Privacy Policy, Law and Technology Carnegie Mellon University Fall 2004 Lorrie Cranor 1 Privacy and technology Week.

Slide 1: Privacy and technology - Week 13 - November 23

Slide 2: Administrivia
- Returning rough drafts today
  - Please follow our suggestions
  - If we wrote that you have a lot of work left to do, we really mean it
  - I will try to review 2nd drafts if you send them to me
- Homework 13 (last homework!) will be reading and summary/highlight only - due November 30
- November 30: Current issues discussion, will probably focus on issues that have been raised on the class mailing list
- December 2: Assemble posters in class
- December 3: Poster session 3-5 pm
- Please fill out faculty course evaluations! I would also like feedback on books and guest speakers

Slide 3: Homework 11 Discussion (11.html)
- Cases where US government used personal data to violate civil liberties of US citizens
- Brin: "Can we stand living our lives exposed to scrutiny... if in return we get flashlights of our own?"

Slide 4: Privacy invasive technologies
- Location tracking (cell phones, GPS devices that phone home, etc.)
- RFID
- Transit cards
- Computer software that phones home
- Devices that phone home
- Video cameras (hidden cameras, cell phones)
- Personalized ecommerce sites
- Automobile data recorders
- Face recognition

Slide 5: The Global Positioning System (GPS)
- Radio-navigation system operated by US DoD
- Comprised of 24 satellites and 5 ground stations
- Uses satellites like "man-made stars" to triangulate and calculate 3D position from 4 satellite signals
- Receivers listen for radio beacons and triangulate their position
- Typical accuracy in meters, cm accuracy possible
  - DoD intentionally degraded accuracy until May 2000
- One-way system
  - If receivers are to report their location back they must use another system, for example a cellular phone network
- Does not work indoors

Slide 6: Radio-frequency identification (RFID)
- Tags
  - Antenna bonded to small silicon chip encapsulated in glass or plastic (as small as a grain of rice)
  - Unpowered (passive) tags and powered (active) tags
- Readers
  - Broadcast energy to tags, causing tags to broadcast data
  - Energy from readers can also power onboard sensors or cause the tag to write new data to memory
  - Read ranges currently a few centimeters up to a few meters

Slide 7: Current and near term uses of RFID
- Automobile immobilizers
- Animal tracking
- Building proximity cards
- Payment systems
- Automatic toll collection
- Inventory management (mostly at pallet level)
  - Prevent drug counterfeiting
- Passports

Slide 8: Electronic Product Code
- Standard managed by EPCglobal
- Relatively small tags
  - Inexpensive
  - No encryption, limited security
  - Kill feature
  - Password feature
- Designed to replace UPC bar codes
- 96-bit+ serial number
- Object Name Service (ONS) database operated by EPCglobal

Slide 9: Ecommerce personalization
- Ecommerce web sites increasingly offer personalized features
  - Targeted marketing
  - Build relationships with customers
- Personalization may be:
  - Based on explicit or implicit data
  - Task/session focused or profile based
  - User initiated or system initiated
  - Prediction based or content based

Slide 10: Problems
- Ecommerce personalization may not actually work for most sites
- Jupiter report says
  - Personalization features can quadruple site costs
  - Most consumers have never customized a site
  - Consumers say personalization is not a factor in purchase decisions
  - Consumers are concerned about privacy issues
  - There are more cost effective ways of achieving the same goals

Slide 11: Privacy risks
- Unsolicited marketing
- Computer can "figure things out about me"
  - Inaccurate inferences - "My TiVo thinks I'm gay!"
  - Surprisingly accurate inferences
- Profiles may facilitate price discrimination
  - Concern about being charged higher prices
  - Concern about being treated differently
- Revealing personal info to other users of a computer
  - Revealing info to family members or co-workers
  - Revealing secrets that can unlock many accounts
- Exposing secrets to criminals
- Info may be subpoenaed
- Info may be used for government surveillance

Slide 12: Risks may be magnified in future
- Wireless location tracking
- Semantic web applications
- Ubiquitous computing
- (Maybe personalization will be more effective in these contexts than it is for today's ecommerce web sites?)

