Homework 4 - due October 18, 2007
Please email your homework in Microsoft Word or PDF format to privacy-homework AT cups DOT cs
DOT cmu DOT edu and put "hw4"
in the subject line.
Don't forget to properly cite all sources (including assigned
readings) and include a bibliography with all homework
- Privacy, Information, and Technology, 4C
Privacy, Business Records, and Financial Information: Spam,
- Privacy, Information, and Technology, 4D
Privacy, Business Records, and Financial Information: Identity Theft,
- Web Privacy with P3P, Chapter 13: A P3P Preference
Exchange Language (APPEL),
- David Stampley, Managing
Information Technology Security and Privacy Compliance,
- Mary Culnan, How Privacy Notices
Promote Informed Consumer Choice, in
Considering Consumer Privacy: A Resource for Policymakers and
- Carlos Jensen and Colin Potts, Privacy policies as
decision-making tools: an evaluation of online privacy
notices, CHI 2004, pp. 471-478.
- L. Cranor, S. Egelman, S. Sheng, A. McDonald, and
A. Chowdhury. P3P Deployment
on Websites. To be published in Electronic Commerce Research
and Applications, 2008.
- Irene Pollach, What's wrong with
online privacy policies?, CACM September 2007, 50(9): 103-108.
- Alessandro Acquisti and Ralph Gross. Imagined Communities: Awareness, Information Sharing, and Privacy on the Facebook, Workshop on Privacy-Enhancing Technologies (PET) 2006.
1. Write a short summary of each chapter in the reading
assignment (3-7 sentences each). Graduate students should also read and
write a summary of one optional reading paper. After each summary (in a separate
paragraph) provide a "highlight" for that chapter. This can be
something new you learned that you found particularly interesting, a
point you would like to discuss further in class, a question the
chapter did not fully answer, something you found confusing, a point
you disagree with, or anything else you found noteworthy. [25 points]
2. Write a brief report on the eCRS session you attended. [10 points]
3. [25 points] Pick a particular industry or type of web site and
find two P3P-enabled sites of that type.
- a) For EACH of the two sites, use the W3C P3P validator to answer these questions:
- (i) Is the site fully P3P-enabled, partially P3P-enabled (has some but not all
required P3P files, has errors in P3P files, has compact policy but
not a full policy, etc. - if the site is partially P3P-enabled, explain), or not P3P-enabled at all?
- (ii) Does the site have a compact P3P policy?
- (iii) If the site is P3P-enabled, how many P3P policies does it have?
- b) Pick one of the P3P-enabled sites and compare the P3P policy
with the site's human-readable policy. Then answer these questions:
not captured at all by the P3P policy?
- (iii) Are any of these elements you identified in part ii items that are supposed to
be encoded in a P3P policy (that is, did the site make an error, or
are they limited by the P3P syntax)?
4. Read the privacy policies associated with two search engines or
social networking sites. Compare and critique the two policies in
terms of the privacy protections they provide, as well as their
clarity and presentation. How would you recommend that they improve
the content and/or presentation of their policies? [15 points]
5. Do part 2 of the group privacy
policy project. [25 points]