CyLab's Dr. Lorrie Cranor delivered the keynote for the 13th Annual Privacy Enhancing Technologies Symposium (Bloomington, Indiana), Wednesday, July 10, 2013.
Dr. Cranor is Director of the CyLab Usable Privacy and Security Laboratory (CUPS) and co-director of the MSIT-Privacy Engineering masters program and Associate Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University.
She spoke on "Privacy Notice and Choice in Practice."
"Notice and choice" are key principles of modern information privacy protection. The various sets of fair information practice principles and the privacy laws based on these principles include requirements for providing notice about data practices and allowing individuals to exercise control over those practices. In the United States, privacy self-regulatory efforts focus heavily on notice and choice. However, there has been little follow-up to evaluate the effectiveness of notice and choice efforts in practice -- to determine whether individuals provided with notice are able to make informed choices that align with their expectations of privacy...
Dr. Cranor's CUPS team has conducted empirical evaluations of a variety of notice and choice mechanisms, including privacy policies, the Platform for Privacy Preferences (P3P), online behavioral advertising opt-out tools, privacy nutrition labels, the AdChoices icon, and the standard form privacy notice for financial institutions.
In her keynote, Dr. Cranor provided background on notice and choice and presented several of of her team's empirical studies, highlighting both areas where notice and choice approaches show promise, as well as areas where existing notice and choice tools appear to be largely ineffective. In addition to discussing features of the notices and tools themselves, she also discussed the problems of incentives and enforcement, which continue to plague notice and choice efforts.
The full presentation in .pdf format can be viewed here.
Studies referenced in Dr. Cranor's keynote included:
Necessary But Not Sufficient: Standardized Mechanisms for Privacy Notice and Choice
Smart, Useful, Scary, Creepy: Perceptions of Online Behavioral Advertising
What Do Online Behavioral Advertising Disclosures Communicate to Users?
Why Johnny Can’t Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising
Are They Actually Any Different? Comparing Thousands of Financial Institutions’ Privacy Practices