Communicating with End Users about Privacy Policies

Once organizations have determined and defined their privacy policies, they must find some way to communicate their privacy practices to their customers.  If people cannot understand these privacy policies, they are essentially useless. The Platform for Privacy Preferences (P3P), a machine-readable format for privacy policies, was developed in 2002 to facilitate user access to privacy information. We are developing a P3P-enhanced search interface, named Privacy Finder, to help users more easily understand privacy policies.  Like a nutrition label for privacy, Privacy Finder offers a privacy report that summarizes the most important and relevant information use elements present in the privacy policy.

Privacy Finder

The World Wide Web Consortium (W3C) developed the Platform for Privacy Preferences (P3P) to make privacy policies more usable. P3P is a standard machine-readable format for privacy policies. Companies can adopt that standard to post online privacy policies readable by P3P-enabled web browsers and P3P “user agents” that present the privacy policies in simplified formats. Privacy Finder (http://privacyfinder.org), a P3P-enabled search engine, annotates search results with privacy information derived from P3P policies and generates “privacy reports” for P3P-enabled websites.

Figure 1: Privacy Finder Interface

Figure 2: Privacy policy summary generated for BarnesandNoble.com

Privacy Finder submits search queries to Google and Yahoo!, obtains the results, and checks for P3P policies. It then displays the results annotated with privacy indicators or “privacy icons” that graphically represent how well a website’s P3P policy matches the privacy preferences specified by the user. The icons represent a five-point privacy “meter” (see Table 1). The meter is composed of a set of four boxes that are shown as green (filled) or white (empty) based on an algorithm that accounts for the number of privacy preference mismatches. Thus, a site that violates most of the user’s preferences will have zero or one box filled, while a site with only a few mismatches might have two or three filled boxes. Sites without P3P policies are not annotated with a privacy icon.

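[Table 1 lists the privacy icons (images not reproduced) under the columns "Icon" and "Site"; the surviving site descriptions are "Matches privacy preferences" and "Does not match privacy preferences".]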

Table 1: Privacy Finder’s privacy indicators
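
The meter described above can be sketched as follows. This is an added example, not Privacy Finder's own code: the preference rules, the sample policy, and the mapping from mismatch count to filled boxes are assumptions chosen to be consistent with the description, and only the element names come from the P3P 1.0 vocabulary.

```python
import xml.etree.ElementTree as ET

P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed sample policy using P3P 1.0 vocabulary (not a real site's policy).
SAMPLE_POLICY = """<POLICY xmlns="http://www.w3.org/2002/01/P3Pv1" name="sample">
  <STATEMENT>
    <PURPOSE><current/><contact required="opt-in"/><telemarketing/></PURPOSE>
    <RECIPIENT><ours/><unrelated/></RECIPIENT>
  </STATEMENT>
</POLICY>"""

# Hypothetical user preferences: (section, practice, consent levels accepted).
# An empty set means the practice is never acceptable to this user.
PREFERENCES = [
    ("PURPOSE", "telemarketing", {"opt-in"}),
    ("PURPOSE", "contact", {"opt-in"}),
    ("PURPOSE", "individual-analysis", {"opt-in", "opt-out"}),
    ("RECIPIENT", "unrelated", {"opt-in"}),
    ("RECIPIENT", "public", set()),
]

def count_mismatches(policy_xml, preferences):
    """Count preferences violated by at least one statement in the policy."""
    # Policies come from third-party sites: a deployment should parse them
    # with a hardened XML parser rather than the default one used here.
    root = ET.fromstring(policy_xml)
    mismatches = 0
    for section, practice, accepted in preferences:
        path = f".//{P3P_NS}{section}/{P3P_NS}{practice}"
        # P3P treats a missing "required" attribute as "always".
        if any(el.get("required", "always") not in accepted
               for el in root.iterfind(path)):
            mismatches += 1
    return mismatches

def meter_boxes(policy_xml, preferences):
    """Return filled boxes (0-4), or None when the site has no P3P policy."""
    if policy_xml is None:
        return None  # sites without a P3P policy get no icon
    bad = count_mismatches(policy_xml, preferences)
    if bad == 0:
        return 4  # full match: all four boxes filled
    # Assumed scaling: any mismatch caps the meter at three boxes.
    return min(3, 4 * (len(preferences) - bad) // len(preferences))

if __name__ == "__main__":
    print(meter_boxes(SAMPLE_POLICY, PREFERENCES))
```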

One version of Privacy Finder, designed for online shopping, submits search queries via the Google and Yahoo! shopping interfaces and returns search results annotated with product photographs and price information, in addition to the privacy information described above.

User Studies

Privacy Bird

This study employed an earlier version of Privacy Finder named Privacy Bird. Participants came to the CUPS lab and were asked to purchase two items: a privacy-sensitive item (Trojan condoms) and a non-privacy-sensitive item (a power strip). We found preliminary evidence that when privacy policy information is made available in search engines, online shoppers seek out more privacy-friendly websites. Of note: study participants were reimbursed for their purchases, and thus had no direct incentive to consider price in their purchasing decisions.

Privacy Finder Shopping

In this experiment, we used the Privacy Finder Shopping interface and examined whether online shoppers would purchase from sites with prominent privacy information (privacy icons) and pay a premium to make their purchases from the more privacy-friendly merchants when provided with a price incentive. In this study, we offered participants a “lump sum” payment; any money remaining after their purchases was theirs to keep. We found that for both privacy-sensitive items (a vibrating sex toy) and non-privacy-sensitive items (AA batteries), participants shown the privacy information were more likely to purchase from sites that cost more and offered better privacy protections.

Future Work

To continue to investigate the effectiveness of usable privacy communication, we plan to do the following:

Privacy Finder Usage Study
We will conduct an empirical study to determine the extent to which privacy information in search engine results influences users’ browsing behavior. As opposed to a lab setting, we will conduct a field study to examine the impact of a privacy-enhanced search engine (Privacy Finder) on normal everyday search patterns. We will track and analyze the usage of the search engine, including the search terms, the results, the number of sites with P3P policies, the links followed, and views of the Privacy Report and privacy policies. (All results and log files will be kept confidential.)
Premium Preferences Survey
To better pinpoint the tradeoff between the level of privacy and the prices people are willing to pay when purchasing items online, we will conduct an online survey where we display screenshots of shopping search results. We will ask participants from which site they would purchase the product. The results from this survey will help inform the design of the Privacy Information Timing Study.
Privacy Information Timing Study
The privacy timing purchase study allows us to experimentally test the premiums and privacy preferences derived from the premium preferences study. In this study, participants will be solicited to participate in an online shopping study where they will be presented with websites in a search engine interface that are annotated with privacy icons, presented with a privacy icon once they visit a particular site from the list of search results, or presented with no privacy information at all.  This will allow us to examine the impact of providing or not providing this privacy information.