[Previous] [Next] [Title]

11. Cyberspace privacy issues


Graham Greenleaf, revised 26 April 2002

= required reading

= material added since the date of the class concerning this topic

Objectives

This Reading Guide aims to help provide an understanding of the following:

11.1. Special nature of cyberspace privacy issues

Some suggested reasons why cyberspace privacy issues are different follow: What other reasons can you suggest?

11.2. Application of IPPs to cyberspace transactions

There are two main categories of issues here:

(i) Is there 'personal information' so that IPPs can apply at all? - This is always the threshold issue when looking at cyberspace privacy issues.

(ii) What do IPPs require in cyberspace transactions? - (iii) Are IPPs adequate to address cyberspace issues? - Surrent sets of IPPs may no longer be sufficient, even in principle. New IPPs may be needed. For an early discussion of these issues, see:

11.3. Internet business practices affecting privacy

11.3.1. Internet business practice involving privacy breaches

The purpose of this section is to illustrate the simple point that breaches of privacy often occur because of defective business practices, not principally because of the technologies employed (as to which, see the next section). We can use Dixon's examples to test the applicability of IPPs to cyberspace problems. Try to apply the IPPs in the Hong Kong, Australian or other legislation to these situations.

11.3.2. Privacy policies on web sites

Privacy policies on web sites may establish contractual or other obligations to those who browse those sites aware of or relying on those policies. This is of diminishing relevance in jurisdictions with legislative IPps which make some forms of 'privacy policies' including the disclosure of collection practices compulsory.

However, in addition to the questions of whether they comply with the legislative IPPs, privacy policies on web sites may be important because:

For a detailed discussion of the legal significance of website privacy policies, see Mark Berthold Website Privacy Policy Statements And The Changing Face Of E-Commerce [2002] PLPR (Issues 9 and 10). Part 2 mainly concerns Australian law, but the other parts of the article are of more general relevance.

Some surveys of web site privacy policies:

`[EPIC] reviewed 100 of the most frequently visited web sites on the Internet. We checked whether sites collected personal information, had established privacy policies, made use of cookies, and allowed people to visit without disclosing their actual identity. We found that few web sites today have explicit privacy policies (only 17 of our sample) and none of the top 100 web sites meet basic standards for privacy protection.'

11.3.3. Examples of practices and policies of particular organisations

11.4. Privacy-invasive technologies (PITs)

Cyberspace has made possible the development of many technologies which can be used for invasion of privacy which do not have exact equivalents in the physical world.

11.4.1. General resources

Roger Clarke provides some of the best classifications and explanations of technologies affecting privacy.

11.4.2. Cookies

Technical operation

What are `cookies'? `A cookie is a record stored on a user's machine as a result of a web-server instructing a web-browser to do so. It is sent to an appropriate web-server along with a request for pages.' (Clarke). Netscape describes them as:
` Cookies are a general mechanism which server side connections (such as CGI scripts) can use to both store and retrieve information on the client side of the connection. The addition of a simple, persistent, client-side state significantly extends the capabilities of Web-based client/server applications.'
A lot of people regard them as a serious privacy invasion: The Electronic Privacy Information Centre (EPIC) says `a cookie is a mechanism that allows a web site to record your comings and goings, usually without your knowledge or consent'. "I basically equate cookies to the notion of a store being able to tattoo a bar code on your forehead, and then laser-scan you every time you come through the doors" (Simson Garfinkel). Others think they are one of the few ways to overcome the `statelessness' of web protocols and are essentially benign.
Application of IPPs
For class discussion

11.4.3. Single pixel GIFs (aka 'invisible GIFs' or 'Web bugs')

Technical operation

Related to cookies are single pixel GIFs, which are graphics that are usually invisible to web users because they are 1x1 pixel in size, with no border and the same colour as the page background. They are also known as 'web bugs', 'web beacons', '1-by-1 GIFs', 'clear GIFs' and 'invisible GIFs'.

