An Analysis of P3P Deployment
Hyun Jin Kim
Sensitive Information in a Wired World
November 11, 2003

Introduction
- Privacy Policies
  - US self-regulatory approach to online privacy protection
  - Description of a company’s data practices
  - What information they collect from individuals and what they do with it

P3P Specifications
- Developed by World Wide Web Consortium (W3C) over 5 years of work
- Became an official W3C “Recommendation” just over a year ago on April 16, 2002

P3P Specifications

P3P Evaluation System Design
- Automated process to measure P3P adoption and gather data from P3P-enabled web sites
- By Lorrie Faith Cranor, Simon Byers, and David Kormann (AT&T Labs-Research)
- Five major components
  - URL Collection Mechanism
  - P3P Policy Retriever
  - Scripted Interface to the W3C P3P Validator
  - P3P Policy Evaluator
  - Generic Data Analysis Tools

URL Collector
- To identify sets of sites of interest
  - Existing lists of URLs
  - Newly constructed lists that focus on particular web sites
- Web spidering technique
  - Gather information from web directories and other sources

P3P Policy Retriever
- Perl script to retrieve P3P information
  - All policies, policy reference files, compact header policies

P3P Validator
- W3C P3P Validator
  - Fetches P3P policy reference files, policy files and compact policies
  - Checks them for compliance with the P3P 1.0 Specification
  - Stops validation upon encountering an error
- Scripted interface to the W3C P3P Validator
  - Retrieve P3P policies from sites with errors in their policy reference files

P3P Policy Evaluator
- Compares a web site’s policy with a user’s privacy preferences
- Finds a mismatch between the P3P policy and the privacy preferences

Data Analysis
- Outputs of policy evaluations gathered in a rectangular matrix
  - Row – policy from a web site
  - Column – APPEL rule set file
- Run a Perl script over the matrix
  - Produce various tabulations, i.e., number of sites that returned a mismatch between privacy preferences and P3P policies

Web Site Selection
- Focus on the sites frequently visited by users
- PFF Most Popular
  - 85 of the 100 busiest sites determined by the October 2001 Nielsen/NetRatings ranking of sites with the most unique visitors per month
  - Excludes adult sites, children’s sites, business-to-business sites, and sites not in the .com top level domain
- PFF Random
  - Random sample of 302 of the 7821 domains with at least 39,000 unique monthly visitors in October 2001 by Nielsen/NetRatings
- PFF Refined Random
  - 209 domains from the PFF Random list that were in the top 5,625 domains in October 2001 by Nielsen/NetRatings
  - Excludes adult sites, children’s sites, business-to-business sites, and non-dot-coms
- Netscore Top 500
  - 500 domains with the most unique visitors during July 2002 by comScore Media Metrix netScore Standard Traffic Measurement report
- Key Measures
  - Top 500 domains with the most unique visitors during July 2002 by comScore Media Metrix Key Measures report
  - Includes “third-party” sites

Web Site Selection (Cont.)
- Alexa
  - Top 500 domains by Alexa Traffic Ranking on Feb. 4, 2003
  - Includes non-US domains and adult sites
- Froogle
  - 1,017 sites obtained by crawling the www.froogle.com web site in April 2003
  - Sites offer products for sale
- Yahooligans
  - 900 sites obtained by crawling www.yahooligans.com in April 2003
  - Sites for children ages 7-12
- Firstgov
  - 344 government sites indexed at www.firstgov.gov in April 2003
  - Includes US federal and state government sites and sites for some quasi-government organizations
- News
  - 2,429 sites by news.google.com in April 2003
  - Includes a variety of news-reporting organizations from the US and other countries

P3P Adoption in May 2003

P3P Adoption (Cont.)
- P3P adoption increasing over time
- Highest for the most popular web sites
- Key Measures site lists higher than Netscore
  - Presence of “third-party” sites
  - To avoid having their cookies blocked by IE6
- Alexa top 500 list lowest
  - International nature
  - Large number of adult sites
- One third of the P3P-enabled sites had errors flagged by W3C P3P Validator
- 7% had errors that prevented their evaluation by Privacy Bird evaluation engine
  - Omit required components of a P3P policy
  - Improperly referencing data elements

Privacy Bird Evaluation
- Definition of not sharing data
  - Sites share data only with agents that use it only to complete the transaction for which it was provided or with delivery companies
  - Data sharing occurs only under an opt-in policy
- 3 standard settings
- Low
  - Trigger a red bird – policy does not match the preferences
  - Collects health/medical info
  - Share it with other companies
  - Use it for analysis, marketing or to make decisions about what content or ads the user sees
  - Engage in marketing but do not provide a way to opt out

Privacy Bird Evaluation (Cont.)
- Medium
  - Same as low
  - Sites sharing PII (physical contact info, online contact info, government-issued identifier), financial info, or purchase info with other companies
  - Sites collecting PII but providing no access provisions
- High
  - Same as medium
  - Sites sharing any personal info (including non-identified info) with other companies
  - Use it to determine the user’s habits, interests, or other characteristics
  - Sites contacting users for marketing
  - Sites using financial or purchase info for analysis, marketing, or to make decisions that may affect what content or ads the user sees

Privacy Bird Evaluation (Cont.)

Privacy Bird Evaluation (Cont.)
- Red bird on 24% of the evaluated sites
  - No opt-out of marketing and/or telemarketing ability offered
- Most popular sites receive both green bird on low setting and red bird on high setting
  - Green bird - Greater awareness of the importance of the “choice” principle
  - Red bird - Most offer rich ecommerce
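
Added example (not from the slides and not the AT&T evaluation code): a Python sketch of the Privacy Bird low/medium/high settings and the Data Analysis matrix described above, with rows as site policies and columns as settings standing in for the APPEL rule set files. The vocabulary terms are from P3P 1.0; the mapping of each slide bullet to a trigger, the helper names and the four sample policies are assumptions constructed for illustration.

```python
# P3P 1.0 vocabulary terms; grouping them into rule triggers is an assumption.
MARKETING = {"contact", "telemarketing"}
ANALYSIS = {"pseudo-analysis", "individual-analysis"}
DECISION = {"pseudo-decision", "individual-decision"}
NOT_SHARING = {"ours", "delivery"}   # the site's agents and delivery companies
PII, COMMERCE = {"physical", "online", "government"}, {"financial", "purchase"}
LEVELS = ("low", "medium", "high")

def shares(policy):
    # Sharing per the deck: a recipient beyond agents/delivery, unless opt-in.
    return any(r not in NOT_SHARING and req != "opt-in"
               for r, req in policy["recipients"].items())

def is_red(policy, level):
    cats, purposes, used = policy["categories"], policy["purposes"], set(policy["purposes"])
    red = (("health" in cats
            and (shares(policy) or used & (ANALYSIS | DECISION | MARKETING)))
           or any(purposes.get(p) == "always" for p in MARKETING))  # no opt-out
    if level in ("medium", "high"):
        red = (red or (cats & (PII | COMMERCE) and shares(policy))
               or (cats & PII and policy["access"] == "none"))
    if level == "high":
        red = (red or shares(policy) or used & (ANALYSIS | MARKETING)
               or (cats & COMMERCE and used & DECISION))
    return bool(red)

def tabulate(policies):
    # Rows = site policies, columns = settings; count mismatches per column.
    matrix = {site: {lv: is_red(p, lv) for lv in LEVELS}
              for site, p in policies.items()}
    counts = {lv: sum(row[lv] for row in matrix.values()) for lv in LEVELS}
    return matrix, counts

def policy(cats, purposes, recipients, access):
    return {"categories": set(cats), "purposes": purposes,
            "recipients": recipients, "access": access}

# Constructed sample policies (not data from the study).
SAMPLE = {
    "shop.example": policy({"physical", "online", "purchase"},
        {"current": "always", "contact": "opt-out"},
        {"ours": "always", "delivery": "always"}, "all"),
    "portal.example": policy({"online", "navigation"},
        {"admin": "always", "telemarketing": "always"}, {"ours": "always"}, "all"),
    "forum.example": policy({"online", "content"}, {"current": "always"},
        {"ours": "always"}, "none"),
    "news.example": policy({"navigation"}, {"admin": "always"},
        {"ours": "always"}, "nonident"),
}
print(tabulate(SAMPLE)[1])
```

The constructed shop policy is green on low and medium but red on high because it contacts users for marketing, which is the green-on-low, red-on-high pattern the last slide reports for the most popular sites.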