Increasing Awareness of Privacy Policies through Graphical Representation

I've had a few people ask me for information about my research for my MSc; here's an overview of the current state of my research and where I'm headed.

Privacy on the Web Today

On today's web, user participation is a key component of content. Social networking sites are the obvious example, with content that comes almost exclusively from the user base, and YouTube is another. Even simpler, less "social" websites are embracing user content: many software companies now use online forums as their primary means of support, even for official announcements to users, and most ecommerce websites let users submit reviews of products they've purchased. These disparate use cases share one thread: they all collect user information, and they all have privacy policies.

The Privacy Gap

The problem is that users are attentive to physical privacy but not to virtual privacy. Users care about someone looking over their shoulder at their monitor, but are indifferent when the same observation happens virtually. Users don't see their personal information as something with monetary value. Our online culture ignores privacy risks, assuming that nothing is lost because everything is stored "in aggregate".

Businesses running websites, meanwhile, actively solicit information from their users. Facebook provides an array of privacy features to limit what other users can see, but none that limit Facebook itself. Users can easily be tricked into disclosing information they didn't intend to disclose, whether through privacy-related UI features being minimized or through interactive agents. Users say they care about privacy. Companies say they respect individual privacy rights. Neither actually follows through on what they say.

The Simple Privacy Framework (SPF)

Unfortunately, for a variety of reasons, P3P, XACML, and EPAL are not well suited to describing simple yet detailed privacy policies within a website. A new XML language was needed that lets website developers easily describe privacy statements tied to individual website elements, such as form fields.

Here is a simple example of SPF as currently described:

<privacy>
  <statement>
    <source>Cell Phone Number</source>
    <receivers>
      <role>Trusted Companies</role>
      <relation from="Trusted Companies">Third Party Advertisers</relation>
      <entity>Acme Anvil Company</entity>
    </receivers>
    <action>call</action>
    <action>text message</action>
  </statement>
  ...
</privacy>

When such a statement is attached to a form on a website, a user agent can parse it automatically and inform the user as needed. Alternatively, the user agent could modify the page to disable elements whose statements don't match the user's own policy. Either way, the user is in control of how their private information is protected online.
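To make the parse-and-enforce idea concrete, here is an added example (my illustration for this post, not code from SPF or from any existing user agent): a minimal Python user-agent check that parses statements in the layout shown above, explains each one in plain language, and lists which form fields to disable under a user's own policy. The field= attribute binding a statement to a form input, the second statement, the user-policy dict and the matching rules are assumptions made for this example, not part of SPF as described.

```python
"""Minimal SPF user-agent check (added example, not part of the original post).

The <privacy>/<statement> layout follows the sample in the post. The field=
attribute binding a statement to a form input, the second statement, the
user-policy dict and the matching rules are assumptions made for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample document: the post's statement plus a hypothetical
# field= attribute and a second, harmless statement.
SAMPLE_SPF = """
<privacy>
  <statement field="phone">
    <source>Cell Phone Number</source>
    <receivers>
      <role>Trusted Companies</role>
      <relation from="Trusted Companies">Third Party Advertisers</relation>
      <entity>Acme Anvil Company</entity>
    </receivers>
    <action>call</action>
    <action>text message</action>
  </statement>
  <statement field="email">
    <source>Email Address</source>
    <receivers>
      <entity>Acme Anvil Company</entity>
    </receivers>
    <action>send order confirmation</action>
  </statement>
</privacy>
"""

# Hypothetical user policy: receivers and actions the user refuses outright.
USER_POLICY = {
    "deny_receivers": {"Third Party Advertisers"},
    "deny_actions": {"text message"},
}


def parse_spf(xml_text):
    """Parse an SPF document into a list of statement dicts."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "privacy":
        raise ValueError("not an SPF document: root element is <%s>" % root.tag)
    statements = []
    for st in root.findall("statement"):
        src = st.find("source")
        receivers = []
        recv = st.find("receivers")
        if recv is not None:
            for child in recv:  # <role>, <relation from=...> or <entity>
                receivers.append({
                    "kind": child.tag,
                    "name": (child.text or "").strip(),
                    "via": child.get("from"),  # only set on <relation>
                })
        statements.append({
            "field": st.get("field"),
            "source": (src.text or "").strip() if src is not None else "",
            "receivers": receivers,
            "actions": [(a.text or "").strip() for a in st.findall("action")],
        })
    return statements


def describe(statement):
    """Render one statement as a plain-language sentence (the 'inform' mode)."""
    names = [r["name"] + (" (via %s)" % r["via"] if r["via"] else "")
             for r in statement["receivers"]]
    return "Your %s may be used to %s by %s." % (
        statement["source"],
        " or ".join(statement["actions"]) or "do nothing",
        ", ".join(names) or "no one",
    )


def violations(statement, policy):
    """Return the reasons a statement conflicts with the user's policy."""
    reasons = []
    for r in statement["receivers"]:
        if r["name"] in policy["deny_receivers"]:
            how = " (via %s)" % r["via"] if r["via"] else ""
            reasons.append("%s would reach %s%s" % (statement["source"], r["name"], how))
    for a in statement["actions"]:
        if a in policy["deny_actions"]:
            reasons.append("%s would be used to %s" % (statement["source"], a))
    return reasons


def fields_to_disable(xml_text, policy):
    """Map form field names to the reasons the user agent should disable them."""
    blocked = {}
    for st in parse_spf(xml_text):
        reasons = violations(st, policy)
        if reasons and st["field"]:
            blocked[st["field"]] = reasons
    return blocked


if __name__ == "__main__":
    for st in parse_spf(SAMPLE_SPF):
        print(describe(st))
    for field, reasons in fields_to_disable(SAMPLE_SPF, USER_POLICY).items():
        print("disable <input name=%r>: %s" % (field, "; ".join(reasons)))
```

Run as a script, it prints one sentence per statement and then reports that only the phone field should be disabled: the email statement names no denied receiver or action, while the phone statement fails on both the relation to Third Party Advertisers and the text message action. Note that the relation's from= attribute is carried through so the user can see the chain through which their number would travel, which is exactly the kind of detail a legalese privacy policy buries.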

Multimodal Communication

One of the interesting side effects of such a scheme is that it becomes possible to change the actual method of communication. Just as XHTML can be presented in a variety of useful and unintended ways, an SPF description could be communicated by virtually any method. Privacy statements can be unbound from the legalese of privacy policies. The next phase of my research will explore the implications of this further.

Next Steps

I am finishing the analysis of some data from a pre-survey I ran, as well as brushing up on my stats knowledge (using this book) so I can have some valid metrics for measuring that data. Next, I plan to run an experiment to test some of my theories above in practice. If you're interested in this research, be sure to follow my RSS feed, or feel free to contact me for collaboration or references.