Single pixel GIFs have many different surveillance uses. Kaman Tsoi explains (see reference below) that these 'web bugs' are used by network advertisers

But when the user views the ad host's home page, in addition to any cookie which may be set by the ad host itself, the network advertiser serves a cookie to the user's browser. And because the banner ad graphic is operating as a web bug, the network advertiser receives information including the IP address of the user's computer, the URL of the ad host's home page, the time that the page was viewed and the type of browser being used by the user.
If the user then clicks on the banner ad to link through to the advertiser's website, the further movements of that user would be monitored to the extent that the network advertiser had invisible web bugs on any pages of the advertiser's site. Each time a web-bugged page is viewed by the user, the network advertiser receives the same information about the IP address, page URL, and time and browser type, along with the cookie value that was set when the banner ad was first viewed. Unless the user deletes the cookie, this monitoring could occur even if the user did not view the advertiser's site immediately or via the banner ad link.
...
While this is all impressive, particularly in comparison to other forms of advertising, what really takes web bugs into mind-boggling territory is simply this: for each network advertiser, there are many more ad hosts, advertisers and users. What this means is that by using the same cookie wherever the network advertiser has banners or web bugs on ad host or advertiser sites, the network advertiser can consolidate the data related to a particular cookie to form a detailed profile of browsing habits which could include the types of sites visited. The network advertiser can then add value to its advertisers by using these cookie profiles to determine what ad is shown the next time a user with that cookie is identified visiting an ad host's site. The major network advertisers hold hundreds of millions of these consumer profiles between them. The AltaVista search engine can be used to search for web bugs, and one recent search reported more than four million web bugs planted by 30 vendors on the internet

More information:

Application of IPPs

For class discussion

11.4.4. Spam - Unsolicited bult email

According to Hormel Foods, manufacturers of the 'popular' luncheon meat 'SPAM':
"Use of the term "spam" was adopted [in order to describe Unsolicited Bulk Email (UBE) or Unsolicited Commercial Email (UCE)] as a result of the Monty Python skit in which a group of Vikings sang a chorus of "spam, spam, spam . . . " in an increasing crescendo, drowning out other conversation. Hence, the analogy applied because UCE / UBE was drowning out normal discourse on the Internet. "

Why spam is a problem

According to the Australian (NOIE) survey:

Law regulating spam

Resources on spam

11.4.5. Location extraction

11.4.6. Data aggregation

11.5. Technical protections - 'Privacy enhancing technologies' (PETs)

This part catalogues a number of what many describe as 'Privacy enhancing technologies' or 'PETs' - forms of technological 'self-help'. In many cases these have been promoted (particularly in the USA) as alternatives to legislative protection of privacy, but in other countries they are more usefully considered from the following perspectives:

11.5.1. Overviews of PETs

The best starting points are: Some of these PETs are discussed further below

11.5.2. How serious are PETs as privacy solutions?

Advocates of PETs as a principal method of privacy protection include:

11.5.3. The W3C's Platform for Privacy Preferences (P3P)

The World Wide Web Consortium (W3C) has developed the Platform for Privacy Preferences (P3P), which has been described as `a framework within which trust can be achieved between web services providers and consumers' (Clarke's description in 1998, though he would reject it now).

