Layering privacy on operating systems, social networks, and other platforms by design
- Cite this article as:
- Jutla, D.N. IDIS (2010) 3: 319. doi:10.1007/s12394-010-0057-8
Pervasive, easy-to-use privacy services are keys to enabling users to maintain control of their private data in the online environment. This paper proposes (1) an online privacy lifecycle from the user perspective that drives and categorizes the development of these services, (2) a layered platform design solution for online privacy, (3) the evolution of the PeCAN (Personal Context Agent Networking) architecture to a platform for pervasively providing multiple contexts for user privacy preferences and online informational privacy services, and (4) use of platform network effects for increasing wide-scale user adoption of privacy services. One implication of this paper’s concepts is that platform-mediated networks, which are reportedly the vehicles for most of the revenue earned by 60 of the world’s largest companies, and other platforms that commonly host millions of users, will not have to individually reinvent and manage sophisticated user services for privacy protection since universal privacy platforms can be layered on them in future.
Keywords: Online privacy platform; P3P; PeCAN platform; Social networking; User adoption of technologies; Web privacy services; Identity protection
Privacy advocates are working with modern and innovative environments in which operations take place that are beyond the citizen’s control, and/or do not yet fall within the realms of governance. One such environment is the global Internet, where experimentation with business models is rampant, the combinations of multi-cultural approaches and infrastructure readiness is uneven on a per-country basis, and users are mass-adopting new and disruptive technologies in the shortest cycle times ever witnessed in world history. To add to this dynamic picture of progress are uncertain economics, as at the end of the first decade of the twenty-first century, major and minor economies are in recession, or declaring the end of it with predictions of sluggish growth for coming years. However, interestingly, even in these times, firms on the Internet, particularly social networking platforms, have experienced huge user growth. Countries, rich and poor, have significant percentages of young people online.
In October 2009, the social networking platform Facebook™ had over 300 million active users, and one million developers and entrepreneurs from over 180 countries (Facebook Statistics 2009). Its fastest growing demographic segment was approximately 35+ years old, whereas in September 2008, Facebook claimed 200 million active users and its fastest growing demographic was the 25+ age group.
In 2010, Facebook supports over 400 million active users. Moreover, seventy percent of Facebook users are outside of the US. Clearly, users greatly value the functionalities offered by such vehicles of worldwide, culture-crossing social innovation. Online social networks (OSNs) are now in a position to create and sustain new and old social norms for generations of users. The balance between personal branding and privacy is being tested and socialized.
In the OSN environment, one question that arises is whether users care about privacy and its long-held status as a social norm. OSNs’ experiences with user outrage and legal action over previous launches of privacy-invasive services indicate that the answer is affirmative. One such experience was recorded when Facebook launched its News Feed service from the Facebook Home Page in September 2006. Initially the service was opt-out and it automatically displayed all rich social information regarding recent activities of friends to other friends. Hostile user reaction emerged to having user information and interactions monitored and pushed to friends. Users formed groups, such as Students against Facebook, to speak out about the service’s privacy problem. Facebook immediately responded to its users’ outcry, and added privacy controls to allow users to decide what information they would allow to be pushed to others. Facebook’s CEO also publicly apologized for his company’s mistakes concerning privacy in the OSN.
Surprisingly, given recent company experience with user privacy, but not so surprising from a profit or business experiment perspective, one year later Facebook launched a privacy-infringing service called Beacon. Coupled with Facebook Ads, the Beacon service widened the scope to communicating user data from external parties, namely ad sponsors (i.e. companies) to the user’s friends. In effect, information regarding products that a user purchased, or commented on, from a partnering company’s site would be pushed to the user’s Facebook friends without explicit user permission. Additionally, many users were not informed about the program beforehand. This privacy violation was larger than the last and users escalated their outrage to a class action suit that was settled in Sept 2009, the same month that Facebook reported being cash flow positive for the first time. As part of the legal settlement, Facebook agreed to shut off its Beacon service and pay USD 9.5 Million to fund a privacy and online safety foundation. Again, the CEO of Facebook publicly apologized, the issue subsided, and the OSN continued to grow rapidly. By now the 6-year old OSN was exhibiting a strategy of launching for profit services that shared users’ data with many parties, and when or if users objected about the company’s handling of their private data, the company reacted by making amends and seeking forgiveness from its users.
Meanwhile in 2008, on the international scene, the Canadian Privacy Commissioner, Jennifer Stoddart, launched a yearlong investigation into Facebook’s privacy practices, after a number of University of Ottawa law students and the Canadian Internet Policy and Public Interest Clinic filed a complaint about Facebook’s privacy practices and potential violations. Her investigation’s 2009 conclusions cited that Facebook needed to improve its privacy practices by improving its explanations around user privacy, restricting unnecessary access to user information by application developers, and not retaining a user’s personal information after her/his account is deleted. Again, Facebook cooperated with the Privacy Commissioner’s Office to address its concerns. However, in 2010, the Commissioner started a further investigation into Facebook’s new privacy policies, after a Canadian user filed a complaint alleging that Facebook’s December 2009 default settings made his information more available to others.
Understandably, unsuspecting users do not immediately think of privacy issues when they join an OSN to network with friends and acquaintances. However when users notice infringement on their personal space, privacy is clearly important to them. Also apparent is the tension between user privacy and the OSNs business model. Again using Facebook as a good example, we see the bold 2008 launch of Facebook Connect. This time Facebook could give rich user data, including but not limited to profile information, social graph information such as Facebook IDs of all friends and spouse, number of wall posts and notes, photographs, tags etc., to companies that participated in Facebook Connect. One key difference in this service’s launch was that Facebook gave privacy settings to allow users to control what information, if any, is provided to the companies. Due to such organizational learning, Facebook is currently a leader in the OSN space not only for its functional value but also for the privacy controls provided to users.
As of March 2010, 80,000 web sites were participants and formed a chargeable customer group within Facebook Connect. In turn, Facebook users enjoyed the easy functionality of single sign-on using their Facebook authentication credentials to log into other web sites, the transfer of their own and friends’ information from the sites back to Facebook, and the easy viewing of their friends’ related information from their interactions with the external company sites. With Facebook Connect, the OSN is moving to a single portal from which users will conduct everyday tasks such as bank, register for courses, pay bills, and buy goods.
Given the rich personal data exchange, a current issue that worries privacy advocates is whether users are actively setting their privacy preferences on OSNs. Ethical business practices would guide OSNs into caring about user education in the privacy space. Due to the aggressive user growth rate, the importance of branding and reputation, and previous brushes with users’ outrage over privacy infringement, platform sponsors and providers of OSNs should be receptive to their users, privacy associations, privacy commissioners, and governments’ advocacy, and be willing to pay close attention to their users’ needs around the handling of their private data. Moreover, on the flipside, these social networking platforms present an inexpensive and effective opportunity for national privacy advocates to reach out to hundreds of millions of their citizens to increase users’ awareness and education around privacy. Such user education, at a minimum, influences how users share, protect, and hence control their private information, and informs users how to avert or detect poor handling of private data, and how to avert and/or resolve private data handling disputes in future.
This paper presents a novel proposal to suggest that privacy platforms for awareness and education, and aggregation of privacy technologies for users to protect their privacy, detect privacy violations, and resolve privacy disputes are the way to go in the future. This proposal is a large step forward in comparison to the loose bunch of point technologies that are available now. For privacy platforms to be workable, they need to be sandwiched between other platforms such as operating systems, mobile devices, and social networking platforms. In effect, this paper’s proposal and design that layers privacy platforms onto operating system and social networking platforms may realize the opportunity to mature the services for the user privacy lifecycle universally across platforms and hence help billions of citizens to become more privacy-aware and in control.
The user’s online privacy life cycle
Table: OECD classification of privacy technologies (privacy technology category: example technologies)
- Personal Privacy Enhancing: cookie managers or blockers, ad blockers, encryption software
- (category label not recovered): anonymizers, P3P, E-P3P, EPAL
Table: Olivier’s (2003) classification of privacy technologies (example technologies per privacy technology category; category labels not recovered)
- Cookie managers or blockers, encryption software
- Ad blockers, P3P, infomediaries, proxies
- E-P3P, EPAL, Hippocratic databases
- Privacy-preserving data mining
This paper proposes a higher-level classification system, according to user behaviour within a privacy lifecycle. This lifecycle system is multiple-level (Jutla et al. 2010) where each phase of the lifecycle presents itself for further sub-classification. However, due to space limitations, this paper describes only the top-level of the privacy lifecycle classification.
The user:
- (1) Becomes Aware of privacy issues and rights,
- (2) Acts to protect her/his privacy; note that Olivier’s classification is a possible sub-classification for the Act phase of this Privacy Life Cycle Classification system,
- (3) Detects privacy violations or potential privacy violations, and
- (4) Resolves privacy conflicts.
- (5) The lengths of time a user spends in each phase differ and the phases are cyclical, meaning that the user will re-enter them over time. These phases are illustrated in Fig. 1.
Table: Life cycle-based classification of privacy technologies (categories = phases of the privacy life cycle)
- Aware: P3P, PeCAN, web site resources
- Act: refrain from releasing selected private data (P3P, PeCAN), cookie managers, blockers, anonymizers, pseudonymizers, encryption software, firewalls, proxies, privacy-preserving data mining
- Detect: online access to personal data, de-anonymizing (linking) software
- Resolve: example web sites: http://www.ipc.on.ca/english/Decisions-and-Resolutions/Decisions-and-Resolutions-Summary/?id=8303, http://www.priv.gc.ca/cf-dc/index_e.cfm, http://www.privacyinternational.org/index.shtml, http://www.privacy.org.nz/court-cases/, http://www.cnil.fr/english/news-and-events/the-swift-case/
A privacy life cycle from the user perspective, to the best of my knowledge, has not been proposed before. In the literature, one finds privacy life cycles from the organizational perspective (Mont 2006; Guarda and Zannone 2009; Anton et al. 2004). These privacy life cycles for organizations focus on creating, maintaining, implementing and disposing of privacy policies, and monitoring employee and systems compliance to them. In common to both the user and organizational privacy life cycles are the information-providing and information-based services and the requirement to model personal data and support appropriate representations of user preferences. I further propose that the same phases of the privacy lifecycle provided from the user perspective can be used to classify the activities of the privacy life cycle from the organizational perspective. Details of the privacy life cycle from the organizational perspective are given in Jutla et al. 2010.
PrimeLife (2008) is a large European Initiative intending to create privacy technologies for the online arena. Areas of application include electronic commerce and social networks. Camenisch (2008), PrimeLife technical leader at IBM’s Zurich Research Lab, states “We aim to develop a toolbox, which you could describe as an integrated electronic ‘data manager.’ The data manager provides users with an overview of which personal data he or she uses when, where, and how. It lets users define default privacy settings and preferences for all kinds of applications, and it prompts the user if applications request data for any other purposes.” Allowing users to define privacy settings and preferences for all kinds of applications implies that context mechanisms, similar to the concepts introduced in Bodorik and Jutla 2003, Jutla and Zhang (2005), Jutla and Bodorik (2005), and Jutla et al. (2006) for electronic commerce, will be supported. PrimeLife is a well-funded European project and its deliverables are expected to revolutionize available privacy technologies in the marketplace.
The PrimeLife initiative, as per a recent update on its application to social software (Kuczerawy et al. 2008), has not yet identified a platform solution for privacy as proposed in this paper. Rather Pekárek and Pötzsch (2009) examine privacy in social networks and provide use cases to specify privacy requirements for social network users. In Pekárek and Leenes’s (2009) interesting position paper, researchers miss the fact that users can greatly influence the policies and practices of a social networking site. Further, the researchers have not identified that the strength of the business model of social networking sites depends on strong cross-side network effects wherein citizens comprise one side. User outrage will necessarily be avoided by the executive owners of these sites, and social networks will visibly try to accommodate user privacy needs once the users become aware and voice them.
PeCAN comparison services:
- Six unique 2-way comparison services for user preferences, business policies, and government regulations
- Ten complex privacy services:
  - 3-way comparisons (1 or more governments, 1 or more organizations, and 1 or more users)
  - Multiple Orgs (2 or more) and 1 User
  - Multiple Governments (2 or more) and 1 User
  - Multiple Users (2 or more) and 1 Government
  - Multiple Orgs (2 or more) and 1 Government
  - Multiple Governments (2 or more) and 1 Org
  - Multiple Users (2 or more) and 1 Org
  - Multiple Governments (2 or more)
  - Multiple Organizations (2 or more)
  - Multiple Users (2 or more)
The aware phase
PeCAN and P3P share a common privacy model based on an educational focus and information-providing approaches to enhancing user control over personally identifiable information. I present the argument that good mechanisms to provide user control, such as P3P, PeCAN and HCI-related privacy mechanisms, implicitly have an educational aspect to them. Indeed, electronic privacy research in the information systems, human-computer interaction, and computer science areas (Jajodia 1996; Kobsa 2002; Patrick and Kenny 2002), and various implementations (e.g. AT&T’s Bird, Microsoft’s IE6) encourage organizations to provide explanations to their customers of why and for what purposes data is being collected and with whom the collected data can be shared. The rationale is that comprehension on the users’ part will prevent misunderstandings, increase the perception of user control, and hence increase trust in e-commerce.
P3P is foundational in that it provides a valuable XML vocabulary for privacy on which many information-providing services can be built. PeCAN expands P3P in two important ways (1) by allowing users to customize their privacy preferences according to contexts, and (2) providing sophisticated information-providing services that intend to help users avoid giving out information that can be used by others to harm their privacy.
While the Platform for Privacy Preferences (Cranor 2003; Cranor et al. 2002a, b, 2006) is the most mature online platform for making the user aware of what organizations’ privacy policies state, its development may be complemented by other privacy platforms that are also information-and service providing. These complementary platforms may provide further sophisticated services to prevent the user from releasing private information, according to his/her privacy preferences, to an organization. This paper evolves the PeCAN (Personal Context Agent Networking) architecture into a platform and layers it onto the P3P platform, thereby illustrating how privacy services can develop and evolve in a platform environment. Moreover, a later section in this paper shows how the platform concept is a key vehicle for widespread user adoption of privacy web services.
Users’ privacy requirements last a lifetime and beyond. Education is a first-phase preventative approach to privacy management. This first phase maps to the Aware phase of the user’s online privacy life cycle illustrated in Fig. 1. The other phases are the Act, Detect, and Resolve phases. Each of these four phases is explained and illustrated in “The user’s online privacy life cycle”.
The act phase
User actions that emerge out of an increased privacy-awareness phase involve preventing privacy violations through limiting and/or avoiding release of private data to organizations, and questioning and/or negotiating with service providers about their intentions regarding the management and use of the data before releasing it to organizations. These actions are win-win to users and business as empirical research results (Jutla et al. 2004b) show that adoption of user intervention (uIV) tools such as P3P-based agents, encryption, cookie cutters, pseudonymizers, and anonymizers increase user trust in e-business.
Using the PeCAN and P3P platforms, users can also actively choose not to reveal their personal data to requesting organizations and thus these platforms service the Act phase where users take action to protect their privacy through non-disclosure. However, non-disclosure is not always possible, and so other popular privacy technologies and tools have emerged for users to take further explicit action to protect their privacy. These include the encryption-based approaches found in the FaceCloak (Luo et al. 2009) and NOYB (Guha et al. 2008) services, the PGP encryption platform (PGP 2009), and GnuPG tools. Various forms of encryption have been used to address authentication, access control, data confidentiality, data integrity, and non-repudiation needs on secure networks for decades (Denning 1982; Jajodia 1996; You et al. 1998). Many users have sought encryption services when, for example, they look for the shttp or https prefixes in web URLs, or the lock symbol on web pages. Users employ encryption approaches at a later phase when they choose to take pragmatic action to secure their private data after becoming aware or educated about privacy risks and solutions.
In some popular online social networks, increasing the extent of encryption-based approaches may have the disadvantage of changing some degree of functionality of the social networks. The usability of the encryption techniques has been a complicating issue (Whitten and Tygar 1999). However, software developers are aware of the usability issues and hence encryption implementations are becoming friendlier and easier to use, as apparent in Google’s Gmail support for SSL encryption.
Further, users can act to protect their privacy by employing anonymization technologies to prevent websites from collecting their identities by hiding or blocking identifying information such as cookies and IP addresses (Bayardo and Srikant 2003; Senicar et al. 2003; Goldberg et al. 1997). Other mature technical appliances for security and privacy that users actively employ are proxies and firewalls. Such tools are popularly described in the business literature (e.g. Panko 2008).
A popular means for a user to take control over maintaining her/his privacy is through applying the privacy settings available on browsers and some web sites. Social networking websites, in particular, are trying to address their users’ privacy needs by providing settings to allow users to restrict certain categories of their private data from being displayed.
More emergent technologies are the location-based privacy protocols implemented in privacy services for mobile social networks, such as Buddy Beacon, Loopt, and Whrrl, and also being prototyped (Zhong et al. 2007) in research labs. Moreover, attempts at identity theft can be prevented by users actively using web anti-spoofing tools. Web spoofing, also known as “phishing” or “carding”, is a form of internet crime for identity theft (Chou et al. 2004). In Chou et al. (2004), a browser plug-in called SpoofGuard that protects users is described. SpoofGuard detects spoofing by analyzing email to find suspicious links, and alerts the user.
The phases outlined here and the technologies discussed are from the user perspective and hence can be under the user control. Users benefit also from the organizational perspective when organizations similarly act and employ technologies to protect customer, employee, and partner privacy.
The detect phase
In the Detect phase, users may find out that their data has been mishandled in some way. For example, their information is aggregated in a manner that makes some private data visible and accessible to a larger audience than they initially intended. The violations can range from minor to severe. Users may detect privacy violations using many means including through simple online access of what data the organizations are holding and for what purposes the data were used. If these purposes, for instance, do not match what the user agreed to when her/his data was collected, then violations can be flagged.
Organizations and governments seek to preserve individuals’ privacy while releasing information or profiling users to provide optimized services. A common approach is to de-identify data to be released by removing the identifiers. However, de-identified information can be recovered from existing information, i.e. the remaining data fields available about the user. This can lead to a type of inadvertent privacy violation known as a linkage attack where “attackers use innocuous data in one data set to identify a record in a second data set with both innocuous and sensitive data.”(Greengard 2008)
Narayanan and Shmatikov (2009) created a re-identification algorithm that can be used to detect how private information is available online. Their algorithm re-identified users in the anonymized social network graphs available in social networking platforms by connecting the dots among user information provided on multiple platforms. The researchers showed how a third of the users who can be verified to have accounts on both Twitter and Flickr were re-identified in the anonymous Twitter graph with a 12% error rate. Narayanan and Shmatikov (2009) also developed a re-identification algorithm that they applied to the Netflix Prize dataset, which contains anonymous movie ratings of 500,000 subscribers of Netflix, the world’s largest online movie rental service. Using “the Internet Movie Database as the source of background knowledge, we successfully identified the Netflix records of known users, uncovering their apparent political preferences and other potentially sensitive information.” (Narayanan and Shmatikov 2009) Note that identity-linking is not limited to social networks but can be done among pseudonyms or identifiers used to log in, at the network and application levels, on different systems, or among email addresses, and so on.
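The linkage attack described above, turned into a pre-release check as an added example (not code from the paper or from Narayanan and Shmatikov): both the de-identified release and the “public profile” records are constructed, and the check reports which release records are uniquely joinable to exactly one public profile on the remaining quasi-identifier fields, which is the signal a user or an organization would want to detect before such data is published.

```python
# Added example: detect linkage risk in a de-identified release.
# All records below are constructed for illustration.
from collections import Counter

# Fields that survive de-identification but also appear in public profiles
# (the "innocuous data" that a linkage attack joins on).
QUASI_IDS = ("zip", "birth_year", "sex")

# Constructed de-identified release: names removed, a sensitive field kept.
RELEASE = [
    {"zip": "02138", "birth_year": 1965, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "birth_year": 1965, "sex": "F", "diagnosis": "flu"},
    {"zip": "02139", "birth_year": 1970, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02140", "birth_year": 1982, "sex": "M", "diagnosis": "none"},
]

# Constructed public data, e.g. what a social-network profile exposes.
PUBLIC_PROFILES = [
    {"name": "Alice Example", "zip": "02138", "birth_year": 1965, "sex": "F"},
    {"name": "Bob Example", "zip": "02139", "birth_year": 1970, "sex": "M"},
    {"name": "Carol Example", "zip": "02139", "birth_year": 1970, "sex": "F"},
]


def quasi_key(record):
    """The tuple of quasi-identifier values a linkage would join on."""
    return tuple(record[f] for f in QUASI_IDS)


def linkage_report(release, public):
    """Return the release records that are re-identifiable: their
    quasi-identifier combination is unique within the release AND matches
    exactly one public profile, so the sensitive field is attributable
    to a named person."""
    release_counts = Counter(quasi_key(r) for r in release)
    public_index = {}
    for p in public:
        public_index.setdefault(quasi_key(p), []).append(p["name"])
    linkable = []
    for r in release:
        key = quasi_key(r)
        names = public_index.get(key, [])
        if release_counts[key] == 1 and len(names) == 1:
            linkable.append({"quasi_ids": key, "linked_to": names[0],
                             "diagnosis": r["diagnosis"]})
    return linkable


def release_is_safe(release, public):
    """True when no record can be uniquely linked to a public profile."""
    return not linkage_report(release, public)


if __name__ == "__main__":
    for hit in linkage_report(RELEASE, PUBLIC_PROFILES):
        print("linkable:", hit)
    print("release safe:", release_is_safe(RELEASE, PUBLIC_PROFILES))
```

Records whose quasi-identifier combination is shared by several release rows (the two 02138/1965/F rows) are not flagged, because the join cannot single out either of them.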
It is possible that identity-linking can be the basis of a future user service as a user may find it useful to know what can be derived about him/her from the information posted on the web already. PeCAN also hosts a service for inference control (An et al. 2009) which prevents the user from releasing further information that would enable her/his privacy-sensitive contexts from being derived from those already released to ubiquitous software-enabled environments. In a sense PeCAN’s inference control service does detection as it must first automatically detect a potential privacy violation and then alert the user to prevent it. It is a service that spans the Act and Detect phases.
Indeed, the services that provide users with reasonable control over their private information are information-based or information-providing. Similarly, the software services in firms that enforce the protection of customers and employee privacy are information-based or information-providing. Note that we can make a further distinction between information-based versus information-providing models. Encryption, anonymization, and anti-spoofing use information-based models in that they manipulate, perturb, or block information in some way and thus belong to one class, whereas technologies such as P3P, PeCAN, and re-identification are based on information-providing models.
The resolve phase
In the Resolve phase, users are provided with several options depending on their jurisdiction and its privacy governance models. In the US, recourse is through discussion, and if high-conflict, through user-actioned lawsuits. In countries with Privacy Commissioners, the user can complain to the Commissioner and any investigative and legal costs are borne by the government. Indeed, Bennett (1992) proposes five models that describe the privacy governance models in use by most countries’ governments, according to who bears primary responsibility for protecting privacy interests: voluntary control (e.g. US), subject control (e.g. US), data commissioner model (e.g. Canada), registration (e.g. UK), and licensing (e.g. Norway). The bearer(s) of the primary responsibility are either one or a combination of data gatherer, data subject, and government. In voluntary control and subject control, the organizations and citizens self-regulate on privacy issues. The data commissioner model uses a privacy ombudsman to help protect citizens’ privacy, whereas the registration and licensing models mean the data gatherers must first register with the government the data stores or databases that contain private data. Under the registration model, the government can deregister a store as a penalty if citizens complain about privacy infractions. In the licensing model, government employees are tasked to do inspections for compliance. Thus the privacy governance model also determines how active an oversight agency is in the Detect phase as well.
Many countries have web portals, blogs, and wikis to provide information leading to resolutions. The Canadian Federal Privacy Commissioner’s web site has a serial listing of hundreds of privacy resolutions (Canada Federal Privacy Commissioner 2010). The Information and Privacy Commissioner of Ontario maintains a web site that includes indexed lookup of hundreds of summaries and resolutions (Ontario Information and Privacy Commissioner 2010). The online services for the Resolve phase are information-providing vs. transactional at this point.
Layering privacy platforms
Potentially there can be a privacy platform for each phase of the privacy life cycle, or one privacy platform can be created to host technologies to address all phases. It is more likely, in the beginning, with the fragmented efforts of privacy advocates, researchers, developers, and policymakers all around the world, that several platforms will emerge, and that the technologies to support the different user phases will map to these platforms. Indeed, this fragmentation of privacy platforms is the phenomenon we are witnessing today.
A useful platform (e.g. Windows, Akamai) provides a subset of services and rules employed by users in most of their transactions. Further, successful platforms are characterized by their usability, convenience, and pervasiveness. Business researchers define the platform-mediated network (hereafter referred to as a platform) as providing “a subset of components and rules employed by users in most of their transactions.” (Eisenmann et al. 2006) Examples of components are hardware, software, and services. Rules are the technical standards, protocols for information exchange, policies, and contracts that govern transactions (Baldwin and Clark 2000).
There are one-sided and many-sided platforms. In a one-sided platform, users are all part of a homogeneous user base, whereas a many-sided platform supports different and non-overlapping groups or networks of users or customers. For example, in 2-sided networks (Rochet and Tirole 2003; Parker and Van Alstyne 2005), users are permanent members of one distinct group, a “side,” which transacts with a second side. Examples of popular many-sided e-business platforms are Alibaba, Amazon, Baidu, eBay, Clipvn, SalesForce.com, Visa, Monster, Xbox, and YouTube, while examples of many-sided online social networking platforms are Facebook, Flickr, Orkut, QQ, Ning, MySpace, and Twitter.
A platform’s value to a user depends on the number of other network users, and is subject to network effects (Katz and Shapiro 1985; Economides 1996). Network effects represent users’ willingness to participate in a platform, expressed as their willingness-to-pay to associate with it, in the presence of an increasing or decreasing number of participants in the networks mediated by the platform. Social networking sites enjoy strong same-side and cross-side network effects. When many friends of a user join Facebook on the same side, for example, the more valuable the platform becomes to the user as he/she can communicate conveniently with a larger number of friends through a common medium. The more users that join Facebook, the more application developers (a second Facebook customer group) and advertisers (a third Facebook customer group) will join on the cross-side. Users value the variety offered by the larger application development group and hence the platform becomes more valuable to the users. The latter phenomenon is a cross-side effect in the direction from the application group to the user. Details of the high-level layered platform design will be elaborated in “Layering platforms—P3P, PeCAN, operating systems, social networks, and others”.
Layering platforms—P3P, PeCAN, operating systems, social networks, and others
This section provides an illustration of the design presented in “Layering privacy platforms”. It details the layering and synergies of two privacy platforms for the Aware phase of the Privacy Life Cycle. The privacy platform design is then illustrated where the combined services of the two privacy platforms are sandwiched in between the operating systems on user devices, such as the iPhone, and social networks or other high-level platforms.
Platform for privacy preferences—P3P (1997–2007)
AT&T provides a free P3P agent called Privacy Bird as a user add-on to the IE6 browser. Bird checks for P3P policies for all content on a page visited by the user, compares them to the user’s privacy preferences, and reports on the match using a traffic-light metaphor (green, yellow, red) and a synopsis of alerts, such as a pop-up with the text “this site can sell any medical data collected to third parties.” In 2003, 30 percent of the top 100 Web sites were P3P enabled (Byers et al. 2003). In addition, a number of easy-to-use tools are available for Web-masters to post privacy policies in P3P format. Microsoft Internet Explorer 6 (IE6) and the Netscape Navigator 7 Web browser provide basic P3P functionality. A 2002 study of mainly over-50-year-old users reports that the Privacy Bird is a useful agent. These user privacy agents simplify the task of examining the privacy policies posted by the websites and determining whether they are acceptable to the users/clients—a task that is cumbersome and disliked by users according to Lorrie Cranor, a leading privacy researcher and P3P author.
The lack of online privacy education for users in general, and hence a lack of user readiness to demand that companies carefully and ethically handle their private data in future,
A lack of user awareness that such a platform was available, and
The under-funding of research and development and marketing efforts to maintain and market the platform.
That future is still not here as the average online user is naïve, currently to the point of ignorance, regarding online privacy issues and how apparently “cool” or convenient platform services can violate her/his privacy. A more recent study (Cranor et al. 2008) shows that “P3P had been deployed on 10% of the sites returned in the top-20 results of typical searches, and on 21% of the sites returned in the top-20 results of e-commerce”. However, we put ourselves in a good strategic and technical position to help address deficiencies and avert crises when privacy technology research is proactive and anticipative rather than reactive.
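To make the P3P matching step concrete, the following is an added example (not code from the paper, from Privacy Bird, or from any P3P implementation) of the traffic-light comparison described above. It parses a constructed P3P 1.0 policy (real element names from the P3P vocabulary, sample values), reduces each STATEMENT to its purposes, recipients, retention and data categories, and checks them against constructed per-category user rules: a “red” rule blocks, a “yellow” rule warns. The base-schema category table and the preference rule format are assumptions for this example, not part of the specification.

```python
"""Traffic-light matching of a P3P policy against user preferences (added example)."""
import xml.etree.ElementTree as ET

P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed policy: real P3P 1.0 element names, sample values.
SAMPLE_POLICY = """<POLICY xmlns="http://www.w3.org/2002/01/P3Pv1" name="sample">
  <STATEMENT>
    <PURPOSE><current/><admin/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP>
      <DATA ref="#user.name"/>
      <DATA ref="#user.home-info.postal"/>
    </DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><telemarketing/></PURPOSE>
    <RECIPIENT><unrelated/></RECIPIENT>
    <RETENTION><indefinitely/></RETENTION>
    <DATA-GROUP>
      <DATA ref="#dynamic.miscdata"><CATEGORIES><health/></CATEGORIES></DATA>
    </DATA-GROUP>
  </STATEMENT>
</POLICY>"""

# Second constructed policy: physical data used to contact the user, nothing shared.
CONTACT_POLICY = """<POLICY xmlns="http://www.w3.org/2002/01/P3Pv1" name="contact">
  <STATEMENT>
    <PURPOSE><current/><contact/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP><DATA ref="#user.home-info.telecom.telephone"/></DATA-GROUP>
  </STATEMENT>
</POLICY>"""

# Category of base-schema data elements that carry no explicit CATEGORIES
# (a small subset of the P3P base data schema, assumed for this example).
BASE_SCHEMA_CATEGORY = {
    "#user.name": "physical",
    "#user.home-info.postal": "physical",
    "#user.home-info.telecom.telephone": "physical",
}

# Constructed user preferences: each rule names a data category and the
# purposes / recipients / retention the user objects to. "red" blocks, "yellow" warns.
USER_PREFERENCES = {
    "red": [
        {"category": "health", "recipient": {"unrelated", "public"}},
        {"category": "financial", "purpose": {"telemarketing"}},
    ],
    "yellow": [
        {"category": "physical", "purpose": {"telemarketing", "contact"}},
        {"category": "physical", "retention": {"indefinitely"}},
    ],
}


def _names(parent, tag):
    """Local names of the children of parent/<tag>, or an empty set if absent."""
    node = parent.find(P3P_NS + tag)
    if node is None:
        return set()
    return {child.tag.replace(P3P_NS, "") for child in node}


def parse_statements(policy_xml):
    """Reduce each STATEMENT to its purposes, recipients, retention and data categories."""
    statements = []
    for st in ET.fromstring(policy_xml).iter(P3P_NS + "STATEMENT"):
        categories = set()
        for data in st.iter(P3P_NS + "DATA"):
            explicit = _names(data, "CATEGORIES")
            categories |= explicit or {BASE_SCHEMA_CATEGORY.get(data.get("ref"), "other-category")}
        statements.append({
            "purpose": _names(st, "PURPOSE"),
            "recipient": _names(st, "RECIPIENT"),
            "retention": _names(st, "RETENTION"),
            "categories": categories,
        })
    return statements


def evaluate(policy_xml, prefs):
    """Return (light, alerts): 'red', 'yellow' or 'green', plus readable alert texts."""
    alerts = {"red": [], "yellow": []}
    for st in parse_statements(policy_xml):
        for level in ("red", "yellow"):
            for rule in prefs[level]:
                if rule["category"] not in st["categories"]:
                    continue
                for attr in ("purpose", "recipient", "retention"):
                    overlap = st[attr] & rule.get(attr, set())
                    if overlap:
                        alerts[level].append(
                            f"{rule['category']} data: {attr} includes {sorted(overlap)}")
    if alerts["red"]:
        return "red", alerts["red"] + alerts["yellow"]
    if alerts["yellow"]:
        return "yellow", alerts["yellow"]
    return "green", []


if __name__ == "__main__":
    for name, policy in (("sample", SAMPLE_POLICY), ("contact", CONTACT_POLICY)):
        print(name, *evaluate(policy, USER_PREFERENCES))
```

The first policy turns red because its second STATEMENT hands health-category data to unrelated recipients; the second turns yellow because physical data is used for a contact purpose the user wants to be warned about. A complete agent would also honour the data-category assignments of the full P3P base schema and the optional-data and extension elements that this example leaves out.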
The PeCAN platform (2002–present)
PeCAN’s platform vision is to provide common privacy services to other online platforms and e-businesses. PeCAN’s common service provides customized privacy preferences according to user context (space, time, country, organization, role of person, role of other interacting persons). In contrast, P3P provides one set of privacy preferences for all contexts. In addition, PeCAN supports multiple privacy services. Examples are services to maintain privacy-contexts and user-control mechanisms, sixteen enumerated services consisting of comparisons of government privacy regulations, business privacy policies, and user data handling preferences, and composite web services to maintain control over Personally Identifiable Information (PII) according to users’ privacy and socio-economic concerns.
Software and services components of the PeCAN platform
➢A user wants to know whether her/his privacy preferences match the privacy practices of each of the organization’s third party business partners.
➢A user wants to know whether privacy laws and authorities exist in Canada to enforce the intentions stated within the privacy policies on the businesses’ web sites.
➢The user does not want to do business with a company that has CheatersInc or UnGreenCompany as a third party business partner because he/she considers these as unethical or environmentally unfriendly.
➢The user does not want to have her/his information shared with a third party business partner that is in a country with poor privacy laws.
➢The user does not want to deal with a company that shares customer data with a third party partner originating from a country with human rights abuses.
The PeCAN software agent architecture was presented in Jutla et al. (2006). It consists of a multi-agent system interacting with entities on behalf of the user. The platform prototype is developed in Java and C++ and uses mainstream web services standards, such as XML (Extensible Markup Language), SOAP, UDDI (Universal Description Discovery and Integration), WSDL (Web Services Description Language), and the Web Ontology Language, OWL. The Web privacy ontology (Kim et al. 2002) is a software component of PeCAN. It was motivated and designed in Jutla and Xu (2004) and Jutla et al. (2006).
PeCAN’s services support, among other things, a collaboration between its personal context agent (Jutla and Zhang 2005) and a P3P agent in order to apply context-specific privacy rules during a user’s electronic commerce transaction with an organization’s Web site or Web services. It has a number of other specialized software agents. A monitor agent (Bodorik and Jutla 2003; Jutla and Bodorik 2005) oversees the user’s interaction with Web forms and other interaction mechanisms at Web service sites. A context agent manages dynamic changes of the user privacy context as the user interacts with sites on the Web, informs the user about the current privacy-related context for decision support within a Web transaction, and triggers revision of user privacy preferences either due to other agents in the architecture, or actions by the user. The arbitrator agent (He and Jutla 2006) allows users to negotiate on their PII’s usage purposes, handling both recipients and retention periods of personally identifiable data with an organization on the Web. The regulatory agent invokes privacy Web services and utilizes external service feeds and trusted third party (TTP) agents to obtain knowledge on privacy regulations, guidelines, and service sites in multiple jurisdictions. Recommendations for additions to P3P were made in Jutla and Xu (2004), Jutla et al. 2004a and Jutla and Bodorik (2005).
Web privacy services are useful not only for enabling these six two-way comparisons among user, government, and business stakeholders, but also for single-stakeholder comparisons. For example, a service to compare business policies can be useful in several areas. One is the area of multiple jurisdictions where users might deal with a Web multinational, that is, with a company doing electronic commerce through subsidiaries in many countries (for example Amazon Japan or Amazon UK). A Web service doing such a comparison would tap resources, such as the Safe Harbor initiative, which lists membership information of companies that abide by other countries’ privacy laws when doing business in those countries. Another area could be a Web service in which a user can compare many businesses’ privacy policies to determine which of them handle personally identifiable data in a manner that is acceptable to the user.
PeCAN provides a service to perform a three-way comparison among user preferences, business practices, and government regulations (Jutla and Xu 2004; Jutla et al. 2004a). This comparison could be useful to an Internet user in several ways. An automatic comparison between the contents of P3P elements representing business privacy practices and those representing privacy law may result in highlighting to the user (1) omissions in the business’ P3P policy statements, or (2) concerns of mismatch of interpretation of privacy legislation. The P3P specification is not yet mature enough in terms of element definitions to handle many legal subtleties cleanly. Hence a Web service can be useful to the user in flagging absence/presence, or ambiguity, of fair information principles regarding privacy as defined in law in the business’ practices expressed in P3P policies.
Table 5 enumerates several other useful services for PeCAN which are proposed in this paper, based on comparison services between businesses, governments, and users. That is, in future PeCAN can implement services for a user to compare the privacy policies of two or more businesses, the privacy regulations for two or more governments, two or more sets of user privacy preferences, the privacy policies of multiple businesses against a set of user privacy preferences, and so on.
A further PeCAN service makes context sharing among software agents privacy-conscious. Bayesian network-based inference control methods (An et al. 2006, 2009) prevent privacy-sensitive contexts from being derived from those already released to ubiquitous software-enabled environments.
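The inference-control idea above can be shown with a tiny Bayesian network. The following is an added example, not PeCAN’s code or the method of An et al.: one sensitive context (whether the user has a chronic health condition) has a prior, each observable context has a conditional probability table given the sensitive one, and the contexts are treated as conditionally independent given it. Before a context is released, the agent computes the posterior of the sensitive context given everything already released plus the candidate, and withholds the candidate if that posterior would exceed a threshold. All context names, probabilities and the threshold are constructed for the example.

```python
"""Inference control for context release via a Bayesian posterior check (added example)."""

# Constructed network (assumed numbers, not from the paper).
#   H: sensitive context, e.g. "user has a chronic health condition", prior 10%.
#   Observable contexts, each conditionally independent given H:
#     name -> {True: P(context observed | H), False: P(context observed | not H)}
SENSITIVE_PRIOR = 0.10
CONDITIONALS = {
    "pharmacy_visits":  {True: 0.90, False: 0.20},
    "prescription_buy": {True: 0.80, False: 0.05},
    "evening_commute":  {True: 0.50, False: 0.50},   # carries no information about H
}
THRESHOLD = 0.50  # maximum tolerated posterior for the sensitive context


def posterior_sensitive(evidence, prior=SENSITIVE_PRIOR, cpts=CONDITIONALS):
    """P(H = true | evidence), by enumerating the two values of H.

    evidence maps a context name to the boolean value that would be released.
    A deterministic derivation (e.g. birth date -> age band) is just a CPT with
    probabilities 1.0 and 0.0 and is handled by the same arithmetic."""
    likelihood_true, likelihood_false = prior, 1.0 - prior
    for name, observed in evidence.items():
        p_true, p_false = cpts[name][True], cpts[name][False]
        likelihood_true *= p_true if observed else 1.0 - p_true
        likelihood_false *= p_false if observed else 1.0 - p_false
    return likelihood_true / (likelihood_true + likelihood_false)


def release_contexts(requested, already_released=None, threshold=THRESHOLD):
    """Approve each requested (name, value) only if releasing it keeps the
    posterior of H at or below threshold, given what has already gone out.

    Returns (approved, withheld): dicts of context -> posterior after adding it,
    in request order. Order matters: an item approved early can make a later,
    more informative item unreleasable."""
    released = dict(already_released or {})
    approved, withheld = {}, {}
    for name, value in requested:
        candidate = dict(released, **{name: value})
        p = posterior_sensitive(candidate)
        if p <= threshold:
            released = candidate
            approved[name] = p
        else:
            withheld[name] = p
    return approved, withheld


if __name__ == "__main__":
    ok, blocked = release_contexts(
        [("evening_commute", True), ("pharmacy_visits", True), ("prescription_buy", True)])
    print("approved:", ok)       # evening_commute (0.10), pharmacy_visits (~0.33)
    print("withheld:", blocked)  # prescription_buy (~0.89, above the 0.50 threshold)
```

Releasing the commute context leaves the posterior at its prior, the pharmacy context raises it to about one third, and adding the prescription purchase on top would push it to roughly 0.89, so that last context is withheld. The same structure extends to several sensitive variables by running the check against each of them.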
To increase the usability of the web privacy services, and to bring privacy management to mobile voice commerce, in 2005, Keselj and Jutla developed a high-level conceptual multi-agent software architecture which integrates natural language capability to be used in Internet Information Retrieval (IIR) tasks and privacy management. These improved PeCAN services are at experimental stages.
The market sides of the PeCAN platform
The PeCAN architecture specifies software components and services that may run on standard computer hardware. Service transactions have specific workflow and user input requirements that are part of the platform rules. Rules for a privacy platform are also dictated by the jurisdiction(s) of the operating platforms, including country- and industry-relevant regulations, laws, and acts.
Some platform markets cannot be developed without piggybacking on other platforms. Such is the case with current privacy platforms. P3P and PeCAN’s markets are limited without Internet Explorer, Safari, Mozilla Firefox, and Chrome’s support for their P3P and PeCAN agents and services, and a privacy vocabulary that is a web standard. Each client device must have an operating system, and hence privacy platform dependence and layering on operating system platforms is a natural extension. Similarly, without organizations and application providers placing their privacy policies in P3P-markup format, existing privacy platforms, P3P and PeCAN, will not have another market with which to connect their user services.
In Fig. 3, I focused on layering P3P and PeCAN platforms with the social networking organizations’ platforms as these host hundreds of millions of users in well over 180 countries. This paper thus proposes a strategy for stakeholders to use the strong network effects of the social networking (SN) platforms to make privacy services pervasive.
A platform can also be viewed as a technology disruptor. According to Brydon & Vining (2006), new technologies can disrupt a market by “changing individual incentives for creating and sharing information, raising or lowering the costs of enforcing property rights, reducing or relocating transaction costs, and supporting institutional mechanisms (e.g. rating/reputation systems).” I suggest that social networking platforms are ideal environments for institutionalizing privacy mechanisms as well. Such institutionalization would lead to pervasive provision and use of privacy services, and the enhancement of socially innovative platforms that have “assets which can hardly be copied and which contribute to sustainable competitiveness.” (Scheinstock et al. 2001; Jutla and Yu 2008)
Technology research often anticipates a future scenario. In this case it would be a scenario where users are better educated about online privacy issues. Privacy training will come from multiple sources, including classes in schools and specialized courses for employees. It would be a mistake to overlook the social service that OSN platforms can provide to their users in helping build privacy awareness and promoting informed and forward-looking user choices.
User-centric combined services for the aware and act phases
She wants to know all the intended purposes/uses and possible dissemination of her information which she has tagged as private at the OSN site.
She wants to know that the business’ privacy practices match her privacy preferences and to be alerted if they do not.
She wants a store that will not only encrypt her credit card information but also the contents of her shopping basket.
She wants to know whether her privacy preferences match the privacy practices of each of the OSN supplier’s third party business partners.
She wants to know whether privacy laws and authorities exist in the business’ jurisdiction to enforce the intentions stated within the privacy policies on the businesses’ web sites.
She does not want to do business with a company that has CheatersInc or UnGreenCompany as a third party business partner because she considers these as unethical or environmentally unfriendly.
She does not want to have her information shared with a third party business partner that is in a country with poor privacy laws.
She does not want to deal with a company that shares customer data with a third party partner originating from a country with human rights abuses.
She wants to know which private data protection law has precedence for her transaction.
She would like to negotiate a quick electronic contract with a third party partner of the OSN, in which the company becomes obligated to destroy her data if it and its assets are sold to another company.
She wants to know that she does not inadvertently provide information on a Web form at this site that goes against her stated privacy preferences. For instance, she has a preference not to give out her age, but she provides her birth-date and weight in the context of buying prescription medication to a business linked to the OSN.
When she returns to the OSN, she would like to review her information and contracts for all the businesses or organizations linked to the OSN.
She wants to review her privacy preferences for a linked site when she returns to the OSN site.
She wants to maintain online privacy preferences for particular classes of organizations.
She wants the OSN to keep her data that she provides to its various partners unlinked.
She wants to ensure that private data that she intends to give out will not cause her other private data to be derived.
Analyzing these requirements, we see that current P3P agents will support the first three requirements on this list. Requirement 4 can be satisfied by an extension to P3P with a <SAFEGUARDS> tag and an accompanying extension of the P3P agent’s matching algorithm to do a SAFEGUARDS comparison. Satisfying requirements 5–9 is the focus of the cooperating PeCAN Web services in (Jutla et al. 2004a). Data support in a Web privacy ontology combined with implementation of the PeCAN services shown in Tables 4 and 5 is envisaged to support requirement 10. Services to implement negotiation and contracts as in requirement 11 are described in another paper (He and Jutla 2006). PeCAN’s design includes services to satisfy requirements 12–17.
State-of-the-art privacy agents, such as the P3P-based agent Privacy Bird (AT&T 2005), are currently limited by fixed-format form interfaces. User preferences are restricted to specifying user rules for handling of his/her personal data in categories such as health, financial, and physical data. A good example of such a form is the Privacy Preference Settings form that AT&T’s Bird uses (see www.privacybird.com/tour/1_2_beta/). These settings are made at a coarse-grained level that is user-friendly but lacks the flexibility to personalize privacy software according to a wide range of subjective user preferences and weightings of those preferences.
Warn me about companies that share customer information with other companies that do not have privacy statements.
Warn me about companies that share with other companies whose practices violate my privacy, ethical, and/or social preferences.
Warn me about a company that has a third party partner that is on my blocked list.
Warn me about businesses, 3rd party, or otherwise, that are in jurisdictions with no enforcement of fair information practices.
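The fine-grained warnings just listed, together with the three-way comparison against government regulation described under “Software and services components of the PeCAN platform”, can be implemented as small comparison services. The following is an added example, not PeCAN’s code: business policies, partner practices and regulations are plain Python records, as if already extracted from P3P markup and a regulatory feed, and every business name, country code, principle label and preference value is constructed. The user’s own judgement of which countries have poor privacy law or a poor rights record is kept in the user preferences rather than hard-coded.

```python
"""PeCAN-style comparison services over pre-parsed policy summaries (added example)."""
from dataclasses import dataclass, field


@dataclass
class Partner:
    name: str
    country: str
    has_privacy_statement: bool
    practices: dict = field(default_factory=dict)   # "purposes" / "recipients" sets


@dataclass
class Business:
    name: str
    country: str
    principles: set        # fair-information principles its policy addresses
    practices: dict        # "purposes" / "recipients" it declares for customer data
    partners: list = field(default_factory=list)


# Constructed regulatory knowledge base keyed by jurisdiction code (sample, not real law).
JURISDICTIONS = {
    "CA": {"enforced": True,
           "required_principles": {"notice", "access", "retention", "disputes"}},
    "ZZ": {"enforced": False, "required_principles": set()},
}

# Constructed user preferences mirroring the warnings listed above.
USER_PREFERENCES = {
    "blocked_partners": {"CheatersInc", "UnGreenCompany"},
    "blocked_countries": {"ZZ"},          # the user's own judgement of that jurisdiction
    "disallowed_purposes": {"telemarketing"},
    "disallowed_recipients": {"unrelated", "public"},
}


def regulation_gaps(business, jurisdictions=JURISDICTIONS):
    """Principles the business's jurisdiction requires but its policy omits."""
    required = jurisdictions.get(business.country, {}).get("required_principles", set())
    return required - business.principles


def practice_conflicts(practices, prefs):
    """Declared purposes/recipients that the user disallows, as short descriptions."""
    conflicts = []
    for key, pref_key in (("purposes", "disallowed_purposes"),
                          ("recipients", "disallowed_recipients")):
        overlap = practices.get(key, set()) & prefs[pref_key]
        if overlap:
            conflicts.append(f"{key} {sorted(overlap)}")
    return conflicts


def partner_warnings(business, prefs, jurisdictions=JURISDICTIONS):
    """One warning per partner issue: blocked list, blocked country, missing privacy
    statement, unenforced jurisdiction, or practices conflicting with the user's rules."""
    warnings = []
    for p in business.partners:
        if p.name in prefs["blocked_partners"]:
            warnings.append(f"{p.name}: on your blocked list")
        if p.country in prefs["blocked_countries"]:
            warnings.append(f"{p.name}: located in blocked country {p.country}")
        if not p.has_privacy_statement:
            warnings.append(f"{p.name}: no privacy statement")
        if not jurisdictions.get(p.country, {}).get("enforced", False):
            warnings.append(f"{p.name}: no enforcement of fair information practices in {p.country}")
        for c in practice_conflicts(p.practices, prefs):
            warnings.append(f"{p.name}: practices conflict with your preferences ({c})")
    return warnings


def acceptable_businesses(businesses, prefs, jurisdictions=JURISDICTIONS):
    """Multi-business comparison: names of businesses with no own-practice conflicts,
    no regulatory gaps and no partner warnings."""
    return [b.name for b in businesses
            if not practice_conflicts(b.practices, prefs)
            and not regulation_gaps(b, jurisdictions)
            and not partner_warnings(b, prefs, jurisdictions)]


# Constructed sample businesses.
SHOP_A = Business(
    "ShopA", "CA", {"notice", "access", "retention"},
    {"purposes": {"current", "admin"}, "recipients": {"ours"}},
    [Partner("CheatersInc", "CA", True, {"recipients": {"unrelated"}}),
     Partner("LogiCo", "ZZ", False, {"purposes": {"current"}, "recipients": {"ours"}})])

SHOP_B = Business(
    "ShopB", "CA", {"notice", "access", "retention", "disputes"},
    {"purposes": {"current"}, "recipients": {"ours"}},
    [Partner("CleanShip", "CA", True, {"purposes": {"current"}, "recipients": {"ours"}})])

if __name__ == "__main__":
    print("regulatory gaps for ShopA:", regulation_gaps(SHOP_A))       # {'disputes'}
    for w in partner_warnings(SHOP_A, USER_PREFERENCES):
        print("warn:", w)
    print("acceptable:", acceptable_businesses([SHOP_A, SHOP_B], USER_PREFERENCES))  # ['ShopB']
```

For ShopA the service flags a missing “disputes” principle against its jurisdiction, one blocked partner whose own practices also conflict with the user’s recipient rule, and a second partner in a blocked, unenforced jurisdiction with no privacy statement; ShopB passes every check and is the only acceptable business in the comparison.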
Summary of contributions, managerial, and user implications
Users’ knowledge of privacy issues and readiness to act on protecting privacy change over time and hence pass through different phases, each posing different challenges and opportunities in the changing online environment,
Protecting privacy requires different, yet sometimes overlapping, strategies and tools in each life cycle stage, and
Protecting a user’s privacy continues indefinitely, so the phases will cycle or repeat continuously throughout her/his lifetime, and for those affected (e.g. family members), beyond the lifetime.
The second major contribution of the paper is a design for providing privacy protection via layering privacy platforms. The multi-layer privacy technology platforms and their services may map to one or more of the lifecycle phases. Formal privacy platforms from the user perspective currently exist only for the Aware and Act phases. Online technologies are becoming available to add to platforms for the first three phases, while the Resolve phase’s technology assistance is mainly through information-providing web sites at this time. The paper illustrated the application of platform management theory (Eisenmann et al. 2006) to privacy platforms, wherein the PeCAN architecture is evolved to a platform to show the value of layering and combining privacy services across privacy platforms. The paper also identified which user privacy requirements are addressed through the combined service offerings of the P3P and PeCAN platforms.
Another key contribution is that the platform concept can be turned into a bonanza, versus a nightmare for privacy, as piggybacking a privacy platform onto the strong network effects of existing operating systems and social networking platforms could translate to wide scale adoption of privacy services for awareness, action, detection, and resolution. That is, a strategy to make privacy pervasive is for user privacy services to become widely available, predictably and consistently, across mainstream platforms. This paper proposed accomplishing the wide scale pervasiveness of privacy services through a design to layer privacy platforms onto existing popular platforms.
With a platform-based strategy, the popularity of social networks, and a growing suite of online privacy services to meet the needs of the phases of the privacy life cycle, in coming years billions of users will have access to and will adopt the tools to take control and maintain their privacy online.
This article is distributed under the terms of the Creative Commons Attribution Noncommercial License which permits any noncommercial use, distribution, and reproduction in any medium, provided the original author(s) and source are credited.