skip to main content
research-article

A large-scale empirical study of P3P privacy policies: Stated actions vs. legal obligations

Published:30 April 2009Publication History
Skip Abstract Section

Abstract

Numerous studies over the past ten years have shown that concern for personal privacy is a major impediment to the growth of e-commerce. These concerns are so serious that most if not all consumer watchdog groups have called for some form of privacy protection for Internet users. In response, many nations around the world, including all European Union nations, Canada, Japan, and Australia, have enacted national legislation establishing mandatory safeguards for personal privacy. However, recent evidence indicates that Web sites might not be adhering to the requirements of this legislation. The goal of this study is to examine the posted privacy policies of Web sites, and compare these statements to the legal mandates under which the Web sites operate. We harvested all available P3P (Platform for Privacy Preferences Protocol) documents from the 100,000 most popular Web sites (over 3,000 full policies, and another 3,000 compact policies). This allows us to undertake an automated analysis of adherence to legal mandates on Web sites that most impact the average Internet user. Our findings show that Web sites generally do not even claim to follow all the privacy-protection mandates in their legal jurisdiction (we do not examine actual practice, only posted policies). Furthermore, this general statement appears to be true for every jurisdiction with privacy laws and any significant number of P3P policies, including European Union nations, Canada, Australia, and Web sites in the USA Safe Harbor program.

