15-508 / 17-801 / 19-608 / 95-818: Privacy Policy, Law, and Technology

Homework 6 - due October 12, 2005

Reading Assignment:
- Cranor 11, 13
- [Optional: User Interfaces for Privacy Agents (Cranor, Guduru, and Arjula)]

1. Write a short summary of each chapter and article in the reading assignment (2-5 sentences each). After each summary (in a separate paragraph) provide a "highlight" for that chapter. This can be something new you learned that you found particularly interesting, a point you would like to discuss further in class, a question the chapter did not fully answer, something you found confusing, a point you disagree with, or anything else you found noteworthy. [20 points]

2. [40 points] In homework 3, you each picked an industry or type of web site and read three privacy policies. Some of the sites you picked were P3P-enabled but some were not. Go back to the three sites whose privacy policies you looked at and do the following:

a) For EACH of the three sites, use the W3C P3P validator to answer these questions:
- (i) Is the site fully P3P-enabled, partially P3P-enabled (has some but not all required P3P files, has errors in P3P files, has compact policy but not a full policy, etc. - if the site is partially P3P-enabled, explain), or not P3P-enabled at all?
- (ii) Does the site have a compact P3P policy?
- (iii) If the site is P3P-enabled, how many P3P policies does it have?
b) Pick one of the P3P-enabled sites and compare the P3P policy with the site's human-readable policy. Then answer these questions:
- (i) Do you think the company has accurately captured its privacy policy with its P3P policy? That is, are there any inconsistencies between the two policies? If you think there are inconsistencies, what are they?
- (ii) What parts of the human-readable privacy policy, if any, are not captured at all by the P3P policy?
- (iii) Are any of these elements you identified in part ii items that are supposed to be encoded in a P3P policy (that is, did the site make an error, or are they limited by the P3P syntax)?

3. Do part 2 of the privacy policy project. [40 points]