Julia Brande Earp

Innovative web use to learn about consumer behavior and online privacy

Consumers are more protective of their personal data than most e-marketers probably ever expected. Indeed, any willingness by consumers to provide certain information online greatly depends on whos doing the asking.

Financial privacy policies and the need for standardization

The authors analyze 40 online privacy policy documents from nine financial institutions to examine their clarity and readability. Their findings show that compliance with the existing legislation and standards is, at best, questionable.

Analyzing Website privacy requirements using a privacy goal taxonomy

Privacy has recently become a prominent issue in the context of electronic commerce websites. Increasingly, Privacy policies posted on such websites are receiving considerable attention from the government and consumers. We have used goal-mining, to extract pre-requirements goals from post-requirements text artifacts, as a technique for analyzing privacy policies. The identified goals are useful for analyzing implicit internal conflicts within privacy policies and conflicts with the corresponding websites and their manner of operation. These goals can be used to reconstruct the implicit requirements met by the privacy policies. This paper interrelates privacy policy and requirements for websites; it introduces a privacy goal taxonomy and reports the analysis of 23 Internet privacy policies for companies in three health care industries: pharmaceutical, health insurance and online drugstores. The evaluated taxonomy provides a valuable framework for requirements engineering practitioners, policy makers and regulatory bodies, and also benefits website users.

Towards understanding user perceptions of authentication technologies

Digital identities are increasingly being used to facilitate the execution of transactions in various domains. When developing and analyzing digital identity technologies, it is important to consider the perceptions and responses of end users. Users are typically concerned about privacy and security, but do not necessarily understand how these issues are impacted by the use of digital identities. In this paper, we discuss preliminary results of a survey regarding authentication technologies used to generate digital identities. Most respondents were unfamiliar with a majority of the technologies in question (e.g. hand geometry scans), and expressed uncertainty about their use. Perceptions were more positive for the use of authentication technologies in the financial domain, and more negative for their use in the retail domain. The results may inform the design of future systems.

Internet privacy law: a comparison between the United States and the European Union

The increasing use of personal information in Internet-based applications has created privacy concerns worldwide. This has led to awareness among policy makers in several countries of the desirability of harmonizing privacy laws. The greatest challenge to privacy legislation from an international perspective arises because, while the Internet is virtually borderless, legislative approaches differ from country to country. This paper presents a functional comparison between current privacy law in the European Union (EU) and in the United States (U.S.), as such laws relate to regulation of websites and online service providers. In addition, similarities and differences between the 2002 EU Directive 2002/58/EC, Directive on Privacy and Electronic Communications, which has been adopted by the EU but not yet implemented, and the proposed U.S. Online Privacy Protection Act, are illuminated. Employing a qualitative approach, we use the Fair Information Practices to organize discussion of comparisons and contrasts between U.S. and EU privacy laws. Our investigation of this topic leads us to conclude that the right to privacy is more strictly protected in the EU than in the U.S. The Online Privacy Protection Act, recently introduced as a bill in Congress, has the potential to significantly affect commercial practices in the U.S. and move the U.S. towards current EU privacy protection laws. This analysis benefits managers as well as security professionals since the results can be used as guidelines in ensuring that an organizations website practices are consistent with requirements imposed by countries with which they exchange information. It also provides information that can guide organizations as they prepare for potential privacy legislation.

An Empirical Study of Consumer Perceptions and Comprehension of Web Site Privacy Policies

The U.S. legislation at both the federal and state levels mandates certain organizations to inform customers about information uses and disclosures. Such disclosures are typically accomplished through privacy policies, both online and offline. Unfortunately, the policies are not easy to comprehend, and, as a result, online consumers frequently do not read the policies provided at healthcare Web sites. Because these policies are often required by law, they should be clear so that consumers are likely to read them and to ensure that consumers can comprehend these policies. This, in turn, may increase consumer trust and encourage consumers to feel more comfortable when interacting with online organizations. In this paper, we present results of an empirical study, involving 993 Internet users, which compared various ways to present privacy policy information to online consumers. Our findings suggest that users perceive typical, paragraph-form policies to be more secure than other forms of policy representation, yet user comprehension of such paragraph-form policies is poor as compared to other policy representations. The results of this study can help managers create more trustworthy policies, aid compliance officers in detecting deceptive organizations, and serve legislative bodies by providing tangible evidence as to the ineffectiveness of current privacy policies.

