8-533 / 8-733 / 19-608: Privacy Policy, Law, and Technology
Homework 4 - due October 18, 2007
Please email your homework in Microsoft Word or PDF format to
privacy-homework AT cups DOT cs DOT cmu DOT edu and put "hw4" in the
subject line.
Don't forget to properly cite all sources (including assigned
readings) and include a bibliography with all homework
assignments.
Reading assignment:
- Privacy, Information, and Technology, 4C
Privacy, Business Records, and Financial Information: Spam,
pp. 249-251.
- Privacy, Information, and Technology, 4D
Privacy, Business Records, and Financial Information: Identity Theft,
pp. 251-256.
- Web Privacy with P3P, Chapter 13: A P3P Preference
Exchange Language (APPEL),
pp. 214-235.
- David Stampley, Managing
Information Technology Security and Privacy Compliance,
2005
- Mary Culnan, How Privacy Notices
Promote Informed Consumer Choice, in
Considering Consumer Privacy: A Resource for Policymakers and
Practitioners, 2003.
- Carlos Jensen and Colin Potts, Privacy policies as
decision-making tools: an evaluation of online privacy
notices, CHI 2004, pp. 471-478.
- L. Cranor, S. Egelman, S. Sheng, A. McDonald, and
A. Chowdhury. P3P Deployment
on Websites. To be published in Electronic Commerce Research
and Applications, 2008.
- Irene Pollach, What's wrong with
online privacy policies?, CACM September 2007, 50(9): 103-108.
- Alessandro Acquisti and Ralph Gross. Imagined Communities: Awareness, Information Sharing, and Privacy on the Facebook, Workshop on Privacy-Enhancing Technologies (PET) 2006.
1. Write a short summary of each chapter in the reading
assignment (3-7 sentences each). Graduate students should also read and
write a summary of one optional reading paper. After each summary (in a separate
paragraph) provide a "highlight" for that chapter. This can be
something new you learned that you found particularly interesting, a
point you would like to discuss further in class, a question the
chapter did not fully answer, something you found confusing, a point
you disagree with, or anything else you found noteworthy. [25 points]
2. Write a brief report on the eCRS session you attended. [10 points]
3. [25 points] Pick a particular industry or type of web site and
find two P3P-enabled sites of that type.
- a) For EACH of the two sites, use the W3C P3P validator to answer these questions:
- (i) Is the site fully P3P-enabled, partially P3P-enabled (has some but not all
required P3P files, has errors in P3P files, has compact policy but
not a full policy, etc. - if the site is partially P3P-enabled, explain), or not P3P-enabled at all?
- (ii) Does the site have a compact P3P policy?
- (iii) If the site is P3P-enabled, how many P3P policies does it have?
- b) Pick one of the P3P-enabled sites and compare the P3P policy
with the site's human-readable policy. Then answer these questions:
- (i) Do you think the company has accurately captured its privacy policy with its P3P policy? That is, are there any inconsistencies between the two policies? If you think there are inconsistencies, what are they?
- (ii) What parts of the human-readable privacy policy, if any, are
not captured at all by the P3P policy?
- (iii) Are any of the elements you identified in part (ii) items that are
supposed to be encoded in a P3P policy (that is, did the site make an
error, or is it limited by the P3P syntax)?
4. Read the privacy policies associated with two search engines or
social networking sites. Compare and critique the two policies in
terms of the privacy protections they provide, as well as their
clarity and presentation. How would you recommend that they improve
the content and/or presentation of their policies? [15 points]
5. Do part 2 of the group privacy
policy project. [25 points]