Privacy Policies Online: further results from a continuing investigation

AUTHOR
Steve McRobb and Simon Rogerson

ABSTRACT

This paper represents an update on the progress of an ongoing research project to investigate the characteristics of online privacy policies, and the ways that a sample of policies have changed over three biennial surveys undertaken in 2000, 2002 and 2004.

Publication of a privacy policy is encouraged by industry groups such as the Online Privacy Alliance, and by online certification bodies such as TRUSTe, since such policies are taken to reassure the wary, and thereby to overcome one of the main presumed disincentives to trading online. Clearly such a view is based on assumptions about the nature and formation of trust between individuals and organisations in an online environment. Our research is founded on a theoretical investigation of trust online, which provides an underpinning to the empirical enquiry.

The research began in 2000 with a selection of 113 websites from a variety of organisations, all of which published a privacy policy that gave (in some cases, attempted to give; in yet other cases, simply failed to give) information about the collection and of data through the organisation’s website and its subsequent use. The organisations in the sample included large and small commercial businesses from many sectors and regions, voluntary sector organisations and a number of government departments and other public sector agencies. Further surveys have been conducted at two year intervals, and the data collected is currently undergoing analysis.

The surveys use a non-judgemental sampling approach that is in keeping with the primarily interpretive thrust of the research. Taken together, the three surveys completed so far provide a unique opportunity to investigate how organisations have shaped their online privacy policies in response to changing perceptions of the importance and role of trust in the decision-making processes of a variety of buyers and browsers. While the direction of the research has been, to a large extent, determined by the findings as they have emerged from the analysis, the results so far indicate an incomparably rich source of data that illuminates the dynamic nature of trust online.

Interim reports on earlier phases of the research have been presented at this conference in 2002 and 2004, and a paper on the first phase to be completed has also subsequently been published in IT and People. These papers highlighted a number of issues that required attention on the part of those organisations that choose to publish an online privacy policy. For example, some privacy policies were so hard to understand that their value as a persuasive tool is open to considerable doubt. Others were so hard to find that there seemed little point in going to the trouble of posting them. The results of the first survey also indicated that many organisations show a great deal of inconsistency in their approach. For example, the most readable policies were not necessarily the easiest to find. There were also surprising regional effects. For example, North American policies scored more favourably on most assessed aspects than did European policies, with the exception of policy visibility. This ran counter to the expected effect, based on European legislation regarding data privacy. As comparative data between consecutive policies has become available, this has revealed some of the major changes in policy content, structure etc. that have taken place in the sample policies in the interval between 2000 and 2002. These changes did not, on first inspection, appear to be minor. Over this two year period, only 12% of policies showed no change, while over half showed ‘significant’ or ‘radical’ changes. Since this period includes a number of significant world events (not least, the World Trade Center attacks, but also the the implementation of the EU Privacy Directive), this is perhaps to be expected. It is anticipated that further investigation will throw more light on the ways that organisations have sought to respond to changes in commercial and regulatory environment. Efforts are currently being focused on a detailed examination of these changes, and this paper will report the latest findings from the analysis.

A further sample was collected late in 2004, and the preliminary results of the analysis of this latest survey will be available in time to report at conference. These are expected to reveal a further step in the evolution of online privacy policies, although at this stage it is not possible to forecast with any confidence what changes may be involved.

What does Globalisation mean to you?

AUTHOR
Mohamed M Begg

ABSTRACT

The word ‘globalisation’ can imply different meanings for different people across the world. This paper examines what ‘globalisation’ means particularly to people living in the East, and especially in the Arab/Muslim world.

According to Walsham (2001, p.18),

“The term globalization has achieved the unusual status, in a relatively short time, of becoming fashionable in academic debates in the social sciences, in the business world, and to some extent in the popular media. However, even a cursory examination of these sources would demonstrate that the term is highly ambiguous, and that it masks a wide variety of opinions on what is happening in the world”.

The term ‘Globalisation’ therefore, attracts various definitions and explanations. Some of these will be considered and explained in this paper.

Globalisation is not a new concept from the Islamic point of view. First of all the Arabic word for this geographical world is ‘alam’; hence the Qur’anic usage describing the Creator as ‘Rabb al Alamin’ (The Lord of the Worlds), and one of the phrases used to describe the status of the Prophet Muhammad (sws) in the Qur’an is ‘Rahmatullil-alamin’ meaning a ‘mercy to all the worlds’ (regardless of whether everyone accepts him as the last prophet or not). Describing Prophet Muhammad (sws) in such a manner clearly indicates that he had not only a global mission but a universal mission. The global nature of Islam is in fact quite visible to all of us, as Muslims can be found in virtually all parts of the inhabited world. Globalisation is therefore not an alien subject for Muslims, it is the means through which the current process of globalisation is taking place, namely the ICT revolution and satellite television which are raising new hopes and concerns.