Slide 13: Privacy risks from RFID? (discussion)

Slide 14: Applying FIPs to ecommerce personalization
- Fair information practice principles can be a useful guide for thinking about privacy risks
- Lessons from the 8 OECD principles:
  - Collect only the data you need
  - Don't use data to make irrelevant inferences
  - Allow individuals to update and correct their profiles
  - Notify individuals about data collected and how it will be used
  - Don't allow data collected for personalization to be used for other purposes without user consent
  - Use appropriate security safeguards to protect stored profiles and information in transit
  - Be proactive about developing policies, procedures, and software to support compliance with FIPPs

Slide 15: Applying FIPs to RFID? (discussion)

Slide 16: Relevant laws and self regulation
- US has mostly sector-specific privacy laws
  - Financial, healthcare, and children's sites most affected by privacy laws
  - Industry guidelines may require privacy notices or opt-outs, or limit what may be included in a profile
- European countries have more comprehensive privacy laws
  - Privacy notices and access provisions required
  - Limitations on secondary uses and data sharing
  - In some cases, limitations on use of server logs and on automated use of profile data for decision-making
  - In some cases pseudonymous services required

Slide 17: Reducing privacy risks
- No single approach will always work
- Several approaches to "collection limitation" - reduce the amount of data stored by the web site to reduce exposure
- Approaches that put users in control address "data quality" and "individual participation," and facilitate obtaining consent in compliance with "use limitation"

Slide 18: Axes of personalization

Axis                     Tends to be more privacy invasive   Tends to be less privacy invasive
Data collection method   Implicit                            Explicit
Duration                 Persistent (profile)                Transient (task or session)
User involvement         System initiated                    User initiated
Reliance on predictions  Prediction based                    Content based

Slide 19: Pseudonymous profiles
- Useful for reducing risk and complying with privacy laws when personal info is not needed for personalization
- But the profile may become identifiable because of unique combinations of info, links with log data, unauthorized access to the user's computer, etc.
- Profile info should always be stored separately from web usage logs and transaction records that might contain IP addresses or PII
- Architectures for pseudonymous profiles across web sites proposed by
  - Arlein, Jain, Jakobsson, Monrose, and Reiter (EC'00)
  - Kobsa and Schreck (TOIT 2003)

Slide 20: Client-side profiles
- Useful for reducing risk and complying with laws
- But the risk of exposure to other users of the computer remains; storing profiles in encrypted form on the user's computer can help
- Client-side profiles may be stored in cookies that are replayed to the server, which discards them after use
- Client-side scripting may allow personalization without ever sending personal info to the server
- Architecture for a recommendation system in which individuals compute their own recommendations without revealing their individual data proposed by
  - Canny (IEEE Symposium on Security and Privacy 2002)

Slide 21: Task-based personalization
- Focus on data associated with the current session or task - no user profile need be stored anywhere
- May allow for a simpler (and less expensive) system architecture too!
- May eliminate the problem of the system making recommendations that are not relevant to the current task
- Less "spooky" to users - the relationship between the current task and the resultant personalization is usually obvious

Slide 22: Putting users in control
- Users should be able to control
  - what information is stored in their profile
  - how it may be used and disclosed
- Developing a good user interface to do this is complicated
  - Setting preferences can be tedious
  - Creating overall rules that can be applied on the fly as new profile data is collected requires deep understanding and the ability to anticipate privacy concerns
  - An approach that provides reasonable default rules with the ability to add/change them for all data or on a case-by-case basis seems promising
  - Privacy preference prompts in the transaction process may help
  - Use of multiple personae may help

Slide 23: Amazon critique
- Customizing the profile requires navigating through several menus
  - There should be easier ways of getting to this info at the times when it is likely to be most relevant
- Users can rate purchases or have them excluded from recommendations, but not removed from the profile
  - If items must remain in the profile for legal reasons, users should be able to request that they not be accessible online
- Every time a user makes a new purchase that they want to rate or exclude they have to edit profile info
  - There should be a way to set up default rules
- Amazon already allows users to store multiple credit cards and addresses - why not allow users to create personae linked to each, with the option of keeping recommendations separate (would allow an easy way to separate work/home/gift personae)?
- Likewise, how about an "I didn't buy it for myself" check-off box (perhaps automatically checked if gift wrapping is requested)?

Slide 24: RFID privacy proposals (discussion)

Slide 25: Happy Thanksgiving!