Understanding privacy policies

(A study in empirical analysis of language usage)


Ralf Lämmel and Ekaterina Pek

There is growing recognition that users of web-based systems want to understand, if not control, what customer's data is stored by whom, for what purpose, for what duration, and with whom it is shared. We inform current language-based privacy efforts with an empirical study of P3P--the W3C domain-specific language for privacy policies. We use methods of software language engineering to study usage profiles, correctness of policies, metrics, cloning, and language extensions. The study supports the conclusion that P3P's approach to policy validation is too weak to ensure correct use of the language. The study also discovers common, dominating policies, which may suggest a simpler approach to web privacy. Further, the study investigates a range of metrics for policies in an attempt to discover particularly interesting or complex policies. Finally, the study also attempts to discover symptoms of the need for extending the P3P language, but the found results are not conclusive here.

Web-based systems, Privacy, Privacy policies, P3P, language usage, empirical study, language understanding, domain-specific languages, software metrics, clone detection, software language engineering, software linguistics, policy compliance, policy enforcement

Bibtex entry
 author = "Ralf L{\"a}mmel and Ekaterina Pek",
 title = "{Understanding privacy policies (A study in empirical language usage analysis)}",
 journal = "ESE",
 note = "To appear",
 year  = 2012

  author    = {Ralf L{\"a}mmel and
               Ekaterina Pek},
  title     = "{Vivisection of a Non-Executable, Domain-Specific Language
               - Understanding (the Usage of) the P3P Language}",
  pages     = {104-113},
  booktitle = "{The 18th IEEE International Conference on Program Comprehension,
               ICPC 2010, Braga, Minho, Portugal, June 30-July 2, 2010}",
  publisher = {IEEE Computer Society},
  year      = {2010},

Downloads and links

Website maintained by Ralf Lämmel (Email: rlaemmel@gmail.com)