Can be prevented, with the appropriate security settings, but most people don’t take these precautions
Third party cookie tracking
Ad servers like Engage, DoubleClick, and others put code inside their ads to identify users
But what if this information is tied to your email or IP address?
And what if a third-party site obtains additional information about you this way?
Rate these privacy invasions
Sending out a single piece of email with everyone's email address clearly visible in the header
A web site that tries to make it easier for its customers to login and track their accounts
A piece of software that records the IP address of the machine it is running on and reports back to headquarters
Privacy best practices
What are your expectations?
What info is collected?
How are you informed of the collection process?
How can you change your address and other ID information?
What happens when the company is sold?
What kinds of information are considered private?
Your IP address
Your Ethernet MAC address/Windows GUID
Your purchase history with a web storefront (or physical store)
Your address and phone
Your email address
Your credit card, banking account numbers
How do products inform you of their information collection practices?
Before you download them in clear language on the web site
At the time you download them
With obscure privacy policies on their web site
In a press release from the vendor after something bad happens
How can you change your ID?
With the post office, credit history, and others, relatively simple
With software, not so simple
Many products don’t have any automated tools for making changes
Who shares this information?
Do sites offer secure logins or are they in the clear?
What about third-party cookies, who makes use of them?
What happens to this information when your company gets sold?
Does a company have a legal right to hold on to its data?
Does a customer have a legal right to expect a company to not sell its data?
Do we need new consumer protection laws for these situations?
Are individuals’ privacy data considered a corporate asset or a liability?
Case in point: eBay
Changed its privacy practices 4/01 to specifically mention what happens if sold
But hides this deep within their privacy policies
How do you protect your customers’ privacy data?
Secure servers, careful data structures and policies
Authorized employees with limited access
Do all of these things really work?
Back to email issues
Hidden HTML code inside many email messages these days, called “web bugs”
Convey information on whether you open the email message or not, whether you click on this specific link, and if you want to unsubscribe
Works even if you use just the preview pane in MS OE/Outlook
Supposedly this information is just used in the aggregate, but can you be sure?
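An added example (not part of the original presentation) of how a mail reader or filter could flag the web bugs described above: it parses an HTML message body and reports remote images that are 1x1, hidden, or carry a long query value that could identify the recipient. The hostnames, the sample message and the 8-character threshold are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample body: an embedded logo, a normal banner, and a web bug.
SAMPLE_MAIL = """<html><body>
<p>Spring sale starts today!</p>
<img src="cid:logo@newsletter" width="200" height="60">
<img src="https://static.example.com/banner.png" width="600" height="120">
<img src="http://track.example.net/open.gif?uid=4f2a9c1be7d0&amp;msg=20010401" width="1" height="1">
</body></html>"""

def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    return value is not None and value.strip().rstrip("px") in ("0", "1")

class WebBugFinder(HTMLParser):
    """Collect remote <img> tags that look like open-tracking beacons."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlsplit(a.get("src", ""))
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images travel with the mail; nothing is fetched
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1 or 0x0 image")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        # Heuristic (assumption): values of 8+ characters may be recipient IDs.
        params = [k for k, v in parse_qsl(url.query) if len(v) >= 8]
        if params:
            reasons.append("long query value: " + ",".join(params))
        if reasons:
            self.findings.append((url.hostname, reasons))

def find_web_bugs(html):
    """Return [(host, [reasons])] for every suspicious remote image."""
    parser = WebBugFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for host, reasons in find_web_bugs(SAMPLE_MAIL):
        print(host, "->", "; ".join(reasons))
```

Because the beacon only reports back when the image is fetched, blocking remote image loading in the mail client (including the preview pane) prevents the report regardless of what the scan finds.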
Bad boys of web site privacy
Made the mistake of combining two businesses: banner ad serving and email marketing
Is it a violation of privacy when you aggregate individual information?
Third-party cookie issues
Is it a violation of privacy when you automatically subscribe users to your service, and bury any opt-out information?
Should Real record my music listening habits without my explicit permission?
And store this data even when I am not connected to the Net?
Download an ActiveX control that makes numerous changes to your browser and email configuration, as well as Startup folders – but advertised as a “video player browser enhancement.”
At first the company didn’t explain these changes, but now they do – in very, very fine print.
Aggregates personal TV viewing habits of its users
But doesn’t really make that clear
And employees of the company could have access to your privacy data
eCommerce privacy mishaps
ToySmart trying to sell its customer list
Long list of break-ins to obtain customer credit cards and accounts from numerous web sites, including Ikea, Western Union
Microsoft’s many problems
Hotmail break-ins galore
Global ID transmitted inside Word docs
Network collapse from poor DNS config
Software updates that scan your disk
Browser enhancement tools study
Privacy Foundation examined 12 different software utilities that work with web browsers, and found numerous privacy problems
ALL products sent more data back “home” to vendors’ HQ than required or disclosed to end-users
Results: poor notification of privacy violations
Poor placement of disclosure statements
Sites reserve the right to release information when they want to
Privacy policies are clouded in technobabble and jargon
Policies are vague or wrongly stated
Sites use seals of approval from TRUSTe and BBB to certify their sites, but not any actual software
First, understand your own actions
Examine standards efforts
Policy creation software tools
Learning from eBay’s example
If you develop software
Tell the truth about who has access to customer data
Have lawyers work with your engineers to review software’s actual privacy practices
Design with privacy in mind from the start
Use opt-in rather than opt-out
Don’t monitor URLs
W3C standards-based effort
Major multi-vendor contributions
Blesses various software tools that generate privacy policies that are more readable by machines than by humans
TRUSTe’s model privacy statement
Available at www.truste.com/webpublishers/pub_modelprivacystatement.html
Can easily copy and modify accordingly
More like a legal document than helpful to users
A good place to start
Brief, clear, to the point
You can examine my own policy here: strom.com/privacypolicy.html
IBM’s Privacy Tool
Again, machine-readable policies that can be verified by P3P standard checking software
Several different versions, charts, and pages
Many different levels of detail, including information about spam, cookies, etc.
Link from bottom of home page
Note how they notify users when it changes
The fine print
“It is possible that eBay, its subsidiaries, its joint ventures, or any combination of such, could merge with or be acquired by another business entity. Should such a combination occur, you should expect that eBay would share some or all of your information in order to continue to provide the service. You will receive notice of such event…”
Copies of this presentation: strom.com/pubwork/privacy.ppt