Final Report

Angela Reese

reeseanm@notes.udayton.edu

Works read:

Annotated Bibliography – E-commerce

Annotated Bibliography – Requirements

Privacy Resources

Why privacy is important, risks:

Privacy concerns consumers in many realms including electronic commerce, database management, security techniques, telecommunications, collaborative systems and systems implementation. Privacy is involved in the development of applications within all of these areas. It is important to think of these issues before a system's development is complete. It is necessary for privacy policies to be developed properly and for the system to follow the policy it is based upon [AE01].

It is important to align IT requirements and a privacy policy; the first step is to articulate what strategic goals policies actually support. A site's privacy policies are not always consistent with their practices [AEP01].

Statistics show that not many consumers read privacy policies, but there are some who do. When Macy's changed their privacy policy, customers held a protest at a store. Protesters were complaining about the opt-out policy. This means that people would have to specifically say they do not want to receive telemarketing emails or phone calls from Macy's partners [Ols01b].

Times PII has been revealed:

Eli Lilly unintentionally released email addresses of people on Prozac. The company sent customers an email to inform them a service was being cancelled. This email contained all the email addresses of the people currently using this service [Wil01]. In another case, Indiana University had hackers break into their system twice. The hackers stole information such as names, addresses, and even social security numbers. The information from the second breach was from people who filled out online forms expressing interest in the music school [Ols01a].


Work done:

I worked on a few different projects this summer. I started out researching privacy on the Internet. I came across many different privacy seals. There was one seal that was very interesting because it claimed to be geared toward consumer privacy rather than the company's interests. As I researched further, I found that the seal was backed by a defunct company. Despite the fact that the seal was meaningless, I found many sites still displaying the seal. I found this to be a troublesome problem since it was misrepresenting information to customers. I contacted companies bearing the seal on their websites and received mixed reactions. Some were thankful for bringing the situation to their attention, others simply removed the seal without responding to me, and yet others completely ignored the situation.

For most of the summer I was extracting goals from privacy policies in the Health Care industry. This was a continuation of work done last summer, which looked at all different types of industries.

I also worked on an Internet Privacy User Values Survey that will be put to use in the fall. I fixed the layout and edited some HTML code. I also edited the content of the survey, by deciding which questions were relevant. I found that many of the questions on the survey were closely related to the list of goals I collected.

Here's what we did and how we did it:

Goals were extracted from a total of 23 privacy policies. There were 6 pharmaceutical companies, 7 health insurance companies, and 10 pharmacies. In the next section is the set of heuristics involved in extracting goals out of the policies. Once the goal set was established, more heuristics and scenarios were developed to reduce the size of the goal set.

The goals were analyzed according to different characteristics such as protection vs. vulnerability goals, subject (e.g. cookies, PII, browsing patterns, etc.), and what are considered "good" and "bad" goals for two different types of consumers. One type of consumer is the "shopper," who is interested in both privacy and shopping and does not mind certain privacy issues as long as the information is used to provide better service. The other type of consumer is the "paranoid," whose top priority is privacy; they do not want anyone to get any information about them. There are two different sets of data, one set with scenarios and one without.

Protection Goals

ACCESS/PARTICIPATION

This refers to a Web site's practice of allowing consumers to view, edit, and update their PII for accuracy and completeness. It also refers to how much access a person has to the site without providing any information.

CHOICE/CONSENT

This refers to a Web site giving consumers the option to specify how their PII is to be used and whether it may be used for secondary purposes.

ENFORCEMENT/REDRESS

This refers to a company enforcing its privacy policies. Types of enforcement include self-regulation, private remedies, and government enforcement. Types of redress include disciplinary measures such as firing employees who violate a privacy policy.

INTEGRITY/SECURITY

This refers to the practice of ensuring that data is kept both accurate and secure as well as maintaining the integrity of all data.

NOTICE/AWARENESS

This refers to a Web site's practice of notifying consumers before any information is actually collected from consumers or when changes have been made to the privacy policy.


Vulnerability Goals

AGGREGATION OF INFORMATION

This refers to a Web site's use of previously gathered PII and data obtained from third parties for purposes of aggregation.

