15-508 / 17-801 / 19-608: Privacy Policy, Law, and Technology

Homework 6 - due February 19, 2004

Reading assignment: Cranor 4, 13, 14; Hochheiser 2002; Byers 2003

1. What are your personal privacy preferences? First express them in English. Then translate them into P3P vocabulary elements (for example, "I don't want companies to share my data. RECIPIENT=ours"). Finally, create an APPEL ruleset that represents your preferences.

2. What does the Byers et al. study tell us about the types and extent of profiling on the web? Does profiling tend to be done pseudonymously or in ways that identify users? What types of sites are most likely to engage in profiling? Why do you think these types of sites do more profiling than other sites?

3. Review the explanation of the RECIPIENT element's design in Cranor 11 and the criticisms of the RECIPIENT element in the Hochheiser paper. What is your opinion about this element? What do you think of the alternative approaches that have been suggested? Would you recommend changes to the RECIPIENT element in future versions of P3P? Why or why not?

4. (a) What are the main arguments against P3P that have been raised by privacy advocates? (b) What are the main arguments against P3P that have been raised by businesses? (c) What rationale do P3P developers give for their claim that P3P will likely result in more privacy? (d) Which of these three groups do you agree with the most? Why?

5. Review the P3P policy at http://lorrie.cranor.org/courses/sp04/policy1.xml. What is wrong with this policy? How would you fix this policy so that it describes a web site that collects logfile data and data about a user's font preferences; uses it for system administration, research, and to present the web site in the user's preferred font during the current visit; and has no data retention policy?