Information Privacy Dr. Heng Xu Privacy Assurance Lab (PAL) Penn State 03/31/2010.


Presentation on theme: "Information Privacy Dr. Heng Xu Privacy Assurance Lab (PAL) Penn State 03/31/2010."— Presentation transcript:

1

2 Information Privacy Dr. Heng Xu Privacy Assurance Lab (PAL) PAL @ Penn State 03/31/2010

3 pal.ist.psu.edu 2

4 3 Outline: What is Privacy? Privacy Concerns. Web Privacy. Privacy Protection Approaches: Legislation, Industry Self-Regulation, Technology.

5 4 What does privacy mean to you? How would you define privacy? What does it mean to you for something to be private?

6 5 Britney Spears: “We just need privacy” “You have to realize that we're people and that we need, we just need privacy and we need our respect, and those are things that you have to have as a human being.” — Britney Spears 15 June 2006 NBC Dateline http://www.cnn.com/2006/SHOWBIZ/Music/06/15/people.spears.reut/index.html

7 6 Benefits: Financial rewards (coupons, gift vouchers, discounts, cash…); Personalization. Risks: Lose control of your personal information; Identity theft. Disclosed Information; Benefits in Return. Information Subject; Service Provider. Benefit/Risks Analysis. Information Disclosure. Privacy Tradeoffs.

8 Web Privacy: Google Search

9 8 Web Privacy: A look at privacy policies at Google, Microsoft and Yahoo. What gets saved when you use the service: Microsoft doesn't record IP address, log-in time, or other user-specific information in its logs. Both Yahoo and Google collect these data, along with your browser and what you clicked on the page. Google log record example:
Q = cars
url = www.google.com/search?q=cars
IP = 72.14.253.xx
Cookie = PREF=66FUQULL0QBT8MMTVSC5K: LD=en…
User-Agent: Mozilla/4.75 [en] (X11; U; NetBSD 1.5_ALPHA i386)
Time = 25 Mar 2007 10:15:32

10 9 Web Privacy: A look at privacy policies at Google, Microsoft and Yahoo. Amount of personal information when you sign up: Google - just name and the country you live in; Yahoo and Microsoft - name, gender, birthday, and zip code. Time-to-Delete: Google may take up to 60 days to completely remove that "Vegas was great" e-mail from its servers after you delete it. Microsoft takes three days or less. Yahoo says that, though removing the actual e-mail content may take a short while, the information becomes dissociated from your account almost as soon as you delete it. http://www.pcworld.com/article/id,137363-page,1-c,onlineprivacy/article.html

11 Privacy Protection: Legislation, Industry Self-Regulation, Technology

12 11 Privacy Laws. Privacy laws and regulations vary widely throughout the world. The US has mostly sector-specific laws, with relatively minimal protections - often referred to as a “patchwork quilt”. Privacy Laws – Private Sector: Fair Credit Reporting Act (FCRA); Health Insurance Portability and Accountability Act (HIPAA); Gramm-Leach-Bliley Act (GLBA); The Children’s Online Privacy Protection Act (COPPA); The Drivers Privacy Protection Act (DPPA). Privacy Laws – Public Sector: The Privacy Act of 1974; The Freedom of Information Act (FOIA).

13 12 Privacy Laws … State Security Breach Notification Laws. Laws that compel disclosure of personal information: The US Patriot Act of 2001; Homeland Security Act of 2002; Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA); The US Communications Assistance to Law Enforcement Act (CALEA). The European Data Protection Directive requires all European Union countries to adopt similar comprehensive privacy laws that recognize privacy as a fundamental human right.

14 13 Privacy self-regulation. Since 1995, the US FTC has pressured companies to “self regulate” in the privacy area. Upcoming FTC town hall on behavioral advertising: http://www.ftc.gov/opa/2007/08/ehavioral.shtm. Self regulation may be completely voluntary or mandatory (or somewhere in between). Self-regulatory programs and initiatives: Industry Guidelines; Privacy Seals; Privacy Policies.

15 14 Voluntary privacy guidelines: Direct Marketing Association Privacy Promise; Network Advertising Initiative Principles; CTIA Location-based privacy guidelines; Generally Accepted Privacy Principles.

16 15 Privacy policies. Policies let consumers know about a site’s privacy practices. Consumers can then decide whether or not practices are acceptable, when to opt-in or opt-out, and who to do business with. The presence of privacy policies increases consumer trust. What are some problems with privacy policies?

17 16 Privacy policy problems. BUT policies are often: difficult to understand; hard to find; take a long time to read; change without notice?

18 17 Short Notices. Project organized by Hunton & Williams law firm. Short version (short notice) of human-readable policy for web and paper. Also called a “layered notice” - refer to long notice for more detail. Now being called “highlights notice”. Focus on reducing privacy policy to at most 7 boxes. Alternative proposals from privacy advocates focus on check boxes. Interest internationally: http://www.privacyconference2003.org/resolution.asp. Interest in the US for financial privacy notices: http://www.ftc.gov/opa/2003/12/privnoticesjoint.htm

19 18 Acme Company Privacy Notice Highlights (Privacy Notice Highlights Template)
SCOPE: This statement applies to Acme Company and several members of the Acme family of companies.
PERSONAL INFORMATION: We collect information directly from you and maintain information on your activity with us, including your visits to our website. We obtain information, such as your credit report and demographic and lifestyle information, from other information providers.
USES: We use information about you to manage your account and offer you other products and services we think may interest you. We share information about you with our sister companies to offer you products and services. We share information about you with other companies, like insurance companies, to offer you a wider array of jointly-offered products and services. We share information about you with other companies so they can offer you their products and services.
YOUR CHOICES: You may opt out of receiving promotional information from us and our sharing your contact information with other companies. To exercise your choices, call (800) 123-1234 or click on “choice” at ACME.com.
IMPORTANT INFORMATION: You may request information on your billing and payment activities.
HOW TO REACH US: For more information about our privacy policy, write to: Consumer Department, Acme Company, 11 Main Street, Anywhere, NY 10100. Or go to the privacy statement on our website at acme.com.
Dated: May 28, 2002. NY142510v1 5/28/2002. Template prepared by the Notices Project, a program of the Center for Information Policy Leadership at Hunton & Williams. © 2002 Center for Information Policy Leadership

20 19 Checkbox proposal
WE SHARE [DO NOT SHARE] PERSONAL INFORMATION WITH OTHER WEBSITES OR COMPANIES.
Collection (columns: YES, NO):
We collect personal information directly from you
We collect information about you from other sources:
We use cookies on our website
We use web bugs or other invisible collection methods
We install monitoring programs on your computer
Uses: We use information about you to (columns: With Your Consent, Without Your Consent):
Send you advertising mail
Send you electronic mail
Call you on the telephone
Sharing: We allow others to use your information to (columns: With Your Consent, Without Your Consent):
Maintain shared databases about you
Send you advertising mail
Send you electronic mail
Call you on the telephone: N/A, N/A
Access: You can see and correct {ALL, SOME, NONE} of the information we have about you.
Choices: You can opt-out of receiving from (columns: Us, Affiliates, Third Parties):
Advertising mail
Electronic mail
Telemarketing N/A
Retention: We keep your personal data for: {Six Months, Three Years, Forever}
Change: We can change our data use policy {AT ANY TIME, WITH NOTICE TO YOU, ONLY FOR DATA COLLECTED IN THE FUTURE}
Source: Robert Gellman, July 3, 2003

21 20

22 21

23 22 P3P. What is P3P? www.w3.org/P3P/ From a Web site’s perspective: a protocol designed to provide a way for a Web site to encode its privacy statement in a machine-readable format. From a user’s perspective: use a P3P User Agent; configure their privacy preferences; get notification of a Web site’s privacy practices.

24 23 Privacy Bird. Privacy Bird configuration screen: users can choose whether or not to be notified when a site uses financial information for marketing purposes.

25 24 Chirping bird is privacy indicator

26 25 Red bird indicates mismatch

27 Privacy Bird: Notice Approach How about choice?

28 27

29 28

30 29 Privacy Finder: Uses Google or Yahoo! API to retrieve search results; checks each result for P3P policy; evaluates P3P policy against user’s preferences; reorders search results; composes search result page with privacy annotations next to each P3P-enabled result. Users can retrieve a “Privacy Report” similar to the Privacy Bird policy summary.
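
Added example (not from the original slides and not Privacy Finder's or Privacy Bird's own code): the check, evaluate, reorder and annotate flow described on the P3P and Privacy Finder slides, in Python, simplified to P3P compact-policy tokens. The preference keys, the sample URLs and headers, and the match / mismatch / no-policy ordering are assumptions made for illustration.

```python
import re

# Token names are from the W3C P3P 1.0 compact-policy vocabulary.
MARKETING = {"CON", "TEL"}   # purposes: contact, telemarketing
SHARING = {"UNR", "PUB"}     # recipients: unrelated third parties, public
CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"')
TOKEN_RE = re.compile(r"^([A-Z]{3})([aio]?)$")  # a=always, i=opt-in, o=opt-out

def parse_cp(header):
    """Return {token: consent_suffix} from a P3P header value, or None."""
    m = CP_RE.search(header or "")
    if not m:
        return None
    parsed = (TOKEN_RE.match(raw) for raw in m.group(1).split())
    return {t.group(1): t.group(2) for t in parsed if t}  # skip malformed

def mismatches(tokens, prefs):
    """Reasons the policy conflicts with the user's (hypothetical) prefs."""
    # A practice marked 'i' happens only with opt-in consent: no conflict.
    active = {name for name, suffix in tokens.items() if suffix != "i"}
    reasons = []
    if prefs.get("no_financial_marketing") and "FIN" in tokens and active & MARKETING:
        reasons.append("financial data may be used for marketing")
    if prefs.get("no_third_party_sharing") and active & SHARING:
        reasons.append("data may go to unrelated third parties")
    return reasons

def annotate_and_reorder(results, prefs):
    """results: [(url, P3P header or None)] in original search-rank order."""
    rows = []
    for rank, (url, header) in enumerate(results):
        tokens = parse_cp(header)
        if tokens is None:
            group, label, why = 2, "no P3P policy", []
        else:
            why = mismatches(tokens, prefs)
            group, label = (1, "mismatch") if why else (0, "match")
        rows.append((group, rank, url, label, why))
    rows.sort(key=lambda r: r[:2])  # assumed order: match, mismatch, none
    return [(url, label, why) for _, _, url, label, why in rows]

# Constructed sample data: not real sites or real policies.
SAMPLE_RESULTS = [
    ("https://shop-a.example/", 'policyref="/w3c/p3p.xml", CP="NOI CUR CONo OUR UNR FIN"'),
    ("https://shop-b.example/", None),
    ("https://shop-c.example/", 'CP="NOI CUR CONi OUR FIN PUR"'),
    ("https://shop-d.example/", 'CP="NOI CUR ADM OUR NAV"'),
]
PREFS = {"no_financial_marketing": True, "no_third_party_sharing": True}
```

Compact policies do not tie a data category to a purpose, so the financial-marketing check here is conservative: it fires whenever a financial category and a non-opt-in marketing purpose both appear in the same policy.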

31 Thank you! What’s next?

32 SRA 472 Integration of Privacy & Security Conception Foundation Concepts Fair Information Practices Technological Drivers Privacy-Enhancing & Privacy-Invasive Technologies The Platform for Privacy Preferences (P3P) & Design for Privacy Organizational Approaches Building a Privacy Org. Infrastructure IT Governance and Risk Control Profession & Training Professional Associations Career Opportunities Project Presentations Privacy Laws

33 SRA 472: Integration of Privacy and Security Support course for Social Factors & Risk (SFR) and Intelligence Analysis & Modeling (IAM) options of SRA major Substitute for IST402 for the IST major, SRA/ICS option, and the IST and SRA minors. 32

