Consumer’s Privacy in Terms of Mental Model
           Chandan Sarkar
           Class CS-419/519
Privacy & Mental Model

• Interfaces do not reflect good thinking on how to make
  them easy to use in a manner that results in terms of

• Security problems arguably might stem from bad
  interaction between humans and systems.
Research Questions

• How much do eCommerce sites care about consumers’ privacy?

• How, and to what extent, do existing security and privacy
  technologies fit the human mental model?

• Techniques used:
  Qualitative research (conducting interviews).
  Literature survey.
Content of Talk

1. PPS analysis of eCommerce sites.

2. Different survey results for analysis of end users’
   mental model.

3. Privacy laws.

4. Existing toolbar plug-ins.

5. My solutions.
PPS Analysis Strategy
•   Goal Mining: “What goal(s) does this statement or fragment exemplify?” and/or “What
    goal(s) does this statement obstruct or thwart?”.

•   Goals in privacy policies are thus also identified by looking for useful keywords

•   “The Lack of Clarity in Financial Privacy Policies and the Need for
    Standardization” by Annie I. Antón, Julia B. Earp, Davide Bolchini, Qingfeng He, Carlos
    Jensen, William Stufflebeam, 14 August 2003.

•   Normative Template: OECD “Guidelines for Consumer Protection in the Context of
    Electronic Commerce”

•   “A Major Impediment to B2C Success is ...the Concept 'B2C'” by Roger
    Clarke, ICEC’06, August 14–16, 2006
PPS Analysis
• Accessibility of Terms.
  (Consolidated list of terms applicable to consumer

• Choice and Consent.

• Warranties and Guarantees.

• Recourse.

• Redress.
End user’s Survey Results.
• Survey on Privacy in summer 1998

     “Privacy in e-commerce: examining user scenarios and privacy preferences” by Ackerman,
     Cranor and Reagle.
• Acceptance of the use of persistent identifiers
  varies according to their purpose.
• AT&T Research, April 14, 1999.

• 52% of concerned about Web cookies.
• Another 12% said they were uncertain about what a cookie is.

• Privacy Practices of Internet Users: Self-reports versus
  observed behavior by Carlos Jensen, Colin Potts, Christian Jensen July 2005
• Cookies
• 90.3% of concerned about Web cookies.
• 14% (14.0% of those who claim.)
Regional Differences among Users
•    IBM-Harris multinational survey
    – Phone interviews with 1000+ adults in each of three countries: US, UK and
     Germany (10/1999)

•    US:
     Greatest trust in companies, but most likely to actively protect privacy.

•   Germany:
    Most comfortable with governmental privacy protection

•    Japan’s Ministry of Postal & Telecomm.
    Survey interviews with 968 adults, 1999

    – 70% have interest in privacy protection
    – 92% fear that personal information is used

                 Some US privacy laws
•   Bank Secrecy Act, 1970

•   Fair Credit Reporting Act, 1971

•   Privacy Act, 1974

•   Right to Financial Privacy Act, 1978

•   Cable TV Privacy Act, 1984

•   Video Privacy Protection Act, 1988

•   Family Educational Right to Privacy Act, 1993

•   Electronic Communications Privacy Act, 1994

•   Freedom of Information Act, 1966, 1991, 1996
                US law – recent additions
•   HIPAA (Health Insurance Portability and Accountability Act, 1996)
     – When implemented, will protect medical records and other individually identifiable
       health information.

•   COPPA (Children's Online Privacy Protection Act, 1998)
     – Web sites that target children must obtain parental consent before collecting
       personal information from children under the age of 13.

•   GLB (Gramm-Leach-Bliley-Act, 1999).
     – Requires privacy policy disclosure and opt-out mechanisms from financial
       service institutions.

     Various privacy guidelines: Online Privacy Alliance, Direct Marketing Association
        Privacy Promise, CTIA location-based privacy guidelines, etc.
                       Research Question
• Would the imposition of legally mandated privacy policy statements
  significantly increase consumer trust, and thus willingness to engage
  in e-commerce?

•   “Would Regulation of Web Site Privacy Policy Statements Increase Consumer
    Trust?” by David B. Meinert and Dane K. 2006 Informing Science Journal

•   Type of information and type of privacy policy statement play a role in determining
    consumer willingness to submit personal information via the Internet.

•   Legally mandated or imposed privacy policy statements resulting from
    regulation are unlikely to significantly reduce consumer reluctance to
    provide personal information on-line.
Framework-Related Technologies and Standards
[Diagram; its labels are listed below]
• Core model: Data Subject and Data Requestor, each with Interaction, Negotiation, Control and Agent; PI Container (PIC); Usage; PI, Preferences & PIC Repository (Data Subject side); PIC Repository (Data Requestor side)
• Assurance Services: Validation, Certification, Audit, Enforcement
• Security Foundation: Access, Authentication, Integrity, Non-repudiation, Privacy (Encryption)
• Legal, Regulatory, & Policy Context
• Negotiation Technologies: APPEL
• Rights Expression Languages: P3P, LicenseScript, FDRM, ODRL, XrML
• Validation Services: Adult Check Services, Certificate Authorities, Credit Check Services, Address Validation Services
• Integration & Interoperability: Microsoft Passport, Liberty Alliance Project, XNS, PSP
• Security Technologies: Cryptography (PK & Symmetric), Secure Hashing
• Relevant Standards Groups: OASIS (SAML, AVDL, PKI, WS-Security, XCBF, XRI), W3C (XML*, HTTP, SOAP, P3P, APPEL, CC/PP), Trusted Computing Group, Liberty Alliance Project, XNS, Many Hardware & Govt Stds
• Privacy Seals: BBBOnline, BetterWeb, E-Safe, Global Trust Alliance, Guardian eCommerce Security, Net-Ethix, Privacy License, Privacy Secure, Inc, SecureBiz, TRUSTe, WebTrust
P3P in IE6
• Automatic processing of compact policies only;
  third-party cookies without compact policies blocked by default

• Privacy icon on status bar indicates that a cookie has been
  blocked – pop-up appears the first time the privacy icon

• Users can click on privacy icon for list of cookies;
  privacy summaries are available at sites that are
P3P in Netscape 7
• Preview version similar to IE6, focusing on cookies; cookies
  without compact policies (both first-party and third-party)
  are “flagged” rather than blocked by default

• Indicates flagged cookie

• Privacy summary report is from full P3P policy

• Chirping bird is privacy indicator
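
The default cookie rules on the two P3P slides above, as an added example that is not part of the original slides: it reads the compact policy from a `P3P` response header and applies only the defaults the slides state. The function names, the host-comparison shortcut, the treatment of an empty `CP=""` as no policy, and the `.example` hosts are assumptions of this example.

```javascript
// Added illustration; the sample responses below are constructed.

// Return the compact-policy tokens from a P3P response header, e.g.
//   P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR"
function compactPolicy(headers) {
  const name = Object.keys(headers).find((k) => k.toLowerCase() === 'p3p');
  if (!name) return [];
  const m = /\bCP\s*=\s*"([^"]*)"/i.exec(headers[name]);
  return m ? m[1].split(/\s+/).filter(Boolean) : [];
}

// Simplification (assumption): a cookie is third-party unless the host that
// sets it equals the page host or is a subdomain of it.
function isThirdParty(pageHost, cookieHost) {
  const page = pageHost.toLowerCase();
  const host = cookieHost.toLowerCase();
  return !(host === page || host.endsWith('.' + page));
}

// Apply only the defaults stated on the slides:
//   ie6       - third-party cookie without a compact policy => "block"
//   netscape7 - any cookie without a compact policy         => "flag"
// Everything else is "no-default-action" (the slides say nothing more).
function defaultAction(browser, pageHost, response) {
  const hasPolicy = compactPolicy(response.headers).length > 0;
  if (hasPolicy) return 'no-default-action';
  if (browser === 'netscape7') return 'flag';
  if (browser === 'ie6' && isThirdParty(pageHost, response.host)) return 'block';
  return 'no-default-action';
}

// Constructed sample responses for a page loaded from shop.example.
const samples = [
  { host: 'shop.example', headers: { 'Set-Cookie': 'sid=1' } },
  { host: 'ads.tracker.example', headers: { 'Set-Cookie': 'uid=7' } },
  { host: 'ads.tracker.example',
    headers: { 'Set-Cookie': 'uid=7', P3P: 'policyref="/w3c/p3p.xml", CP="NOI DSP COR"' } },
  { host: 'cdn.partner.example', headers: { 'Set-Cookie': 'x=1', p3p: 'CP=""' } },
];

// One decision per sample, in order, for the given browser default.
function report(browser) {
  return samples.map((r) => defaultAction(browser, 'shop.example', r));
}

console.log('ie6      ', report('ie6'));
console.log('netscape7', report('netscape7'));
```
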
Probable Solutions
• More awareness – courses like Computer Ethics.

• Certifications for IT managers:

• Provide more effective solutions.

• Simple effective identifiable solutions attached to the
  browsing experience.

• Present solutions are more security oriented.
Probable Solutions (contd.)
• Simplify, and use some sort of scale (say 1 to 5), to present the exact info
  to the user.

• Scale 5 -- complete privacy: eCommerce sites collect data and
  keep it within themselves.

• Scale 4 -- privacy: eCommerce sites collect data and use it only for
  promotion of products related to their company.

• ……So on and so forth.

• Must be certified by some authorizing agency like security.
Display of Privacy Information
Need More Defined Laws
•   “Do Privacy Seals in E-Commerce Really Work?” by Dr. Trevor T.
    Moores and Dr. Gurpreet Dhillon COMMUNICATIONS OF THE ACM December 2003/Vol. 46, No.
    12ve 265

•   In the summer of 2000, the failed,, and all put their
    customer databases up for sale. Toysmart, a TRUSTe licensee, was sued by the U.S. Federal
    Trade Commission for violating the privacy commitment made to its customers. In January 2001,
    a settlement was reached whereby a subsidiary of Disney effectively paid Toysmart $50,000 to
    destroy the database.

•   In October 2000, TRUSTe sued two Web sites, and, for
    illegally displaying the trustmark.

•   A Web site can presumably avoid such litigation by having no privacy statement, or by declaring
    that the customer database is an asset that would be sold with all assets should the company be
    sold. The privacy notice for was changed in late-2000 to include exactly such a
    disclaimer under the heading of “Business Transfers.”
•   While it makes no sense to suggest a company must destroy its customer database when sold, it
    is unclear whether any purchaser of Amazon is under the same obligations of privacy with respect
    to sharing the data.
• Dr. Hal Koenig –COB Marketing.

• Dr. Keven Malkewitz - COB Marketing.

• Dr. Sullivan Dave - Information Management.

• R. Basu- Program Manager IBM.

• M. Clements – Senior Developer BSG.
The End
