PIPWatch Toolbar: Using Social Navigation to Enhance Privacy Protection and Compliance

ANDREW CLEMENT, DAVID LEY, TERRY COSTANTINO, DAN KURTZ, AND MIKE TISSENBAUM

Digital Object Identifier 10.1109/MTS.2010.935989

1932-4529/10/$26.00 © 2010 IEEE | IEEE TECHNOLOGY AND SOCIETY MAGAZINE | SPRING 2010

Repeated public surveys have found that people are increasingly concerned about their privacy when engaged in online activities [1]. In particular, people are concerned about how and when information is collected about them, and how that information is subsequently used. A number of strategies have been developed to assist individuals in protecting their privacy online. Privacy Enhancing Technologies (PETs) such as the Platform for Privacy Preferences (P3P) have been developed to help individuals quickly analyze the privacy practices of different websites and in doing so help raise awareness of privacy risks before submitting sensitive personal information. Also, a number of jurisdictions have passed laws and regulations governing the handling of personal information. In Canada the Personal Information Protection and Electronic Documents Act (PIPEDA) governs how commercial companies gather and manage personal data.

Despite these efforts, people often lack sufficient information to make informed decisions about whether they should provide personal data to a data collector, and often trade their privacy for relatively small rewards [2]. The use of PETs can be limited by the need for a high level of technical expertise or by a lack of cooperation on the part of data collectors. Legislation can be difficult to enforce, especially on the Internet where national boundaries are blurred. A new approach is needed if PETs are to be made more usable and relevant, and if legislation is to become more widely understood and effective.

We have built a novel PET that uses a technique for the sharing of information known as social navigation to help Internet users determine if the privacy practices of the websites they are visiting comply with Canadian standards of fair information practices. Our PIPWatch web-browser toolbar allows a community of privacy-concerned individuals to share information on how different websites comply with Canadian legislative codes and other Canadian-centered privacy concerns. We think that our approach overcomes some of the limitations of other awareness-raising PETs such as P3P, while at the same time promoting compliance with and understanding of a particular set of privacy regulations.

We have finished two rounds of prototyping of our PIPWatch toolbar, which have helped us evaluate the community concept and gather feedback for the next iteration of the toolbar.

Responses To Online Privacy Concerns

It has become increasingly difficult for people to understand how their personal data is collected, stored, shared and transmitted, and what measures they can take to control its use. The proliferation of ways in which one leaves traces of activity behind with every commercial transaction raises the possibility that one’s data will be used for undesirable purposes, with consequences ranging from embarrassment and social sanctions to identity theft, financial loss, and travel restrictions [3], [4].

The most prominent strategy for protecting privacy has been the adoption of privacy legislation. Once individuals release information, they lose control over who uses it and for what purposes. Therefore, some argue that it is necessary for governments or other bodies to regulate privacy issues, and establish guidelines on how personal data can be collected, shared, and used.

Since the mid-1970s, a set of principles known as Fair Information Practices (FIP) has been developed and incorporated into the laws and regulations of numerous jurisdictions. The most well known encoding of the FIP Principles has been the Organization of Economic Development’s (OECD) Guidelines for the Protection of Privacy and Transborder flows of Personal Data [5]. In Canada, the FIP principles underpin the provisions of the Personal Information and Electronic Documents Act (PIPEDA), which came into effect for all businesses on January 1, 2004. Under PIPEDA, “personal information must be:

■ collected with consent and for a reasonable purpose;
■ used and disclosed for the limited purpose for which it was collected;
■ accurate;
■ accessible for inspection and correction;
■ stored securely” [6].

The PIPEDA legislation further requires organizations to publish a statement explaining their information collecting practices and to identify one person responsible for dealing with privacy inquiries. To comply with these requirements, many websites post a privacy policy statement and name a Privacy Officer whose job it is to explain the organization’s privacy practices to the public.

