Introduction to Privacy January 24, 2006 Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 1 Administrivia Collect homework and human subjects certificates Collect student survey forms Make sure everyone has been getting mailing list messages Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 2 Outline What is privacy? Privacy laws and self-regulation Privacy risks from personalization Reducing privacy risks Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 3 What is privacy? Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 4 What is privacy? “Being alone.” - Shane (age 4) Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 5 Westin “Privacy and Freedom” 1967 “Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others” Privacy is not an absolute Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 6 Privacy as process “Each individual is continually engaged in a personal adjustment process in which he balances the desire for privacy with the desire for disclosure and communication….” - Alan Westin, 1967 Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 7 Westin’s four states of privacy Solitude • individual separated from the group and freed from the observation of other persons Intimacy • individual is part of a small unit Anonymity • individual in public but still seeks and finds freedom from identification and surveillance Reserve • the creation of a psychological barrier against unwanted intrusion - holding back communication Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 8 Different views of privacy Privacy as limited access to self • the extent to which we are known to others and the extent to which others have physical access to us Privacy as control over information • not simply limiting what others know about you, but controlling it • this assumes individual autonomy, that you can control information in a meaningful way (not blind click through, for example) Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 9 Privacy as animal instinct Is privacy necessary for species survival? Eagles eating a deer carcass http://www.learner.org/jnorth/tm/eagle/CaptureE63.html Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 10 Privacy laws and self-regulation Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 11 OECD fair information principles http://www.datenschutzberlin.de/gesetze/internat/ben.htm Collection limitation Data quality Purpose specification Use limitation Security safeguards Openness Individual participation Accountability Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 12 US FTC simplified principles Notice and disclosure Choice and consent Data security Data quality and access Recourse and remedies US Federal Trade Commission, Privacy Online: A Report to Congress (June 1998), http://www.ftc.gov/reports/privacy3/ Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 13 Laws and regulations Privacy laws and regulations vary widely throughout the world US has mostly sector-specific laws, with relatively minimal protections • Federal Trade Commission has jurisdiction over fraud and deceptive practices • Federal Communications Commission regulates telecommunications European Data Protection Directive requires all European Union countries to adopt similar comprehensive privacy laws • Privacy commissions in each country (some countries have national and state commissions) • Many European companies non-compliant with privacy laws (2002 study found majority of UK web sites non-compliant) • Safe Harbor allows US companies to self-certify compliance Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 14 Some US privacy laws Bank Secrecy Act, 1970 Fair Credit Reporting Act, 1971 Privacy Act, 1974 Right to Financial Privacy Act, 1978 Cable TV Privacy Act, 1984 Video Privacy Protection Act, 1988 Family Educational Right to Privacy Act, 1993 Electronic Communications Privacy Act, 1994 Freedom of Information Act, 1966, 1991, 1996 Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 15 US law – recent additions HIPAA (Health Insurance Portability and Accountability Act, 1996) • When implemented, will protect medical records and other individually identifiable health information COPPA (Children‘s Online Privacy Protection Act, 1998) • Web sites that target children must obtain parental consent before collecting personal information from children under the age of 13 GLB (Gramm-Leach-Bliley-Act, 1999) • Requires privacy policy disclosure and opt-out mechanisms from financial service institutions Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 16 Voluntary privacy guidelines Online Privacy Alliance http://www.privacyalliance.org Direct Marketing Association Privacy Promise http://www.thedma.org/library/ privacy/privacypromise.shtml Network Advertising Initiative Principles http://www.networkadvertising.org/ CTIA Location-based privacy guidelines http://www.wowcom.com/news/press/body.cfm?record_id=907 Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 17 Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 18 Chief privacy officers Companies are increasingly appointing CPOs to have a central point of contact for privacy concerns Role of CPO varies in each company • • • • Draft privacy policy Respond to customer concerns Educate employees about company privacy policy Review new products and services for compliance with privacy policy • Develop new initiatives to keep company out front on privacy issue • Monitor pending privacy legislation Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 19 Seal programs TRUSTe – http://www.truste.org BBBOnline – http://www.bbbonline.org CPA WebTrust – http://www.cpawebtrust.org/ Japanese Privacy Mark http://privacymark.org/ Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 20 Seal program problems Certify only compliance with stated policy • Limited ability to detect non-compliance Minimal privacy requirements Don’t address privacy issues that go beyond the web site Nonetheless, reporting requirements are forcing licensees to review their own policies and practices and think carefully before introducing policy changes Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 21 Privacy policies Policies let consumers know about site’s privacy practices Consumers can then decide whether or not practices are acceptable, when to opt-in or opt-out, and who to do business with The presence of privacy policies increases consumer trust What are some problems with privacy policies? Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 22 Privacy policy problems BUT policies are often • • • • difficult to understand hard to find take a long time to read change without notice Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 23 Privacy policy components Identification of site, scope, contact info Security assurances Types of information collected Children’s privacy • Including information about cookies How information is used Conditions under which information might be shared Information about opt-in/opt-out Information about access Information about data retention policies There is lots of information to convey -- but policy should be brief and easy-to-read too! Information about seal programs What is opt-in? What is opt-out? Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 24 Short Notices Project organized by Hunton & Williams law firm • Create short version (short notice) of a human-readable privacy notice for both web sites and paper handouts • Sometimes called a “layered notice” as short version would advise people to refer to long notice for more detail • Now being called “highlights notice” • Focus on reducing privacy policy to at most 7 boxes • Standardized format but only limited standardization of language • Proponents believe highlights format may eventually be mandated by law • A work in progress -- not yet in use Alternative proposals from privacy advocates focus on check boxes Interest Internationally • http://www.privacyconference2003.org/resolution.asp Interest in the US for financial privacy notices • http://www.ftc.gov/opa/2003/12/privnoticesjoint.htm Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 25 Privacy Notice Highlights Template We use information about you to manage your account and offer you other products and services we think may interest you. We share information about you with our sister companies to offer you products and services. We share information about you with other companies, like insurance companies, to offer you a wider array of jointly-offered products and services. We share information about you with other companies so they can offer you their products and services. You may opt out of receiving promotional information from us and our sharing your contact information with other companies. To exercise your choices, call (800) 123-1234 or click on “choice” at ACME.com. You may request information on your billing and payment activities. HOW TO REACH US PERSONAL INFORMATION We collect information directly from you and maintain information on your activity with us, including your visits to our website. We obtain information, such as your credit report and demographic and lifestyle information, from other information providers. USES This statement applies to Acme Company and several members of the Acme family of companies. YOUR CHOICES SCOPE Dated: May 28, 2002 IMPORTANT INFORMATION Template prepared by the Notices Project, a program of the Center for Information Policy Leadership at Hunton & Williams © 2002 Center for Information Policy Leadership NY142510v1 5/28/2002 Acme Company Privacy Notice Highlights For more information about our privacy policy, write to: Consumer Department Acme Company 11 Main Street Anywhere, NY 10100 Or go to the privacy statement on our website at acme.com. Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 26 Checkbox proposal WE SHARE [DO NOT SHARE] PERSONAL INFORMATION WITH OTHER WEBSITES OR COMPANIES. Collection: We collect personal information directly from you We collect information about you from other sources: We use cookies on our website We use web bugs or other invisible collection methods We install monitoring programs on your computer Uses: We use information about you to: Send you advertising mail Send you electronic mail Call you on the telephone Sharing: We allow others to use your information to: Maintain shared databases about you Send you advertising mail Send you electronic mail Call you on the telephone YES NO With Your Consent Without Your Consent With Your Consent N/A Without Your Consent N/A Access: You can see and correct {ALL, SOME, NONE} of the information we have about you. Choices: You can opt-out of receiving from Advertising mail Electronic mail Telemarketing Retention: Change: We keep your personal data for: Us {Six Months Three Years Affiliates Third Parties N/A Forever} We can change our data use policy {AT ANY TIME, WITH NOTICE TO YOU, ONLY FOR DATA COLLECTED IN THE FUTURE} Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 27 Platform for Privacy Preferences Project (P3P) Developed by the World Wide Web Consortium (W3C) http://www.w3.org/p3p/ • Final P3P1.0 Recommendation issued 16 April 2002 Offers an easy way for web sites to communicate about their privacy policies in a standard machine-readable format • Can be deployed using existing web servers Enables the development of tools (built into browsers or separate applications) that • Summarize privacy policies • Compare policies with user preferences • Alert and