Jane Turk, Ph.D.
CIS 610
Summer 2003
1
background & perspectives
surveys of current Internet use
children’s online privacy
consumer online privacy
possible solution routes
2
Direct Marketing: > $176 billion a year
over 10,000 compiled & publicly traded databases on market today
private databases, with little or no regulation except in financial industry
ability to capture info about users on Web
target marketing
3
protecting privacy of consumer info is “very” important to consumers
consumers don’t know scope of data maintained on them
strong privacy standards
develop trust in users
encourage development of online commerce
4
companies they patronize will provide their information to other companies without their permission (75%)
their transactions may not be secure (70%)
hackers will steal their personal data (69%)
source: Harris survey, Nov 2001
5
security measures are adequate (90%)
company does not release customer personal data without permission (89%)
access within the company is limited (84%)
company is only collecting info that its privacy policies dictate (84%)
info use or sharing follows stated privacy policies (81%)
source: Harris survey, Nov 2001
6
verify privacy policy by a third party (and 91% would do more business)
online seal of approval does not necessarily verify
BBBOnLine and TRUSTe
audit by major accounting firm
PricewaterhouseCoopers
source: Harris survey, Nov 2001
7
consumers be given:
notice of entity’s info practices
choice/consent with respect to secondary use & dissemination of info collected from or about them
access to info about them
collector assure security & integrity of info
provide enforcement mechanism
8
NYC voter registration site
NJ info on those licensed by state
registries of sex offenders
federal judges’ recommendation to put most civil proceedings online but to restrict criminal proceedings
good source: www.epic.org/privacy/publicrecords
9
Federal Trade Commission:
children are avid consumers and influence spending
information collection targets are ages 8-11
business goal: microtarget individual child
CME 1996 study exposed the issues
10
“snapshot”, not comprehensive survey
126 sites listed by Yahooligans!
results announced Dec 1997
86% of sites surveyed were collecting personally identifiable info on children
fewer than 30% of sites had privacy policy
another review March 1998
11
of 212 sites directed at children
89% collect personally identifiable info directly from children
54% disclose info collection practices
fewer than 10% provide for some form of parental control
12
Children’s Online Privacy Protection Act (1998)
parental consent required for collection, use, disclosure of personal information from children under 13
parents may prevent further use or collection
parents may review information
13
parent
approve kid’s giving email address
totally involved in kid’s giving physical address
order products in parent’s name
kid
can use (false) nickname
never use name and address to buy
14
29% of parents would give identifying info in exchange for a free gift worth $100
45% of kids ages 10-17 would
39% of girls, 54% of boys
parents need help
15
passive files stored on hard drives of Netscape & Microsoft IE users
store a customer ID number for site/network
used by online advertisers to track a user’s movements
profiling, preferences
issue: transparency
16
HTTP is stateless: keeps no information from a connection
with cookies, a Web page can “remember” you from your last visit
enable much of interactivity
customization, shopping baskets
17
cookies, web bugs, URLs, info you provide
anonymous, unless you identify yourself in customer database of the site/network
pages/sites visited
DoubleClick tracks movement on 1500 sites
18
deliver desired content to user
provide information about interests of individual
aggregate info about site
info collected often without knowledge or consent
19
conducts surveillance on a computer
usually placed without knowledge or consent of computer owner
violates basic FIPS
e.g., “phone home” programs, Web bugs, home web monitoring
20
clear GIFs, embedded images
transmit info when page is viewed: where, when
designed to monitor who is viewing page
e.g., HTML mail
recent SW enables detection
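The kind of detection this slide mentions can be approximated by scanning an HTML mail body for tiny or hidden images served from a host other than the sender's. This is an added example, not part of the original slides; the sample mail, the `.example` host names and the helper names `WebBugFinder` and `find_web_bugs` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: an HTML mail body with one ordinary image and two web bugs.
SAMPLE_MAIL = """<html><body>
<p>Spring sale starts today!</p>
<img src="http://www.shop.example/logo.gif" width="120" height="40">
<img src="http://ads.tracker.example/pixel.gif?uid=12345&amp;msg=spring" width="1" height="1">
<img src="http://stats.tracker.example/open.gif?uid=12345" style="display: none">
</body></html>"""

def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    try:
        return int(value.strip().lower().replace("px", "")) <= 1
    except ValueError:
        return False

class WebBugFinder(HTMLParser):
    """Collects <img> tags that are tiny or hidden and fetched from a third-party host."""
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlparse(a.get("src", ""))
        host = (url.hostname or "").lower()
        if not host:
            return  # relative or inline image: no request to another host
        third_party = host != self.first_party and not host.endswith("." + self.first_party)
        reasons = []
        if _tiny(a.get("width", "")) and _tiny(a.get("height", "")):
            reasons.append("1x1 or smaller")
        if "display:none" in a.get("style", "").replace(" ", "").lower():
            reasons.append("hidden")
        if third_party and reasons:
            # Query parameter names show what the request reports back (e.g. a user ID).
            self.findings.append({"host": host, "reasons": reasons,
                                  "params": sorted(parse_qs(url.query))})

def find_web_bugs(html, first_party_host):
    finder = WebBugFinder(first_party_host)
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for finding in find_web_bugs(SAMPLE_MAIL, "shop.example"):
        print(finding)
```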
21
Internet Archive scoops up the Web
postings to Usenet groups are saved in Deja News
now http://groups.google.com
posts to email forums and chat services are searchable
public record
22
sales lost may be $18 billion
older business models may be less effective than privacy-friendly models
lost opportunities and higher costs for imported personal data
“safe harbor” includes complying with FIPS
source: Robert Gellman, “Privacy, Consumers, and Costs”
23
higher prices
stopping junk mail and telemarketing calls
avoiding identity theft
protecting privacy on the Internet
source: Robert Gellman, “Privacy, Consumers, and Costs”
24
education, including
fair information principles
best business practices
industry self-regulation
technology
legislation
25
depends on posted privacy policies
coming: integrated suites of tools
online privacy seal programs
e.g., TRUSTe, BBBOnLine
implement some FIPS and monitor compliance
public audit of privacy policies
e.g., www.thedailyapple.com
26
privacy policy promised never to divulge customer information
certified by TRUSTe
FTC could intervene
bankrupt company advertised “databases and customer lists” for sale
FTC sued to prevent sale of customer info
27
seek to eliminate use of personal data from transactions or give direct control for disclosure of personal information to individual concerned
standard format for ratings systems: Platform for Internet Content Selection
machine-to-machine protocol for data exchange: P3P (Platform for Privacy Preferences)
anonymous use
28
opt-in for sensitive personally identifiable info
opt-out for less sensitive info
follows most FIPS
preempts state legislation on online privacy
29
Adkinson, William et al. “Privacy Online: A report on the information practices and policies of commercial web sites,” March 2002. The Progress and Freedom Foundation.
Center for Democracy and Technology. “Guide to Online Privacy,” http://www.cdt.org/privacy/guide/introduction/
Electronic Privacy Information Center. “Surfer Beware III: Privacy Policies Without Privacy Protection,” Dec. 1999, http://www.epic.org/reports/surfer-beware3.html
30
Federal Trade Commission. “Privacy Online: Fair Information Practices in the Electronic Marketplace,” May 2000, www.ftc.gov/reports/privacy2000/privacy2000.pdf
Gellman, Robert. “Privacy, Consumers, and Costs: how the lack of privacy costs consumers and why business studies of privacy costs are biased and incomplete,” March 2002, www.epic.org/reports/dmfprivacy.html
31
Goldman, Janlori and Zoe Hudson and Richard M. Smith. “Privacy Report on the Privacy Policies and practices of Health Web Sites.” Sponsored by California HealthCare Foundation, January 2000, http://admin.chcf.org/documents/ehealth/privacywebreport.pdf
Pew Internet and American Life Project. “Trust and Privacy Online: Why Americans Want to Rewrite the Rules,” Aug 2000, www.pewinternet.org/reports/pdfs/PIP_Trust_Privacy_Report.pdf
32