Understanding privacy policies

(A study in empirical analysis of language usage)

Status

Final version [.pdf] to appear in the ESE Journal (special issue on ICPC 2010), Version as of 11 March, 2012
Conference publication [.pdf.] published in ICPC 2010 Proceedings (IEEE)

Authors

Ralf Lämmel and Ekaterina Pek

Abstract

There is growing recognition that users of web-based systems want to understand, if not control, what customer's data is stored by whom, for what purpose, for what duration, and with whom it is shared. We inform current language-based privacy efforts with an empirical study of P3P--the W3C domain-specific language for privacy policies. We use methods of software language engineering to study usage profiles, correctness of policies, metrics, cloning, and language extensions. The study supports the conclusion that P3P's approach to policy validation is too weak to ensure correct use of the language. The study also discovers common, dominating policies, which may suggest a simpler approach to web privacy. Further, the study investigates a range of metrics for policies in an attempt to discover particularly interesting or complex policies. Finally, the study also attempts to discover symptoms of the need for extending the P3P language, but the found results are not conclusive here.

Keywords

Web-based systems, Privacy, Privacy policies, P3P, language usage, empirical study, language understanding, domain-specific languages, software metrics, clone detection, software language engineering, software linguistics, policy compliance, policy enforcement

Bibtex entry

@article{LaemmelP12-P3P,
 author = "Ralf L{\"a}mmel and Ekaterina Pek",
 title = "{Understanding privacy policies (A study in empirical language usage analysis)}",
 journal = "ESE",
 note = "To appear",
 year  = 2012
}

@inproceedings{LaemmelP10,
  author    = {Ralf L{\"a}mmel and
               Ekaterina Pek},
  title     = "{Vivisection of a Non-Executable, Domain-Specific Language
               - Understanding (the Usage of) the P3P Language}",
  pages     = {104-113},
  booktitle = "{The 18th IEEE International Conference on Program Comprehension,
               ICPC 2010, Braga, Minho, Portugal, June 30-July 2, 2010}",
  publisher = {IEEE Computer Society},
  year      = {2010},
}

Downloads and links

Full journal paper: [.pdf]
ICPC 2010 paper: [.pdf]
Most recent slide deck: [.pdf]
Public repository: [SourceForge]

Website maintained by Ralf Lämmel (Email: rlaemmel@gmail.com)