COLLECTION OF INFORMATION

This refers to an organization's practice of collecting information from consumers, either by directly asking them to enter it or by collecting it without their consent.

MONITORING OF INFORMATION

This refers to a Web site's practice of monitoring visitor buying, browsing, and usage patterns.

PERSONALIZATION

This refers to a Web site's practice of using cookies or PII to tailor the functionality or Web content offered to its visitors.

SOLICITATION

This refers to a Web site's practice of sending correspondence to consumers for marketing or promotional purposes.

STORAGE OF INFORMATION

This refers to a Web site's practice of storing any PII and account/purchase information on the organization's database.

TRANSFER OF INFORMATION

This refers to a Web site's practice with regard to the transfer, sale, sharing, and disclosing of information to third parties.

Heuristics:

I created a set of heuristics for extracting and identifying goals from privacy policies. Heuristics are rules that help analysts and will make it possible to parse privacy policies automatically.

 

-   Information that can reveal an individual's personal identity is translated into the following key word: PII.

-   Health information such as allergies, prescription information, health insurance information, illnesses, current medication, family medical history, etc. is translated into the following key word: HI.

-   There are two different types of users, a user who does not provide information and a user who provides information. The user that does not provide information is considered a VISITOR. The user that provides information is considered a CUSTOMER (cust).

-   Given certain key words associated with ownership of personal information, such as YOUR, PATIENT, USER, etc., these words should be translated into the following key word: customer (cust).

-   If consent is involved then membership is implied and the person is referred to as a CUSTOMER (cust).

-   When given the name of the company, the name should be transformed into the following key words: our company.

-   The Web page from which you entered a company's site is translated into the following key word: preceding website.

-   The key words PARENT or PARENTAL include guardians as well as parents.

-   Given certain key words associated with a customer requesting something, such as products, information, etc., these words should be translated into the following key word: SERVICE.

-   Non-personally identifiable information, "usage data," such as age, sex, etc. is translated into the following key word: aggregate data.

-   Payment information, i.e. information needed to complete a transaction, such as a credit card number, expiration date, etc., is translated into the following key word: Credit Card Information.

-   Information such as a bank account, investments, etc. is translated into the following key word: Financial Information.

-   Given certain key words related to a worker at the company, such as ASSOCIATE, EMPLOYEE, etc., these words should be translated into the following key word: employee (empl).

-   Given certain key words associated with parties related to the company, such as partner, sponsor, member, etc., these words should be translated into the following key word: AFFILIATE.

-   Given certain key words associated with a minute picture used to track sites visited, such as ACTION TAG, WEB TRACKER, CLEAR GIFS, etc., these words should be translated into the following key word: WEB BUG.

-   "Clickstream" information is translated into browsing and usage patterns.

-   The auxiliary verb MAY is translated into the verb following it. If a company MAY do something, it is assumed they actually DO it.

-   When the burden is on the customer to make some action/decision, this is a disclaimer and is ignored because it is not a goal for the system.

-   Those goals that seem like a disclaimer, but are not controlled by the user, are vulnerability goals.

-   Statements describing how a goal is done or why it is done shall be expressed in terms of SCENARIOS.

-   Given certain key words associated with keeping something from happening, such as WILL NOT, ENSURE with a constraint, etc., these words should be translated into the following key word: PREVENT.

-   Given certain key words associated with making something different, such as CHANGE, UPDATE, REVISE, CORRECT, etc., these words should be translated into the following key word: MODIFY.

-   Given certain key words associated with improving or individualizing, such as PERSONALIZE, ENHANCE, TAILOR, etc., these words should be translated into the following key word: CUSTOMIZE.

-   Given certain key words associated with doing something with PII, such as USE, ASK FOR, REQUEST, etc., these words should be translated into the following key word: COLLECT.

-   When both actions of SENDING and RECEIVING are involved, these words should be transformed into the following key word: TRANSMIT.

-   Given certain key words associated with the action of giving authority, such as AUTHORIZE, etc., these words should be translated into the following key word: CONSENT.

-   Given certain key words associated with making information known, such as RELEASE, DIVULGE, etc., these words should be translated into the following key word: DISCLOSE.