A second broad approach to privacy protection suggests that market forces will provide a solution: companies that respect consumer privacy will gain more customers at the expense of those that don’t [7]. A marketplace for personal information, so it is promised, will allow individuals to get more benefit for handing over their personal information and encourage companies to respect individual privacy preferences [8]. Industries will use self-regulation to enforce compliance with privacy standards. Certification and standards such as eTrust’s privacy seal (http://www.truste.com/) will give consumers confidence. Websites will post privacy policies outlining their practices surrounding the collection and management of personal
information and consumers will take those practices into account when evaluating competitors.

One serious problem with the market approach is that it becomes very difficult for consumers to assimilate sufficient information in time to make an informed decision. Privacy policy statements are often lengthy and complex [9]; they are not designed to make it easy for consumers to compare them. It becomes almost impossible for a typical consumer to read the privacy statement of every website they visit [10], and even harder to intelligently choose the best among them for a particular transaction. Further discouraging this approach, many consumers do not trust what companies say in their privacy policies [11].

A third strategy has been to arm individuals with various PETs that will help them manage and protect their privacy. These include tools to encrypt e-mail communication, browse the Internet anonymously or raise awareness of privacy risks when engaging in transactions online. One of the chief complaints against many PET tools is that they have focused too much on methods for securing data against theft, while ignoring the problem that occurs when users willingly give away their information [12]. Awareness-based PETs – ones that inform a user of the privacy risks in the environment around them – are meant to help provide enough information to individuals to allow them to make rational choices.

One of the most widely touted awareness-based PETs in recent years has been P3P. P3P allows website operators to post a machine-readable version of their privacy policy on their site. Users can use a “privacy agent” to automatically compare and evaluate the privacy practices of different websites without having to read all the statements [13], [14]. However, P3P requires the cooperation of website operators, and the adoption rate of P3P has been slow. As of 2006, only about 15% of the top 5000 websites are P3P-enabled [15]. Even those sites that are P3P compliant still decide what information to include in their P3P-enabled privacy policy, potentially leaving out information about the company’s privacy practices that the consumer would want to know. This lack of uniformity means that it still can be difficult to compare different websites using P3P [16].

Social Navigation

Social navigation is a strategy for using the collective knowledge and experience of a large community, integrated into an electronic communication tool, to guide individual actions and decisions [17]. Social navigation has been used successfully in online searching, collaborative writing, and e-commerce.

Some examples of social navigation or social software include the Google page rank algorithm, which ranks web pages higher when outside websites link to it – allowing in effect for a wide collection of people to vote on which web pages they think provide the best content [18]. eBay’s reputation system for rating buyers and sellers is another example. Wikipedia, one of the largest collaborative, user-contributed information resources on the web (www.wikipedia.org) is an example of how a community of interested parties can collaborate for the collective good, without the need for monetary reward [19].

In the privacy sphere, a tool described by Goecks & Mynatt [20] illustrates how social navigation could be used to help individuals protect their privacy by using collective expertise to determine when cookies should be accepted. Much of the inspiration for our PIPWatch tool was drawn from their work. Netcraft’s anti-phishing toolbar (http://toolbar.netcraft.com/) is the only other example we could find of how the resources of a community can be used to help identify privacy risks.

One possible application of social navigation techniques to privacy technology would be to set up some sort of communal rating system – similar to eBay’s reputation system but focusing exclusively on rating the privacy practices of different organizations. This would be extremely difficult to implement in practice, since most consumers lack the expertise to effectively critique and compare privacy policies of different organizations. If contributions were restricted to “expert” users, the small number of individuals with sufficient knowledge and time to rank and compare privacy policies would make it difficult for any system to obtain the necessary critical mass of users. For these reasons, our PIPWatch tool uses a relatively structured and organized system for collecting communal data, rather than following the more open-ended designs used by other social navigation-based systems. PIPWatch users are encouraged to participate in building up the utility of the system, but their efforts are directed towards a set of very specific activities, which we describe in the next section.