Precluding incongruous behavior by aligning software requirements with security and privacy policies

Keeping sensitive information secure is increasingly important in e-commerce and web-based applications in which personally identifiable information is electronically transmitted and disseminated. This paper discusses techniques to aid in aligning security and privacy policies with system requirements. Early conflict identification between requirements and policies enables analysts to prevent incongruous behavior, misalignments and unfulfilled requirements, ensuring that security and privacy are built in rather than added on as an after-thought. Validated techniques to identify conflicts between system requirements and the governing security and privacy policies are presented. The techniques are generalizable to other domains, in which systems contain sensitive information.

The role of policy and stakeholder privacy values in requirements engineering

Diverse uses of information technology (IT) in organizations affect privacy. Developers of electronic commerce, database management, security mechanisms, telecommunication and collaborative systems should be aware of these effects and acknowledge the need for early privacy planning during the requirements definition activity. Public concerns about the collection of personal information by consumer-based Web sites have led most organizations running such sites to establish and publish privacy policies. However, these policies often fail to align with prevalent societal values on one hand and the operational functioning of Web-based applications on the other. Assuming that such misalignments stem from imperfect appreciation of consequences and not an intent to deceive, we discuss concepts, tools and techniques to help requirements engineers and IT policy makers bring policies and system requirements into better alignment. Our objective is to encourage RE researchers and practitioners to adopt a more holistic view of application and system specification, in which a system or application is seen as an engine of policy enforcement and values attainment.

An experimental economics approach toward quantifying online privacy choices

The importance of personal privacy to Internet users has been extensively researched using a variety of survey techniques. The limitations of survey research are well-known and exist in part because there are no positive or negative consequences to responses provided by survey participants. Such limitations are the motivation for this work. Experimental economics is widely accepted by economists and others as an investigative technique that can provide measures of economic choice-making that are substantially more accurate than those provided by surveys. This paper describes our efforts at applying the techniques of experimental economics to provide a foundation for (a) estimating the values that consumers place on privacy and various forms of security (encryption, HIPAA, etc.) and for (b) quantifying user responses to changes in the Internet environment. The contribution of this study is a better understanding of individual decision-making in the context of benefits and costs of making private information available to Internet sites. Preliminary results from a series of pilot studies are consistent with optimizing behaviors, indicating that continued application of experimental economics techniques in the quantification of Internet user actions in privacy/security space will be illuminating. Our results show that Internet users place great value on security measures, both regulatory and technical, that make identity theft much less likely. Our Web-based experiments indicate that privacy- and security- enhancing protections are likely to be subject to moral hazard responses, as participants in our online experiments became more aggressive in their Internet usage with greater protection in place.

Centralized end-to-end identity and access management and ERP systems: A multi-case analysis using the Technology Organization Environment framework

System security is a top issue facing global organizations. This study investigates the constraints and benefits of a successful centralized end-to-end identity and access management (CIAM) implementation and the moderating role that ERP systems have in the implementation. We apply the Technology Organization Environment (TOE) framework to a case study approach. We find that organizational and technological factors result in lapses in IT governance and act as barriers to CIAM. Environmental factors also hinder CIAM implementation. Additionally, ERP systems facilitate the development of a CIAM due to integration and standardization of identities and automated provisioning. When the ERP system supports CIAM, the organization and its employees experience significant benefits including single sign-on capabilities, increased security and privacy, efficiencies in user provisioning and password management, and audit process improvement. Our results will be of value to any organization implementing CIAM and ERP. Researchers can also use our findings to further study IAM, ERP or extensions to the TOE framework.