-   Given certain key words associated with giving further knowledge to employees, such as EDUCATE, etc., these words should be translated into the following key word: TRAIN.

-   Given certain key words associated with joining something, such as LINK, etc., these words should be translated into the following key word: CONNECT.

-   Given certain key words associated with confining within bounds, such as RESTRICT, etc., these words should be translated into the following key word: LIMIT.

-   When information is in any way shown to others, it is assumed to be with 3rd parties unless stated otherwise, e.g. w/ 3rd parties or to 3rd parties.

 

Goal Classification:

Many goals overlap, so I created a goal classification.

COLLECT aggregate data – in order to do something w/ data, you have to collect it

  • IMPROVE site using aggregate data
  • PREVENT sharing aggregate data
  • SHARE aggregate data
  • TRACK usage patterns using aggregate data

 

USE cookies or other info files

  • COLLECT activities conducted while on site through cookies
  • COLLECT aggregate info about site usage using cookies
  • COLLECT how often visit site through cookies
  • CONNECT site usage of cookies w/ PII
  • CUSTOMIZE experience at our site using cookies
  • DISABLE order status feature if cookies turned off
  • DISABLE order tracking feature if cookies turned off
  • IMPROVE our site using cookies
  • PROVIDE additional functionality using cookies
  • RECOGNIZE repeat cust using cookies
  • REPORT site activity using cookies
  • REQUIRE cookies be enabled for shopping
  • RETRIEVE cust info using cookies
  • TRACK items placed in shopping basket using cookies
  • TRACK pages on our site using cookies
  • TRACK usage patterns using cookies


Lessons Learned, Generalizations:

-   44% of goals are about collecting or transferring information.

-   Considering the policies looked at, if you consider yourself to be a consumer focused on the shopping experience, there was only one policy that had no goals that would compromise your privacy. However, this company and others left out things that were really important to consumer privacy.

-   The length of the policy does not determine the number of goals the policy has. The average number of words per goal ranged from 14.7 to 73.1.

-   All sites had a goal about collecting information. All sites also had a goal about the transfer of that information or a notice/awareness goal. This means that the site either tells you what they do ahead of time or will notify you when your information is going to be used. This seems good, but only 17 out of the 23 sites had a choice/consent goal, which means that 6 sites give the user no choice at all as to how their information is being used. It is interesting to note that all drugstore companies provide a choice/consent goal. Furthermore, a small fraction of those sites that allow a choice, give the user the option to request a service rather than opting out of it.

-   72.4% of goals for Health Insurance companies are vulnerability goals. They are more concerned with existing threats than with protecting information from those threats.

-   Only slightly over half the companies had some policy regarding children's information.

My Privacy Policy:

The following are what I consider to be good characteristics of a privacy policy:

Future work:

There is still much left to do in exploring privacy on the Internet. The next privacy policies to be looked at are in the financial/banking industry. Another step would be to go through and see if the companies actually followed their privacy policy.

References:

[AE01] A.I. Antón and J.B. Earp. "Strategies for Developing Policies and Requirements for Secure Electronic Commerce Systems." Accepted to the 1st ACM Workshop on Security and Privacy in E-Commerce (CCS 2000), Athens, Greece, 1-4 November 2000.

[AEP01] A.I. Antón, J.B. Earp, C. Potts and T.A. Alspaugh. "The Role of Policy and Stakeholder Privacy Values in Requirements Engineering." IEEE 5th International Symposium on Requirements Engineering (RE'01), Toronto, Canada, August 2001.

[Ols01a] F. Olsen. "Indiana U. Suffers Second Hacker Attack in Four Months." http://chronicle.com/free/2001/06/2001061302t.htm 13 June 2001.

[Ols01b] S. Olsen. "Advocacy group protests Macy's privacy policy." http://www.nytimes.com/cnet/CNET_0-1005-200-6260653.html?ex=993444299&ei=1&en=10ac3bf848898085 13 June 2001.

[Wil01] C. Wilson. "Lilly reveals Prozac patients' identities." http://www.infobeat.com/cgi-bin/WebObjects/IBFrontEnd.woa/wa/fullStory?article=409190643 17 July 2001.