Section 22.1. Introduction

Alan Westin defines privacy as "the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others." He goes on to explain that "each individual is continually engaged in a personal adjustment process in which he balances the desire for privacy with the desire for disclosure and communication of himself to others, in light of the environmental conditions and social norms set by the society in which he lives."[2] Westin's definition envisions an individual actively involved in a decision-making process. It assumes a certain level of individual awareness of the consequences of both disclosing and not disclosing personal information, and the ability to effectively control whether information is disclosed. In practice, individuals are often unable to make such informed decisions or to take the necessary actions to control information disclosure because they lack knowledge about how their personal information may be used and how they can exercise control.

[2] Alan F. Westin, Privacy and Freedom (New York: Atheneum, 1967), 7.

Privacy policies have emerged as mechanisms for communicating about information collection and use. On the World Wide Web, privacy policies have been widely adopted. These policies are encouraged by consumer and industry groups, and in some jurisdictions are even required by law. The purpose of these policies is to inform web site visitors about how sites will use their personal information and what choices are available to them. Thus, individuals should be able to gather the information they need to take advantage of privacy-related options at the sites they visit and to choose sites based on their privacy policies. Unfortunately, while many privacy policies are posted, in practice few are read.[3] Studies have shown that consumers find privacy policies time-consuming to read and difficult to understand,[4] and readability experts have found that privacy policies typically require college-level reading skills to comprehend.[5] In addition, privacy policy formats are not standardized, making comparisons between policies difficult. Consumers who do read these policies are also frustrated by the fact that they may change unexpectedly.

[3] Privacy Leadership Initiative, Privacy Notices Research Final Results (conducted by Harris Interactive, Dec. 2001); http://www.ftc.gov/bcp/workshops/glb/supporting/harris%20results.pdf.

[4] Joseph Turow, "Americans & Online Privacy: The System Is Broken," a report from the Annenberg Public Policy Center of the University of Pennsylvania (June 2003); http://www.asc.upenn.edu/usr/jturow/internet-privacy-report/36-page-turow-version-9.pdf.

[5] Carlos Jensen and Colin Potts, "Privacy Policies As Decision-Making Tools: An Evaluation of Online Privacy Notices," Proceedings of the 2004 Conference on Human Factors in Computing Systems (Vienna, Austria, 2004). See also Will Rodger, "Privacy Isn't Public Knowledge: Online Policies Spread Confusion with Legal Jargon," USA Today (May 1, 2003), 3D.

When personal information is collected electronically, the potential exists to automate the process of informing individuals about how that information will be used and to give them tools to automate their ability to exercise controls. We can imagine a world in which all web sites and electronic forms are accompanied by privacy policies,[6] and all RFID readers,[7] video surveillance cameras,[8] and other automated personal data collectors broadcast privacy policies that can be understood and acted upon by personal electronic agents. In order to realize this vision, we need standards for encoding and transferring privacy policies and electronic agents that have the ability to understand their users' privacy needs.[9]

[6] Lorrie Faith Cranor, "P3P: Making Privacy Policies More Useful," IEEE Security and Privacy (Nov./Dec. 2003), 50-55.

[7] Christian Floerkemeier, Roland Schneider, and Marc Langheinrich, "Scanning with a Purpose: Supporting the Fair Information Practice Principles in RFID Protocols," Proceedings of the 2nd International Symposium on Ubiquitous Computing Systems (Tokyo, Nov. 8-9, 2004); http://www.vs.inf.ethz.ch/publ/papers/floerkem2004-rfidprivacy.pdf.

[8] Marc Langheinrich, "Privacy Awareness System for Ubiquitous Computing Environments," Proceedings of the 4th International Conference on Ubiquitous Computing (UbiComp2002; September 2002); http://www.vs.inf.ethz.ch/publ/papers/privacy-awareness.pdf.

[9] While technology can be used to build this world, to fully realize this vision will likely require laws or other incentives for adoption of standard privacy policies, provisions for enforcement, and the availability of a meaningful "market" in which individuals who are unhappy with the privacy policies of one service can find an alternative service that better suits their needs. A discussion of legal and market issues is beyond the scope of this chapter.

In the next section, I discuss the Platform for Privacy Preferences (P3P), which provides a standard mechanism for encoding and transferring web site privacy policies. In the two sections that follow, I describe the design and evaluation of a P3P user agent called Privacy Bird that can read and interpret P3P-encoded privacy policies and compare them with an individual's privacy preferences. Finally, I return to the vision introduced here and discuss ways that P3P might evolve to bring us closer to that vision.



Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295