15-508 / 17-801 / 19-608 / 95-818: Privacy Policy, Law, and Technology

Homework 6 - due October 7, 2004

Reading Assignment: Cranor - 5, 6 (p. 104-109 optional), 7, 11, Millett paper (Optional: Cranor 12)

1. (30 points, 4 for each summary, 2 for each highlight) Write a short summary of each chapter and article in the reading assignment (2-5 sentences each). After each summary (in a separate paragraph) provide a "highlight" for that chapter. This can be something new you learned that you found particularly interesting, a point you would like to discuss further in class, a question the chapter did not fully answer, something you found confusing, a point you disagree with, or anything else you found noteworthy.

2. (40 points) Download and try at least two P3P user agents (for example, Privacy Bird, IE6, Netscape 7 -- see http://www.w3.org/P3P/implementations for other choices, but don't review P3P-related software that is not a user agent). Then answer the following:

• (a) (20 points) What are the similarities and differences between the two user agents? (List at least 2 similarities, and at least 2 differences.)
• (b) (20 points) What particular features of each did you like or dislike and why? (Discuss at least 2 features of each of the two user agents.)

Note: You may need to find a Windows machine to complete this question as some P3P user agents only run under Windows.

3. (30 points) In homework 4, you each picked an industry or type of web site and read three privacy policies. As it turns out, some of the sites you picked were P3P-enabled but some were not. Go back to the three sites whose privacy policies you looked at and do the following:

• (a) (12 points) For EACH of the three sites, use the W3C P3P validator to answer these questions:
  • (i) Is the site fully P3P-enabled, partially P3P-enabled (has some but not all required P3P files, has errors in P3P files, has compact policy but not a full policy, etc. - if the site is partially P3P-enabled, explain), or not P3P-enabled at all?
  • (ii) Does the site have a compact P3P policy?
  • (iii) If the site is P3P-enabled, how many P3P policies does it have?
• (b) (18 points) If one of the sites you looked at is fully or partially P3P enabled, compare the P3P policy with the site's human-readable policy. (If more than one site is P3P enabled, just pick one.) Otherwise look at the privacy policy and P3P policy at http://www.attws.com/. Then answer these questions:
  • (i) Do you think the company has accurately captured its privacy policy with its P3P policy? That is, are there any inconsistencies between the two policies? If you think there are inconsistencies, what are they?
  • (ii) What parts of the human-readable privacy policy, if any, are not captured at all by the P3P policy?
  • (iii) Are any of these elements you identified in part ii items that are supposed to be encoded in a P3P policy (that is, did the site make an error, or are they limited by the P3P syntax)?