References

  1. Adkinson, W. F., Eisenach, J. A., and Lenard, T. M. 2002. Privacy Online: A Report on the Information Practices and Policies of Commercial Web Site. The Progress and Freedom Foundation.Google ScholarGoogle Scholar
  2. Agrawal, R., Kiernan, J., Srikant, R., and Xu, Y. 2003. An XPath-based preference language for P3P. In Proceedings of the 12th International Conference on the World Wide Web. ACM Press. Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. Anton, A. I., Earp, J. B., Vail, M., Jain, N., Frink, J., and Gheen, C. 2007. An analysis of Web site privacy policy in the presence of HIPPA. IEEE Secur. Priv. 5, 1, 45--52. Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. Asia-Pacific Economic Cooperation. 2004. APEC Privacy Framework.Google ScholarGoogle Scholar
  5. Australia Office of Legislative Drafting and Publishing. 1988. Privacy Act 119.Google ScholarGoogle Scholar
  6. Bellman, S., Johnson, E. J., and Lohse, G. L. 2001. On site: to opt-in or opt-out?: It depends on the question. Comm. ACM 44, 2, 25--27. Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. Black, H. 2005. On-line data brokers. http://www.privcom.gc.ca/legislation/let/let_051118_e.asp.Google ScholarGoogle Scholar
  8. Bowie, N. E. and Jamal, K. 2006. Privacy rights on the Internet: Self-regulation or government regulation. Bus. Ethics Quar. 16, 3.Google ScholarGoogle ScholarCross RefCross Ref
  9. Byers, S., Cranor, L. F., and Kormann, D. P. 2003. Automated analysis of P3P-enabled Web sites. In Proceedings of the 5th International Conference on Electronic Commerce (ICEC). Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. Canadian Public Works and Government Services. 2000. Personal Information Protection and Electronic Documents Act.Google ScholarGoogle Scholar
  11. Cohen, J. 1988. Statistical Power Analysis for the Behavioral Sciences 2nd Ed. Lawrence Earlbaum Associates, Hillsdale, NJ.Google ScholarGoogle Scholar
  12. Copas, J. and Jackson, D. 2004. A bound for publication bias based on the fraction of unpublished studies. Biometrics 60, 146--153.Google ScholarGoogle ScholarCross RefCross Ref
  13. Cranor, L., Dobbs, B., Egelman, S., Hogben, G., Humphrey, J., Langheinrich, M., Marchiori, M., Presler-Marshall, M., Reagle, J. M., Schunter, M., Stampley, D. A., and Wenning, R. 2006. The Platform for Privacy Preferences 1.1 (P3P1.1) Specification. http://www.w3.org/TR/P3P11/.Google ScholarGoogle Scholar
  14. Cranor, L. F., Egelman, S., Sheng, S., McDonald, A.M., and Chowdhury, A. 2008. P3P deployment on websites. Electron. Commerce Resear. Appl. Elsevier Science, Amsterdam. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. Cranor, L., Langheinrich, M., and Marchioni, M. 2002. A P3P Preference Exchange Language 1.0 (APPEL 1.0). http://www.w3.org/TR/P3P-preferences/.Google ScholarGoogle Scholar
  16. Cranor, L. F., Byers, S., and Kormann, D. 2003. An analysis of P3P deployment on commercial, government, and children's Web sites as of May 2003. Federal Trade Commission Workshop on Technologies for Protecting Personal Information, AT&T Tech. rep.Google ScholarGoogle Scholar
  17. Cranor, L. F., Guduru, P., and Arjula, M. 2006. User interfaces for privacy agents. ACM Trans. Comput-. Hum. Inter. 13, 2, 135--178. Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. Cranor, L. F., Marchiori, M., Presler-Marshall, M., and Reagle, J. M. 2002. The Platform for Privacy Preferences 1.0 Specification. http://www.w3.org/TR/P3P/.Google ScholarGoogle Scholar
  19. Crocker, D. and Overell, P. 1997. Augmented BNF for Syntax Specifications: ABNF. The Internet Society. Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. Earp, J. B., Anton, A. I., Aiman-Smith, L., and Stufflebeam, W. 2005. Examining Internet privacy policies within the context of user privacy values. IEEE Trans. Eng. Manag. 52, 2, 227--237.Google ScholarGoogle ScholarCross RefCross Ref
  21. Egelman, S., Cranor, L., and Chowdhury, A. 2006. An analysis of P3P-enabled Web sites among top-20 search results. In Proceedings of the 8th International Conference on Electronic Commerce. ACM, New York. Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. European Parliament. 1995. Directive 95/46/EC the protection of individuals with regard to the processing of personal data and on the free movement of such data. Union, Official J. L 281.Google ScholarGoogle Scholar
  23. Française, C. R. 2006. Comission Nationale De L'Informatique Et Des Libertes. http://www.cnil.fr/index.php?id=4.Google ScholarGoogle Scholar
  24. Gideon, J., Cranor, L., Egelman, S., and Acquisti, A. 2006. Power strips, prophylactics, and privacy, oh my! In Procceedings of the 2nd Symposium on Usable Privacy and Security. Google ScholarGoogle ScholarDigital LibraryDigital Library
  25. Hasselblad, V. and Hedges, L. V. 1995. Meta-analysis of screening and diagnostic tests. Psych. Bull. 117, 1, 167--178.Google ScholarGoogle ScholarCross RefCross Ref
  26. Hogben, G. 2002. A Technical Analysis Of Problems With P3P V1.0 And Possible Solutions. Joint Research Centre.Google ScholarGoogle Scholar
  27. Hogben, G., Jackson, T., and Wilikens, M. 2002. A fully compliant research implementation of the P3P standard for privacy protection: Experiences and recommendations. In Proceedings of the 7th European Symposium on Research on Computer Security. Lecture Notes in Computer Science vol. 2502, 104--125. Google ScholarGoogle ScholarDigital LibraryDigital Library
  28. Jamal, K., Maier, M., and Sunder, S. 2003. Privacy in e-commerce: Development of reporting standards, disclosure, and assurance services in an unregulated market. J. Account. Res. 41, 2, 285--309.Google ScholarGoogle ScholarCross RefCross Ref
  29. Jutla, D. and Zhang, Y. 2005. Maturing e-privacy with P3P and context agents. In Proceedings of the IEEE International Conference on e-Technology, e-Commerce, and e-Services. IEEE. Google ScholarGoogle ScholarDigital LibraryDigital Library
  30. Karat, C., Brodie, C., and Karat, M. 2003. Views of Privacy: Business Drivers, Strategy and Directions, IBM Research.Google ScholarGoogle Scholar
  31. Lawson, P. and Vicq, J. 2006. On the data trail: How detailed information about you gets into the hands of organizations with whom you have no relationship. The Canadian Internet Policy and Public Interest Clinic.Google ScholarGoogle Scholar
  32. Lipsey, M. W. and Wilson, D. B. 2001. Practical Meta-Analysis. Sage Publications, Thousand Oaks, CA.Google ScholarGoogle Scholar
  33. Markel, M. 2006. Safe Harbor and Privacy Protection: A looming issue for IT Professionals. IEEE Trans. Prof. Comm. 49, 1, 1--11.Google ScholarGoogle ScholarCross RefCross Ref
  34. OECD. 1980. OECD Guidelines on the protection of privacy and transborder flows of personal data. http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html.Google ScholarGoogle Scholar
  35. Rajan, M. T. S. 2002. The Past and Future of Privacy in Russia. Rev. Cent. East Europ. Law 27, 4, 625--638.Google ScholarGoogle ScholarCross RefCross Ref
  36. Reay, I. K., Beatty, P., Miller, J., and Dick, S. 2007. A survey and analysis of the P3P protocol's agents, adoption, maintenance and future. IEEE Trans. Depend. Secure Comput. 4, 2, 151--164. Google ScholarGoogle ScholarDigital LibraryDigital Library
  37. Rice, J. A. 2007. Mathematical Statistics and Data Analysis. Thompson/Brooks/Cole, Belmont, CA.Google ScholarGoogle Scholar
  38. Safe Harbor Program. 2007. http://www.export.gov/safeharbor/doc_safeharbor_index.asp.Google ScholarGoogle Scholar
  39. Seligy, J. L. and Lawson, P. 2006. Compliance with Canadian data protection laws: Are retailers measuring up? The Canadian Internet Policy and Public Interest Clinic.Google ScholarGoogle Scholar
  40. Sheng, S. and Cranor, L. 2006. An evaluation of the effect of US financial privacy legislation through the analysis of privacy policies. I/S: A J. Law Policy Inform. Soc. 2, 3, 943--979.Google ScholarGoogle Scholar
  41. Sheskin, D. J. 2004. Handbook of Parametric and NonParametric Statistical Procedures. Chapman and Hall/CRC, Boca Raton IL. Google ScholarGoogle ScholarDigital LibraryDigital Library
  42. Swedish Data Inspection Board. 1998. The Personal Data Act of Sweden.Google ScholarGoogle Scholar
  43. U.S. Federal Trade Commission. 1996. Health Insurance Portability and Accountability Act.Google ScholarGoogle Scholar
  44. U.S. Federal Trade Commission. 1998. Children's Online Privacy Protection Act.Google ScholarGoogle Scholar
  45. U.S. Federal Trade Commission. 1999. Gramm-Leach-Bliley Act.Google ScholarGoogle Scholar
  46. U.S. Federal Trade Commission. 2004. The Fair Credit Reporting Act.Google ScholarGoogle Scholar
  47. Watt, A. 2005. Beginning Regular Expressions. Wiley Publishing, Inc., New York, NY. Google ScholarGoogle ScholarDigital LibraryDigital Library
  48. Wenning, R. and Cranor L. 2006. The platform for privacy preferences (P3P) project. http://www.w3.org/P3P/.Google ScholarGoogle Scholar

