Privacy Policy Issues and Pages on the WWWeb


Privacy Policy Issues and Pages on the WWWeb
Jason Turner
INF 385E - Information Architecture & Design 1
UT School of Information
16 Sep 03

Overview
- What’s all the fuss about?
- A brief history of the universe
- A mouthful of P’s (…or principles for providing [perceptions of] privacy on the Internet)
- Privacy practices in the wild

What’s all the fuss about?
Privacy (prī´və-sē) [1]:
- The quality or condition of being secluded from the presence or view of others.
- The state of being free from unsanctioned intrusion: a person's right to privacy.
- The state of being concealed; secrecy.
What is privacy/what does it mean on the Internet?
[1] The American Heritage® Dictionary of the English Language, Fourth Edition, © 2000

What’s all the fuss about?
Primary concerns
- Internet is inherently open & interconnected system
- More data is being moved on line
- “It will soon be technologically possible for an average person to access virtually all recorded information.”
- 250 MB data/person [2]
[2] How Much Information? http://www.sims.berkeley.edu/research/projects/how-much-info/

What’s all the fuss about?
On-line habits / storage of others:
- Financial
- Medical
- Personal (life/travel, habits, associations, etc.)
Privacy-related ills on the Internet
- SPAM (it’s not just for lunch anymore)
- “Cyber stalkers” and other cyber crimes
- Fraud
- Identity Theft
- Embarrassment/Libel
- Economic Loss

What’s all the fuss about?
Privacy on the Internet is NOT
- Access Control
- Biometrics
- Smart Cards
- Passwords
- Authentication Procedures
- Transmission Security
- Firewalls (HW/SW)
- Encryption
- Dedicated Circuits
- Hardened Facilities (EM/RF Interference/Interception)
- Operational Security
- Alternate Terms/Language
- Cookies

What’s all the fuss about?
Privacy on the Internet is NOT ONLY
- Access Control
- Biometrics
- Smart Cards
- Passwords
- Authentication Procedures
- Transmission Security
- Firewalls (HW/SW)
- Encryption
- Dedicated Circuits
- Hardened Facilities (EM/RF Interference/Interception)
- Operational Security
- Alternate Terms/Language
- Cookies

What’s all the fuss about?
Privacy issues on the Internet are a synthesis of all factors affecting on-/off-line activities:
- Hardware
- Software
- Procedures/Activities
- Motivations
- Intentions
- Choices
- Philosophy (the human factor)

A brief history of the universe
Like any good government…
- Section 5, Federal Trade Commission Act (1914)
- Privacy Act (1974)
- Electronic Communications Privacy Act (1986)
- Health Insurance Portability and Accountability Act (1996)
- Children’s Online Privacy Protection Act (1988)
- Financial Modernization Act/Gramm-Leach-Bliley Act (1999)
- Fair Credit Reporting Act (2002)
- Online Personal Privacy Protection Act (2002)

A brief history of the universe
Section 5, Federal Trade Commission Act (1914, and subsequent amendments)
- Prohibits unfair/deceptive practices
- Companies should keep their promises to consumers about privacy initiatives and precautions taken to ensure safety of personal information collected

A brief history of the universe
Privacy Act (1974)
- Regulate collection, use and disclosure of personal information by government agencies
- Notion of “fair information practices”
Electronic Communications Privacy Act (1986)
- Regulates privacy/disclosure issues surrounding data sent/stored via electronic means
Health Insurance Portability and Accountability Act (1996)
- Encourage electronic transactions AND requires safeguards to protect security/confidentiality of health information

A brief history of the universe
Children’s Online Privacy Protection Act (1988)
- Provides control over what information is collected from children online and how it may be used
Financial Modernization Act/Gramm-Leach-Bliley Act (1999)
- Companies provide consumers with explanations of information-sharing practices AND consumers must be able to limit extent of sharing

A brief history of the universe
Fair Credit Reporting Act (2002)
- Promotes accuracy in consumer credit reports and protects information w/in them
Online Personal Privacy Protection Act (2002)
- Requires commercial Web sites/ISPs to obtain consent from consumers BEFORE collecting personal information

Principles for providing [perceptions of] privacy on the Internet
Provisions of Online Personal Privacy Protection Act (2002)
“Fair Information Practices”
- Notice – clear/conspicuous notice of what is collected and how it is used
- Choice – offer choice of how information is to be used (internal marketing, passed along to 3rd parties, etc.)
- Access – reasonable access and chance to review what has been collected
- Security – reasonable measures to protect information collected from consumers

Principles for providing [perceptions of] privacy on the Internet
The Design of Sites
“Fair Information Practices”
- Notice
- Choice (opt out of disclosure to 3rd party, opt-in of use for purpose other than originally intended)
- Access
- Security
- Onward Transfer to 3rd Parties (combination of notice and choice)
- Data Integrity – personal info must be relevant to purposes of use
- Enforcement – independent means of resolving complaints/disputes and sanctions for breaking rules

Principles for providing [perceptions of] privacy on the Internet
Implications of Fair Information Practices for site design:
- Make privacy policy clear, easy to understand and conspicuous
  - Link to privacy policy on every page
- Give choice of how their information will be used
  - Provide consent options for re-mailing, secondary marketing
  - Don’t promote acquiescence by laziness—making “I accept” default vs. requiring opt-in/out
  - Allow “guest” accounts for single transactions

Principles for providing [perceptions of] privacy on the Internet
Implications of Fair Information Practices for site design:
- Tell people what information is collected/stored and provide a means to correct it if applicable
  - “My account”
  - Account management
- Take precautions to protect collected data
  - Use secure connections (https)
  - Proactive network management (virus scanning, software updates, etc.)
  - Internal privacy policies/practices

Principles for providing [perceptions of] privacy on the Internet
Managing perceptions
- Ally with union of privacy-minded sites and conform to agreed-upon guidelines
- Don’t mix secure w/non-secure content (balance cost of hosting content on secure server with consumer perceptions)
- Avoid several degrees of separation between front page, personal information collection, and transaction services (i.e. third party shopping carts and outside banking services)

Privacy practices in the wild
According to FTC report to Congress [3]
- In 1998, 92% of all websites were collecting personal information
  - <15% of commercial sites have any privacy statement indicating what data was collected and how it was used
- By 2000, number had improved
  - Addition of privacy disclosure statements to ~80% sites
  - BUT only 20% of surveyed sites had implemented basic aspects of “fair information practices”
[3] Privacy Online: A Report to Congress (FTC, June ’00) http://www.ftc.gov/reports/privacy2000/privacy2000.pdf

Privacy practices in the wild
Notice: Amazon.com main page
- Similar link on every page BUT not too conspicuous

Privacy practices in the wild
Notice: Dept. of Justice Main Page
- Privacy Policy link is right up front at all times (static banner frame)

Privacy practices in the wild
Choice, Access: Amazon.com “My account” page
- View/edit personal & financial data
- Radio buttons to opt-in/out of various uses of personal data
- Adjust preferences of secondary marketing contacts

Privacy practices in the wild
Examples of Fair Information Practices: Dept. of Justice Privacy Policy Web Page
- Policy is direct and clearly stated
- Sections explicitly indicate:
  - How/what information is collected
  - How personal information is handled if sent
  - Cookies
  - Network security practices

Privacy practices in the wild
Perception Management
- TRUSTe and Better Business Bureau have independent security programs/guidelines
- Participating sites enjoy benefits of association through display of their icons/“seals of approval”

Questions?