According to Robertson (1992, p.8), “Globalisation as a concept refers both to the compression of the world and the intensification of consciousness of the world as a whole”. Walsham (2001, p.18) explains that,

“the first of the two points relates directly to the time-space compression, largely mediated by IT. The second point is, however, somewhat wider than the earlier material, since it refers to the world as a whole rather than Western society. The wide spread of accessibility of communications media such as television, even in remote rural villages in the Third World or underprivileged urban communities anywhere, means that news of happenings in the world as a whole is available to the great majority of the world’s population”.

The result of vast and fast availability of information means events in a remote part of the world can bring immediate response. For example atrocities in the Middle East regions can quickly mobilise people on the other side of the world to start protest marches within hours. The Tsunami disaster in South East Asia is a positive example of how quickly citizens across the world responded both financially and in the form physical arrival with heavy equipment to rescue the victims.

Moving on to a different aspect of ICT developments, the remarks by Nelson Mandela (former President of South Africa) on globalisation at the Labour Party Conference in Brighton on 28th September, 2000 are worth noting. He said, “Anyone who ignores globalisation is like a person who says that he does not know what winter is and will therefore not buy any warm clothes”. He, however, warned those countries who ‘in the name of globalisation are inflicting poverty on other nations’. Some nations becoming richer as a result of ICT and others becoming poorer due to lack of education, poverty and inability to create infrastructure required to use ICT to its full potential means creating inequity, injustice, anger and frustration in the hearts and minds of millions of people across the world. All these issues if not tackled in good time can bring disastrous results not only for the countries concerned but also for the prosperous countries.

Currently, ‘Global Terrorism’ has become a common phrase in most of the news media. Is this yet another form of globalisation? One hopes not and every effort has to be made both by the Western world and the Muslim world and the remaining world to join hands and remove this menace from the face of this earth.

This paper will therefore examine how the ICT revolution is transforming the vision of ‘globalisation’ globally and particularly within the Arab/Muslim world and some third world countries and provide some explanation of the reasons and impact of such a ‘globalisation’ for people living in different parts of the world. It also discusses how an equitable, cohesive, peaceful and co-operative ‘global community’ can be achieved with the help of the new technologies particularly the Internet and satellite TV revolution.

REFERENCES

Robertson, R(1992), Globalization: Social Theory and Global Culture, Sage, London. Walsham, Geoff (2001`), Making a World of Difference – IT in a Global Context, John Wiley & Sons Ltd, Chichester, U.K.

The Data Protection Decade 1995-2005

AUTHOR
Richard Howley, Simon Rogerson, Ben Fairweather and Lawrence Pratchett

ABSTRACT

The ETHICOMP decade may also be seen as the ‘data protection decade’. It was on the 24th October 1995 that the Draft General Directive on ‘the protection of individuals with regard to the processing of personal data and at the free movement of such data’ was adopted by the European Commission (Directive 95/45/EC). This Directive created the foundation for all current European Data Protection legislation and, it can be argued, the foundations for the global trend to the enactment of privacy and data protection legislation. In 1995 a UK Government White Paper concluded that ‘the time had come when those who use computers to handle personal information, however responsible they are, can no longer remain the sole judges of whether their own systems, adequately safeguard privacy’ (Barber 1998). The UK 1998 Data Protection Act came into force on 1 March 2000 thereby allowing for the incorporation of 1995 EC Data Protection Directive and for strengthening and extending the data protection regime created by the UK 1984 Data Protection Act, which it replaced.

The ETHICOMP decade has witnessed many changes in the use of data in business, administration and marketing. In the last ten years the volume of data and the uses to which it can be put have grown rapidly to accompany and to exploit the business opportunities that are present in the Internet age. Data is global, it is highly ‘greased’, it is shared, it is abused and it has become a key element of national defence in a war on terror. Each of these developments present huge challenges to those that seek to use and protect data and those that seek to establish and maintain national and trans-national schemes for the protection of data. In the light of these challenges and given that it is now a decade since the EU directive on data protection was adopted it is an appropriate time to examine how organisations, and their computing staff in particular, have responded to legislation that increasing regulates their use and management of data.