Explanations

Here is the official description from the P3P web pages:
What is P3P? (2002 description) The Platform for Privacy Preferences Project (P3P), developed by the World Wide Web Consortium, is emerging as an industry standard providing a simple, automated way for users to gain more control over the use of personal information on Web sites they visit. At its most basic level, P3P is a standardized set of multiple-choice questions, covering all the major aspects of a Web site's privacy policies. Taken together, they present a clear snapshot of how a site handles personal information about its users. P3P-enabled Web sites make this information available in a standard, machine-readable format. P3P enabled browsers can "read" this snapshot automatically and compare it to the consumer's own set of privacy preferences. P3P enhances user control by putting privacy policies where users can find them, in a form users can understand, and, most importantly, enables users to act on what they see.
P3P Project in a nutshell (1998 description) P3P* is a privacy assistant: users can be informed, in control, and use P3P to simplify and help them make decisions based on their individual privacy preferences. The P3P specification will enable Web sites to express their privacy practices and users to exercise preferences over those practices. P3P products will allow users to be informed of site practices, to delegate decisions to their computer when possible, and allow users to tailor their relationship to specific sites. Sites with practices that fall within the range of a user's preference could, at the option of the user, be accessed "seamlessly," otherwise users will be notified of a site's practices and have the opportunity to agree to those terms or other terms and continue browsing if they wish. P3P gives users the ability to make informed decisions regarding their Web experience and their ability to control the use of their information. Sites can use P3P to increase the level of confidence users place in their services, as well as improve the quality of the services offered, the customization of content, and simplify site access. P3P allows one to make statements about privacy practices and preferences in a flexible manner. P3P uses RDF/XML for making privacy statements as well as for exchanging data under user control. P3P will support future digital certificate and digital signature capabilities as they become available. P3P can be incorporated into browsers, servers, or proxy servers that sit between a client and server. * For brevity, we often refer to the P3P project, activity, specifications, or products as "P3P."

The W3C's general approach to privacy issues is on its Privacy Activities page.

More details, including all technical specifications, are available from the P3P Project web pages. Please browse

Roger Clarke 'Platform for Privacy Preferences: An Overview' (April 1998) - provides a simple explanation, and technical summaries as well.

Comments

[The following comments are from a paper I wrote in 1998 - they may now need some revision: GG]

P3P is a protocol which is intended to be able to be applied to support negotiations in a variety of internet contexts, including explicit data provision (eg answers to questions on web forms), implicit data provision (eg capture of the `click stream' or URLs of pages visited in succession), and explicit data provision from third sources (eg a web user's stored profile of preferences, demographic details etc). How it can be applied to some extensions to basic HTML such as cookies, Java etc is not yet determined. P3P allows web users to have multiple personae (digital pseudonyms), allowing a user to choose between a `data-poor' or `data rich' personality depending on the site visited[1].

P3P is the first important privacy initiative to have emerged from the consultative and self-regulatory structures of internet governance (although dominated by W3C staff members), and for that reason alone is of considerable significance.

Clarke compares what P3P is attempting to deliver against the OECD privacy Guidelines[2]http://www.anu.edu.au/people/Roger.Clarke/DV/P3PCrit.html], and concludes that it only addresses parts of three of the OECD Principles (data collection directly from the individual concerned; limitations on use and disclosure, and openness about use and disclosure policies), but does not address other principles relating to collection from third parties, subject access to data held by the web-site operator, retention of data and security. This is not necessarily a criticism, merely a limitation of one tool, but it would seem that some of these matters could be addressed by the same protocol in order to give more comprehensive privacy protection.

The more substantial criticism is that P3P says nothing about measures to ensure that it is complied with. If the web service provider breaches the practices that it has told the user that it adopts during a P3P `negotiation' what can the user do about it (assuming he or she ever finds out in the first place)? Some aspects of this problem are:

P3P may become `one important element among many others' (as Clarke concludes), but it will be of little use unless it meshes with law and organisational practices. Until it does that, it could be little more than a framework for deception.

The Electronic Privacy Information Center (EPIC) identifies a different danger in that it considers that a what is in effect framework for efficient collection of personal information as a condition of entry to web sites (with the possibility of increasing exclusion of those who value their privacy) may be counter-productive to privacy, compared with simply opposing the increased collection of personal information.

Critiques of P3P

There are now a wide range of papers available about P3P.

Implementations of P3P

How will the defaults be set in software that implements P3P?

11.6. The 'borderless' problem: Internet privacy invasions from overseas

More than any other form of privacy problem, cyberspace issues are likely to involve complaints of invasions of privacy by overseas organisations. This leads to a premium on self-help (PETs).

What are legal systems doing about this?:

But a TRIPS or WTO for privacy (an international standard which must be enforced locally even though it is foreiners who are affected) is not yet on the horizon outside Europe.

[1] Paragraph summarised from Clarke, `Overview' op cit

[2] Roger Clarke `Platform for Privacy Preferences: A Critique' -


[Previous] [Next] [Title]