Abstract
Numerous studies over the past ten years have shown that concern for personal privacy is a major impediment to the growth of e-commerce. These concerns are so serious that most if not all consumer watchdog groups have called for some form of privacy protection for Internet users. In response, many nations around the world, including all European Union nations, Canada, Japan, and Australia, have enacted national legislation establishing mandatory safeguards for personal privacy. However, recent evidence indicates that Web sites might not be adhering to the requirements of this legislation. The goal of this study is to examine the posted privacy policies of Web sites, and compare these statements to the legal mandates under which the Web sites operate. We harvested all available P3P (Platform for Privacy Preferences Protocol) documents from the 100,000 most popular Web sites (over 3,000 full policies, and another 3,000 compact policies). This allows us to undertake an automated analysis of adherence to legal mandates on Web sites that most impact the average Internet user. Our findings show that Web sites generally do not even claim to follow all the privacy-protection mandates in their legal jurisdiction (we do not examine actual practice, only posted policies). Furthermore, this general statement appears to be true for every jurisdiction with privacy laws and any significant number of P3P policies, including European Union nations, Canada, Australia, and Web sites in the USA Safe Harbor program.
- Adkinson, W. F., Eisenach, J. A., and Lenard, T. M. 2002. Privacy Online: A Report on the Information Practices and Policies of Commercial Web Site. The Progress and Freedom Foundation.Google Scholar
- Agrawal, R., Kiernan, J., Srikant, R., and Xu, Y. 2003. An XPath-based preference language for P3P. In Proceedings of the 12th International Conference on the World Wide Web. ACM Press. Google Scholar
Digital Library
- Anton, A. I., Earp, J. B., Vail, M., Jain, N., Frink, J., and Gheen, C. 2007. An analysis of Web site privacy policy in the presence of HIPPA. IEEE Secur. Priv. 5, 1, 45--52. Google Scholar
Digital Library
- Asia-Pacific Economic Cooperation. 2004. APEC Privacy Framework.Google Scholar
- Australia Office of Legislative Drafting and Publishing. 1988. Privacy Act 119.Google Scholar
- Bellman, S., Johnson, E. J., and Lohse, G. L. 2001. On site: to opt-in or opt-out?: It depends on the question. Comm. ACM 44, 2, 25--27. Google Scholar
Digital Library
- Black, H. 2005. On-line data brokers. http://www.privcom.gc.ca/legislation/let/let_051118_e.asp.Google Scholar
- Bowie, N. E. and Jamal, K. 2006. Privacy rights on the Internet: Self-regulation or government regulation. Bus. Ethics Quar. 16, 3.Google Scholar
Cross Ref
- Byers, S., Cranor, L. F., and Kormann, D. P. 2003. Automated analysis of P3P-enabled Web sites. In Proceedings of the 5th International Conference on Electronic Commerce (ICEC). Google Scholar
Digital Library
- Canadian Public Works and Government Services. 2000. Personal Information Protection and Electronic Documents Act.Google Scholar
- Cohen, J. 1988. Statistical Power Analysis for the Behavioral Sciences 2nd Ed. Lawrence Earlbaum Associates, Hillsdale, NJ.Google Scholar
- Copas, J. and Jackson, D. 2004. A bound for publication bias based on the fraction of unpublished studies. Biometrics 60, 146--153.Google Scholar
Cross Ref
- Cranor, L., Dobbs, B., Egelman, S., Hogben, G., Humphrey, J., Langheinrich, M., Marchiori, M., Presler-Marshall, M., Reagle, J. M., Schunter, M., Stampley, D. A., and Wenning, R. 2006. The Platform for Privacy Preferences 1.1 (P3P1.1) Specification. http://www.w3.org/TR/P3P11/.Google Scholar
- Cranor, L. F., Egelman, S., Sheng, S., McDonald, A.M., and Chowdhury, A. 2008. P3P deployment on websites. Electron. Commerce Resear. Appl. Elsevier Science, Amsterdam. Google Scholar
Digital Library
- Cranor, L., Langheinrich, M., and Marchioni, M. 2002. A P3P Preference Exchange Language 1.0 (APPEL 1.0). http://www.w3.org/TR/P3P-preferences/.Google Scholar
- Cranor, L. F., Byers, S., and Kormann, D. 2003. An analysis of P3P deployment on commercial, government, and children's Web sites as of May 2003. Federal Trade Commission Workshop on Technologies for Protecting Personal Information, AT&T Tech. rep.Google Scholar
- Cranor, L. F., Guduru, P., and Arjula, M. 2006. User interfaces for privacy agents. ACM Trans. Comput-. Hum. Inter. 13, 2, 135--178. Google Scholar
Digital Library
- Cranor, L. F., Marchiori, M., Presler-Marshall, M., and Reagle, J. M. 2002. The Platform for Privacy Preferences 1.0 Specification. http://www.w3.org/TR/P3P/.Google Scholar
- Crocker, D. and Overell, P. 1997. Augmented BNF for Syntax Specifications: ABNF. The Internet Society. Google Scholar
Digital Library
- Earp, J. B., Anton, A. I., Aiman-Smith, L., and Stufflebeam, W. 2005. Examining Internet privacy policies within the context of user privacy values. IEEE Trans. Eng. Manag. 52, 2, 227--237.Google Scholar
Cross Ref
- Egelman, S., Cranor, L., and Chowdhury, A. 2006. An analysis of P3P-enabled Web sites among top-20 search results. In Proceedings of the 8th International Conference on Electronic Commerce. ACM, New York. Google Scholar
Digital Library
- European Parliament. 1995. Directive 95/46/EC the protection of individuals with regard to the processing of personal data and on the free movement of such data. Union, Official J. L 281.Google Scholar
