FPF Advisory Board Member Lorrie Cranor Submits CUPS Reports to FTC


FPF Advisory Board member Lorrie Cranor, Director of CUPS (CyLab Usable Privacy and Security Lab) at Carnegie Mellon University informs us that the Lab has issued two new technical reports and submitted them as public comments to the FTC’s exploring privacy roundtable series. Here are the abstracts, but the full studies are definitely worth reading!

Standardizing Privacy Notices: An Online Study of the Nutrition Label
Approach Patrick Gage Kelley, Lucian Cesca, Joanna Bresee, Lorrie Faith Cranor November 10, 2009

Earlier work has shown that consumers cannot effectively find information in privacy policies and that they do not enjoy using them. In our previous research on nutrition labeling and other similar consumer information design processes we developed a standardized table format for privacy policies. We compared this standardized format, and two short variants (one tabular, one text) with the current status quo: full text natural language policies and layered policies. We conducted an online user study of 789 participants to test if these three more intentionally designed, standardized privacy policy formats, assisted by consumer education, can benefit consumers.Our results show that providing standardized privacy policy presentations can have significant positive effects on accuracy of information finding, overall speed, and reader enjoyment with privacy policies.

An Empirical Study of How People Perceive Online Behavioral Advertising
Aleecia M. McDonald and Lorrie Faith Cranor November 10,2009

We performed a series of in-depth qualitative interviews with 14 subjects who answered advertisements to participate in a university study about Internet advertising. Subjects were not informed this study had to do with behavioral advertising privacy, but raised privacy concerns on their own unprompted. We asked, “what are the best and worst things about Internet advertising?” and “what do you think about Internet advertising?” Participants held a wide range of views ranging from enthusiasm about ads that inform them of new products and discounts they would not otherwise know about, to resignation that ads are “a fact of life,” to resentment of ads that they find “insulting.” Many participants raised privacy issues in the first few minutes of discussion without any prompting about privacy. We discovered that many participants have a poor understanding of how Internet advertising works, do not understand the use of first-party cookies,let alone third-party cookies, did not realize that behavioral advertising already takes place, believe that their actions online are completely anonymous unless they are logged into a website, and believe that there are legal protections that prohibit companies from sharing information they collect online. We found that participants have substantial confusion about the results of the actions they take within their browsers, do not understand the technology they work with now, and clear cookies as much out of a notion of hygiene as for privacy. When we asked participants to read the NAI opt-out cookie description, only one understood the text. One participant expressed concern the NAI opt-out program was actually a scam to gather additional personal information. No participants had heard of opt-out cookies or flash cookies. We also found divergent views on what constitutes advertising. Industry self-regulation guidelines assume consumers can distinguish third-party widgets from first-party content, and further assume that consumers understand data flows to third-party advertisers. Instead, we find some people are not even aware of when they are being advertised to, let alone aware of what data is collected or how it is used.