Legal/Technical Architectures of Cyberspace

A Framework for Privacy Contracting

Team Members
Piotr Mitros
Ann Lipton
Teresa Ou
Alexander Macgillivray
David Kelman
Christian Baekkelund
Executive summary by Piotr Mitros
Oral presentation by Alexander Macgillivray


Danger

The current direction of the information revolution threatens personal privacy. According to the Federal Trade Commission, 85% of web sites collect personal information from their users; counting Internet Protocol (IP) address logging, that figure approaches 100%. Industry self-regulation has been an unqualified disaster: very few sites give notice of their data practices, and the default settings of privacy-relevant software and devices are set to their most permissive. Users do not own their personal information, and current information practices point toward more abuse of personal information rather than less.

Most large web sites handle advertising through one of several large brokers. To target advertising more precisely, those brokers commonly track which web sites a person visits and what that person does on each site. For instance, the first time a user downloads an ad from DoubleClick (which handles ads for AltaVista, Dilbert and a slew of other popular web sites), DoubleClick sets a cookie in the user's web browser. Because the browser returns that same cookie every time it fetches an ad from DoubleClick, on whatever site, the cookie ties together the sites the user visits, keywords from AltaVista searches and other information. If the user makes a purchase on a site subscribing to DoubleClick, DoubleClick can potentially match the user's name to the cookie and sell that profile to direct marketers. All of this typically happens without the user's consent or even knowledge.

Advertising and information brokers are not the only abusers. Individual companies store data on their customers and are free to use that data as they see fit. Amazon, for example, keeps a record of every book an individual purchases. With modern data mining techniques, Amazon could collaborate with other companies to form a detailed, correlated profile of a person. As electronic commerce spreads, these profiles will become increasingly complete, and the business of buying and selling them increasingly profitable. The more comprehensive the profiles become, the greater the potential for misuse of the information they contain.

Goals

In the face of these threats, the current legal framework offers insufficient protection for personal privacy, particularly against private entities. Our proposal attempts to create a legal and technological architecture that addresses this problem while satisfying these goals:

Our proposal is limited in scope by several assumptions. We do not consider governmental privacy violations; issues relating to children's privacy; or sniffing, snooping and other violations of privacy in transmission. We do not expect to solve related problems dealt with by other subject matter white papers, such as international sovereignty issues, but we do hope to identify how those problems affect our proposal. Furthermore, our proposal depends on a number of technological and legal structures. For example, we assume that certification and encryption can make users identifiable and contracts verifiable. These are detailed further in the text of our proposal.

Proposal

Our proposal entitles individuals to ownership of personal information. We provide a legal and technological framework such that personal information cannot be used by any other entity without permission from the individual. We further propose that "default" settings on a computer program should not reveal personal information and that, for a user to enter into a contract where the user's information is given to an entity, the user must be aware (either explicitly or through a transparent agent) of the terms of that contract and be able to enforce those terms.

We begin by envisioning a legal framework whereby the use of information, without permission, carries a statutorily determined minimum penalty. A user who feels his or her rights have been violated may sue the offending company. This might be administered through a government agency responsible for investigating the source of the privacy violation -- an individual, for example, might only know that he or she had received a solicitation without knowing which of the several companies with which he or she had interacted had released information. Alternatively, the user could initiate her own suit through a private right of action.

If a company wishes to use personal information about an individual, it is the company's responsibility to enter into a contract with that individual by asking permission to use the information and disclosing the intended purposes of the data collection. This can be done either through personal, "manual" interaction or through a computerized agent. For a contract formed by a computerized agent to be legally binding, there must be some evidence that the client was aware of, and had authorized, the choices made by its agent. If no such evidence exists, the contract, or certain provisions of it, would not be enforceable, and the company would be potentially liable for its use of the personal information.

To remove some of the uncertainty about which autonomous agent contracts will be enforced, we propose the Autonomous Computer Contracting Privacy Technology (ACCPT) as a framework for enabling users to negotiate privacy preferences with web sites. In a basic ACCPT transaction, the client and server negotiate to reach a mutually acceptable set of privacy practices. If no agreement is reached, the server may log that an attempt failed and the proposals exchanged, but nothing else about the transaction (the user's IP address, for example).

ACCPT incorporates the elements necessary to ensure that users are aware of the activity of their computerized agents. To the extent that negotiation is governed by a set of preferences entered by the user when the technology is first installed, ACCPT requires that the agent inform users who choose the default settings of the ramifications of that choice, and that users assent to that choice. Any company interacting with an agent that identifies itself as ACCPT compliant could rely on the validity of contracts made with that agent, despite potential differences between the user's personal preferences and the preferences expressed by the agent. That liability would shift to the authors of agents pledging ACCPT compliance (under negligence standards for deviations from the ACCPT guidelines). If a program does not identify itself as ACCPT compliant, the contracting parties retain liability for reliance on invalid contracts. In that way, a company that collects information from an agent that does not pledge ACCPT compliance does so at its own peril, and authors of agents that falsely pledge ACCPT compliance are also in peril.
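The two ACCPT rules above (negotiate to a mutually acceptable set of practices, and log nothing identifying on failure; refuse to contract on defaults the user never reviewed) can be made concrete in a small model. The following is an added example written for this summary, not code from the white paper or from any ACCPT implementation: the paper specifies no message format, so the policy fields (data categories, purposes, retention, third-party sharing), the subset-matching rule, the ordering of the server's proposals and the sample users are all assumptions chosen to illustrate the text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """One set of data practices a server is willing to commit to (assumed shape)."""
    data: frozenset            # categories collected, e.g. {"email", "ip_address"}
    purposes: frozenset        # uses, e.g. {"order_fulfilment", "marketing"}
    retention_days: int        # how long the data is kept
    third_party_sharing: bool  # whether it may be resold or shared


@dataclass(frozen=True)
class Preferences:
    """The user's instructions to the agent: the most it may give away (assumed shape)."""
    max_data: frozenset
    allowed_purposes: frozenset
    max_retention_days: int
    allow_third_party_sharing: bool
    defaults_acknowledged: bool  # user was shown the ramifications of the defaults and assented


class ClientAgent:
    def __init__(self, prefs: Preferences):
        # ACCPT condition from the text: a contract formed on defaults the user
        # never reviewed is not evidence of assent, so the agent will not contract.
        if not prefs.defaults_acknowledged:
            raise ValueError("user has not acknowledged the default privacy settings")
        self.prefs = prefs
        self.contracts = []  # the user's own record of every agreement reached

    def acceptable(self, policy: Policy) -> bool:
        """A proposal is acceptable only if every dimension is within the user's limits."""
        p = self.prefs
        return (policy.data <= p.max_data
                and policy.purposes <= p.allowed_purposes
                and policy.retention_days <= p.max_retention_days
                and (p.allow_third_party_sharing or not policy.third_party_sharing))


class Server:
    def __init__(self, proposals):
        self.proposals = list(proposals)  # from the site's preferred practices to its fallback
        self.log = []

    def negotiate(self, agent: ClientAgent, client_ip: str):
        for proposal in self.proposals:
            if agent.acceptable(proposal):
                record = {"outcome": "agreed", "policy": proposal}
                # Even on success, keep the address only if the agreed policy covers it.
                if "ip_address" in proposal.data:
                    record["client_ip"] = client_ip
                self.log.append(record)
                agent.contracts.append(proposal)
                return proposal
        # Failure: the server may note the attempt and what it offered, but
        # nothing that identifies the user (no IP address).
        self.log.append({"outcome": "failed", "offered": tuple(self.proposals)})
        return None


# Constructed sample data for the demonstration (not from the paper).
BROAD = Policy(frozenset({"email", "ip_address", "browsing_history"}),
               frozenset({"order_fulfilment", "marketing"}), 730, True)
NARROW = Policy(frozenset({"email"}), frozenset({"order_fulfilment"}), 30, False)

CAUTIOUS_USER = Preferences(frozenset({"email", "ip_address"}), frozenset({"order_fulfilment"}),
                            90, False, defaults_acknowledged=True)
NO_DATA_USER = Preferences(frozenset(), frozenset(), 0, False, defaults_acknowledged=True)
UNREVIEWED_DEFAULTS = Preferences(frozenset({"email"}), frozenset({"order_fulfilment"}),
                                  365, True, defaults_acknowledged=False)


def demo_agreement():
    """Cautious user: the broad proposal is rejected, the narrow one accepted."""
    server, agent = Server([BROAD, NARROW]), ClientAgent(CAUTIOUS_USER)
    agreed = server.negotiate(agent, "192.0.2.7")
    return agreed, server.log, agent.contracts


def demo_failure():
    """User who yields nothing: no agreement, and the server's log holds no IP."""
    server, agent = Server([BROAD, NARROW]), ClientAgent(NO_DATA_USER)
    agreed = server.negotiate(agent, "192.0.2.7")
    return agreed, server.log


def agent_refuses_unreviewed_defaults() -> bool:
    """True if the agent declines to act for a user who never assented to the defaults."""
    try:
        ClientAgent(UNREVIEWED_DEFAULTS)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo_agreement())
    print(demo_failure())
    print(agent_refuses_unreviewed_defaults())
```

Two design points carry over to any real ACCPT-style agent. The client keeps its own copy of each agreement, because the evidence of assent the text demands must not live only on the server. And the server is written so that the failure path cannot record the address even by accident: the identifying value is only ever written when an agreed policy explicitly names it.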

Our proposal also encourages the development of other privacy protecting technologies, such as a framework for anonymous browsing and electronic commerce. This includes an addition to IPv6 for connecting to servers without disclosing one's IP address, an anonymous payment protocol and an anonymous shipping protocol (for delivering goods ordered on-line).




Last modified: December 2 1998, 10:35 PM