PIPWatch Overview

The main goal of our project is to evaluate the prospects of combining social navigation techniques into a PET that helps Internet users identify which websites comply with Canadian privacy legislation and to honor the concerns common among Canadians who conduct personal transactions via the web. Our PIPWatch tool allows users to collect and share information about the privacy practices of various websites. Our tool works as follows:

■ Every time a PIPWatch toolbar user visits a website, the server provides the user with any information it has about the website, which appears in a bar across the top of the browser (Fig. 1) and as a “privacy beaver” icon in
the lower right hand corner, which changes color according to an overall privacy risk (Table I).
■ PIPWatch users are invited to contribute small pieces of key information about the websites they visit (Fig. 2).
■ The PIPWatch tool includes an interface to send an email to the Privacy Officer of a website, asking them to fill out a short questionnaire about their privacy practices. The key information gathered beforehand by PIPWatch users makes this task easy to accomplish.
■ Responses by the various Privacy Officers are stored on the central server. Whenever a PIPWatch user visits a website where a questionnaire has been completed, they are provided with the responses via the toolbar and the beaver.
■ With responses of several businesses in the same sector displayed in a readily comparable format, it is easy to choose from among them the one that best suits one’s privacy preferences (Fig. 3).

Fig. 1. The PIPWatch toolbar.

Table I. Privacy Beaver Icons
Icon Color | Meaning
Grey | The PIPWatch system has been turned off
Grey | The privacy officer has not been identified or contacted
Grey | The privacy officer has not responded to the questionnaire
Red | The current website’s privacy practices DO NOT match the user’s preferences
Yellow | The current website’s privacy practices PARTIALLY match the user’s preferences
Green | The current website’s privacy practices match the user’s preferences

Fig. 2. Key information dialog box.

The current implementation of PIPWatch includes three questions on the questionnaire sent to Privacy Officers (Table II).

While these three questions are by no means an exhaustive list of the concerns of Canadian Internet users, they are among those most frequently mentioned. We decided that starting with a small number of questions would improve the likelihood of cooperation by Privacy Officers. Since the PIPEDA legislation calls for organizations to appoint a Privacy Officer who is responsible for fielding questions from the public, there should by law be someone at every Canadian-operated commercial website able to answer the questions posed.

We do not expect every website to be PIPEDA compliant. Indeed, since a majority of websites are not located in Canada, we expect that most website operators will not even know what PIPEDA is. We expect that some such operators who are not obliged to do so will nevertheless want to attract business from Canadians. Others that have international clientele will want or
need to comply with the comparable European Data Protection Directive, and should have little difficulty meeting the Canadian criteria. To assist non-Canadian operators, we include information in the questionnaire indicating what PIPEDA is and how to achieve compliance.

In addition to the main goal of testing the feasibility of PIPWatch, the project has several additional sub-goals in the areas of privacy research, education, and advocacy. Some past research has indicated problems with the adoption of privacy regulations, noting that “the implementation of PIPEDA has been ad hoc at best and nonexistent at worst” [21]. A high response rate from Privacy Officers would indicate a high compliance with at least one aspect of PIPEDA: the requirement for openness about an organization’s privacy policies. Their specific answers will further help indicate how well Canadian companies are complying with other aspects of PIPEDA.

PIPWatch has also been designed with an educational purpose in mind. Information screens about PIPEDA and other privacy issues are embedded in the toolbar. It will be useful to evaluate how well the PIPWatch tool works in educating users who are concerned about privacy issues but may not know specific details.

Lastly, it will be interesting to see if the PIPWatch tool encourages compliance on the part of websites. When websites receive the emailed questionnaires, they may be prompted to review their privacy policies to determine if they are PIPEDA compliant. Furthermore, if consumers prefer sites that are more forthcoming in their responses and demonstrate stronger privacy protection, that will exert new market pressure to improve privacy protection.

Fig. 3. Website comparison dialog box.

Other PIPWatch Features

P3P tools such as PrivacyBird (http://www.privacybird.com/) allow users to specify their privacy settings, and give a warning when a website does not match the user’s stated preferences. PIPWatch adopts a similar strategy with our Privacy Beaver. In their privacy preferences, each user can specify the degree of their concern about each of the three privacy questions. These preferences, coupled with a privacy officer’s responses to these questions, determine how the Privacy Beaver is displayed in the bottom right corner of the user’s browser and the website comparison dialog box (Fig. 3). The degree of risk is calculated as the sum of the Yes/No answers to each question, weighted by the numerical preference score and is indicated by both the color of the beaver as well as the numerical score out of 10. The range of possible states and meaning of the beaver icons are displayed in Table I.

