the ‘paippsi’ research project « pour une analyse interdisciplinaire des ‘privacy policies’...
TRANSCRIPT
The ‘PAIPPSI’ Research Project« Pour une Analyse Interdisciplinaire des ‘Privacy Policies’ sur les Sites Internet »
‘An interdisciplinary analysis of 'Privacy Policies' on Websites’
F. Le GuelRITM
Université Paris [email protected]
Colloque ISN La protection des données personnelles : approche pluridisciplinaire
Jeudi 18 décembre 2014Les Colombages, 12 rue Arthur Rozier, 75019 Paris
PAIPPSI : an exploratory project
PAIPPSI is a ‘PEPS’ project : ‘Projet Exploratoire Premier Soutien’Funding : CNRS-Idex Paris-SaclayDecember 2014/December 2015
• An exploratory project aims to promote original interactions between Social Sciences and other sciences such as mathematics, computer science, engineering, etc…
• to initiate scientific and technological communities in Saclay,
• with the ability to associate corporate industrial laboratories or start-ups
PAIPPSI : an interdisciplinary project
• Economists : Grazia Cecere, Nicolas Soulié, Matthieu Manant, Serge Pajak, Alain Rallet, Fabrice Rochelandet, Jean-Michel Etienne, Nessrine Omrani (RITM, U. Paris Sud)
• Lawyers : Célia Zolinsky, Ola Mohty (DANTE, UVSQ), Alexandra Bensamoun, David Forest, Julie Groffe (CERDI – U. Paris Sud), Claire Levallois-Barth (TPT - Institut Mines-Télécom)
• Computer scientists : Sophie Chabridon (TSP - Institut Mines-Télécom)
• Consumers' Association : François Carlier (CLCV - Association nationale de défense des consommateurs et usagers)
PAIPPSI : « Pour une Analyse Interdisciplinaire des ‘Privacy Policies’ sur les Sites Internet »
‘Privacy policy’: « charte de vie privée », « Politique de confidentialité » (Google), « Politique d’utilisation des données » (Facebook), « Respect de la vie privée », « Vos données », « Informations vous concernant », etc…
‘An interdisciplinary analysis of 'Privacy Policies' on Websites’
What is a ‘privacy policy’ ?
• But, in practice, in the European Community, there is no law or regulation requiring the publication of such a document and certainly not that define the content
• A priori, a privacy policy is a document that discloses some or all of the ways a party gathers, uses, discloses and manages a web user or client's data
• The only requirement for a website is to respect the law concerning the processing of personal data!
So why do websites display a privacy policy while there is no legal obligation to do that ?
Is it not paradoxical ?
The ‘privacy paradox’ (A. Acquisti)'privacy paradox' : while Internet users are concerned about privacy, their
behaviors do not mirror those concerns
Discrepancy between stated privacy concerns and actual privacy settings
For websites : a ‘privacy policy paradox’ ?
i.e., a gap between what is reported by the website (via the privacy policy ) and what is actually observed ?
Issues
We talk about the best way to inform citizens about the collection and processing of personal data ...
... in the age of the ‘Internet of Things’ and ‘Big Data’...
... while legislation is evolving…
... at the time of criticisms of companies like Facebook, Twitter or Google's…
... but without undermining the economic growth !
The firm’s behavior:
Two examples of the gap between what is announced by the firm and what it actually does
• Ghostery
• TRUSTe
What is announced by ‘Ghostery’
(MIT Technology Review)
GhostRank takes note of ads encountered and blocked, and sends that information back to advertisers so they can better formulate their ads to avoid being blocked
… and what Ghostery actually does
TRUSTe : an online trust certification :
Gap between what is announced by TRUSTe and what it actually does
Our project aims to analyze the potential mismatch between what is announced (by analyzing privacy policies) and what
is observed:
• Is there a risk of ‘adverse selection’ ?
• What should you look for in a ‘good privacy policy’ ?
• How to insure that the website does what it says ?
IT IS ALMOST IMPOSSIBLE TO ANSWER THESE QUESTIONS SCIENTIFICALLY WITHOUT AN INTERDICIPLINARY APPROACH
The liar’s paradox : « I say that i am lying »
The contribution of lawyers
For lawyers: the content analysis of privacy policies aims to see if what is said by the website is consistent with what the law requires
It is needed to qualify (to code, for subsequent statistical processing) the content of a sample of privacy policies in the light of the law:
• Constitution, convention n° 108 du Conseil de l’Europe du 28 janvier 1981, • charte des droits fondamentaux de l’Union européenne, • directive n° 95/46/CE et loi du 6 janvier 1978 modifiée…
… including the lessons learnt from past experiences: for example, ‘PrimeLife’, ‘P3P’, ‘Privacy Dictionary’; the littérature (i.e. Cranor and al.), article 29 (G29) working party…
The contribution of economists
For economists, a privacy policy can be seen as a signal (cf. the signaling theory) in the on-line world, where web transactions are inherently asymmetrical vis-à-vis information privacy : the website has more knowledge than the visitor of what they will do to protect consumer privacy (c.f. Reay & al., 2009)
3 assumptions concerning the type of signal:
1. As there is no legal obligation, some websites may display nothing (no privacy policy), then, the signal is null (but this information is a signal!)
2. The content of a privacy policy is not 'random', this content shows a strategic behavior
3. The content of a privacy policy could result from a ‘herd behavior’ where a group of websites has adopted the same privacy policy
The contribution of computer scientists
1. to analyze websites tracking (for example by using and testing confidentiality tools such as ‘LightBeam’ or 'Privacy Dashboard'),
2. to study the collapse of the Platform for Privacy Preferences (P3P) protocol (cf. L. Cranor, 2012), a mechanism to help privacy protection on the Web. “This mechanism relies on the use of machine-readable privacy policies, posted on a website, and interpreted by client-side browser extension.”
3. to define and test a ‘privacy dictionary’ (cf. A. J. Gill & al., 2011).
Our partnership with the CLCV
While the citizen is at the center of the debate and remains the supplier of personal data, users’ behavior is often set aside !
Our partnership with CLCV will enable us to focus our analysis in web user behavior
Afterwards ?
• ANR project-based research• H2020 : The EU Framework Program for Research and Innovation
• New partnerships • A new workshop (2015)
Thanks a lot !