solutions.
• Simple effective identifiable solutions attached to the
• Present solutions are more security oriented.
• Simplify and some sort scaling (say 1 to 5) to present the exact info
to the user.
• scale 5 -- complete privacy-eCommerce sites collects data and
keep within themselves.
• Scale 4 -- privacy-eCommerce sites collects data and use it for only
promotion of products related to their company.
• ……So on and so forth.
• Must be certified by some authorizing agency like security.
Display of Privacy Information's
Need More Defined law’s
• “Do Privacy Seals in E-Commerce Really Work?” by Dr. Trevor T.
Moores and Dr. Gurpreet Dhillon COMMUNICATIONS OF THE ACM December 2003/Vol. 46, No.
• In the summer of 2000, the failed Toysmart.com, Boo.com, and Craft-Shop.com all put their
customer databases up for sale. Toysmart, a TRUSTe licensee, was sued by the U.S. Federal
Trade Commission for violating the privacy commitment made to its customers. In January 2001,
a settlement was reached whereby a subsidiary of Disney effectively paid Toysmart $50,000 to
destroy the database.
• In October 2000, TRUSTe sued two Web sites, American-Politics.com and SurfAssured.com, for
illegally displaying the trustmark.
• A Web site can presumably avoid such litigation by having no privacy statement, or by declaring
that the customer database is an asset that would be sold with all assets should the company be
sold. The privacy notice for Amazon.com was changed in late-2000 to include exactly such a
disclaimer under the heading of “Business Transfers.”
• While it makes no sense to suggest a company must destroy its customer database when sold, it
is unclear whether any purchaser of Amazon is under the same obligations of privacy with respect
to sharing the data.
• Dr. Hal Koenig –COB Marketing.
• Dr. Keven Malkewitz - COB Marketing.
• Dr. Sullivan Dave - Information Management.
• R. Basu- Program Manager IBM.
• M. Clements – Senior Developer BSG.