Table II. Privacy Questions and Icons
1. Do your organization’s policies and procedures comply with Canadian privacy laws and regulations? In particular, do they comply with the provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA), or with similar legislation in the provinces of British Columbia, Alberta and Quebec?
2. Do you take reasonable measures to ensure that personal information you collect from Canadians will only be shared with organizations that are compliant with PIPEDA (or similar provincial legislation)?
3. All data that is stored in or transmitted through the United States or processed by a company covered by US laws, is subject to the provisions of the USA Patriot Act. Do you take reasonable measures to ensure that all personal information you collect from Canadians will not become subject to the USA Patriot Act?

Implementation Details

The PIPWatch toolbar is built as an add-on extension for the Firefox browser using the XML User Interface Language (XUL). The toolbar resides in the user’s browser window and communicates with the PIPWatch server when the user requests a page. The server interface to the toolbar runs a web services application currently written in Java and connected to a MySQL database. The servlet assembles responses by querying this database containing information about users and sites.

This database is also used by the public-facing PIPWatch.ca website.

The website, created with the Drupal content management system, is where users can learn about the system, register as members, and download the toolbar.

The site also includes a forum, where users can discuss with each other and with the research team various aspects of PIPWatch and the sites they visit. The current version of the toolbar can be found and tested at the project website: http://PIPWatch.ca

Design Justification and Discussion

During our initial discussion with prospective users of PIPWatch, there was some concern raised about the prospect of the “screen real estate” being used up by the PIPWatch toolbar. Other options were considered, including hosting a website with detailed ratings for each website in our database. Other users expressed the desire for a “beginner” and “expert” view, with the former having one small icon only (similar to the Privacy Bird) and the latter with more detailed feedback. We felt that a web-browser toolbar was the most appropriate method for embedding signals to give users instant feedback on the privacy practices of the website they are currently visiting as well as to invite them to contribute information when needed.

Usability testing was undertaken on the first prototype and resulted in a number of design changes. The Key Information dialog box was reworked, making the pieces of information independent. The privacy officer response dialog boxes were merged into one dialog box. The Privacy Beaver indicator was de-coupled from the toolbar so that it is visible even when the toolbar is hidden.

During usability testing, a participant pointed out that exclusive use of color to indicate the privacy risk would not be accessible for color-blind individuals. Based on this feedback, a redundant risk indicator was added – the numerical score out of 10.

Currently the user community is small, with about 100 participants registered, but fewer than that are active. Cumulatively they have already visited more than 60 000 websites, thereby anonymously building the database. PIPWatch users have explicitly contributed information about more than 400 websites and made over 200 requests to privacy officers, some repeatedly. However, so far only 31 Privacy Officers have answered our questionnaire. This lack of responsiveness by Privacy Officers is currently the most serious challenge for us, since the value of the tool comes from the information they provide, and user interest wanes when there is no basis for differentiating between sites.

In essence, like social networking sites more generally, we face a chicken-and-egg problem. Until there is a significant amount of useful material, PIPWatch will not be attractive to new members, but gathering these materials requires contributions from previous members. In our case, this difficulty is compounded by the indifference and even active resistance from a key component of the user base – privacy officers. One way to get around this is to target the high-profile sites that many PIPWatch users visit regularly, and by pooling our efforts put pressure on these sites to avoid bad publicity and reap some benefit by being recognized as setting a good example.

We have had some success in turning up the pressure on non-responding officers. The CPO of Facebook, the most popular site among PIPWatch users, finally answered our questionnaire after having received 28 requests followed up by direct personal contact.

While the current operation reflects a notable proof-of-concept, PIPWatch is not yet an effective and self-sustaining tool for enhancing personal privacy. A major shortcoming has already been identified – the lack of response by privacy officers. But there are a number of other problems:

■ The questions posed are general and limited in scope, allowing only coarse comparisons.
■ The privacy ratings depend exclusively on how privacy officers respond. There are no other independent sources of assessment.
■ The toolbar only operates with Mozilla Firefox 2, not with the more common Internet Explorer.
■ The user base is not yet of sufficient size to generate new content on an ongoing basis.
■ The contributions by individual users are not sufficiently visible to give recognition to regulars and to give encouragement to newcomers.
■ There is little sense of a rewarding collective enterprise.