advise users Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 28 Basic components P3P provides a standard XML format that web sites use to encode their privacy policies Sites also provide XML “policy reference files” to indicate which policy applies to which part of the site Sites can optionally provide a “compact policy” by configuring their servers to issue a special P3P header when cookies are set No special server software required User software to read P3P policies called a “P3P user agent” Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 29 What’s in a P3P policy? Name and contact information for site The kind of access provided Mechanisms for resolving privacy disputes The kinds of data collected How collected data is used, and whether individuals can opt-in or opt-out of any of these uses Whether/when data may be shared and whether there is opt-in or opt-out Data retention policy Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 30 A simple HTTP transaction GET /index.html HTTP/1.1 Host: www.att.com . . . Request web page Web Server HTTP/1.1 200 OK Content-Type: text/html . . . Send web page Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 31 … with P3P 1.0 added GET /w3c/p3p.xml HTTP/1.1 Host: www.att.com Request Policy Reference File Web Server Send Policy Reference File Request P3P Policy Send P3P Policy GET /index.html HTTP/1.1 Host: www.att.com . . . Request web page HTTP/1.1 200 OK Content-Type: text/html . . . Send web page Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 32 P3P increases transparency P3P clients can check a privacy policy each time it changes http://www.att.com/accessatt/ P3P clients can check privacy policies on all objects in a web page, including ads and invisible images http://adforce.imgis.com/?adlink|2|68523|1|146|ADFORCE Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 33 P3P in IE6 Automatic processing of compact policies only; third-party cookies without compact policies blocked by default Privacy icon on status bar indicates that a cookie has been blocked – pop-up appears the first time the privacy icon appears Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 34 Users can click on privacy icon for list of cookies; privacy summaries are available at sites that are P3P-enabled Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 35 Privacy summary report is generated automatically from full P3P policy Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 36 P3P in Netscape 7 Preview version similar to IE6, focusing, on cookies; cookies without compact policies (both first-party and third-party) are “flagged” rather than blocked by default Indicates flagged cookie Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 37 Privacy Bird Free download of beta from http://privacybird.com/ • Origninally developed at AT&T Labs • Released as open source “Browser helper object” for IE6 Reads P3P policies at all P3P-enabled sites automatically Bird icon at top of browser window indicates whether site matches user’s privacy preferences Clicking on bird icon gives more information Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 38 Chirping bird is privacy indicator Red bird indicates mismatch Check embedded content too Privacy settings Example: Sending flowers Privacy Finder Prototype developed at AT&T Labs, improved and deployed by CUPS Uses Google or Yahoo! API to retrieve search results Checks each result for P3P policy Evaluates P3P policy against user’s preferences Reorders search results Composes search result page with privacy annotations next to each P3P-enabled result Users can retrieve “Privacy Report” similar to Privacy Bird policy summary Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 46 Demo P3P Resources For further information on P3P see: • http://www.w3.org/P3P/ • http://p3ptoolbox.org/ • http://p3pbook.com/ Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 48 Privacy risks from personalization Unsolicited marketing Desire to avoid unwanted marketing causes some people to avoid giving out personal information Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 50 My computer can “figure things out about me” The little people inside my computer might know it’s me… … and they might tell their friends Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 51 Inaccurate inferences “My TiVo thinks I’m gay!” Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 52 Surprisingly accurate inferences Everyone wants to be understood. No one wants to be known. Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 53 You thought that on the Internet nobody knew you were a dog… …but then you started getting personalized ads for your favorite brand of dog food Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 54 Price discrimination Concerns about being charged higher prices Concerns about being treated differently Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 55 Revealing private information to other users of a computer Revealing info to family members or co-workers • Gift recipient learns about gifts in advance • Co-workers learn about a medical condition Revealing secrets that can unlock many accounts • Passwords, answers to secret questions, etc. Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 56 The Cranor family’s 25 most frequent grocery purchases (sorted by nutritional value)! Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 57 Exposing secrets to criminals Stalkers, identity thieves, etc. People who break into account may be able to access profile info People may be able to probe recommender systems to learn profile information associated with other users Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 58 Subpoenas Records are often subpoenaed in patent disputes, child custody cases, civil litigation, criminal cases Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 59 Government surveillance Governments increasingly looking for personal records to mine in the name of fighting terrorism People may be subject to investigation even if they have done nothing wrong Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 60 Little Brother as Big Brother QuickTime™ and a TIFF (Uncompressed) decompressor are needed to see this picture. Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 61 Risks may be magnified in future Wireless location tracking Semantic web applications Ubiquitous computing Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 63 If you’re not careful, you may violate data protection laws Some jurisdictions have privacy laws that • Restrict how data is collected and used • Require that you give notice, get consent, or offer privacy-protective options • Impose penalties if personal information is accidentally exposed Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 64 Reducing privacy risks Axes of personalization Tends to be MORE Privacy Invasive Implicit Persistent (profile) System initiated Predication based Tends to be LESS Privacy Invasive Data collection method Duration User involvement Reliance on predictions Explicit Transient (task or session) User initiated Content based Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 66 A variety of approaches to reducing privacy risks No single approach will always work Two types of approaches: • Reduce data collection and storage • Put users in control Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 67 Collection limitation: Pseudonymous profiles Useful for reducing risk and complying with privacy laws when ID is not needed for personalization But, profile may become identifiable because of unique combinations of info, links with log data, unauthorized access to user’s computer, etc. Profile info should always be stored separately from web usage logs and transaction records that might contain IP addresses or PII Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 68 Collection limitation: Client-side profiles Useful for reducing risk and complying with laws Risk of exposure to other users of computer remains; storing encrypted profiles can help Client-side profiles may be stored in cookies replayed to server that discards them after use Client-side scripting may allow personalization without ever sending personal info to the server For some applications, no reason to send data to server Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 69 Collection limitation: Task-based personalization Focus on data associated with current session or task - no user profile need be stored anywhere May allow for simpler (and less expensive) system architecture too! May eliminate problem of system making recommendations that are not relevant to current task Less “spooky” to users - relationship between current task and resultant personalization usually obvious Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 70 Putting users in control Users should be able to control • what information is stored in their profile • how it may be used and disclosed Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 71 Developing good user interface to do this is complicated Setting preferences can be tedious Creating overall rules that can be applied on the fly as new profile data is collected requires deep understanding and ability to anticipate privacy concerns Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 72 Possible approaches Provide reasonable default rules with the ability to add/change rules or specify preferences for handling of specific data • Up front • With each action • After-the-fact Explicit privacy preference prompts during transaction process Allow multiple personae Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 73 Example: Google Search History Amazon.com privacy makeover Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 75 Streamline menu navigation for customization Provide way to set up default rules Every time a user makes a new purchase that they want to rate or exclude they have to edit profile info • There should be a way to set up default rules Exclude all purchases Exclude all purchases shipped to my work address Exclude all movie purchases Exclude all purchases I had gift wrapped Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 77 Remove excluded purchases from profile Users should be able to remove items from profile If purchase records are needed for legal reasons, users should be able to request that they not be accessible online Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 78 Better: options for controlling recent history Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 79 Use personae Amazon already allows users to store multiple credit cards and addresses Why not allow users to create personae linked to each with option of keeping recommendations and history separate (would allow easy way to separate work/home/gift personae)? Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 80 Allow users to access all privacyrelated options in one place Currently privacy-related options are found with relevant features Users have to be aware of features to find the options Put them all in one place But also leave them with relevant features Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 81 I didn’t buy it for myself How about an “I didn’t buy it for myself” checkoff box (perhaps automatically checked if gift wrapping is requested) I didn’t buy it for myself Usable Privacy and Security • Carnegie Mellon University • Spring 2006 • Cranor/Hong/Reiter • http://cups.cs.cmu.edu/courses/ups-sp06/ 82