Introduction
"This task will develop an open source browser extension for a privacy dashboard that will enable users to manage their identities, credentials, and privacy preferences, and enable them to track disclosures of personal data to websites"
- Motivated by reviewers' comments on need for open source
deliverables that expose PrimeLife ideas to the broader
community and which can be widely deployed in the near term
- Illustrate what can be done with today's websites without modifications
- Demo the potential of new approaches that have yet to be
deployed
- Implemented as Firefox add-on plus server modules as needed
- Using Mozilla open source license to facilitate adoption
More details in the PrimeLife Wiki
Draft Development Plan
- tracking data entered via forms together with UI for querying
this data log, means to store this along with other personal data
locally or on server. Authenticating user for each browser session
for shared computers. This will build upon ideas in Weave
- block 3rd party cookies e.g. if site doesn't have P3P policy
etc. Provide a privacy gauge in status bar with use of white lists
and certificates (demo certs)
- identity management so that users don't need to create or
remember user ids/passwords, motivation is to make it harder to
track users across sites and to discourage identity theft. This
will build upon ideas in Weave
- credential management as alternative to entering personal data
in forms (demo with server code)
- HTTP Link header and support for policies and activity 5.3
pre-matching processing (demo with server code)
- dashboard for social websites: privacy and analytics with some Elgg specific extensions for demo purposes
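The first item of the development plan, a log of data entered via forms that the dashboard can query, as an added example that is not PrimeLife project code. In a Firefox add-on the recording call would sit in a form submit listener; here the form fields are constructed sample input, and the choice to log password fields by name only (never their value) is an assumption of this example, not something the page states.

```javascript
// Added example (not PrimeLife project code): an in-memory "data track" log of
// personal data entered into web forms, with the queries a dashboard UI would
// run over it. In a Firefox add-on the recordSubmission() call would sit in a
// form "submit" listener; here the form fields are constructed sample input.

function createDataTrack() {
  return { entries: [] };
}

// Record one form submission. formFields is [{ name, type, value }] as a
// submit listener would collect them. Design choice (assumption, not from the
// page): password fields are logged by name only, never by value.
function recordSubmission(track, site, formFields, when = new Date()) {
  const fields = formFields
    .filter((f) => f.value !== undefined && f.value !== '')
    .map((f) => ({
      name: f.name,
      type: f.type || 'text',
      value: f.type === 'password' ? null : String(f.value),
    }));
  const entry = {
    id: track.entries.length + 1,
    site,
    when: when.toISOString(),
    fields,
  };
  track.entries.push(entry);
  return entry;
}

// Everything the user has disclosed to one site, newest first.
function disclosuresTo(track, site) {
  return track.entries
    .filter((e) => e.site === site)
    .sort((a, b) => (a.when < b.when ? 1 : -1));
}

// Which sites hold a given field (optionally only a given value), sorted.
function sitesHolding(track, fieldName, value) {
  const sites = new Set();
  for (const e of track.entries) {
    for (const f of e.fields) {
      if (f.name === fieldName && (value === undefined || f.value === value)) {
        sites.add(e.site);
      }
    }
  }
  return [...sites].sort();
}

// Per-site count of disclosed fields: the raw material for a footprint view.
function footprint(track) {
  const counts = {};
  for (const e of track.entries) {
    counts[e.site] = (counts[e.site] || 0) + e.fields.length;
  }
  return counts;
}

// Constructed sample: two sign-up forms and one login, as a listener would see them.
function sampleTrack() {
  const track = createDataTrack();
  recordSubmission(track, 'shop.example', [
    { name: 'email', type: 'email', value: 'alice@example.org' },
    { name: 'postcode', type: 'text', value: 'AB1 2CD' },
    { name: 'newsletter', type: 'checkbox', value: '' }, // unchecked: nothing disclosed
  ], new Date('2010-03-01T10:00:00Z'));
  recordSubmission(track, 'social.example', [
    { name: 'email', type: 'email', value: 'alice@example.org' },
    { name: 'password', type: 'password', value: 'hunter2' },
    { name: 'birthdate', type: 'text', value: '1980-01-01' },
  ], new Date('2010-03-02T09:30:00Z'));
  recordSubmission(track, 'shop.example', [
    { name: 'email', type: 'email', value: 'alice@example.org' },
    { name: 'password', type: 'password', value: 'hunter2' },
  ], new Date('2010-03-03T08:00:00Z'));
  return track;
}
```

The `sitesHolding` query is the one a "to whom has this been disclosed" view needs; `footprint` feeds a per-site count that a gauge or footprint tab could render.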
Background
Background Work
- Related work in PrimeLife
- Personal dashboard for the social web
- AttentionTrust
- Prime DataTrack
- Mozilla Labs - Weave
- SuperGenPass
- PrivacyChoice
- Understandable Privacy Policies
- Right to subject access
- Oversight for trusted identity providers
Related work in PrimeLife
- D4.1.2 Low Level Prototypes
- H4.1.2 HCI Pattern Collection v1
- D4.2.1 Trust and Assurance Control – UI Prototypes
- D4.3.1 UI prototypes: Policy administration and presentation v1
- D3.4.2 Second Report on Standardisation and Interoperability
- H 5.3.2 Second Design for Policy Languages and Protocols
Note: there is a lack of resources for a full-blown implementation of the client and server side components for 5.3. Moreover, that isn't something we could widely deploy in the near term. Instead, focus on demoing some aspects of the 5.3 work, e.g. pre-matching.
Personal Dashboard for the Social Web
Liz Ganne's blog "My wish for 2010"
- Privacy: a better idea of what's publicly known about me
- Analytics: checking my stats and trends as a content publisher
This led me to Knx.to, a web app
using OAuth to access your profile and social contacts on Twitter,
facebook, LinkedIn, Flickr, GoogleMail and Yahoo! Mail.
- The app makes it easy for you to log into each of the above sites and grant knx.to temporary access to your personal information
- This is stored locally on your browser and not on the Knx.to site
- Provides a proof of concept for how a privacy dashboard could
access your social websites and present information about specific
friends.
AttentionTrust
AttentionTrust believes that we all have the right 1)
to own at least a copy of our data, 2) to store that data where we
want and move it when we want, 3) to exchange it for something of
value to us, and 4) to know what others intend to do with our
data, so that we can make informed decisions about who should have
access to it.
- Firefox add-on that records your browsing history and saves it
to local and remote service
- For each web page you visit it saves the web page’s URL, the
web page’s title, the HTTP response code, and whether that web
page read or wrote any cookies, but not the cookies themselves
No longer under development, but still informative.
Prime DataTrack
- DataTrack is a tool integrated into the PRIME Console to
display information about personal data disclosures
- Initial implementation was done with JavaScript and XUL,
and later ported to Java
- Main view is a graphical slider that zooms through the history
of disclosures, showing the revealed information in a card-like
fashion
- Data is obtained via a Web service from the PRIME client core
- Other views show a table of all information sent through PRIME
to any contact
- Further work on DataTrack in PrimeLife
- Including support for viewing and correcting data held by servers
and accessed via the Prime core
Java source code available.
Mozilla Labs - Weave
- Project to integrate web services into Firefox by allowing
users to securely share their data with other instances of their
own software, other users and 3rd parties
- Includes a Firefox add-on, a server component, and data sharing
APIs
- Enable users to carry their browser context with them, to
whichever computer that they are currently using
- Weave Account Manager helps users manage logins and profile information for each site, and it will automate currently manual tasks such as signing up for sites, generating passwords, etc.
- Users never need to type their password, and Weave will allow
users to change all of their managed passwords with a single
operation
- Opportunity to share ideas and code with Mozilla Labs, and the
potential for a privacy dashboard to be included as part of Firefox,
and subsequent adoption by other browser vendors
SuperGenPass
- Allows you to type a single password and transform it into a
site specific password at the click of a button
- Implemented as cross-browser bookmarklet
- Convenience of a single master password with the use of strong
site specific passwords
- Weakness is that your master password will be revealed to the
website if you forget to click the SuperGenPass button
- Better yet would be to avoid sending passwords and instead
use some kind of identity proof
PrivacyChoice
A service that gives users the means to opt-out of behavioral
targeted ads, either completely or to restrict such ads to
companies that are accountable to the best privacy practices.
You have a choice of opting out with:
- PrivacyChoice which hosts an industry-wide database of
ad-targeting companies
- The Network Advertising Initiative, you still get ads, but
these are no longer tailored to your Web preferences and usage
patterns
- The TACO Firefox add-on which prevents 90 different online
advertising networks (including Google, Microsoft and Yahoo) from
displaying highly targeted advertisements using the detailed
information on users' web surfing habits which they quietly
collect all across the Web
Note: the EFF has worked with Google to provide an alternative
solution, involving a browser add-on which allows users to
permanently opt out of the DoubleClick cookie, which is an
advertising cookie that Google uses.
Understandable Privacy Policies
- Aza Raskin's blog post Making Privacy Policies not Suck describes the challenges in making privacy policies easier to understand
- Mozilla Drumbeat is a project with a mission to build a community of people who create tools that help others understand, participate in and take control of their internet lives. A Japanese design company has been contracted to do some initial design work on a simple set of icons
- The CyLab Usable Privacy and Security Laboratory (CUPS) at Carnegie Mellon University is working on privacy labels, inspired by work on nutritional labels and a study of how people react to behavioral advertising. See CHI 2009 slides
- facebook's privacy policy is written in plain language, but is lengthy and not something that most users would read. It adheres to the Safe Harbor principles negotiated between the US and EU
- Opportunity for machine interpretable policy in XML that can
be translated into plain language for use in dashboard
- P3P as a starting point, but see criticisms
- H5.3.2 as a further example
Right to subject access
This EU right allows a data subject to be informed of the
information held about them and to discover to whom it has been
disclosed. The request for access must be made in writing
(including fax and email) and an institution must respond to the
request within a period of 40 calendar days.
- Surely, we can do better than paper mail, fax and email?
- Websites could provide an online means for users to exercise
their right to be informed of the information held about them, etc.
- Necessitates some form of authentication to ensure that only legitimate requests are handled
- Cost to an institution for handling requests could be further
reduced by using some kind of semantic model of personal data and
a standard way to query for it
- Such an interface could then be used by a privacy dashboard
to facilitate users wishing to view the personal data that is held
on them by different organizations and to make any necessary
corrections
- Legal right to correct errors in PII but not to delete it
except when unlawful use can be proved
Notifications
- Privacy Policies may include obligations to notify the data subject when various events occur, e.g.
  - when personal data is used for specific purposes
  - when personal data is passed to third parties
  - when personal data is deleted at the end of the retention period
- Email may not be the best way to deliver notifications
  - Easy for the data controller, but inconvenient for users to manage lots of notifications
  - May be perceived as "spam"
- Possibility for including notifications as part of the Dashboard
  - Integrated with data track UI for a holistic view
  - User preferences for controlling when the UI signals new notifications
  - Notifications sent via web service
    - End point provided by user along with her PII
Oversight for trusted identity providers
See America's plan for national broadband
- users entrust personal data with identity provider
- FCC concerned with providing a backstop in the case that an identity provider ceases to operate
- The Federal Deposit Insurance Corporation (FDIC) as an analog
  - Guarantees bank deposits of individuals up to certain levels
  - Oversight of banks in respect to standards and risk taking
  - Gives individuals confidence to invest funds in banking system
- What analogous framework is needed for identity providers?
- Europe shouldn't be left behind...
More Details
Policy Pre-Matching
- How to find out what privacy policy is in place, before making an HTTP request to a website?
  - HTTP requests leak personal data, e.g. IP address, Cookies, user-agent, ...
  - P3P Safezone concept
  - HTTP Link header for URI for page's policy
  - Privacy enhanced search results
- Matching user preferences to policies
  - Use H5.3.2 policy language
  - Use web service to avoid integrating matching code within the Firefox add-on
  - Alternatively, see if it is practical to re-use P3P or to define a new very simple policy mechanism
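Policy pre-matching as a dashboard could do it before the real request to a page, as an added example that is not PrimeLife project code and not the H5.3.2 policy language. Assumptions not on the page: the Link relation name "privacy-policy", the JSON shape used here for a policy and for the user's preferences (a stand-in for a real policy language), and the names of the decision outcomes.

```javascript
// Added example (not PrimeLife project code): discover a page's policy from
// the HTTP Link header, fetch it without leaking cookies or referrer (the P3P
// "safe zone" idea), match it against user preferences, and decide what the
// gauge / cookie blocking should do. The policy and preference shapes are
// constructed stand-ins, not the H5.3.2 syntax.

// Parse an HTTP Link header value into [{ uri, rel, type, ... }].
function parseLinkHeader(value) {
  const links = [];
  const re = /<([^>]*)>((?:\s*;\s*[^,;]+)*)/g;
  let m;
  while ((m = re.exec(value)) !== null) {
    const link = { uri: m[1] };
    for (const param of m[2].split(';').map((s) => s.trim()).filter(Boolean)) {
      const eq = param.indexOf('=');
      if (eq < 0) {
        link[param.toLowerCase()] = true;
        continue;
      }
      const key = param.slice(0, eq).trim().toLowerCase();
      link[key] = param.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    }
    links.push(link);
  }
  return links;
}

// URI of the page's policy, or null when the site advertises none.
// The relation name is an assumption of this example.
function findPolicyLink(links, relName = 'privacy-policy') {
  for (const l of links) {
    if (typeof l.rel === 'string' && l.rel.split(/\s+/).includes(relName)) return l.uri;
  }
  return null;
}

// fetch() options for retrieving the policy itself in the spirit of the P3P
// safe zone: no cookies, no referrer, so the lookup discloses as little as
// possible before the user has seen the policy.
function safezoneRequestInit() {
  return { method: 'GET', credentials: 'omit', referrerPolicy: 'no-referrer', cache: 'no-store' };
}

// Compare a policy with the user's preferences; every disagreement is listed
// so the dashboard can show why the gauge went red, not just that it did.
function matchPolicy(policy, prefs) {
  const mismatches = [];
  for (const p of policy.purposes) {
    if (!prefs.allowedPurposes.includes(p)) mismatches.push(`purpose not allowed: ${p}`);
  }
  if (policy.thirdParties && !prefs.allowThirdParties) mismatches.push('data shared with third parties');
  if (policy.retentionDays > prefs.maxRetentionDays) {
    mismatches.push(`retention ${policy.retentionDays} days exceeds ${prefs.maxRetentionDays}`);
  }
  return { ok: mismatches.length === 0, mismatches };
}

// Decision for the gauge / cookie blocking: white-listed sites are trusted
// as-is, sites without any policy get their third-party cookies blocked,
// everything else depends on the match.
function decide(links, policy, prefs, site) {
  if (prefs.whitelist.includes(site)) return 'allow';
  if (findPolicyLink(links) === null || policy === null) return 'block-3rd-party-cookies';
  return matchPolicy(policy, prefs).ok ? 'allow' : 'warn';
}

// Constructed sample inputs (a HEAD/GET response header and a fetched policy).
const SAMPLE_LINK_HEADER =
  '<https://shop.example/policy.xml>; rel="privacy-policy"; type="application/xml", ' +
  '<https://shop.example/page?p=2>; rel="next"';
const SAMPLE_POLICY = { purposes: ['service', 'marketing'], thirdParties: true, retentionDays: 365 };
const SAMPLE_PREFS = {
  allowedPurposes: ['service'],
  allowThirdParties: false,
  maxRetentionDays: 90,
  whitelist: ['bank.example'],
};
```

The `safezoneRequestInit` object is what an add-on would pass to `fetch(policyUri, ...)`; the matching itself is kept in the client here, whereas the plan above considers moving it into a web service.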
Support for Credentials
- Use of credentials as alternative to filling out personal details
  - Attestation e.g. that user is over 18 years old, or is a member of some organization
  - Benefits to both users and websites
- Want to demo something that would appeal to Mozilla Labs and potential websites
  - Probably restricted to something simple by amount of development time available, although idemix and u-prove are potentially interesting
- May be worth considering digitally signed credentials where a mutually trusted 3rd party dynamically attests to properties of a user for a given session id provided by the website
  - Easy to demo using PHP scripts and available libraries
  - Would allow for a degree of anonymity, although users could still be identified via cookies or even their IP address, so the anonymity would be limited without the use of anonymizing proxies
  - UI would require explicit permission of user before release of credentials
  - Dashboard would track to whom and when credentials are released
Support for Credentials
A simple credential system
- Website X trusts identity providers who have valid certificates from example.com
- The web page from site X includes metadata stating
  - example.com is a trusted certification agency
  - requirements on which properties need credentials
  - the session id that the credential needs to bind to
- Dashboard recognizes the metadata
  - Checks if user's identity provider has matching certificate
  - Asks user for permission for the identity provider to generate a credential for the requested user properties
  - Passes an authorization token to website X enabling it to get the corresponding credential from the identity provider
Dashboard UI
Needs to be informed by experience of PrimeLife team
- Clearly part of the browser chrome
  - Dashboard submenu in Tools menu
  - Status bar contains button and gauge
    - Footprint button invokes Dashboard panel
    - Gauge provides indication of privacy risk
- Dashboard panel with multiple tabs
  - Preferences settings including identity management
  - Privacy footprint review (aka datatrack)
  - Page specific privacy info
  - Credential authorizations