Most of these limitations reflect the still early stage of development, and in some cases are deliberate, intended to keep matters manageably simple. The next steps are to significantly expand the capabilities of the toolbar and to recruit a larger user community.

Future Plans

A priority is recruiting individuals to use the PIPWatch toolbar, asking them to gather key information and to send questionnaires to privacy officers. We adopt a participatory action research approach to actively engage these individuals in using the toolbar and providing feedback about the subject matter, the interface design, and the technical design. To address the shortcomings we have identified so far, we will:
■ Provide users with summarized information about particular websites, drawn from a significantly wider range of sources, such as more detailed questions posed to privacy officers, news reports, consumer complaints, industry awards, Privacy Commissioner rulings, expert assessments, and ratings by other PIPWatch users.
■ Give greater prominence to the contributions of users who wish to be recognized.
■ Enable users to register specific complaints and compliments about the organizations’ privacy practices, and track any response to users’ complaints and compliments.
■ Develop a more substantial rating system, where users can rate websites on their privacy practices.
■ Incorporate a “Privacy Wiki” functionality similar to the Wikipedia approach, where users can construct and share their own evaluation schemes about privacy issues and practices.
■ Collaborate with willing privacy officers in refining the questionnaire and related data gathering tools.

Novel On-Line Privacy Protection Approach

The PIPWatch tool is a novel approach to the problem of protecting privacy online. By combining social navigation techniques into a PET, the tool allows a group of privacy-concerned users to evaluate the privacy practices of websites they visit and to encourage compliance when it is lacking. Previous approaches to privacy protection have suggested that a solution lies with legislation or with market pressures or with PETs. We argue that PIPWatch combines these three approaches.

With a working prototype that has undergone several rounds of testing with users, the next stage is to extend the technical capabilities and build a user community. We want to assess how Privacy Officers respond when faced with a community of concerned and mobilized users. The degree and kind of cooperation from Privacy Officers (or the lack of cooperation) will indicate the effectiveness of our tool, and will also give us a sense of how Privacy Officers are complying with the openness and accountability principles of the PIPEDA legislation.

An expanded member base and a more refined privacy assessment tool will be needed for proper research about the effectiveness of this approach and about individual and privacy officer behavior. But, some preliminary conclusions can be made about these issues. We have shown that people can install and use the toolbar with relative ease, and will do so even when there is little immediate reward. Users will also provide some basic site information and send messages to privacy officers at least for an initial trial period.

More challenging is the reluctance of privacy officers to respond to member queries, even when repeatedly reminded that they are not fulfilling their legal obligation to be open about their privacy practices. As has been noted in other research, privacy compliance is often grudging and more oriented to giving the appearance than delivering the substance of privacy protection [9]. Evidently, at the current low level of PIPWatch activity, privacy officers conclude they can safely ignore the mild negative publicity. This does not mean the tool cannot succeed, and demonstrates the need for some form of more effective consumer mobilization – something the PIPWatch toolbar still holds promise of providing.

In addition to its potential value in the privacy area, the underlying technology of PIPWatch – a browser embedded toolbar displaying convenient, real-time feedback on the practices of web-owning organizations as reported by a collaborative community of fellow users – offers a model for organizational accountability in other areas where users want to selectively exercise their consumer preferences based on organizational behavior. It is not hard to imagine how watch-dog communities focused on such issues as pollution, global warming, labor practices, civil liberties, and human rights, may find this approach useful in pooling their experiences in a way that it is readily available at the moment of a web transaction.

Acknowledgment

We thank the volunteers who have contributed vital information to the PIPWatch database, who have solicited answers to key privacy questions from website privacy officers, who have posted comments in the discussion forum, and who have responded to our recurring requests for feedback. The first version of the PIPWatch software developed by David Ley was subsequently refined and expanded by Jeff Orchard, Afshin Lotfi and Parsa Shabani. This work has been supported financially by the Social Sciences and Humanities Research Council as well as by Bell University Labs at the University of Toronto. We appreciate the comments of the anonymous reviewers in revising this paper.

