8-533 / 8-733 / 19-608: Privacy Policy, Law, and Technology
Homework 2 - due September 20, 2007
Please email your homework in Microsoft Word or PDF format to privacy-homework AT cups DOT cs DOT cmu DOT edu and put "hw2" in the subject line.
Don't forget to properly cite all sources (including assigned
readings) and include a bibliography with all homework
assignments.
Reading assignment:
- Privacy Rights Clearinghouse, A Review of
the Fair Information Principles, 2004.
- Privacy, Information, and Technology, 1A
Introduction: Information Privacy, Technology, and the Law,
pp. 1-8.
- Lorrie Faith Cranor, I Didn't
Buy it for Myself, in Designing Personalized User
Experiences in eCommerce, 2004.
- Privacy, Information, and Technology, 1B
Introduction: Information Privacy Law: Origins and Types,
pp. 8-33.
- Privacy, Information, and Technology, 4B
Privacy, Business Records, and Financial Information: Regulating
Business Records and Databases,
pp. 197-249.
- Web Privacy with P3P, Foreword,
pp. xi-xiii.
- Robert Gellman, Privacy:
Finding a Balanced Approach to Consumer Options, in
Considering Consumer Privacy: A Resource for Policymakers and
Practitioners, 2003.
- Hal Varian, Economic
Aspects of Personal Privacy, in Privacy
and Self-Regulation in the Information Age, 1997.
- Alessandro Acquisti and Jens Grossklags, Privacy
and Rationality in Individual Decision Making, IEEE
Security & Privacy, January/February 2005, pp. 24-30.
1. Write a short summary of each chapter in the reading
assignment (3-7 sentences each). Graduate students should also read and
write a summary of one optional reading paper. After each summary (in a separate
paragraph) provide a "highlight" for that chapter. This can be
something new you learned that you found particularly interesting, a
point you would like to discuss further in class, a question the
chapter did not fully answer, something you found confusing, a point
you disagree with, or anything else you found noteworthy. [30 points]
2. Pick a technology that causes privacy concerns. [35 points]
- a) Find two relevant sources of information about the privacy
concerns associated with this technology and summarize their key
points briefly.
- b) Prepare a table
similar to Table 1 in the I Didn't Buy it for Myself paper that
lists privacy risks, possible consequences, and examples of parties to
whom personal information might be exposed for the technology you picked.
- c) Prepare a table similar to Table 2 in the I Didn't Buy it for
Myself paper that demonstrates how the OECD privacy principles
might be applied to reducing the privacy risks associated with the
technology you picked.
3. Research a self-regulatory privacy program or privacy law. Your research should include both reviewing the
program's web site and searching for relevant news articles,
endorsements, criticism, etc. Please include the relevant citations
in your write-up and add the sources to your bibliography. [35 points]
- a) Write a short summary description of the program or law.
- b) Explain which of the fair
information practice principles it addresses.
- For self-regulatory programs, state c) who runs it and d) the kinds
of praise and criticism it has been getting.
- For laws, state c) the agency responsible for enforcing them and
d) the types of enforcement actions that have been taken and
published evaluations of the law's effectiveness.
You will be
assigned a program or law to research in class from one of the
following (or one that you suggest):
Self-regulatory programs
- TRUSTe
- BBBOnline
- Network Advertising Initiative
- Direct Marketing Association Privacy Promise
- CTIA Location-based privacy guidelines
- Safe Harbor
Laws
- The Privacy Act of 1974
- The Fair Credit Reporting Act
- HIPAA
- The Gramm-Leach-Bliley Act
- The Video Privacy Protection Act
- Children's Online Privacy Protection Act
- CPNI rules
- Cable TV Privacy Act
- EU Directive
- PIPEDA (Canadian privacy law)
- Japanese Personal Information Protection Act (PIPA)
- California SB-1386