Introduction to Privacy
January 24, 2006
Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/
Administrivia
Collect homework and human subjects certificates
Collect student survey forms
Make sure everyone has been getting mailing list messages
Outline
What is privacy?
Privacy laws and self-regulation
Privacy risks from personalization
Reducing privacy risks
What is privacy?
What is privacy?
“Being alone.”
- Shane (age 4)
Westin “Privacy and Freedom” 1967
“Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others”
Privacy is not an absolute
Privacy as process
“Each individual is continually engaged in a personal adjustment process in which he balances the desire for privacy with the desire for disclosure and communication….”
- Alan Westin, 1967
Westin’s four states of privacy
- Solitude
  • individual separated from the group and freed from the observation of other persons
- Intimacy
  • individual is part of a small unit
- Anonymity
  • individual in public but still seeks and finds freedom from identification and surveillance
- Reserve
  • the creation of a psychological barrier against unwanted intrusion - holding back communication
Different views of privacy
Privacy as limited access to self
  • the extent to which we are known to others and the extent to which others have physical access to us
Privacy as control over information
  • not simply limiting what others know about you, but controlling it
  • this assumes individual autonomy, that you can control information in a meaningful way (not blind click through, for example)
Privacy as animal instinct
Is privacy necessary for species survival?
Eagles eating a deer carcass http://www.learner.org/jnorth/tm/eagle/CaptureE63.html
Privacy laws and self-regulation
OECD fair information principles
http://www.datenschutzberlin.de/gesetze/internat/ben.htm
- Collection limitation
- Data quality
- Purpose specification
- Use limitation
- Security safeguards
- Openness
- Individual participation
- Accountability
US FTC simplified principles
- Notice and disclosure
- Choice and consent
- Data security
- Data quality and access
- Recourse and remedies
US Federal Trade Commission, Privacy Online: A Report to Congress (June 1998), http://www.ftc.gov/reports/privacy3/
Laws and regulations
- Privacy laws and regulations vary widely throughout the world
- US has mostly sector-specific laws, with relatively minimal protections
  • Federal Trade Commission has jurisdiction over fraud and deceptive practices
  • Federal Communications Commission regulates telecommunications
- European Data Protection Directive requires all European Union countries to adopt similar comprehensive privacy laws
  • Privacy commissions in each country (some countries have national and state commissions)
  • Many European companies non-compliant with privacy laws (2002 study found majority of UK web sites non-compliant)
  • Safe Harbor allows US companies to self-certify compliance
Some US privacy laws
- Bank Secrecy Act, 1970
- Fair Credit Reporting Act, 1971
- Privacy Act, 1974
- Right to Financial Privacy Act, 1978
- Cable TV Privacy Act, 1984
- Video Privacy Protection Act, 1988
- Family Educational Right to Privacy Act, 1993
- Electronic Communications Privacy Act, 1994
- Freedom of Information Act, 1966, 1991, 1996
US law – recent additions
- HIPAA (Health Insurance Portability and Accountability Act, 1996)
  • When implemented, will protect medical records and other individually identifiable health information
- COPPA (Children’s Online Privacy Protection Act, 1998)
  • Web sites that target children must obtain parental consent before collecting personal information from children under the age of 13
- GLB (Gramm-Leach-Bliley Act, 1999)
  • Requires privacy policy disclosure and opt-out mechanisms from financial service institutions
Voluntary privacy guidelines
- Online Privacy Alliance
  http://www.privacyalliance.org
- Direct Marketing Association Privacy Promise
  http://www.thedma.org/library/privacy/privacypromise.shtml
- Network Advertising Initiative Principles
  http://www.networkadvertising.org/
- CTIA Location-based privacy guidelines
  http://www.wowcom.com/news/press/body.cfm?record_id=907
Chief privacy officers
- Companies are increasingly appointing CPOs to have a central point of contact for privacy concerns
- Role of CPO varies in each company
  • Draft privacy policy
  • Respond to customer concerns
  • Educate employees about company privacy policy
  • Review new products and services for compliance with privacy policy
  • Develop new initiatives to keep company out front on privacy issue
  • Monitor pending privacy legislation
Seal programs
- TRUSTe – http://www.truste.org
- BBBOnline – http://www.bbbonline.org
- CPA WebTrust – http://www.cpawebtrust.org/
- Japanese Privacy Mark – http://privacymark.org/
Seal program problems
- Certify only compliance with stated policy
  • Limited ability to detect non-compliance
- Minimal privacy requirements
- Don’t address privacy issues that go beyond the web site
- Nonetheless, reporting requirements are forcing licensees to review their own policies and practices and think carefully before introducing policy changes
Privacy policies
Policies let consumers know about site’s privacy practices
Consumers can then decide whether or not practices are acceptable, when to opt-in or opt-out, and who to do business with
The presence of privacy policies increases consumer trust
What are some problems with privacy policies?
Privacy policy problems
BUT policies are often
  • difficult to understand
  • hard to find
  • take a long time to read
  • change without notice
Privacy policy components
- Identification of site, scope, contact info
- Security assurances
- Types of information collected
  • Including information about cookies
- Children’s privacy
- How information is used
- Conditions under which information might be shared
- Information about opt-in/opt-out
- Information about access
- Information about data retention policies
- Information about seal programs
There is lots of information to convey -- but policy should be brief and easy-to-read too!
What is opt-in? What is opt-out?
Short Notices
- Project organized by Hunton & Williams law firm
  • Create short version (short notice) of a human-readable privacy notice for both web sites and paper handouts
  • Sometimes called a “layered notice” as short version would advise people to refer to long notice for more detail
  • Now being called “highlights notice”
  • Focus on reducing privacy policy to at most 7 boxes
  • Standardized format but only limited standardization of language
  • Proponents believe highlights format may eventually be mandated by law
  • A work in progress -- not yet in use
- Alternative proposals from privacy advocates focus on check boxes
- Interest internationally
  • http://www.privacyconference2003.org/resolution.asp
- Interest in the US for financial privacy notices
  • http://www.ftc.gov/opa/2003/12/privnoticesjoint.htm
Privacy Notice Highlights Template
Acme Company Privacy Notice Highlights
Dated: May 28, 2002
SCOPE
This statement applies to Acme Company and several members of the Acme family of companies.
PERSONAL INFORMATION
We collect information directly from you and maintain information on your activity with us, including your visits to our website.
We obtain information, such as your credit report and demographic and lifestyle information, from other information providers.
USES
We use information about you to manage your account and offer you other products and services we think may interest you.
We share information about you with our sister companies to offer you products and services.
We share information about you with other companies, like insurance companies, to offer you a wider array of jointly-offered products and services.
We share information about you with other companies so they can offer you their products and services.
YOUR CHOICES
You may opt out of receiving promotional information from us and our sharing your contact information with other companies. To exercise your choices, call (800) 123-1234 or click on “choice” at ACME.com.
IMPORTANT INFORMATION
You may request information on your billing and payment activities.
HOW TO REACH US
For more information about our privacy policy, write to: Consumer Department, Acme Company, 11 Main Street, Anywhere, NY 10100. Or go to the privacy statement on our website at acme.com.
Template prepared by the Notices Project, a program of the Center for Information Policy Leadership at Hunton & Williams. © 2002 Center for Information Policy Leadership
Checkbox proposal
WE SHARE [DO NOT SHARE] PERSONAL INFORMATION WITH OTHER WEBSITES OR COMPANIES.
Collection:                                                  YES   NO
  We collect personal information directly from you          [ ]   [ ]
  We collect information about you from other sources        [ ]   [ ]
  We use cookies on our website                              [ ]   [ ]
  We use web bugs or other invisible collection methods      [ ]   [ ]
  We install monitoring programs on your computer            [ ]   [ ]
Uses: We use information about you to:      With Your Consent   Without Your Consent
  Send you advertising mail                        [ ]                  [ ]
  Send you electronic mail                         [ ]                  [ ]
  Call you on the telephone                        [ ]                  [ ]
Sharing: We allow others to use your information to:   With Your Consent   Without Your Consent   N/A
  Maintain shared databases about you                        [ ]                  [ ]            [ ]
  Send you advertising mail                                  [ ]                  [ ]            [ ]
  Send you electronic mail                                   [ ]                  [ ]            [ ]
  Call you on the telephone                                  [ ]                  [ ]            [ ]
Access: You can see and correct {ALL, SOME, NONE} of the information we have about you.
Choices: You can opt-out of receiving from:    Us    Affiliates    Third Parties    N/A
  Advertising mail                             [ ]      [ ]             [ ]          [ ]
  Electronic mail                              [ ]      [ ]             [ ]          [ ]
  Telemarketing                                [ ]      [ ]             [ ]          [ ]
Retention: We keep your personal data for: {Six Months, Three Years, Forever}
Change: We can change our data use policy {AT ANY TIME, WITH NOTICE TO YOU, ONLY FOR DATA COLLECTED IN THE FUTURE}
Platform for Privacy Preferences Project (P3P)
- Developed by the World Wide Web Consortium (W3C) http://www.w3.org/p3p/
  • Final P3P1.0 Recommendation issued 16 April 2002
- Offers an easy way for web sites to communicate about their privacy policies in a standard machine-readable format
  • Can be deployed using existing web servers
- Enables the development of tools (built into browsers or separate applications) that
  • Summarize privacy policies
  • Compare policies with user preferences
  • Alert and advise users
Basic components
- P3P provides a standard XML format that web sites use to encode their privacy policies
- Sites also provide XML “policy reference files” to indicate which policy applies to which part of the site
- Sites can optionally provide a “compact policy” by configuring their servers to issue a special P3P header when cookies are set
- No special server software required
- User software to read P3P policies called a “P3P user agent”
What’s in a P3P policy?
- Name and contact information for site
- The kind of access provided
- Mechanisms for resolving privacy disputes
- The kinds of data collected
- How collected data is used, and whether individuals can opt-in or opt-out of any of these uses
- Whether/when data may be shared and whether there is opt-in or opt-out
- Data retention policy
A simple HTTP transaction
Client -> Web Server: Request web page
GET /index.html HTTP/1.1
Host: www.att.com
. . .
Web Server -> Client: Send web page
HTTP/1.1 200 OK
Content-Type: text/html
. . .
… with P3P 1.0 added
Client -> Web Server: Request Policy Reference File
GET /w3c/p3p.xml HTTP/1.1
Host: www.att.com
Web Server -> Client: Send Policy Reference File
Client -> Web Server: Request P3P Policy
Web Server -> Client: Send P3P Policy
Client -> Web Server: Request web page
GET /index.html HTTP/1.1
Host: www.att.com
. . .
Web Server -> Client: Send web page
HTTP/1.1 200 OK
Content-Type: text/html
. . .
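Added example of the fetch sequence above, written for these notes and not taken from the slides or from AT&T: a minimal P3P 1.0 user agent that retrieves the policy reference file from the well-known location, works out which policy covers a requested path (INCLUDE/EXCLUDE patterns), fetches that policy, and only then requests the page. The server is an in-memory stand-in for www.att.com; both XML documents and the /accessatt/ split are constructed for the example.

```python
# Added example (not from the slides or from AT&T): a minimal P3P 1.0 user agent
# performing the fetch sequence above against a constructed, in-memory server.
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"
WELL_KNOWN = "/w3c/p3p.xml"  # well-known location of the policy reference file

# Constructed stand-in for www.att.com: path -> response body. The two XML
# documents are invented for this example and are not AT&T's real files.
SERVER = {
    "/w3c/p3p.xml": """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="/w3c/policies.xml#general">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/accessatt/*</EXCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/w3c/policies.xml#accounts">
      <INCLUDE>/accessatt/*</INCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>""",
    "/w3c/policies.xml": """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="general" discuri="http://www.att.com/privacy.html">
    <STATEMENT><PURPOSE><current/><admin/></PURPOSE></STATEMENT>
  </POLICY>
  <POLICY name="accounts" discuri="http://www.att.com/privacy.html">
    <STATEMENT><PURPOSE><current/><contact/></PURPOSE></STATEMENT>
  </POLICY>
</POLICIES>""",
    "/index.html": "<html>...</html>",
}

def http_get(path):
    """Stand-in for 'GET <path> HTTP/1.1' / 'Host: www.att.com'."""
    return SERVER.get(path)

def path_matches(pattern, path):
    """INCLUDE/EXCLUDE patterns: '*' matches any run of characters."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), path) is not None

def policy_for(url):
    """Round trip 1: fetch the policy reference file and return the 'about' URI
    of the first POLICY-REF whose INCLUDE matches the path and whose EXCLUDE
    does not. None means no P3P policy covers this resource."""
    path = urlsplit(url).path or "/"
    body = http_get(WELL_KNOWN)
    if body is None:
        return None
    for ref in ET.fromstring(body).iter(P3P_NS + "POLICY-REF"):
        inc = any(path_matches(e.text, path) for e in ref.findall(P3P_NS + "INCLUDE"))
        exc = any(path_matches(e.text, path) for e in ref.findall(P3P_NS + "EXCLUDE"))
        if inc and not exc:
            return ref.get("about")
    return None

def fetch_policy(about):
    """Round trip 2: fetch the policies file and select the POLICY named by the
    URI fragment."""
    path, _, fragment = about.partition("#")
    body = http_get(path)
    if body is None:
        return None
    for pol in ET.fromstring(body).iter(P3P_NS + "POLICY"):
        if pol.get("name") == fragment:
            return pol
    return None

def declared_purposes(url):
    """Whole sequence from the slide: reference file, policy, then the page.
    Returns the sorted PURPOSE values declared for url, or None."""
    about = policy_for(url)
    pol = fetch_policy(about) if about else None
    if pol is None:
        return None
    purposes = set()
    for st in pol.iter(P3P_NS + "STATEMENT"):
        grp = st.find(P3P_NS + "PURPOSE")
        if grp is not None:
            purposes.update(child.tag.replace(P3P_NS, "") for child in grp)
    http_get(urlsplit(url).path)  # round trip 3: the page itself
    return sorted(purposes)
```

Calling `declared_purposes("http://www.att.com/index.html")` walks the three round trips and returns `["admin", "current"]`; a path under /accessatt/ resolves to the second policy instead. First-match-wins ordering of POLICY-REF elements is a simplification chosen for the example.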
P3P increases transparency
- P3P clients can check a privacy policy each time it changes
  http://www.att.com/accessatt/
- P3P clients can check privacy policies on all objects in a web page, including ads and invisible images
  http://adforce.imgis.com/?adlink|2|68523|1|146|ADFORCE
P3P in IE6
Automatic processing of compact policies only; third-party cookies without compact policies blocked by default
Privacy icon on status bar indicates that a cookie has been blocked – pop-up appears the first time the privacy icon appears
Users can click on privacy icon for list of cookies; privacy summaries are available at sites that are P3P-enabled
Privacy summary report is generated automatically from full P3P policy
P3P in Netscape 7
Preview version similar to IE6, focusing on cookies; cookies without compact policies (both first-party and third-party) are “flagged” rather than blocked by default
Indicates flagged cookie
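Added example covering the IE6 and Netscape 7 slides above; it is written for these notes and is not code from the slides, Microsoft or Netscape. It applies the two default rules the slides state (IE6: a third-party cookie with no compact policy is blocked; Netscape 7: any cookie with no compact policy is flagged) to constructed HTTP responses. The hosts, cookie names, CP tokens and the two-label first-party test are assumptions made for the example; grading the compact-policy tokens against a user's privacy level is not modelled.

```python
# Added example (not from the slides, Microsoft or Netscape): the default
# cookie rules the two slides describe, applied to constructed HTTP responses.
import re
from urllib.parse import urlsplit

def site_of(url):
    """Crude first-party test: last two host labels. Assumption for the
    example; real browsers use public-suffix rules."""
    return ".".join(urlsplit(url).hostname.lower().split(".")[-2:])

def compact_policy(headers):
    """Tokens of a 'P3P: CP="..."' response header, or None when absent."""
    value = headers.get("P3P")
    if value is None:
        return None
    m = re.search(r'CP\s*=\s*"([^"]*)"', value)
    return m.group(1).split() if m else None

def cookie_decision(browser, page_url, response_url, headers):
    """'accept', 'block', 'flag' or 'no-cookie' for the Set-Cookie in one
    response, following the slides:
      ie6       - compact policies only; a third-party cookie with no compact
                  policy is blocked by default.
      netscape7 - any cookie, first- or third-party, with no compact policy is
                  flagged rather than blocked.
    A cookie that carries a compact policy is accepted here; grading the CP
    tokens against the user's privacy slider is not modelled."""
    if "Set-Cookie" not in headers:
        return "no-cookie"
    cp = compact_policy(headers)
    third_party = site_of(page_url) != site_of(response_url)
    if browser == "ie6":
        return "block" if third_party and cp is None else "accept"
    if browser == "netscape7":
        return "flag" if cp is None else "accept"
    raise ValueError(f"unknown browser profile: {browser}")

# Constructed responses fetched while viewing a page on www.example.test
PAGE = "http://www.example.test/index.html"
FIRST_PARTY_NO_CP = ("http://www.example.test/index.html",
                     {"Content-Type": "text/html", "Set-Cookie": "session=c0ffee"})
AD_NO_CP = ("http://ads.adnetwork.test/banner.gif",
            {"Content-Type": "image/gif", "Set-Cookie": "uid=1234"})
AD_WITH_CP = ("http://ads.adnetwork.test/banner.gif",
              {"Content-Type": "image/gif", "Set-Cookie": "uid=1234",
               "P3P": 'CP="NID DSP COR CURa ADMa"'})  # constructed token set

def status_bar(browser):
    """Decisions for the three responses plus whether the IE6-style privacy
    icon would appear (it does when at least one cookie was blocked)."""
    samples = {"first": FIRST_PARTY_NO_CP, "ad": AD_NO_CP, "ad_cp": AD_WITH_CP}
    decisions = {name: cookie_decision(browser, PAGE, url, hdrs)
                 for name, (url, hdrs) in samples.items()}
    decisions["privacy_icon"] = "block" in decisions.values()
    return decisions
```

`status_bar("ie6")` reports the ad-network cookie without a CP header as blocked and raises the privacy icon; `status_bar("netscape7")` flags both cookies that lack a compact policy and blocks nothing.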
Privacy Bird
- Free download of beta from http://privacybird.com/
  • Originally developed at AT&T Labs
  • Released as open source
- “Browser helper object” for IE6
- Reads P3P policies at all P3P-enabled sites automatically
- Bird icon at top of browser window indicates whether site matches user’s privacy preferences
- Clicking on bird icon gives more information
Chirping bird is privacy indicator
Red bird indicates mismatch
Check embedded content too
Privacy settings
Example: Sending flowers
Privacy Finder
- Prototype developed at AT&T Labs, improved and deployed by CUPS
- Uses Google or Yahoo! API to retrieve search results
- Checks each result for P3P policy
- Evaluates P3P policy against user’s preferences
- Reorders search results
- Composes search result page with privacy annotations next to each P3P-enabled result
- Users can retrieve “Privacy Report” similar to Privacy Bird policy summary
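Added example for the Privacy Bird and Privacy Finder slides above, written for these notes; it is not code from either tool, from AT&T Labs or from CUPS. It evaluates a P3P policy against a user's preferences (the red/green bird verdict) and then reorders a list of search results by that verdict. The two florist policies, the search results, the refusal-based preference format and the match/mismatch/no-P3P ordering are all constructed for the example; the element and value names follow P3P 1.0 (PURPOSE, RECIPIENT, RETENTION and their `required` attribute).

```python
# Added example (not from the slides, AT&T Labs or CUPS): evaluating a P3P
# policy against user preferences, as Privacy Bird does, and reordering search
# results by the verdict, as Privacy Finder does. Policies and results are
# constructed; the preference format and ordering scheme are this example's.
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2002/01/P3Pv1}"

def declared(policy_xml, element):
    """(value, required) pairs under <element> (PURPOSE, RECIPIENT or
    RETENTION) across all STATEMENTs; required defaults to 'always'."""
    found = set()
    for st in ET.fromstring(policy_xml).iter(NS + "STATEMENT"):
        grp = st.find(NS + element)
        if grp is not None:
            found.update((c.tag.replace(NS, ""), c.get("required", "always")) for c in grp)
    return found

def evaluate(policy_xml, prefs):
    """prefs maps PURPOSE/RECIPIENT/RETENTION to the values the user refuses.
    A refused value the site applies 'always' or 'opt-out' is a mismatch; a
    refused value offered only 'opt-in' is tolerated because the user can
    simply decline it. Returns ('match' | 'mismatch', sorted reasons)."""
    reasons = []
    for element, refused in prefs.items():
        for value, required in declared(policy_xml, element):
            if value in refused and required != "opt-in":
                reasons.append(f"{element.lower()} {value} ({required})")
    return ("mismatch" if reasons else "match", sorted(reasons))

def privacy_finder(results, prefs):
    """results: [(url, policy_xml or None)] in search-engine order. Returns
    [(url, verdict)] with matches first, then mismatches, then sites with no
    P3P policy; engine order is kept within each group (stable sort)."""
    rank = {"match": 0, "mismatch": 1, "no-p3p": 2}
    annotated = [(url, "no-p3p" if xml is None else evaluate(xml, prefs)[0])
                 for url, xml in results]
    return sorted(annotated, key=lambda r: rank[r[1]])

# A user's preferences for the "sending flowers" scenario (constructed)
PREFS = {
    "PURPOSE": {"telemarketing", "contact"},
    "RECIPIENT": {"unrelated", "public"},
    "RETENTION": {"indefinitely"},
}

def florist(name, purposes, recipients, retention):
    """Build a small constructed P3P policy; purposes is [(value, required)]."""
    p = "".join(f'<{v} required="{r}"/>' for v, r in purposes)
    rc = "".join(f"<{v}/>" for v in recipients)
    return (f'<POLICY xmlns="http://www.w3.org/2002/01/P3Pv1" name="{name}" '
            f'discuri="http://{name}.example/privacy.html"><STATEMENT>'
            f"<PURPOSE>{p}</PURPOSE><RECIPIENT>{rc}</RECIPIENT>"
            f"<RETENTION><{retention}/></RETENTION>"
            '<DATA-GROUP><DATA ref="#user.name"/></DATA-GROUP></STATEMENT></POLICY>')

FLORIST_A = florist("florist-a", [("current", "always"), ("admin", "always")],
                    ["ours"], "stated-purpose")
FLORIST_B = florist("florist-b", [("current", "always"), ("telemarketing", "opt-in")],
                    ["ours", "unrelated"], "business-practices")
RESULTS = [("http://florist-b.example/", FLORIST_B),
           ("http://bouquets.example/", None),
           ("http://florist-a.example/", FLORIST_A)]
```

With these inputs florist-a gets a green bird, florist-b a red one (it shares data with unrelated recipients unconditionally; its opt-in telemarketing is tolerated), and `privacy_finder(RESULTS, PREFS)` moves florist-a to the top while leaving the engine's order inside each group untouched.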
Demo
P3P Resources
- For further information on P3P see:
  • http://www.w3.org/P3P/
  • http://p3ptoolbox.org/
  • http://p3pbook.com/
Privacy risks from personalization
Unsolicited marketing
Desire to avoid unwanted marketing causes some people to avoid giving out personal information
My computer can “figure things out about me”
The little people inside my computer might know it’s me… and they might tell their friends
Inaccurate inferences
“My TiVo thinks I’m gay!”
Surprisingly accurate inferences
Everyone wants to be understood.
No one wants to be known.
You thought that on the Internet nobody knew you were a dog…
…but then you started getting personalized ads for your favorite brand of dog food
Price discrimination
Concerns about being charged higher prices
Concerns about being treated differently
Revealing private information to
other users of a computer
- Revealing info to family members or co-workers
  • Gift recipient learns about gifts in advance
  • Co-workers learn about a medical condition
- Revealing secrets that can unlock many accounts
  • Passwords, answers to secret questions, etc.
The Cranor family’s 25 most frequent grocery purchases (sorted by nutritional value)!
Exposing secrets to criminals
Stalkers, identity thieves, etc.
People who break into account may be able to access profile info
People may be able to probe recommender systems to learn profile information associated with other users
Subpoenas
Records are often subpoenaed in patent disputes, child custody cases, civil litigation, criminal cases
Government surveillance
Governments increasingly looking for personal records to mine in the name of fighting terrorism
People may be subject to investigation even if they have done nothing wrong
Little Brother as Big Brother
Risks may be magnified in future
Wireless location tracking
Semantic web applications
Ubiquitous computing
If you’re not careful, you may violate data protection laws
Some jurisdictions have privacy laws that
  • Restrict how data is collected and used
  • Require that you give notice, get consent, or offer privacy-protective options
  • Impose penalties if personal information is accidentally exposed
Reducing privacy risks
Axes of personalization
Axis                      Tends to be MORE privacy invasive   Tends to be LESS privacy invasive
Data collection method    Implicit                            Explicit
Duration                  Persistent (profile)                Transient (task or session)
User involvement          System initiated                    User initiated
Reliance on predictions   Prediction based                    Content based
A variety of approaches to reducing privacy risks
No single approach will always work
Two types of approaches:
  • Reduce data collection and storage
  • Put users in control
Collection limitation: Pseudonymous profiles
- Useful for reducing risk and complying with privacy laws when ID is not needed for personalization
- But, profile may become identifiable because of unique combinations of info, links with log data, unauthorized access to user’s computer, etc.
- Profile info should always be stored separately from web usage logs and transaction records that might contain IP addresses or PII
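Added example for the pseudonymous-profiles slide above, written for these notes and not taken from the slides: a profile store keyed only by a pseudonym, kept in a separate store from the access log that carries IP addresses and account ids, with a check that the two stores share no field they could be joined on. The keyed-hash pseudonym, the field allow-list and all records are this example's constructed design choices, not a method the slides prescribe.

```python
# Added example (not from the slides): a pseudonymous profile store kept apart
# from the access log. Records are constructed; the keyed-hash pseudonym and the
# field allow-list are this example's design choices.
import hashlib
import hmac

# Held only by the personalization service; never written to logs (assumption).
PSEUDONYM_KEY = b"constructed-example-key"

def pseudonym(account_id):
    """Keyed one-way mapping account -> profile key. Without the key a profile
    row cannot be linked back to an account."""
    return hmac.new(PSEUDONYM_KEY, account_id.encode(), hashlib.sha256).hexdigest()[:16]

class ProfileStore:
    """Interest profile keyed by pseudonym only: no account id, e-mail or IP
    column exists, and an allow-list stops PII creeping in later."""
    ALLOWED_FIELDS = {"interests", "last_category"}

    def __init__(self):
        self._rows = {}

    def update(self, account_id, **fields):
        bad = set(fields) - self.ALLOWED_FIELDS
        if bad:
            raise ValueError(f"refusing non-profile fields: {sorted(bad)}")
        self._rows.setdefault(pseudonym(account_id), {}).update(fields)

    def get(self, account_id):
        return dict(self._rows.get(pseudonym(account_id), {}))

    def rows(self):
        return dict(self._rows)

class AccessLog:
    """Separate store for operations: IP, account and path, but no profile
    content and no pseudonym, so log and profile rows share no join key."""
    def __init__(self):
        self.rows = []

    def write(self, ip, account_id, path):
        self.rows.append({"ip": ip, "account_id": account_id, "path": path})

def personalize(ip, account_id, path, profiles, log):
    """Per request: log the hit, derive the pseudonym in memory, read the
    profile, and return the category to feature ('general' when unknown)."""
    log.write(ip, account_id, path)
    return profiles.get(account_id).get("last_category", "general")

def shared_fields(profiles, log):
    """Separation check: field names present in both stores. Must be empty,
    otherwise the two stores can be joined (pseudonym counts as a field)."""
    profile_fields = {"pseudonym"} | {k for row in profiles.rows().values() for k in row}
    log_fields = {k for row in log.rows for k in row}
    return profile_fields & log_fields

def demo():
    """Constructed walk-through returning (featured category, shared fields,
    whether the raw account id appears anywhere in the profile store)."""
    profiles, log = ProfileStore(), AccessLog()
    profiles.update("alice@example.test", interests=["gardening"], last_category="tools")
    featured = personalize("203.0.113.7", "alice@example.test", "/index.html", profiles, log)
    leaked = "alice@example.test" in repr(profiles.rows())
    return featured, shared_fields(profiles, log), leaked
```

The slide's first caveat still applies: a profile can become identifying through a unique combination of attributes even when no identifier is stored, so the allow-list limits what the profile may hold, and `shared_fields` is the kind of check that catches a later change which starts writing the pseudonym into the log.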
Collection limitation: Client-side profiles
- Useful for reducing risk and complying with laws
- Risk of exposure to other users of computer remains; storing encrypted profiles can help
- Client-side profiles may be stored in cookies replayed to server that discards them after use
- Client-side scripting may allow personalization without ever sending personal info to the server
- For some applications, no reason to send data to server
Collection limitation: Task-based personalization
- Focus on data associated with current session or task - no user profile need be stored anywhere
- May allow for simpler (and less expensive) system architecture too!
- May eliminate problem of system making recommendations that are not relevant to current task
- Less “spooky” to users - relationship between current task and resultant personalization usually obvious
Putting users in control
Users should be able to control
  • what information is stored in their profile
  • how it may be used and disclosed
Developing good user interface to do this is complicated
Setting preferences can be tedious
Creating overall rules that can be applied on the fly as new profile data is collected requires deep understanding and ability to anticipate privacy concerns
Possible approaches
- Provide reasonable default rules with the ability to add/change rules or specify preferences for handling of specific data
  • Up front
  • With each action
  • After-the-fact
- Explicit privacy preference prompts during transaction process
- Allow multiple personae
Example: Google Search History
Amazon.com privacy makeover
Streamline menu navigation for customization
Provide way to set up default rules
Every time a user makes a new purchase that they want to rate or exclude they have to edit profile info
  • There should be a way to set up default rules
    - Exclude all purchases
    - Exclude all purchases shipped to my work address
    - Exclude all movie purchases
    - Exclude all purchases I had gift wrapped
Remove excluded purchases from profile
- Users should be able to remove items from profile
- If purchase records are needed for legal reasons, users should be able to request that they not be accessible online
Better: options for controlling recent history
Use personae
Amazon already allows users to store multiple credit cards and addresses
Why not allow users to create personae linked to each with option of keeping recommendations and history separate (would allow easy way to separate work/home/gift personae)?
Allow users to access all privacy-related options in one place
Currently privacy-related options are found with relevant features
Users have to be aware of features to find the options
Put them all in one place
But also leave them with relevant features
I didn’t buy it for myself
How about an “I didn’t buy it for myself” checkoff box (perhaps automatically checked if gift wrapping is requested)
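Added example tying together the Amazon makeover proposals from the preceding slides (default exclusion rules such as “exclude all purchases shipped to my work address”, the personae idea, and the “I didn’t buy it for myself” box that is pre-checked when gift wrapping is requested). It is written for these notes and is not Amazon's code; the purchase records, the rule names and the rule format are constructed for the example.

```python
# Added example (not from the slides and not Amazon's code): default exclusion
# rules for a purchase-based recommendation profile, including the
# "I didn't buy it for myself" box that is pre-checked when gift wrapping is
# requested, plus the personae variant (one profile per shipping address).
# Purchases and the rule format are constructed for this example.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Purchase:
    item: str
    category: str
    ship_to: str                       # address label: "home", "work", ...
    gift_wrap: bool = False
    not_for_me: Optional[bool] = None  # the checkoff box; None = left untouched

def not_for_me(p):
    """Checkbox semantics: pre-checked when gift wrapping was requested, but an
    explicit user choice (True/False) wins over the default."""
    return p.gift_wrap if p.not_for_me is None else p.not_for_me

# A rule is name -> predicate; a purchase matching any selected rule stays out
# of the profile. Users edit the rule list once instead of every purchase.
RULES = {
    "all purchases": lambda p: True,
    "shipped to work": lambda p: p.ship_to == "work",
    "movies": lambda p: p.category == "movies",
    "gift wrapped": lambda p: p.gift_wrap,
    "not for me": not_for_me,
}
DEFAULT_RULE_SET = ["not for me"]  # reasonable default the user can change

def excluded_by(p, rule_names):
    return [name for name in rule_names if RULES[name](p)]

def build_profile(purchases, rule_names):
    """Apply the rules on the fly as purchases arrive. Returns the items that
    feed recommendations and, for transparency, why each other item was
    left out."""
    included, left_out = [], {}
    for p in purchases:
        why = excluded_by(p, rule_names)
        if why:
            left_out[p.item] = why
        else:
            included.append(p.item)
    return included, left_out

def profiles_by_persona(purchases, rule_names):
    """Personae variant: one profile per shipping address, so work purchases
    never shape home recommendations."""
    out = {}
    for p in purchases:
        if not excluded_by(p, rule_names):
            out.setdefault(p.ship_to, []).append(p.item)
    return out

# Constructed purchase history
HISTORY = [
    Purchase("garden hose", "garden", "home"),
    Purchase("stapler", "office", "work"),
    Purchase("film noir box set", "movies", "home"),
    Purchase("teddy bear", "toys", "home", gift_wrap=True),
    Purchase("cookbook", "books", "home", gift_wrap=True, not_for_me=False),
]
```

`build_profile(HISTORY, DEFAULT_RULE_SET + ["shipped to work", "movies"])` keeps only the garden hose and the cookbook (the user explicitly unchecked the box on the wrapped cookbook), and reports the rule that excluded each of the others, which is what a “why was this left out?” view needs.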