Submitted this design for the 32nd All India Student’s Design Competition organized by National Design and Research Forum, Institute of Engineers (India), May 2001.
Design of a new Paradigm to encounter the Global Crisis of Data Privacy over the Internet
Present Technological Problems
Design Aims and Objectives
Privacy is a fundamental human right recognized in all major international treaties and agreements on human rights. New technologies are increasingly eroding privacy rights. This includes online data transactions between Businesses and their Customers.
The World Wide Web has become a marketplace, where information is shared, goods are offered and sold, and services are provided, often requiring people's personal information.
Along with the benefits of revealing personal information, there is an increasing risk of people's privacy being violated, combined with a growing complexity of data privacy.
Whole industries and bureaucracies have formed solely to collect and distribute sensitive information that individuals once viewed as under their exclusive control: medical records, personal shopping habits, credit histories. Privacy is the number one concern of Internet users; it is also the top reason why non-users still avoid the Internet.[1]
This project introduces a reliable model to simplify online data transactions while enhancing a user's privacy protection.
This paradigm represents a platform- and software-independent resolution towards better privacy protection on the Web, by reducing the complexity of online data transactions and helping the user to manage, transfer, and settle personal information on the Web.
1. Source: “CDT’s guide to Online privacy”, <http://www.cdt.org/privacy/guide/introduction/>
Here we analyze the problem from various points of view. Any problem can only be systematically solved by careful scrutiny of the situation in the past, present and future.
We have to look into the subsequent implications:
Over the past decade, numerous surveys conducted around the world have found consistently high levels of concern about privacy. The more recent studies have found that this concern is as prevalent in the online environment as it is for physical-world interactions.
It is observed that [1]:
Despite this wide range of interests in privacy as a topic, we have little idea of the ways in which people in their ordinary lives conceive of privacy and their reactions to the collection and use of personal information.
With this problem definition study, we have tried to better understand the nature of online privacy concerns; we look beyond the fact that people are concerned and attempt to understand what aspects of the problem they are most concerned about.
What the user actually wants [2]:
As the software engineering community attempts to implement P3P or similar privacy protocols, one of the major issues will be the design of easy-to-use interfaces for users. Users would likely benefit from systems that assist them in identifying situations where a site's privacy practices are counter to their interest and assist them in reaching agreement and exchanging data where such an interaction is acceptable to the user.
However, a user interface must not only present an extremely complex information and decision space, it must do so seamlessly and without a distracting interface [3].
Automatic transfer of data and computerized negotiations with sites are unlikely to be interesting to most consumers.
Designers should permit users to have differing views of -- or ways of looking at -- their information. For instance, while it makes sense to include phone number in a contact information category, respondents considered it more sensitive than postal information.
Additional augmentative assistance to consumers will be useful. Many respondents expressed confusion over potential risks and rewards for their dissemination of personal information.
The data from these studies suggest that a trust-enhancement approach is more effective. Trust can be enhanced by building a reputation for fairness, by communicating information-sharing policies up front and stressing the relational benefits, and by constantly informing consumers of the organization's activities to serve them better [4].
Therefore a consortium should be built that will foster proper use of customers' data and ensure that no data is misused for any other illegitimate purpose.
The development of automatic data processing, which enables vast quantities of data to be transmitted within seconds across national frontiers, and indeed across continents, has made it necessary to consider privacy protection in relation to personal data, in order to prevent what are considered violations of fundamental human rights, such as the unlawful storage of personal data, the storage of inaccurate personal data, or the abuse or unauthorized disclosure of such data.
On the other hand, there is a danger that disparities in national legislations could hamper the free flow of personal data across frontiers; these flows have greatly increased in recent years and are bound to grow further with the widespread introduction of new computer and communications technology. Restrictions on these flows could cause serious disruption in important sectors of the economy, such as banking and insurance.
Customers are very concerned about the following points:
It is found that respondents cared a great deal about
Many people are unaware that others are using information services to make decisions about them. If data in a company's file comes from inaccurate public records or has been inaccurately transcribed, a consumer could be harmed.[5]
A statistical insight into this universal crisis has to be taken before going ahead with the design.
1. Hine, Christine and Juliet Eve (1998). Privacy in the marketplace. The Information Society 14(4):253-262.
2. Beyond Concern: Understanding Net Users' Attitudes About Online Privacy <http://www.research.att.com/projects/privacystudy/>
3. Ackerman, Mark S. and Lorrie Cranor. Privacy Critics: UI Components to Safeguard Users’ Privacy. Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI'99), short papers (v.2.), in press.
4. Milne, George R. and Maria-Eugenia Boza (September 1998). Trust and Concern in Consumers' Perceptions of Marketing Information Management Practices. Marketing Science Institute Working Paper Report No. 98-117.
5. Industry Responds To Online Community's Outrage Over Widespread Availability Of Personal Information, Center for Democracy and Technology <http://www.cdt.org/privacy/issues/pii/971218industry.shtml>
92.9% of the sites were collecting personally identifiable information [1].
48% said they would be more likely to provide it if there was a law that prevented the site from using the information for any purpose other than processing the request [2].
Excerpt from an online poll website [3]:
Have you personally ever been the victim of what you felt was an improper invasion of privacy, online or elsewhere?
Have been victim 25%
Have not been victim 75%
Registering At Sites [4]
Four in five -- 82% -- are not at all comfortable with online activities being merged with personally identifiable information, such as "your income, driver's license, credit data, and medical status."
Customer attitude towards information collection [3]:
Respondents were consistently less comfortable allowing a child to provide each of these types of information than they would be providing it themselves, with the biggest differences reported in the number of respondents who said they were always or usually comfortable with a child providing email address (16%) and age (14%).
Source: AT&T Research, April 14, 1999 <http://www.research.att.com/resources/trs/TRs/99/99.4/99.4.3/report.htm>
Source: BW/HARRIS POLL: ONLINE INSECURITY SURVEY of 999 adults, including 408 online users, conducted Feb. 18-23, 1998 for Business Week by Louis Harris & Associates Inc. and Alan Westin, publisher of Privacy & American Business. http://www.businessweek.com/1998/11/b3569107.htm
Source: Graphic, Visualization & Usability Center's (GVU) 6th WWW User Survey, <http://www.cc.gatech.edu/gvu/user_surveys/survey-10-1996.
Technologies designed to meet the information needs of government and business have effectively deprived private individuals of the power to control their personal information. In addition to facilitating the collection of detailed personal data, communication technologies have enabled collectors to share data between themselves for a wide range of purposes.
Platform for Privacy Preferences Project (P3P) [1]
On June 21, 2000, major Internet companies offered the first public demonstration of a new generation of Web-browsing software designed to give users more control over their personal information online. The new products are based on the Platform for Privacy Preferences Project (P3P), a set of software-writing guidelines developed by the World Wide Web Consortium (W3C), the standard-setting body for the Web.
P3P is designed to provide Internet users with a clear understanding of how personal information will be used by a particular Web site. Web site operators will be able to use the P3P language to explain their privacy practices to visitors.
Proxies and Firewalls
Proxies and firewalls are barriers between a computer and the Internet. Communications are only allowed under certain circumstances and certain types of communications can be blocked entirely.
The private sector has developed Internet tools that strip out personal information in order to protect user privacy.
National laws may be insufficient, on their own, to provide citizens with privacy protections across borders. Various international bodies, including the European Union and the Organization for Economic Cooperation and Development, have developed privacy rules.
In late 1980, the Organization for Economic Cooperation and Development issued a set of privacy guidelines. Albeit broad, the OECD guidelines set up important standards for future governmental privacy rules. These guidelines, while not enforceable, have influenced international agreements, national laws, and self-regulatory policies.
Online Privacy Alliance (OPA)
The OPA, a group of more than 80 global corporations and associations, is committed to lead and support self-regulatory initiatives that create an environment of trust and that foster the protection of individuals' privacy online and in electronic commerce. The OPA identifies and advances online privacy policies across the private sector, supports the development and use of self-regulatory enforcement mechanisms and activities, as well as user empowerment technology tools designed to protect individuals' privacy, and supports compliance with and strong enforcement of applicable laws and regulations.
Network Advertisers Initiative (NAI)
The Initiative is committed to providing consumers with a clear explanation of what data the advertisers collect, how they use it, and why use of data can benefit consumers' experience online.
The technical side of data privacy is so far handled by P3P and APPEL. These technological paradigms have their own limitations, which are discussed in the next section. In addition, the Online Privacy Alliance has only set out its policy, and that policy is applied by a meager number of companies. Since membership of this alliance is not obligatory, many businesses overlook its policies.
PRESENT TECHNOLOGICAL PROBLEMS
Besides privacy problems regarding legal protection, there are several other types of problems. During online transactions Web sites can gather a lot of information, which can be either personal information or information derived by tracking people's online activities. People are concerned about the privacy of such information because it is often difficult for them to learn about a Web site's information practices. Some Web sites have started publishing their privacy policies online but in a lot of cases people cannot find them, do not trust them, or simply do not understand them. Thus, people often do not know the consequences of releasing personal information.
It requires us to use all of the tools at our disposal -- international agreements, legislation, self-regulation, public education, and the technology itself -- to protect the right to privacy of Internet users.
These are some of the targeted problems faced in the present era:
The nature of the Internet poses a variety of challenges to our traditional, top-down methods of implementing policy and controlling behavior. Regulating online privacy has been a difficult challenge for the government. The government's interest lies in fostering economic growth and protecting its citizens, which has to be balanced against the self-interest of individuals. Thus, the government has to adopt policies that are beneficial to both parties.
There is no proper body to examine online profiling, the practice of aggregating information about consumers' preferences and interests, gathered primarily by tracking their movements online, and using the resulting profiles to create targeted advertising on Web sites.
A need for stronger encryption, which is the backbone of technological protections for privacy.
Cookies are a major source of information, hence the following aspects have to be taken care of [1]:
The user is unaware that a cookie is being maintained.
The user doesn’t have the ability to delete cookies associated with a Web visit at any time.
The information obtained through the cookie about the user is at times disclosed to other parties without the user's explicit consent.
Cookie information itself contains sensitive information and is used to obtain sensitive information that is not otherwise available to an eavesdropper.
Proxies and Firewalls are not very competent in blocking communications such as cookies, junk e-mail, Java, ad banners, the types of communications used by intruders attempting to hack into computers, and others.
International agreements have to be more forceful and rigid.
Absence of industry self-regulation.
Customers are often unclear why and for what purpose a Web site collects personal information during an online transaction [1]. For example, it is not obvious why a Web site wants to collect a person's phone number while offering a subscription to a mailing list. One reason is that information such as this is very valuable to Web sites, especially to those who offer free Web services. The collected information can be used for advertising or marketing.
All of these problems indicate that people need help and better protection regarding privacy on the Web.
1. How to manage, negotiate, and transfer personal information on the Web. <http://wwwcssrv.almaden.ibm.com/wbi/p3p/TOC.html>
AIMS AND OBJECTIVES
The design implements the following set of principles in order to sustain data privacy:
Collection Constraint Principle: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
Data Quality Principle: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
Purpose Specification Principle: The purposes for which personal data are collected should be specified not later than at the time of data collection.
Data Application Limitation Principle: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified by the business organization.
Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
Candidness Principle: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
This design demands an in-depth understanding of the whole issue and the players involved in it. These players can also be termed as ‘Existing Privacy Protectors’. They are as follows:
Legislation and Law.
Technical Initiatives like P3P, APPEL, Proxies and Firewalls, Anonymizers and cookies.
International Agreements like Organization for Economic Cooperation and Development (OECD) and EU Data Protection Directive.
Industry Self-Regulation like Online Privacy Alliance and Network Advertisers Initiative (NAI).
This design is a new paradigm composed of many components. These components are the various requirements that make data privacy free from discrepancy; they are simply the players mentioned above. The only difference here is that they do not act as independent domains but as constituents of one architecture, with conceptual alterations.
The components of the model are as follows:
Data Wallet Factory
Data Well Center
Figure 1: Architecture of the proposed model
The customer is the primary source of information. This model assumes that the customer fills in valid data without maintaining any anonymity. This is done just to keep the model simple and uncomplicated.
The Business taking part in this model may be of any sort, so long as it requests information from the customer over the Internet. The Business involved here has to be a registrant of the Online Privacy Alliance; this guarantees industry self-regulation. Illegitimate businesses such as pornographic groups, buyers/sellers of illegal material, etc. will also be strongly discouraged from joining this forum.
The transaction is first initiated by the business in the form of HTML Form, Queries etc.
Transaction walls are proxy interfaces that act as barriers before customer-related data reaches the business. The Transaction Walls are arranged so that the most critical interfaces are encountered first. The various types of Transaction Wall proposed are as follows:
1. Security Check: This Transaction Wall is the first and most imperative type of blockage. The data entered by the user faces this check. Here the data is scanned and any personally identifiable data (rules for recognizing data as personally identifiable are set in P3P) is stopped (i.e. converted into a Data_Serial_No.) from further passage to the next walls.
The P3P and APPEL mechanisms are brought into the picture here, and they handle only the exchange of data between the Transaction Walls and the Customer, instead of between Business and Customer. This allows more control over the aims and application of P3P. P3P has not been a success so far, as the majority of businesses do not implement it in their transactions; with the concept of walls, P3P can be executed effectively at the transaction-wall level.
2. Policy Agreement: Here the policy agreement between the Customer and the Business is confirmed. These policies are the basis for current data protection and online privacy views, laws and practices. This policy has to be set in common by an international body, so that every country abides by it and takes appropriate legal action.
3. OPA Agreement: This is a self-regulatory step where every business is verified for OPA membership. For details of OPA policies, refer back to the Present Technology section.
4. Transborder Flow Agreement: The development of automatic data processing, which enables vast quantities of data to be transmitted within seconds across national frontiers, and indeed across continents, has made it necessary to consider privacy protection in relation to personal data. "Transborder flows of personal data" means movements of personal data across national borders.
Issues involved in deciding the Transborder flow of data policy [3]:
That automatic processing and transborder flows of personal data create new forms of relationships among countries and require the development of compatible rules and practices;
Contribution of transborder flows of personal data to economic and social development;
Domestic legislation concerning privacy protection and transborder flows of personal data may hinder such transborder flows.
If an error occurs as the data flows through a transaction wall, both parties, i.e. the Customer and the Business, have to be informed. The Business has to be given more information about the error, because that will help it rectify the problem.
Data Wallet Factory
The data hops from one wall to another before it finally reaches the Data Wallet Factory. While on its way to the factory, the data is encrypted using the Data Encryption Algorithm, which is summarized below:
Analysis of Data Encryption Algorithm
1. Valid data is received.
a. Test whether the Personal identifiable Data is in Data_Serial_No. format or not.
i. If No, then encrypt it into a Data_Serial_No.
// Data_Serial_No is the only uniquely identifying field.
ii. If Yes, then continue to the next step.
b. Collect all the customer information and associate each data with the Field table.
// Field table links each filled field with the standard Field titles. For example:
// 1 → Age
// 2 → Hobby, etc.
c. Store it into a data structure called data_package.
d. Attach the date and time of the data transaction.
e. Pass the data_package prefixed with the Data_Serial_No., date and time to the Data Wallet Factory.
2. If valid data is not received, then inform the Customer and the Business about the aborted data transaction.
a. Pass the error interrupt to the business for further rectification.
End of Data Encryption Algorithm
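The Security Check wall and the Data Encryption Algorithm above, written out as an added example (not code from the original design). Assumed rather than specified by the page: the set of field names treated as personally identifiable stands in for the P3P data-schema rules, a Data_Serial_No has the constructed form DSN-<8 hex digits>, and the Customer/Business notifications are returned as dicts rather than sent anywhere.

```python
"""Security Check wall + Data Encryption Algorithm (added example).

Assumptions (not from the design): PII fields are a fixed set standing in for
the P3P rules; Data_Serial_No looks like DSN-<8 hex digits>; notices are dicts.
"""
import re
import secrets
from datetime import datetime, timezone

# Standard Field table of step 1b (constructed sample): field number -> title.
FIELD_TABLE = {1: "Age", 2: "Hobby", 3: "Name", 4: "Phone", 5: "Email"}
FIELD_NO = {title.lower(): no for no, title in FIELD_TABLE.items()}
# Fields the Security Check treats as personally identifiable (assumed rules).
PII_FIELDS = {"name", "phone", "email"}
SERIAL_RE = re.compile(r"^DSN-[0-9a-f]{8}$")


class SerialRegistry:
    """Issues Data_Serial_No tokens. The PII -> serial map stays at the wall;
    only the serial travels on to the Data Wallet Factory and the Business."""

    def __init__(self):
        self._by_pii = {}     # tuple of (field, value) -> serial
        self._by_serial = {}  # serial -> tuple of (field, value)

    def serial_for(self, pii):
        if pii not in self._by_pii:
            serial = "DSN-" + secrets.token_hex(4)
            self._by_pii[pii] = serial
            self._by_serial[serial] = pii
        return self._by_pii[pii]

    def resolve(self, serial):
        return self._by_serial.get(serial)


def validate(form):
    """Steps 1/2: return the reasons (if any) the received data is not valid."""
    errors = []
    for field, value in form.items():
        if field not in FIELD_NO:
            errors.append(f"unknown field '{field}'")
        elif not str(value).strip():
            errors.append(f"empty value for '{field}'")
    if "age" in form and not str(form["age"]).isdigit():
        errors.append("age must be numeric")
    if not any(f in PII_FIELDS for f in form):
        errors.append("no identifying field supplied (model assumes no anonymity)")
    serials = {str(v) for f, v in form.items() if f in PII_FIELDS and SERIAL_RE.match(str(v))}
    if len(serials) > 1:
        errors.append("conflicting Data_Serial_No values")
    return errors


def security_check(form, registry, now=None):
    """Run the Security Check wall over one form submission.
    Returns (data_package or None, notices for Customer and Business)."""
    now = now or datetime.now(timezone.utc)
    errors = validate(form)
    if errors:
        # Step 2: both parties are told of the abort; only the Business receives
        # the error interrupt with details (step 2a).
        return None, {"customer": "transaction aborted: data not accepted",
                      "business": {"error_interrupt": errors}}
    # Step 1a: raw PII values are replaced by one Data_Serial_No.
    raw_pii = tuple(sorted((f, str(v)) for f, v in form.items()
                           if f in PII_FIELDS and not SERIAL_RE.match(str(v))))
    if raw_pii:
        serial = registry.serial_for(raw_pii)                     # 1a.i
    else:
        serial = next(str(v) for f, v in form.items() if f in PII_FIELDS)  # 1a.ii
    fields = []
    for f, v in form.items():                                     # 1b: Field table
        value = serial if f in PII_FIELDS else v                  # PII stopped here
        fields.append({"field_no": FIELD_NO[f], "title": FIELD_TABLE[FIELD_NO[f]],
                       "value": value})
    package = {                                                   # 1c-1e
        "Data_Serial_No": serial,
        "date": now.date().isoformat(),
        "time": now.time().isoformat(timespec="seconds"),
        "data_package": fields,
    }
    return package, {"customer": "data accepted",
                     "business": "data_package forwarded to Data Wallet Factory"}
```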
Data Wallet Factory
This is a mechanism where the raw data received is further simplified before it is converted into a Data Wallet. A Data Wallet is simply the result of systematically classifying the data obtained from the Data Encryption Algorithm.
In the Data Wallet Factory, security is at its optimum, because the data has to be sent to a data repository called the Data Well Center. A copy of the Data Wallet is distributed to the Business and to the Data Well Center. The contents of a Data Wallet are shown below:
Figure 2: Data Wallet
The most essential element of the Data Wallet is its first field, which specifies the destination of the Data Wallet. Behind this destination address, however, lies something called the Data Cease Algorithm.
Data Cease Algorithm
This algorithm came into being in view of the amount of data that this system of data privacy collects. If data accumulates at the anticipated rate, a data repository of this sort is practically not feasible. Fundamentally, every item of customer data should have a life period. Once that life period has elapsed, the data ought to be ceased, and no data will be made available after that period. This period is decided by the Other Businesses (discussed later in this section). Economically, the charges for data storage depend directly on the amount of time for which it has to be stored.
Analysis of Data Cease Algorithm
1. Receive the data_package.
2. Categorize the Data based on type of Business and assign it category_no.
3. Register the Data_Serial_No., category_no., Date, Time separately in a database.
4. Get the Business life_period.
// life_period is the time for which the business needs access to the data
5. Based on the Business life_period calculate the Cease_date and Cease_time.
6. Add Cease_date and Cease_time as new attributes to database.
7. Send the Customer data to a separate database.
8. Create a channel for the Business to use the customer information for a stipulated time.
9. Keep a counter for the number of times the data is used.
10. Delete the data.
a. If the Business has reached its maximum limit of data usage.
b. If the life_period is over.
11. Update the database after deletion.
End of Data Cease Algorithm
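The Data Cease Algorithm as it would run inside the Data Well Center, as an added example (not the design's own code). Assumed rather than specified by the page: an in-memory dict stands in for the database, the business-type to category_no table is constructed, life_period is counted in days and the usage limit as a number of accesses, and all times are UTC and passed in (as a datetime or ISO-8601 string) so expiry can be exercised without waiting.

```python
"""Data Cease Algorithm inside the Data Well Center (added example).

Assumptions (not from the design): in-memory dicts as the database; a constructed
business type -> category_no table; life_period in days; usage limit as a count;
UTC clock injected as a datetime or ISO-8601 string.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CATEGORY_NO = {"retail": 1, "banking": 2, "insurance": 3}   # step 2 (constructed)


def _to_dt(when):
    """Accept a datetime or an ISO-8601 string; default to the current UTC time."""
    if when is None:
        return datetime.now(timezone.utc)
    return when if isinstance(when, datetime) else datetime.fromisoformat(when)


@dataclass
class CeaseRecord:
    """One row of the register kept in step 3 and extended in step 6."""
    Data_Serial_No: str
    category_no: int
    date: str
    time: str
    Cease_date: str
    Cease_time: str
    max_uses: int
    uses: int = 0          # step 9 counter

    def cease_at(self):
        return datetime.fromisoformat(f"{self.Cease_date}T{self.Cease_time}+00:00")


class DataWellCenter:
    def __init__(self):
        self.register_db = {}   # Data_Serial_No -> CeaseRecord     (steps 3, 6)
        self.customer_db = {}   # Data_Serial_No -> customer fields (step 7)
        self.deletions = []     # (Data_Serial_No, reason)          (step 11 trail)

    def receive(self, package, business_type, life_period_days, max_uses, now=None):
        """Steps 1-7: register the data_package and compute its cease moment."""
        now = _to_dt(now)
        cease = now + timedelta(days=life_period_days)             # step 5
        rec = CeaseRecord(package["Data_Serial_No"], CATEGORY_NO[business_type],
                          package["date"], package["time"],
                          cease.date().isoformat(),
                          cease.time().isoformat(timespec="seconds"), max_uses)
        self.register_db[rec.Data_Serial_No] = rec
        self.customer_db[rec.Data_Serial_No] = package["data_package"]
        return rec

    def access(self, serial, now=None):
        """Steps 8-11: the Business reads through its channel. Returns the fields,
        or None once the life_period is over or the usage limit is reached."""
        rec = self.register_db.get(serial)
        if rec is None:
            return None
        if _to_dt(now) >= rec.cease_at():                          # step 10b
            self._delete(serial, "life_period over")
            return None
        rec.uses += 1                                               # step 9
        fields = list(self.customer_db[serial])
        if rec.uses >= rec.max_uses:                                # step 10a
            self._delete(serial, "usage limit reached")
        return fields

    def sweep(self, now=None):
        """Housekeeping pass: cease every record whose life_period has elapsed."""
        now = _to_dt(now)
        expired = [s for s, r in self.register_db.items() if now >= r.cease_at()]
        for s in expired:
            self._delete(s, "life_period over")
        return len(expired)

    def _delete(self, serial, reason):
        self.customer_db.pop(serial, None)
        self.register_db.pop(serial, None)                          # step 11
        self.deletions.append((serial, reason))
```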
Data Well Center
This is a universal organization with several functions in terms of Data Privacy and its issues. An analogy can be drawn between the Data Well Center and ICANN as far as their functioning is concerned: they have to set the rules and operate accordingly. The various sub-components of the Data Well Center are as follows:
OPA Membership: It is a prerequisite that the Business is a member of OPA. Otherwise no transaction is encouraged by the Center. Only after registration can the business go ahead with its data collection process.
Data Storage: The center possesses a huge database to cater to several thousand entries that are recycled everyday, thereby finding a solution to the increasing demand of storage.
Data Delivery: The center delivers the data to the members of this association and maintains a temporary channel of communication with them. No data is transferred to any Business; however, the Business can always access the data, which remains the center's resource. Thus, an individual is fully convinced that his data is safe and secure.
Data Cease Algorithm: This algorithm is also prevalent in the center as one copy of the Data Wallet is received. This helps in recycling of data and creation of storage space.
It is found in many cases that data once collected from a customer is sold or circulated to other Business organizations for marketing purposes. The result is that communication is initiated by a Business with which you have no familiarity. This is one reason why people hesitate to disclose their data. Such Businesses can be termed Indirect Businesses, as they are not directly associated with the customer.
Thus, if we have a framework where even these Businesses come forward professionally and register their needs, the mechanism of work becomes more transparent. The center can extend its services at a cost, thereby covering its infrastructure expenses. Hence, even the demand of Businesses for Customer data is satisfied.
Privacy and Human Rights, <http://www.gilc.org/privacy/survey/surveyak.html>
CDT’s guide to Online Privacy, Chapter Three: Existing Privacy Protections <http://www.cdt.org/privacy/guide/protect/>
Guidelines on the Protection of Privacy and Transborder Flows of Personal Data <http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-en.HTM>
This model is an original design that integrates present technology with future ideas. The World Wide Web requires a global agreement on this issue; the debate has put E-Commerce and E-Business in jeopardy. This paradigm caters to all these issues, thus setting a platform for safe, secure and protected data exchange between Businesses and their Customers.
The final test of this design is the correspondence between Problem Demand, the Aims and Objectives of the design, and the Design Concept. If this holds good for all cases then the design can be considered competent. The following table decides whether a solution to the problem has been reached or not.
Aims and Objectives
Data Application Limitation Principle
Levels of Data privacy
Data Quality Principle
Transaction Walls and Data Encryption Algorithm
Understanding of Data Collection
Purpose Specification Principle
Data Well Center
Security Safeguards Principle
Policy Agreement Transaction Wall
Universal Governing Body
Collection Constraint Principle
Data Well Center
Usage of the data
Data Application Limitation Principle
OPA agreement Transaction Wall
Security Safeguards Principle
Data Wallet Factory
Page Uploaded: 29th October 2001