8-533 / 8-733 / 19-608 / 95-818: Privacy Policy, Law, and Technology
Privacy Policy Group Assignment
As part of this assignment, our class will draft a privacy policy and
accompanying P3P policy for a real web site. The assignment will be done
in several parts, which will be assigned as part of homework
assignments throughout the semester.
The assignment will be done in small groups, assigned in class on
September 16.
This semester we will draft a privacy policy for the Pittsburgh
Dynamo Youth Soccer Club.
Part 1 - Due September 30 (as part of HW3)
(I) Review the privacy policies of several other youth sports organizations (one for each member of your group). For each one:
- (a) Provide the URL of the privacy policy.
- (b) List any content that is missing from the policy or described
inadequately. See Cranor p. 67 for a list of content to look for in a
privacy policy. For each missing or inadequate item explain whether it
is missing completely, too confusing, etc. (If nothing is missing, say
so.)
- (c) List any practices described by the policy that you consider
to be inadequate from a privacy perspective. Briefly explain why the
practice is inadequate and how you would recommend improving it. (If
you think the policy offers adequate privacy protections, say
so.)
- (d) Critique the presentation of the policy, including both the
readability and formatting.
- (e) Use the obfuscation critieria proposed by Irene Pollach in What's wrong with
online privacy policies? to analyze the privacy policy.
(II) Familiarize yourself with the Pittsburgh Dynamo web site. Make a list of
questions you will need to answer in order to draft a privacy policy
for Dynamo.
Part 2 - Due October 14 (as part of HW4)
Draft a privacy
policy for Dynamo. Format it as an HTML file suitable for posting
on the Dynamo web site (but include a note that this is a draft and not the
official policy). Submit the HTML file (or if you have
multiple files, submit a zip archive) via email.
Your policy will be graded on the following points:
- accuracy
- Your privacy policy should accurately reflect the organization's
information practices.
- completeness
- Your privacy policy should address at least all of the
bullet points on Cranor p. 67.
- readability
- Your privacy policy should be easy to understand. It should be written in
clear, concise, and correct English, and should be carefully
proofread. Points will be taken off for sloppy organization,
spelling, punctuation, and grammar.
- formatting
- Your privacy policy's formatting should aid reading, with section
headings that stand out, lists set off with bullet points, important
points or words emphasized, readable fonts, etc. The document should
look professional.
- usefulness
- Your privacy policy should be useful to the organization in that it should address
the needs expressed by the organization representatives.
Part 3 - Due October 28 (as part of HW5)
Review the draft privacy policies created by the other teams. Based
on your review and the feedback provided in class, create
a revised privacy policy. Feel free to cut and paste from other teams'
drafts. Once again, format your policy in HTML and submit the files
via email. Your policy will again be graded on accuracy, completeness,
readability, formatting, and usefulness, as described under Part 2, above.
Part 4 - Due November 16 (as part of HW6)
(I) Create a plan for P3P enabling the Dynamo web sites. Do the following:
- (a) Describe your plan. Be sure to address at least the
following issues:
- (i) how many P3P policies to create
- (ii) whether to use the well-known location or alternatives
- (iii) whether to use compact policies
- (iv) whether to combine policies in the policy reference file or
to have policies in separate files
- (b) Briefly state the rationale for each of your choices on the
four issues listed in part (a).
(II) Create the necessary P3P files as outlined in your plan. Make sure
you validate them!
Submit via email the following files:
- your P3P plan
- p3p files
- a set of instructions for posting the P3P files on the company's
sites
Your plan, P3P files, and instructions will be graded on:
- rationale
- your decisions in (I) should meet the
needs of the company, and your rationale should explain how your
decisions meet the company's needs
- completeness
- Dynamo should be able to fully P3P enable their
site by simply follow your instructions
- correctness
- the P3P files you submit should accurately reflect the privacy
policy you wrote for Part 3 and should be bug-free