Considering Consumer Privacy

The Role Of Privacy Enhancing Technologies

Lorrie Faith Cranor, Principal Technical Staff Member, Secure Systems Research
AT&T Labs Research

The Role Of Privacy Enhancing Technologies [pdf]

Online privacy tools perform many functions including:

This paper introduces each of these functions and discusses the capabilities and limitations of available technology in each area.

Encryption Tools

Encryption is used to protect information stored on a computer or transmitted over the Internet. Encryption is usually thought of as a security tool, as it is used to prevent unauthorized access to communications, files, and computers. However, by preventing access it also has the effect of helping to protect privacy. Encryption and other security tools are generally necessary for privacy protection, but are not in and of themselves sufficient. For example, an individual might use an encrypted channel to transfer data to a website, and that website might use encryption to restrict access to a database. However, the website might also sell the data it collects from individuals to marketers, resulting in privacy invasions.

Inexpensive (and in many cases free) high quality encryption software is widely available for encrypting files and email and establishing encrypted tunnels between two computers on the Internet. However, except in corporate environments where use of this software is mandated, encryption software is not widely used unless it is built into applications that individuals use routinely and the encryption occurs without user intervention. Because of the need to secure online banking and e-commerce transactions, most web browsers include software for encrypting data sent to web sites. When users visit sites that support this software the encryption is done automatically. But most computer users remain unaware of the availability of other encryption software and lack the knowledge to use it effectively. Even sophisticated computer users and security experts usually don't bother to encrypt most of their email messages because they find the software cumbersome to use and many of their correspondents unequipped to handle encrypted messages. As a result, most email can be intercepted and read while in transit or while stored by an Internet Service Provider or on a home computer.

P3P and Identity Managers

The Platform for Privacy Preferences (P3P) is a standard computer-readable format for online privacy policies developed by the World Wide Web Consortium (W3C). P3P-encoded privacy policies can be fetched automatically by P3P-enabled web browsers and other P3P software. The policies can be analyzed, compared with user-specified privacy settings, used to make automated decisions about blocking cookies or preventing website access, and used to generate privacy-related notices for display to users. As of July 2002 basic P3P functionality had been built into the Microsoft Internet Explorer 6 and Netscape Navigator 7 web browsers. However, the P3P implementations in these browsers are limited to automated processing of cookies and display of summary privacy policies when requested by a user. Add-on software for the Internet Explorer browser that provides more extensive P3P features is available from AT&T ().
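The automated cookie decision described above, as an added example that is not part of Cranor's paper or any browser's P3P implementation: it parses the compact-policy form of a P3P header (the `CP="..."` tokens sent with HTTP responses), compares the declared purposes and recipients against constructed user settings, and blocks or accepts the site's cookies. The token table is an assumption covering only a subset of the P3P 1.0 compact-policy vocabulary; the blocking rule is a simplified one chosen for illustration.

```python
import re

# Assumption: a subset of the P3P 1.0 compact-policy vocabulary, mapped to the
# policy elements the text describes (purposes, recipients, retention).
PURPOSES = {"CUR": "current", "ADM": "admin", "DEV": "develop", "TAI": "tailoring",
            "PSA": "pseudo-analysis", "PSD": "pseudo-decision", "IVA": "individual-analysis",
            "IVD": "individual-decision", "CON": "contact", "HIS": "historical",
            "TEL": "telemarketing", "OTP": "other-purpose"}
RECIPIENTS = {"OUR": "ours", "DEL": "delivery", "SAM": "same", "UNR": "unrelated",
              "PUB": "public", "OTR": "other-recipient"}
RETENTION = {"NOR": "no-retention", "STP": "stated-purpose", "LEG": "legal-requirement",
             "BUS": "business-practices", "IND": "indefinitely"}
TOKEN = re.compile(r"^([A-Z]{3})([aio])?$")  # qualifier: a=always, i=opt-in, o=opt-out

def parse_compact_policy(header):
    """Extract purposes/recipients (with qualifier) and retention terms from the
    CP="..." part of a P3P header. Returns None when no compact policy is present."""
    m = re.search(r'CP="([^"]*)"', header)
    if not m:
        return None
    policy = {"purposes": {}, "recipients": {}, "retention": set()}
    for tok in m.group(1).split():
        t = TOKEN.match(tok)
        if not t:
            continue  # tokens outside this subset (access, disputes, categories) are skipped
        code, qual = t.group(1), t.group(2) or "a"
        if code in PURPOSES:
            policy["purposes"][PURPOSES[code]] = qual
        elif code in RECIPIENTS:
            policy["recipients"][RECIPIENTS[code]] = qual
        elif code in RETENTION:
            policy["retention"].add(RETENTION[code])
    return policy

# Constructed user settings: practices the user rejects unless the site makes them opt-in.
USER_PREFS = {"purposes": {"contact", "telemarketing", "individual-decision"},
              "recipients": {"unrelated", "public", "other-recipient"}}

def cookie_decision(header, prefs=USER_PREFS):
    """Compare the site's compact policy with the user's settings. Disallowed practices
    pass only when marked opt-in ('i'); a missing compact policy is blocked outright."""
    policy = parse_compact_policy(header)
    if policy is None:
        return "block", ["no compact policy"]
    reasons = [f"purpose {p} ({q})" for p, q in policy["purposes"].items()
               if p in prefs["purposes"] and q != "i"]
    reasons += [f"recipient {r} ({q})" for r, q in policy["recipients"].items()
                if r in prefs["recipients"] and q != "i"]
    return ("block" if reasons else "accept"), reasons
```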

In the future P3P software built into search engines might assist users in identifying web sites with favorable privacy policies. In addition, P3P functionality might be built into electronic wallets and identity management systems that assist users in filling out forms and transferring data to web sites. There have been a number of infomediary services that have come and gone over the past few years that might have benefited from the use of P3P. P3P-enabled search engines and identity managers were not available as of July 2002, although they are feasible from a technical perspective.

P3P adoption by web sites has proceeded at an encouraging pace since P3P became an official W3C Recommendation in April 2002. Over a third of the top 100 web sites are P3P enabled. However, as P3P adoption is entirely voluntary, many sites do not view P3P as a high priority. As consumer P3P tools are improved and consumers become more familiar with them, web sites may have more incentives to adopt P3P. If P3P policies were either mandated or listed as a possible compliance option for web sites in regulated sectors where privacy policies are required (and for government agencies), P3P adoption would likely increase more rapidly.

While P3P is useful for informing consumers about web site privacy policies, it does not directly improve the privacy protections offered by these policies. Because of the increased transparency that comes as a result of companies using P3P, some improvements in web site privacy policies are likely. In addition, the systematic process web sites must go through to create P3P policies may help them uncover gaps in their existing privacy policies. Thus, P3P may indirectly help to improve web site privacy policies in jurisdictions where there are few legal requirements for privacy policies. In jurisdictions that have legal requirements that mandate baseline privacy levels, P3P tools can assist in monitoring compliance and help consumers identify sites that provide protections beyond the baseline standards.

Automated Privacy Audits

P3P allows companies to communicate about their privacy policies, but it offers no guarantee that companies will actually follow their policies. For some companies it may even be difficult for them to determine for themselves whether they are in full compliance with their own policies. Privacy audits can assist companies in maintaining compliance. Automated tools are emerging that allow companies to monitor their own data flows to identify potential policy violations and bring them to the attention of company officials who can check them out and intervene if necessary. Currently available tools focus on data flows to and from corporate web sites, monitoring form submissions and cookie usage, and looking for web pages that may accidentally reveal personal information. In the future, tools are expected that allow data to be tagged with privacy-related information that follows it wherever it goes. Whenever such tagged data is accessed, access control software would first check to make sure the access is consistent with the corresponding privacy policy.

Privacy auditing tools generally cannot offer a comprehensive audit, due to the many places that data may flow into and out of a company and the fact that many data uses may occur outside the reach of the tracking system. As companies build new databases that are designed with privacy in mind, they will have an easier time both complying with their own privacy policies and monitoring their own compliance. However, companies will likely be using legacy databases for many years to come that will make comprehensive tracking of data flows fairly difficult. Even so, automated privacy auditing tools may be very useful for many companies even if they are not comprehensive.

Spam Filtering

One of the most frequent privacy invasions experienced by most Internet users is unwanted email, often referred to as spam. Not only does unwanted email clog electronic mail boxes, it frequently contains deceptive advertisements or explicit pornographic content. A number of tools exist that can assist individuals or their ISPs in filtering spam. Unfortunately there is no foolproof way to filter spam with complete accuracy. Spammers continually come up with new techniques to defeat spam filters, and legitimate emailers frequently send email that resembles spam. Spam filtering tools can assist in managing spam, but they are not a complete solution to the spam problem. Technical solutions have been proposed that would greatly increase the effectiveness of spam filtering, but they all have unresolved practical issues. For example, a variety of email postage schemes have been proposed, but it is not clear how such a scheme would be imposed world wide, or how those who choose to adopt it would be able to receive email from those who haven't adopted it. It is unclear whether current spam filtering solutions will prove good enough in the long term or whether new types of solutions will ultimately be needed. The effectiveness of proposed legislative solutions is also unclear due to the fact that a large percentage of spam originates outside the United States.

Cookie Cutters, Bug Zappers, and Related Tools

Cookie cutters are utility programs that prevent web browsers from exchanging cookies with web sites. Some cookie cutters block all cookies, others can be configured to selectively block certain cookies, and still others are useful for removing cookies periodically. Some cookie cutters also block the sending of HTTP headers that may reveal personal information but may not be necessary to access a web site, and some block banner ads, pop-up windows, animated graphics, or other unwanted web elements. Some tools are designed specifically to look for invisible images that set cookies (called web beacons or web bugs) and programs that users may inadvertently download that are designed to gather information about the user and send it to a web site (called spyware).

Cookie cutters and related tools are widely available for free or at very low prices. Some basic cookie blocking functionality is now built into most web browsers, although anecdotal evidence suggests that most users never use it (beyond any cookie blocking capabilities that are activated by default). The user interfaces for cookie blocking tools are relatively easy to use; however, most Internet users do not fully understand what a cookie is, why they might want to block some cookies, and how they would go about doing so.

Anonymizers

Anonymizers are tools and services designed to help individuals surf the web or send email anonymously. These tools focus on minimizing the risk that web requests or email messages can be linked to an IP address from which a user can be identified. Some of these services rely on a trusted third party that strips off identifying information and forwards requests on behalf of a user. A variety of these anonymous proxy services are currently available as both free and fee-based services. More robust anonymity services that do not depend on a trusted party are technically feasible and have been deployed experimentally and as commercial services. However, most have been taken out of operation because they have not been found to be financially viable.

Anonymizers are a useful tool to ensure that identifying information is not transferred during online interactions in which no personal information need be revealed. However, they are of limited use for transactions in which personal information must be explicitly revealed.

Transactions That Reveal Minimal Personal Information

Perhaps the best approach to safeguarding personal information is to minimize the need for collecting such information in the first place. Cryptographic techniques can be used to allow purchases to be carried out with anonymous electronic cash. In addition, we can use cryptography to develop credentialing systems that allow individuals to prove that they possess certain credentials (authorization to enter a building, age appropriate to be served alcohol, high school diploma, citizenship of a particular state, etc.) without revealing their identity. Used in conjunction with anonymizers, a widely deployed transaction system based on these techniques could alleviate most online privacy concerns. Most of these techniques were initially developed over twenty years ago, and while they appear to be technically feasible, they have seen limited adoption. Since most businesses benefit from the collection of information about their customers they have had little motivation to deploy such systems. Financial institutions have shown little interest in offering payment mechanisms that limit their ability to track individuals' purchases, and governments have raised concerns about anonymous cash systems.

Other Privacy Enhancing Technologies

New privacy-related consumer products appear in the marketplace all the time. These products include software to clean up files left behind on a computer by web browsers and email programs, and privacy-related features in security products. Software designed to block adult web site content from children includes privacy-related features that can prevent children from providing personal information to web sites.

A promising new area of privacy enhancing technologies that has not yet come to market is tools to de-identify information in databases. These include tools to selectively scrub data so that just enough data is removed to ensure that it is non-identifiable (including removing entries that might identify an individual because they describe characteristics that are likely unique to that individual). In addition, research is underway on techniques for adding randomness to data before it is added to a database in such a way that individual data is not reliable but aggregate data remains useful.
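The two de-identification approaches just described, as an added illustration that is not part of Cranor's paper: the first function drops rows whose combination of quasi-identifying fields is unique in the table (the "likely unique characteristics" case), and the second adds randomness to each stored answer (randomized response) so that no individual row is reliable while the aggregate rate can still be recovered by correcting for the known noise. The sample records, the field names and the sensitive `condition` attribute are constructed.

```python
import random
from collections import Counter

# Constructed sample table: quasi-identifiers (zip, age_band, sex) plus a sensitive field.
RECORDS = [
    {"zip": "20006", "age_band": "30-39", "sex": "F", "condition": True},
    {"zip": "20006", "age_band": "30-39", "sex": "F", "condition": False},
    {"zip": "20006", "age_band": "30-39", "sex": "M", "condition": True},
    {"zip": "20006", "age_band": "30-39", "sex": "M", "condition": False},
    {"zip": "20006", "age_band": "70-79", "sex": "F", "condition": True},   # unique combination
    {"zip": "20008", "age_band": "30-39", "sex": "F", "condition": False},  # unique combination
]
QUASI_IDS = ("zip", "age_band", "sex")

def suppress_unique(records, quasi_ids=QUASI_IDS, k=2):
    """Selective scrubbing: drop any row whose quasi-identifier combination is
    shared by fewer than k rows, since such a row could single out one person."""
    key = lambda r: tuple(r[q] for q in quasi_ids)
    counts = Counter(key(r) for r in records)
    return [r for r in records if counts[key(r)] >= k]

def randomized_response(values, p_truth, rng):
    """Add randomness before storage: each true/false answer is kept with
    probability p_truth, otherwise replaced by a fair coin flip, so a stored
    row says little about its subject."""
    return [v if rng.random() < p_truth else (rng.random() < 0.5) for v in values]

def estimate_rate(reported, p_truth):
    """Recover the aggregate: observed = p_truth*true + (1-p_truth)*0.5."""
    observed = sum(reported) / len(reported)
    return (observed - (1 - p_truth) / 2) / p_truth

def demo(n=4000, true_rate=0.3, p_truth=0.5, seed=7):
    """Return (estimated rate, fraction of individual rows that were flipped)."""
    rng = random.Random(seed)
    truth = [i < n * true_rate for i in range(n)]          # constructed population
    reported = randomized_response(truth, p_truth, rng)
    flipped = sum(t != r for t, r in zip(truth, reported)) / n
    return estimate_rate(reported, p_truth), flipped
```

With `p_truth=0.5` roughly a quarter of the stored rows disagree with the truth, yet `demo()` recovers the 30% aggregate rate to within a few percentage points.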

Conclusions

Privacy enhancing technologies can go a long way toward helping individuals protect their own privacy. However, these technologies alone cannot prevent data provided by individuals from being used in privacy-invasive ways. Currently, the power of privacy enhancing technologies lies in their ability to complement regulatory and self-regulatory privacy initiatives. The usefulness of privacy enhancing technologies is also limited due to the cumbersome nature of most of these tools. Improved user interfaces and seamless integration into other tools (so that individuals can use them without having to do anything), would greatly increase the effectiveness of privacy enhancing technologies.

As long as the transfer of personal data remains a requirement for most routine transactions, privacy enhancing technologies will offer only limited privacy protection. Technology could be used to a much greater privacy enhancing benefit if the architecture of our transaction systems were changed to support transactions that reveal much less information. While such changes are technically feasible, there appear to be significant obstacles to adoption.


  The Center For Democracy & Technology
1634 Eye Street NW, Suite 1100
Washington, DC 20006
(v) 202.637.9800
(f) 202.637.0968
Copyright © 2005 by Center for Democracy and Technology.
The content throughout this Web site that originates with CDT can be freely copied and used as long as you make no substantive changes and clearly give us credit.