Index Terms

  1. A large-scale empirical study of P3P privacy policies: Stated actions vs. legal obligations

            Recommendations

            Reviews

            Giannakis Antoniou

            Many Internet users are under the impression that the privacy policy of a company-represented by the Platform for Privacy Preferences Project (P3P) protocol-is an accurate and legal statement. This is not always correct. This paper follows a simple methodology to show that there is a gap between the legal jurisdiction and the posted policies, regarding the handling of users' private information. Although the methodology may not be completely accurate-for example, the location of the Web server indicates the location/country of the company's Web site and a P3P document with syntax errors was not taken into account-the outcome of the methodology is very clear. The authors describe well the limitations of P3P as a tool to represent the privacy policy of a company. They also give a very comprehensive description of related legislation in different countries. While extensive work has been done on how to create and manage a P3P privacy policy, there is little work on how to ensure that the privacy policy is actually being followed. This paper helps readers realize that currently, P3P is a marketing tool rather than a tool that protects the privacy of Internet users. Online Computing Reviews Service

            Access critical reviews of Computing literature here

            Become a reviewer for Computing Reviews.

            Comments

            Login options

            Check if you have access through your login credentials or your institution to get full access on this article.

            Sign in

            Full Access

            • Published in

              cover image ACM Transactions on the Web
              ACM Transactions on the Web  Volume 3, Issue 2
              April 2009
              98 pages
              ISSN:1559-1131
              EISSN:1559-114X
              DOI:10.1145/1513876
              Issue’s Table of Contents

              Copyright © 2009 ACM

              Publisher

              Association for Computing Machinery

              New York, NY, United States

              Publication History

              • Published: 30 April 2009
              • Accepted: 1 February 2009
              • Revised: 1 July 2008
              • Received: 1 February 2008
              Published in tweb Volume 3, Issue 2

              Permissions

              Request permissions about this article.

              Request Permissions

              Check for updates

              Qualifiers

              • research-article
              • Research
              • Refereed

            PDF Format

            View or Download as a PDF file.

            PDF

            eReader

            View online with eReader.

            eReader
            About Cookies On This Site

            We use cookies to ensure that we give you the best experience on our website.

            Learn more

            Got it!