Yale CPSC 457 - An Analysis of P3P Deployment

This preview shows page 1-2-15-16-17-32-33 out of 33 pages.


Slide outline: An Analysis of P3P Deployment; Introduction; P3P Specifications; Slide 4; P3P Evaluation System Design; URL Collector; P3P Policy Retriever; P3P Validator; P3P Policy Evaluator; Data Analysis; Web Site Selection; Web Site Selection (Cont.); P3P Adoption in May 2003; P3P Adoption (Cont.); Privacy Bird Evaluation; Privacy Bird Evaluation (Cont.); Slide 17; Slide 18; Types of Data Collected; Types of Data Collected (Cont.); Data Usage; Data Usage (Cont.); Data Recipients and Sharing; Data Recipients and Sharing (Cont.); Choice Options; Choice Options (Cont.); Access Provisions; Access Provisions (Cont.); Dispute Resolution Options and Remedies; Slide 30; Data Retention Policies; Data Retention Policies (Cont.); Conclusion

An Analysis of P3P Deployment
Hyun Jin Kim
Sensitive Information in a Wired World
November 11, 2003

Introduction
- Privacy Policies
  - US self-regulatory approach to online privacy protection
  - Description of a company’s data practices
  - What information they collect from individuals and what they do with it
- P3P Specifications
  - Developed by World Wide Web Consortium (W3C) over 5 years of work
  - Became an official W3C “Recommendation” just over a year ago on April 16, 2002

P3P Specifications

P3P Evaluation System Design
- Automated process to measure P3P adoption and gather data from P3P-enabled web sites
- By Lorrie Faith Cranor, Simon Byers, and David Kormann (AT&T Labs-Research)
- Five major components
  - URL Collection Mechanism
  - P3P Policy Retriever
  - Scripted Interface to the W3C P3P Validator
  - P3P Policy Evaluator
  - Generic Data Analysis Tools

URL Collector
- To identify sets of sites of interest
  - Existing lists of URLs
  - Newly constructed lists that focus on particular web sites
- Web spidering technique
  - Gather information from web directories and other sources

P3P Policy Retriever
- Perl script to retrieve P3P information
  - All policies, policy reference files, compact header policies

P3P Validator
- W3C P3P Validator
  - Fetches P3P policy reference files, policy files and compact policies
  - Checks them for compliance with the P3P 1.0 Specification
  - Stops validation upon encountering an error
- Scripted interface to the W3C P3P Validator
  - Retrieve P3P policies from sites with errors in their policy reference files

P3P Policy Evaluator
- Compares a web site’s policy with a user’s privacy preferences
- Finds a mismatch between the P3P policy and the privacy preferences

Data Analysis
- Outputs of policy evaluations gathered in a rectangular matrix
  - Row – policy from a web site
  - Column – APPEL rule set file
- Run a Perl script over the matrix
  - Produce various tabulations, e.g., the number of sites that returned a mismatch between privacy preferences and P3P policies

Web Site Selection
- Focus on the sites frequently visited by users
- PFF Most Popular
  - 85 of the 100 busiest sites determined by the October 2001 Nielsen/NetRatings ranking of sites with the most unique visitors per month
  - Excludes adult sites, children’s sites, business-to-business sites, and sites not in the .com top level domain
- PFF Random
  - Random sample of 302 of the 7821 domains with at least 39,000 unique monthly visitors in October 2001 by Nielsen/NetRatings
- PFF Refined Random
  - 209 domains from the PFF Random list that were in the top 5,625 domains in October 2001 by Nielsen/NetRatings
  - Excludes adult sites, children’s sites, business-to-business sites, and non-dot-coms
- Netscore Top 500
  - 500 domains with the most unique visitors during July 2002 by comScore Media Metrix netScore Standard Traffic Measurement report
- Key Measures
  - Top 500 domains with the most unique visitors during July 2002 by comScore Media Metrix Key Measures report
  - Includes “third-party” sites

Web Site Selection (Cont.)
- Alexa
  - Top 500 domains by Alexa Traffic Ranking on Feb. 4, 2003
  - Includes non-US domains and adult sites
- Froogle
  - 1,017 sites obtained by crawling the www.froogle.com web site in April 2003
  - Sites offer products for sale
- Yahooligans
  - 900 sites obtained by crawling www.yahooligans.com in April 2003
  - Sites for children ages 7-12
- Firstgov
  - 344 government sites indexed at www.firstgov.gov in April 2003
  - Includes US federal and state government sites and sites for some quasi-government organizations
- News
  - 2,429 sites by news.google.com in April 2003
  - Includes a variety of news-reporting organizations from the US and other countries

P3P Adoption in May 2003

P3P Adoption (Cont.)
- P3P adoption increasing over time
- Highest for the most popular web sites
- Key Measures site lists higher than Netscore
  - Presence of “third-party” sites
  - To avoid having their cookies blocked by IE6
- Alexa top 500 list lowest
  - International nature
  - Large number of adult sites
- One third of the P3P-enabled sites had errors flagged by W3C P3P Validator
  - 7% had errors that prevented their evaluation by Privacy Bird evaluation engine
  - Omit required components of a P3P policy
  - Improperly referencing data elements

Privacy Bird Evaluation
- Definition of not sharing data
  - Sites share data only with agents that use it only to complete the transaction for which it was provided or with delivery companies
  - Data sharing occurs only under an opt-in policy
- 3 standard settings
  - Low
    - Trigger a red bird – policy does not match the preferences
    - Collects health/medical info
    - Share it with other companies
    - Use it for analysis, marketing or to make decisions about what content or ads the user sees
    - Engage in marketing but do not provide a way to opt out

Privacy Bird Evaluation (Cont.)
  - Medium
    - Same as low
    - Sites sharing PII (physical contact info, online contact info, government-issued identifier), financial info, or purchase info with other companies
    - Sites collecting PII but providing no access provisions
  - High
    - Same as medium
    - Sites sharing any personal info (including non-identified info) with other companies
    - Use it to determine the user’s habits, interests, or other characteristics
    - Sites contacting users for marketing
    - Sites using financial or purchase info for analysis, marketing, or to make decisions that may affect what content or ads the user sees

Privacy Bird Evaluation (Cont.)

Privacy Bird Evaluation (Cont.)
- Red bird on 24% of the evaluated sites
  - No opt-out of marketing and/or telemarketing ability offered
- Most popular sites receive both green bird on low setting and red bird on high setting
  - Green bird - Greater awareness of the importance of the “choice” principle
  - Red bird - Most offer rich ecommerce