Author Information

The authors are with the University of Toronto, Toronto, Ont., Canada. Email: andrew.clement@utoronto.ca.

References

[1] Electronic Privacy Information Center, “Public opinion on privacy,” Epic.org, Oct. 9, 2005; http://www.epic.org/privacy/survey/.
[2] A. Acquisti and J. Grossklags, “Privacy and rationality in individual decision making,” IEEE Security & Privacy, vol. 3, no. 1, pp. 26–33, 2005.
[3] S. Garfinkel, Database Nation: The Death of Privacy in the 21st Century. Beijing, China, and Cambridge, MA: O’Reilly & Assoc., 2001.
[4] D. Solove, The Digital Person. New York, NY: New York Univ. Press, 2004.
[5] OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, Organisation for Economic Cooperation and Development, 1980; http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-en.htm.
[6] Industry Canada, PIPEDA Overview: What. 2004; http://privacyforbusiness.ic.gc.ca.
[7] A. Cavoukian and T. Hamilton, The Privacy Payoff: How Successful Businesses Build Customer Trust. McGraw-Hill Ryerson, 2002.
[8] K. Laudon, “Markets and privacy,” Commun. ACM, vol. 39, no. 9, pp. 92–104, 1996.
[9] C. Jensen and C. Potts, “Privacy policies as decision-making tools: An evaluation of online privacy notices,” in Computer Human Interaction. Vienna, 2004.
[10] T. Vila, R. Greenstadt, and D. Molnar, “Why we can’t be bothered to read privacy policies: Models of privacy economics as a lemons market,” in Proc. 5th Int. Conf. Electronic Commerce, Pittsburgh, PA, 2003.
[11] Ernst & Young, “Privacy promises are not enough,” 2001; http://www.ey.com/global/download.nsf/US/Privacy_Promises/$file/EYPrivacy%20Promises.pdf.
[12] H. Burkert, “Privacy-enhancing technologies: Typology, critique, vision,” in Technology and Privacy: The New Landscape, P. Agre and M. Rotenberg, Eds. London, U.K.: M.I.T. Press, 1997.
[13] L.F. Cranor, Web Privacy with P3P. O’Reilly & Assoc., 2002.
[14] W3C, The Platform for Privacy Preferences. World Wide Web Consortium Initiatives, 2005; http://www.w3.org/P3P/.
[15] L.F. Cranor, A.M. McDonald, S. Egelman, and S. Sheng, CyLab Privacy Interest Group 2006 Privacy Policy Trends Report, 2007; http://www.chariotsfire.com/pub/cpig-jan2007.pdf.
[16] EPIC & Junkbusters, Pretty Poor Privacy: An Assessment of P3P and Internet Privacy, 2000; http://www.epic.org/reports/prettypoorprivacy.html.
[17] K. Höök, D. Benyon, and A.J. Munro, Designing Information Spaces: The Social Navigation Approach. London, U.K.: Springer, 2003.
[18] S. Brin and L. Page, “The anatomy of a large-scale hypertextual Web search engine,” in Seventh Int. World Wide Web Conf., Brisbane, Australia: Elsevier, 1998.
[19] A. Lih, “Wikipedia as participatory journalism: reliable sources? Metrics for evaluating collaborative media as a news resource,” in Proc. 5th Int. Symp. Online Journalism (Austin, TX), April 16–17, 2004; http://journalism.utexas.edu/onlinejournalism/wikipedia.pdf.
[20] J. Goecks and E.D. Mynatt, “Supporting privacy management via community experience and expertise,” in Communities and Technologies, Proc. Second Communities and Technologies Conf. (Milano, Italy), P. van den Besselaar, G. de Michelis, J. Preece, and C. Simone, Eds., 2005.
[21] R. Akalu, “Implementing PIPEDA: A review of internet privacy statements and on-line practices,” Office of the Privacy Commissioner of Canada, 2005; http://pipedaproject.atrc.utoronto.ca/upload/PIPEDAfinal.pdf.