Understanding privacy policies

A study in empirical analysis of language usage

Empirical Software Engineering

Abstract

There is growing recognition that users of web-based systems want to understand, if not control, what customer’s data is stored by whom, for what purpose, for what duration, and with whom it is shared. We inform current language-based privacy efforts with an empirical study of P3P—the W3C domain-specific language for privacy policies. We use methods of software language engineering to study usage profiles, correctness of policies, metrics, cloning, and language extensions. The study supports the conclusion that P3P’s approach to policy validation is too weak to ensure correct use of the language. The study also discovers common, dominating policies, which may suggest a simpler approach to web privacy. Further, the study investigates a range of metrics for policies in an attempt to discover particularly interesting or complex policies. Finally, the study also attempts to discover symptoms of the need for extending the P3P language, but the results found are not conclusive here.

Notes

  1. Please note that the NON-IDENTIFIABLE element can also be used in a statement in combination with data references. In such case, the element signifies that “all of the data referenced by that STATEMENT will be anonymized upon collection” (W3C 2006).

  2. http://softlang.uni-koblenz.de/p3p

  3. http://slps.svn.sourceforge.net/viewvc/slps/topics/privacy/p3p/

  4. ODP website: http://www.dmoz.org/

  5. In the conference version of this paper (ICPC 2010), we referred to the now defunct Google directory as the source of our corpus. Google directory used to render essentially ODP as a set of websites.

  6. According to W3C’s P3P specification (W3C 2006), the policy reference file may be located by either of the following options. The file may be located in a predefined “well-known” location, which is essentially [WebSiteURL]/w3c/p3p.xml. Also, the website may contain the HTML/XHTML tag <link> indicating the location of the file. Finally, an HTTP response from the server may contain the reference.

  7. Comprehensive, concrete syntax definitions of P3P are available in different forms:

  8. BDS:

  9. http://www.w3.org/TR/P3P11/#schema_detail

  10. “Ourselves and/or entities acting as our agents or entities for whom we are acting as an agent: An agent in this instance is defined as a third party that processes data only on behalf of the service provider for the completion of the stated purposes. (e.g., the service provider and its printing bureau which prints address labels and does nothing further with the information.)” (W3C 2006).

  11. http://www.w3.org/TR/P3P11/#NON-IDENTIFIABLE

  12. http://www.w3.org/TR/P3P11/#DATA

  13. http://www.w3.org/TR/P3P11/#ua_sanity

  14. http://www.w3.org/TR/P3P11/#Data_Schemas_back

  15. For precision’s sake, this number is based on the semantical equality as introduced in Section 3.3 without taking into account extra equations due to ‘\({{\leq_{\mathit{sem}}}}\)’ as of Section 3.4. However, the difference is insignificant. That is, there is 1 policy that is unequal to any other policy at the level of normal forms while it is equal to another policy when taking into account Fig. 12.

  16. During the review phase of the paper, some of the policies disappeared from the Internet (see Appendix A.3). This is also the case for the bold policies at hand. All policies are preserved in our online corpus at http://slps.svn.sourceforge.net/viewvc/slps/topics/privacy/p3p/.

  17. http://www.astrodata.ch/w3c/policy-general.xml

  18. A reviewer of this paper suggested a new domain term to cover this sort of policy: ‘NoRightsReserved’ in legal language.

  19. http://www.universalmusic.com/

  20. http://p3pbook.com/examples.html

  21. http://www.alphaworks.ibm.com/tech/p3peditor

  22. http://www.w3.org/TR/P3P11/#extension

  23. http://www.dmoz.org/docs/en/about.html

  24. http://www.dmoz.org/guidelines/site-specific.html#non-english

  25. http://www.dmoz.org/guidelines/site-specific.html#multi-lingual

  26. http://www.dmoz.org/guidelines/regional/

  27. http://www.dmoz.org/guidelines/site-specific.html#multiple

  28. One might argue that ‘same’ decreases privacy, when compared to just ‘ours’ since data is shared with another entity. This would mean that we essentially trust the primary entity more than the other entity.

  29. http://www.w3.org/TR/P3P11/#PURPOSE

References

  • Agrawal R, Kiernan J, Srikant R, Xu Y (2003) An XPath-based preference language for P3P. In: Proceedings of WWW 2003. ACM, pp 629–639

  • Agrawal R, Kiernan J, Srikant R, Xu Y (2005a) XPref: a preference language for P3P. Comput Netw 48(5):809–827


  • Agrawal R, Bird P, Grandison T, Kiernan J, Logan S, Rjaibi W (2005b) Extending relational database systems to automatically enforce privacy policies. In: ICDE ’05: proceedings of the 21st international conference on data engineering. IEEE Computer Society, pp 1013–1022

  • Ashley P (2004) Enforcement of a P3P privacy policy. In: Proceedings of the 2nd Australian information security management conference, securing the future. School of Computer and Information Science, Edith Cowan University, Western Australia, pp 11–26


  • Balazinska M, Merlo E, Dagenais M, Laguë B, Kontogiannis K (2000) Advanced clone-analysis to support object-oriented system refactoring. In: Proceedings of the seventh working conference on reverse engineering (WCRE’00). IEEE Computer Society, pp 98–107

  • Baxter ID, Yahin A, Moura L, Sant’Anna M, Bier L (1998) Clone detection using abstract syntax trees. In: Proceedings of ICSM 1998. IEEE Computer Society, p 368

  • Baxter G, Frean M, Noble J, Rickerby M, Smith H, Visser M, Melton H, Tempero E (2006) Understanding the shape of Java software. In: Proceedings of OOPSLA 2006. ACM, pp 397–412

  • Bierman GM, Meijer E, Schulte W (2005) The essence of data access in Comega. In: ECOOP 2005—object-oriented programming, 19th European conference, proceedings, ser. LNCS, vol 3586. Springer, pp 287–311

  • Chevance RJ, Heidet T (1978) Static profile and dynamic behavior of COBOL programs. SIGPLAN Not 13(4):44–57


  • Collberg CS, Myles G, Stepp M (2007) An empirical study of Java bytecode programs. Softw Pract Exp 37(6):581–641


  • Cook RP, Lee I (1982) A contextual analysis of Pascal programs. Softw Pract Exp 12(2):195–203


  • Cranor LF (2002) Web privacy with P3P. O’Reilly & Associates

  • Cranor LF (2011) Re: comments on federal trade commission preliminary staff report. Protecting consumer privacy in an era of rapid change: a proposed framework for businesses and policymakers. Available online at http://www.ftc.gov/os/comments/privacyreportframework/00453-58003.pdf

  • Cranor LF, Egelman S, Sheng S, McDonald AM, Chowdhury A (2008) P3P deployment on websites. Electron. Commer. Rec. Appl. 7(3):274–293


  • Egelman S, Cranor LF, Chowdhury A (2006) An analysis of P3P-enabled Web sites among top-20 search results. In: Fox MS, Spencer B (eds) ICEC, ser. ACM international conference proceeding series, vol 156. ACM, pp 197–207

  • Falke R, Frenzel P, Koschke R (2008) Empirical evaluation of clone detection using syntax suffix trees. Empir Software Eng 13:601–643


  • Favre J-M, Gasevic D, Lämmel R, Pek E (2011) Empirical language analysis in software linguistics. In: Software language engineering—third international conference, SLE 2010, Eindhoven, revised selected papers, ser. LNCS, vol 6563. Springer, pp 316–326

  • Fenton NE, Pfleeger SL (1996) Software metrics: a rigorous and practical approach, 2nd edn. PWS Publishing Co

  • Fisler K, Krishnamurthi S (2009) Escape from the matrix: lessons from a case-study in access-control requirements. In: Proceedings of the 5th symposium on usable privacy and security, SOUPS 2009, Mountain View, CA, USA, 15–17 July 2009. ACM, extended text available as TR (Fisler K, Krishnamurthi S (2009b) Escape from the matrix: lessons from a case-study in access-control requirements. Brown University, Tech. Rep. CS-09-05)

  • Fisler K, Krishnamurthi S, Dougherty DJ (2010) Embracing policy engineering. In: Proceedings of the FSE/SDP workshop on future of software engineering research, ser. FoSER ’10. ACM, pp 109–110

  • Ghazinour K, Barker K (2011) Capturing P3P semantics using an enforceable lattice-based structure. In: Proceedings of the 4th international workshop on privacy and anonymity in the information society, ser. PAIS ’11. ACM, pp 4:1–4:6

  • Gil JY, Maman I (2005) Micro patterns in Java code. In: Proceedings of OOPSLA 2005. ACM, pp 97–116

  • Hayati K, Abadi M (2005) Language-based enforcement of privacy policies. In: Privacy enhancing technologies, 4th international workshop, PET 2004, revised selected papers, ser. LNCS, vol 3424. Springer, pp 302–313

  • Hogben G, Jackson T, Wilikens M (2002) A fully compliant research implementation of the P3P standard for privacy protection: experiences and recommendations. In: Proceedings of ESORICS 2002, ser. LNCS, vol 2502. Springer, pp 104–125

  • Kapser C, Godfrey MW (2003) Toward a taxonomy of clones in source code: a case study. In: Proceedings of evolution of large scale industrial software architectures, ELISA workshop, pp 67–78

  • Karjoth G, Schunter M, Waidner M (2003) Platform for enterprise privacy practices: privacy-enabled management of customer data. In: PET ’02: proceedings of the 2nd international conference on privacy enhancing technologies. Springer, pp 69–84

  • Karat J, Karat C-M, Bertino E, Li N, Ni Q, Brodie C, Lobo J, Calo SB, Cranor LF, Kumaraguru P, Reeder RW (2009) Policy framework for security and privacy management. IBM J Res Dev 53:242–255


  • Kaser O, Lemire D (2007) Tag-cloud drawing: algorithms for cloud visualization. CoRR, vol abs/cs/0703109

  • Kelley PG, Bresee J, Cranor LF, Reeder RW (2009) A “nutrition label” for privacy. In: Proceedings of the 5th symposium on usable privacy and security, ser. SOUPS ’09. ACM, pp 4:1–4:12

  • Knuth DE (1971) An empirical study of FORTRAN programs. Softw Pract Exp 1(2):105–133


  • Koschke R (2008) Identifying and removing software clones. In: Software evolution. Springer, pp 15–36

  • Kwon O (2010) A pervasive P3P-based negotiation mechanism for privacy-aware pervasive e-commerce. Decis Support Syst 50:213–221


  • Lämmel R, Kitsis S, Remy D (2005) Analysis of XML schema usage. In: Conference proceedings XML 2005

  • Malone P, McLaughlin M, Leenes R, Ferronato P, Lockett N, Guillen PB, Heistracher T, Russello G (2010) ENDORSE: a legal technical framework for privacy preserving data management. In: Proceedings of the 2010 workshop on governance of technology, information and policies, ser. GTIP ’10. ACM, pp 27–34

  • McCabe TJ (1976) A complexity measure. IEEE Trans Softw Eng 2(4):308–320


  • Mernik M, Heering J, Sloane AM (2005) When and how to develop domain-specific languages. ACM Comput Surv 37(4):316–344


  • Mont MC, Thyne R (2006) Privacy policy enforcement in enterprises with identity management solutions. In: Proceedings of the 2006 international conference on privacy, security and trust: bridge the gap between PST technologies and business services. ser. PST ’06. ACM, pp 25:1–25:12

  • Mozilla’s Privacy Icons Project (2011) https://wiki.mozilla.org/Drumbeat/Challenges/Privacy_Icons. Visited July 2011

  • Reay I, Beatty P, Dick S, Miller J (2007) A survey and analysis of the P3P protocol’s agents, adoption, maintenance, and future. IEEE Trans. Dependable Secur. Comput. 4(2):151–164


  • Reay I, Dick S, Miller J (2009) A large-scale empirical study of P3P privacy policies: stated actions vs. legal obligations. ACM Trans Web (TWEB) 3(2):6:1–6:34


  • Ringelstein C, Staab S (2011) PAPEL: provenance-aware policy definition and execution. IEEE Internet Comput. 15:49–58


  • Robinson SK, Torsun IS (1976) An empirical analysis of FORTRAN programs. Comput J 19(1):56–62


  • Roy CK, Cordy JR, Koschke R (2009) Comparison and evaluation of code clone detection techniques and tools: a qualitative approach. Sci Comput Program 74(7):470–495


  • Saal HJ, Weiss Z (1977) An empirical study of APL programs. Comput Lang 2:47–59


  • Salim F, Sheppard NP, Safavi-Naini R (2007) Enforcing P3P policies using a digital rights management system. In: PET’07: proceedings of the 7th international conference on privacy enhancing technologies. Springer, pp 200–217

  • Schwartz A (2009) Looking back at P3P: lessons for the future. http://www.cdt.org/files/pdfs/P3P_Retro_Final_0.pdf. Visited July 2011

  • Siméon J, Wadler P (2003) The essence of XML. In: POPL, pp 1–13

  • Steele GL Jr (1999) Growing a language. Higher-Order Symb Comput 12(3):221–236


  • The Center for Information Policy Leadership (2004) Multi-layered notices explained. http://aimp.apec.org/Documents/2005/ECSG/DPM1/05_ecsg_dpm1_003.pdf. Visited July 2011

  • The Center for Information Policy Leadership (2005) Ten steps to develop a multilayered privacy notice. http://www.informationpolicycentre.com/files/Uploads/Documents/Centre/Ten_Steps_whitepaper.pdf. Visited July 2011

  • TRUSTe (2011) http://www.truste.com. Visited July 2011

  • Uustalu T, Vene V (2005) The essence of dataflow programming. In: Programming languages and systems, APLAS 2005, proceedings, ser. LNCS, vol 3780. Springer, pp 2–18

  • Wadler P (1992) The essence of functional programming. In: POPL, pp 1–14

  • Wile DS (2004) Lessons learned from real DSL experiments. Sci Comput Program 51(3):265–290


  • W3C (2002) A P3P preference exchange language 1.0 (APPEL1.0), W3C working draft. http://www.w3.org/TR/P3P-preferences/

  • W3C (2006) The platform for privacy preferences 1.1 (P3P1.1) specification. http://www.w3.org/TR/P3P11/

  • Yu T, Li N, Antón AI (2004) A formal semantics for P3P. In: Proceedings of SWS 2004. ACM, pp 1–8


Correspondence to Ralf Lämmel.

Additional information

Editors: Giulio Antoniol and Keith Brian Gallagher

Appendix

A.1 Additional Information on ODP

The catalog of the Open Directory Project (ODP) is subdivided into categories and subcategories through multiple levels. There are these top-level categories: Arts, Business, Computers, Games, Health, Home, Kids and Teens, News, Recreation, Reference, Regional, Science, Shopping, Society, Sports, World. There are two special top-level categories: World and Regional. The following discussion of these two special categories should be helpful when trying to understand ODP in general and its overall coverage of the WWW.

Consider the World category: these are “sites in languages other than English” where languages actually serve as subcategories of World (footnote 24). Also: “If a site’s content is available in more than one language, the site may be listed in more than one language category. For example, if a site is in English, German, and French, the site may be listed in an English-only category, World/Deutsch, and World/Francais” (footnote 25). The term ‘English-only category’ refers to the top-level categories other than World and Regional.

Consider the Regional category: this “category lists sites specific to a particular geographic area. The Regional category as a whole organizes sites according to their geographic focus and relevance to a particular regional population. To this end, individual Regional categories become mini-web directories in their own right, while remaining functionally part of the larger Open Directory.” (footnote 26)

There may be multiple occurrences of a URL within the directory. That is, a URL may have more than one associated category (footnote 27). However, ODP’s rules seem to stipulate preference of fitting each site into one category, if there is a best match. Special reasons for overlapping apply to the categories World and Regional. That is, World can overlap with the rest of the directory when a site has an English version, and Regional can overlap with the rest of the directory when “sites are relevant to a subject category and a specific local geographic area”.

A.2 Additional Information on Corpus Diversity

Table 22 breaks down all policies in terms of the top-level domain of the policy URL (i.e., the URL found in the policy reference file). The larger part of policies resides in the com domain. The domains gov, org and net are popular, too. The seven first top-level domains cover about 90% of all policies. We show such information here merely as a short indication of the corpus’ diversity, as it was obtained from ODP. This information must not be misunderstood as being part of the study, which is not concerned with P3P adoption by domain, country, or other means of breakdown; see Section 6.

Table 22 Top-level domains in policies URLs

Figure 30 shows the distribution of policies over ODP’s website categories. Nearly half of all policies are (also) regional policies. Figure 31 shows the distribution of policies in terms of the numbers of associated categories; 81.20% of all policies are associated with only one category. Table 23 shows the distribution of policies over subcategories of World—that is, over languages. Please note that the category English is not included here because it is not a valid subcategory of World in ODP’s sense. The table also shows the number of websites and the percentage of policies per subcategory.

Fig. 30: Number of policies per ODP category

Fig. 31: Number of ODP categories per policy

Table 23 Policies by subcategories of ODP’s world category (raw data)

A.3 Additional Information on Disappeared Policies

The corpus of the paper was originally downloaded in Dec 2009–Sep 2010. We verified the availability of the corpus’ policies in Jan 2012. We found that 1,578 policies (out of 6,182) cannot be obtained anymore. Those disappeared policies come from 1,395 different websites. We also checked if the sites themselves still exist; it turned out that 173 sites disappeared. Such information may be useful in making claims about the potential decline of P3P. Such claims are not central though to the contribution of the present paper.

We analyzed the disappeared policies while only considering those policies whose sites still exist. We looked into clone group information and syntactical size. Figure 32 shows the results of the analysis as follows:

  • Subfigure (a) shows how disappeared policies are distributed over textual clone groups where the x axis shows the clone group’s cardinality and the y axis shows the percentage of disappeared policies. Large (red) dots show positions of top-ten textual clone groups. We observe that top-ten groups were mostly only slightly affected (losing up to 20% of their clones). There is one top-ten clone group that was eliminated almost completely. This effect can be associated with a particular hosting service.

  • Subfigure (b) applies to syntactical clone groups instead of textual ones.

Fig. 32: Disappeared policies: (a) Textual cloning; (b) Syntactical cloning

A.4 Additional Information on ‘\({{\leq_{\mathit{sem}}}}\)’

A.4.1 ‘\({{\leq_{\mathit{sem}}}}\)’ for Retention Levels

The value ‘no retention’ (i.e., not storing data at all) implies the most privacy; the value ‘indefinite retention’ (i.e., storing data forever) implies the least privacy. All other values are hard to differentiate in terms of privacy. Hence, we group them between top and bottom.

A.4.2 ‘\({{\leq_{\mathit{sem}}}}\)’ for Recipients

The value ‘ours’ (i.e., essentially the corresponding system itself) implies the most privacy if we assume that adding any further recipient decreases privacy. In fact, P3P anticipates recipients that use the ‘same’ policy, and hence we group ‘same’ and ‘ours’ together at the bottom (footnote 28). The value ‘public’ clearly implies the least privacy. All the other recipients are hard to differentiate in terms of privacy since we simply do not know anything about their privacy policies. Hence, we group them between top and bottom.

A.4.3 ‘\({{\leq_{\mathit{sem}}}}\)’ for Purposes

The value ‘current’ implies the most privacy since it models use of the system for its primary purpose. We treat the values ‘admin’ and ‘develop’ as equal; these are activities internal to the corresponding system. The value ‘tailoring’ further decreases privacy in that the system is adapted for the user based on data from the current session. For instance, the website’s content or design may be adapted. There are several purposes for ‘analysis’ and ‘decision’ that we all consider to maintain less privacy than ‘tailoring’. A purpose with analysis in the name targets “research, analysis and reporting” whereas a purpose with decision in the name targets “a decision that directly affects that individual” (W3C 2006) (footnote 29). We contend that ‘analysis’ implies less exposure than ‘decision’, and the prefix ‘pseudo’ implies less exposure than the prefix ‘individual’. At the top, we have purposes ‘contact’, ‘historical’, and ‘telemarketing’, as they are typically the least related to the original purpose of the system.

A.5 Additional Information on Semantically Distinct Policies

We are left with 1,385 semantically distinct policies of 4,869 semantically valid policies of a total of 6,182 policies in the corpus. This remaining diversity can be further characterized on the grounds of the partial order for the degree of exposure; see Section 3.4. That is, all the semantically distinct policies combined with ‘\({{\leq_{\mathit{sem}}}}\)’ define a Hasse diagram with the ‘full privacy’ policy as bottom element. Alas, the diagram is too large for inclusion, but we can discuss it in an abstract manner.

  • Number of nodes = 1,385 (= number of semantically distinct policies)

  • Number of edges = 2,102

  • Number of maximal elements = 983

  • Longest chain length = 12

As an illustration, Fig. 33 shows the chains for the policy with the ‘greatest height’ in the Hasse diagram. (This is the policy with the longest chain length = 12; there happens to be only one such policy.) The nodes either refer to clone groups (specified by number and cardinality) or to specific (say, unique) policies. The edges are labeled with the relation between smaller and greater element in compliance with ‘\({{\leq_{\mathit{sem}}}}\)’. We propose that an inspection of the Hasse diagram, as exercised here, may be helpful in deciding replacements of uncommon policies by common ones. This may be useful for privacy approaches that stipulate a smaller number of ‘common privacy scenarios’.

Fig. 33: The longest partially ordered chain(s) of semantically distinct policies

Figure 34 shows the distribution of longest paths from the bottom element to non-bottom elements. About half of all semantically distinct policies are ‘alone’; they are not approximated by any policies but the bottom element; they do not approximate any policies. One may expect a top element in the Hasse diagram—something like ‘no privacy’ (as opposed to ‘full privacy’). This top element is not exercised and this may be impractical because of P3P’s variable-category data elements. The number of edges is an indicator that many policies serve as joins because the lowest possible number of edges in a partially ordered set with a bottom element equals the number of elements − 1. This means that if uncommon policies are close (in terms of ‘\({{\leq_{\mathit{sem}}}}\)’) to a common policy, then one could decide to adopt the common policy in favor of the uncommon one. Future work on the diversity of P3P policies is needed.

Fig. 34: Distribution of longest paths for semantically distinct policies
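
The value orders of A.4 and the Hasse-diagram figures reported in A.5 (nodes, edges, maximal elements, longest chain, ‘alone’ policies) can be reproduced on a small scale. The following Python sketch is an added example, not code from the paper or its online corpus: it assumes a simplified policy made of one (purpose, recipient, retention) triple, an integer-coordinate encoding of the A.4 orders in which grouped values are equal, and chain length counted in edges. Element names not mentioned in the text are taken from the P3P vocabulary, and the corpus is constructed.

```python
from functools import lru_cache

# Assumed encoding of the A.4 orders: each value maps to integer coordinates,
# smaller = more privacy; values that A.4 groups together share coordinates.
PURPOSE = {  # two axes so that pseudo < individual and analysis < decision
    "current": (0, 0),
    "admin": (1, 1), "develop": (1, 1),
    "tailoring": (2, 2),
    "pseudo-analysis": (3, 3), "pseudo-decision": (3, 4),
    "individual-analysis": (4, 3), "individual-decision": (4, 4),
    "contact": (5, 5), "historical": (5, 5), "telemarketing": (5, 5),
}
RECIPIENT = {"ours": (0,), "same": (0,), "delivery": (1,),
             "other-recipient": (1,), "unrelated": (1,), "public": (2,)}
RETENTION = {"no-retention": (0,), "stated-purpose": (1,),
             "legal-requirement": (1,), "business-practices": (1,),
             "indefinitely": (2,)}
BOTTOM = (0, 0, 0, 0)  # the 'full privacy' policy


def exposure(policy):
    """Map a (purpose, recipient, retention) triple to its exposure vector."""
    purpose, recipient, retention = policy
    return PURPOSE[purpose] + RECIPIENT[recipient] + RETENTION[retention]


def leq_sem(p, q):
    """p <=_sem q: p exposes no more than q in every coordinate."""
    return all(a <= b for a, b in zip(exposure(p), exposure(q)))


def hasse(policies):
    """Nodes are semantically distinct policies; edges are the cover relation."""
    nodes = sorted({exposure(p) for p in policies} | {BOTTOM})

    def lt(a, b):
        return a != b and all(x <= y for x, y in zip(a, b))

    edges = {(a, b) for a in nodes for b in nodes
             if lt(a, b) and not any(lt(a, c) and lt(c, b) for c in nodes)}
    return nodes, edges


def metrics(policies):
    nodes, edges = hasse(policies)
    succ = {n: [b for a, b in edges if a == n] for n in nodes}
    pred = {n: [a for a, b in edges if b == n] for n in nodes}

    @lru_cache(maxsize=None)
    def height(n):  # longest upward path from n, counted in edges
        return max((1 + height(m) for m in succ[n]), default=0)

    # 'Alone': approximated only by the bottom element, approximating nothing.
    alone = [n for n in nodes
             if n != BOTTOM and not succ[n] and pred[n] == [BOTTOM]]
    return {"nodes": len(nodes), "edges": len(edges),
            "maximal": sum(1 for n in nodes if not succ[n]),
            "longest_chain": max(height(n) for n in nodes),
            "alone": len(alone)}


# Constructed sample corpus (not taken from the paper's corpus).
CORPUS = [
    ("current", "ours", "no-retention"),
    ("admin", "ours", "stated-purpose"),
    ("develop", "same", "business-practices"),   # semantically equal to previous
    ("pseudo-decision", "ours", "stated-purpose"),
    ("individual-analysis", "ours", "stated-purpose"),
    ("individual-decision", "delivery", "stated-purpose"),  # join of the two above
    ("current", "public", "no-retention"),       # an 'alone' policy
]

if __name__ == "__main__":
    print(metrics(CORPUS))
```

In this sample the edge count exceeds the number of elements − 1 because one policy sits above two incomparable ones, which is the ‘join’ effect the paragraph above describes.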

A.6 Additional Information on Diversity of Extensions

To understand the diversity of policies that use extensions other than ‘group-info’, we examined the domains of the underlying websites. All these sites use distinct domains. Table 24 lists frequency of top-level domains. Hence, most cases of non-trivial usage of the extension mechanism come from websites of the Republic of Korea and from commercial websites.

Table 24 Top-level domains of policies using extensions aside ‘group-info’

We further examined the domains. We observed a few cases of shared subdomains: (cii.samsung.co.kr, shi.samsung.co.kr), (cops.usdoj.gov, usdoj.gov), (hoam.samsungfoundation.org, kids.samsungfoundation.org), (ec21.com, ec21.net). Also, we observed the case of a company, Samsung, with several websites using domains without shared subdomains: cii.samsung.co.kr, hoam.samsungfoundation.org, kids.samsungfoundation.org, samsungengineering.co.kr, samsungengineering.com, samsungtechwin.com, sem.samsung.com, shi.samsung.co.kr. Further screening of all domains with top-level domains .kr and .com confirmed that indeed diverse entities appear in those lists. A noticeable number of commercial sites concerned Korean companies. Hence, we found that most non-trivial extension usage concentrates on Korea while exercising various companies and non-commercial entities. At the time of writing, we do not know the reasons for such non-proportional use of extensions in Korea. One possible reason could be a particular, national legislation.


Lämmel, R., Pek, E. Understanding privacy policies. Empir Software Eng 18, 310–374 (2013). https://doi.org/10.1007/s10664-012-9204-1