- Française, C. R. 2006. Comission Nationale De L'Informatique Et Des Libertes. http://www.cnil.fr/index.php?id=4.Google Scholar
- Gideon, J., Cranor, L., Egelman, S., and Acquisti, A. 2006. Power strips, prophylactics, and privacy, oh my! In Procceedings of the 2nd Symposium on Usable Privacy and Security. Google Scholar
Digital Library
- Hasselblad, V. and Hedges, L. V. 1995. Meta-analysis of screening and diagnostic tests. Psych. Bull. 117, 1, 167--178.Google Scholar
Cross Ref
- Hogben, G. 2002. A Technical Analysis Of Problems With P3P V1.0 And Possible Solutions. Joint Research Centre.Google Scholar
- Hogben, G., Jackson, T., and Wilikens, M. 2002. A fully compliant research implementation of the P3P standard for privacy protection: Experiences and recommendations. In Proceedings of the 7th European Symposium on Research on Computer Security. Lecture Notes in Computer Science vol. 2502, 104--125. Google Scholar
Digital Library
- Jamal, K., Maier, M., and Sunder, S. 2003. Privacy in e-commerce: Development of reporting standards, disclosure, and assurance services in an unregulated market. J. Account. Res. 41, 2, 285--309.Google Scholar
Cross Ref
- Jutla, D. and Zhang, Y. 2005. Maturing e-privacy with P3P and context agents. In Proceedings of the IEEE International Conference on e-Technology, e-Commerce, and e-Services. IEEE. Google Scholar
Digital Library
- Karat, C., Brodie, C., and Karat, M. 2003. Views of Privacy: Business Drivers, Strategy and Directions, IBM Research.Google Scholar
- Lawson, P. and Vicq, J. 2006. On the data trail: How detailed information about you gets into the hands of organizations with whom you have no relationship. The Canadian Internet Policy and Public Interest Clinic.Google Scholar
- Lipsey, M. W. and Wilson, D. B. 2001. Practical Meta-Analysis. Sage Publications, Thousand Oaks, CA.Google Scholar
- Markel, M. 2006. Safe Harbor and Privacy Protection: A looming issue for IT Professionals. IEEE Trans. Prof. Comm. 49, 1, 1--11.Google Scholar
Cross Ref
- OECD. 1980. OECD Guidelines on the protection of privacy and transborder flows of personal data. http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html.Google Scholar
- Rajan, M. T. S. 2002. The Past and Future of Privacy in Russia. Rev. Cent. East Europ. Law 27, 4, 625--638.Google Scholar
Cross Ref
- Reay, I. K., Beatty, P., Miller, J., and Dick, S. 2007. A survey and analysis of the P3P protocol's agents, adoption, maintenance and future. IEEE Trans. Depend. Secure Comput. 4, 2, 151--164. Google Scholar
Digital Library
- Rice, J. A. 2007. Mathematical Statistics and Data Analysis. Thompson/Brooks/Cole, Belmont, CA.Google Scholar
- Safe Harbor Program. 2007. http://www.export.gov/safeharbor/doc_safeharbor_index.asp.Google Scholar
- Seligy, J. L. and Lawson, P. 2006. Compliance with Canadian data protection laws: Are retailers measuring up? The Canadian Internet Policy and Public Interest Clinic.Google Scholar
- Sheng, S. and Cranor, L. 2006. An evaluation of the effect of US financial privacy legislation through the analysis of privacy policies. I/S: A J. Law Policy Inform. Soc. 2, 3, 943--979.Google Scholar
- Sheskin, D. J. 2004. Handbook of Parametric and NonParametric Statistical Procedures. Chapman and Hall/CRC, Boca Raton IL. Google Scholar
Digital Library
- Swedish Data Inspection Board. 1998. The Personal Data Act of Sweden.Google Scholar
- U.S. Federal Trade Commission. 1996. Health Insurance Portability and Accountability Act.Google Scholar
- U.S. Federal Trade Commission. 1998. Children's Online Privacy Protection Act.Google Scholar
- U.S. Federal Trade Commission. 1999. Gramm-Leach-Bliley Act.Google Scholar
- U.S. Federal Trade Commission. 2004. The Fair Credit Reporting Act.Google Scholar
- Watt, A. 2005. Beginning Regular Expressions. Wiley Publishing, Inc., New York, NY. Google Scholar
Digital Library
- Wenning, R. and Cranor L. 2006. The platform for privacy preferences (P3P) project. http://www.w3.org/P3P/.Google Scholar
Index Terms
A large-scale empirical study of P3P privacy policies: Stated actions vs. legal obligations
Recommendations
Can P3P help to protect privacy worldwide?
MULTIMEDIA '00: Proceedings of the 2000 ACM workshops on MultimediaPrivacy is a basic cultural requirement, often regulated by national law, but not everywhere in the same way. Privacy protection must be effective across national borders. Technical tools and procedures can help to enforce and propagate privacy ...
Capturing P3P semantics using an enforceable lattice-based structure
PAIS '11: Proceedings of the 4th International Workshop on Privacy and Anonymity in the Information SocietyWith the increasing amount of data collected by service providers, privacy concerns increase for data owners who must provide private data to receive services. Legislative acts require service providers to protect the privacy of customers. Privacy ...
A Comparative Study of Privacy Mechanisms and a Novel Privacy Mechanism [Short Paper]
Information and Communications SecurityAbstractPrivacy of PII(Personally Identifiable Information) on the Internet is a major concern of a netizen. On the Internet different service providers are supposed to publish their own privacy policies but understanding of these policies is a major ...








Comments