15-508 / 17-801 / 19-608 / 95-818: Privacy Policy, Law, and Technology

Homework 7/8 - due October 26, 2005

Reading Assignment 7:
- Cranor Foreword, 4
- The Platform for Privacy Preferences as a social protocol (Hochheiser)
- [Optional: Automoated analysis of P3P-enabled Web sites (Byers, Cranor, and Kormann)]
- [Optional: Cranor 14]

Reading Assignment 8:
- Solove 6
- Identity Theft (Givens)
- NAS Report, Chapters 1 and 2
- Security without Identification (Chaum 1987)
- Anonymous Web transactions with Crowds (Reiter and Rubin)
- [Optional: The architecture of robust publishing systems (Waldman, Rubin, and Cranor)]
- [Optional: Off-the-record communication (Borisov, Goldberg, and Brewer)]

1. Write a short summary of each chapter or article in the reading assignment (2-5 sentences each). After each summary (in a separate paragraph) provide a "highlight" for that chapter. This can be something new you learned that you found particularly interesting, a point you would like to discuss further in class, a question the chapter did not fully answer, something you found confusing, a point you disagree with, or anything else you found noteworthy. (You can combine the two NAS chapters into a single summary.) [50 points]

2. [50 points] What are your personal privacy preferences?

• a) First express them in English as a set of 3 to 5 rules. For example one rule might be "I don't want companies to share my data." If you can't capture all of your privacy preferences in 5 rules, just write down the 5 rules you consider most important.
• b) Translate your rules into P3P vocabulary elements (for example, the above rule would translate to "RECIPIENT=ours").
• c) Create an APPEL ruleset that represents your set of 3 to 5 privacy preference rules (plus a catch-all rule).

3. For ONE of the sites you looked at in homework 6 that is not P3P enabled, create a P3P policy for the site based on information provided in that site's privacy policy. You do not need to try to research or guess anything that is not included in the privacy policy. If the site offers many services that each have their own privacy considerations, you only need to cover the main services in your policy (make a note of what you are omitting, however). If you find that the site's privacy policy does not provide enough information for you to create a complete policy, make a list of questions that would have to be answered to complete the policy. Feel free to use a P3P policy editor to create your P3P policy (recommended: JRC policy editor - see online help - and IBM policy editor). Turn in the XML policy file you created, as well as your list of questions. [50 points]

4. Should people always be allowed to be anonymous on the Internet? If so, how can illegal, irresponsible, or anti-social behavior be prevented? If not, why not and when should anonymity be prohibited? What level of identification is appropriate for various types of Internet interactions? Use some of the class readings or other articles to support your argument. [50 points]