The last decade has also seen an increasing recognition that information systems and information systems staff are key players in the provision of data protection. A major focus of UK research in this area has been on the importance of the systems design stage of the development process. This research resulted in the production of a set of ‘Best Practice Guidelines in Systems Design’. Other research has sought insights into levels of awareness regarding data protection and how information systems staff can and do contribute to it. This research discovered that information systems staff actively support data protection provision within organisations generally and within the systems development process specifically. The same research found that awareness of data protection amongst information systems staff was relatively low leading to the conclusion that their contribution to the ‘data protection decade’ may be less than it otherwise could be.

Building on these quantitative research findings case study research has been designed and implemented by the authors during 2004/5 into how three UK organisations have and are responded to data protection legislation and the challenges outlines above. These organisations are all UK local authorities (Local Councils) and as such they are all large data users. They are significantly accountable to their data subjects and they are the custodians of a wide variety of data ranging from non-personal to the highly personal and sensitive. Using interviews, observations and discussions with Data Protection Officers, IT Directors, IT Managers within Service Departments and Information Systems Development staff detailed insights at all levels of these organisations were gained in the following areas:

  • How data protection is provided for and managed within these organisations and an evaluation of the effectiveness of these processes.
  • The relationship between organisations structures and processes and information systems staff in the provision for data protection.
  • The contribution that information systems staff can and do make to the provision of data protection and an evaluation of their contribution.
  • The views of information systems staff to their increasing responsibilities in the area of data protection.
  • Specific insights were sought into how information systems development practices can and do support the creation of systems that are supportive of data protection.

This paper provides more detail regarding the methods used, the research design, including the case study protocol and reports the findings of the research. It concludes by relating those findings to a consideration of the progress made in this ‘data protection decade’ and in the context of the wider social changes and events that have and continue to define the ETHICOMP decade.

E – Cultural diffusion in informative society

AUTHOR
Piotr Pawlak

ABSTRACT

The undertaken by me subject is placed in the area of problems of communication field, in its intercultural dimension. I would like to devote attention of my report to the process of cultural diffusion in informative society. I will treat the Internet as main tool as well as platform for that phenomenon.

The community of netizens of which one of the main motive power of appearing and development was natural need for communication, exists beyond all borders and different kinds of barriers of cultural nature, possessing its own culture (in spite of its creator members being representatives of different “mother” cultures). Processes similar to the ones we have witnessed in traditional field take place within it. Obviously the specific of these processes is different from their prototypes as well as their dynamics, observed and described by explorers in reference to “traditional” communication. Phenomenon to which I would like to bestow attention is cultural diffusion taking place in range of intercultural group creating widely understood network community, functioning thanks to the Internet. The cultural diffusion is the process of cultural changes possible in conditions of] intercultural contact, which relies on permeation of works of one culture to the other one leading to cultural adopted ideas, which in consequence cause the growth of similarities between cultures ” I would like to explain the specificity of the process in conditions of the Internet; among other things – whether it has indirect character (due to even to large distances) whether direct (through direct contact of its members), what influence if has on cultural consciousness of its participants (if it is then unintentional process, or else in a sense a controlled one). As well as what content, value or areas become its part. I think that what matters is the aspect shape of communication having important influence on shape of informative society. I would like to introduce the participants of network communication in character of transmitters of cultural diffusion – taking place within the,, Internet community “, transferring its results on the ground of “mother” cultures. The process itself is essential both for the community itself and its culture, as well as for “mother” cultures of its members. It supports the widely understood process of intercultural communication. And so, in this conception the members of network community become the specific carriers of particular values, behavioral patterns, or the notion patterns. The Internet in larger degree becomes one of the main sources from which the contemporary man derives knowledge about the world and other cultures. It becomes even more essential tool of socialization process.

So as to sum up; I shall try to bring closer the specific process of cultural changes inside the community, the main communication channel of which (enabling cultural contact) is the Internet. The process which by means of users of net can influence individual cultures of national, regional or religious character. Apart from the main aim, that is introduction of the described above process and the demonstration of its significance as well as positive influence on intercultural communication,my lecture will also be a glance at matter of general culture of the Internet, as well as approach at the image of its creating community.

Archiving and Categorization of E-Mail Systems

AUTHOR
Nicholas A. Wagner and Ian H. MacGregor

ABSTRACT

With most adults in the western world now transitioned into e-mail use, an untold amount of textual information is available on personal interests and preferences. The vast majority of such e-mail, whether private or job-related, belongs to corporations. Whether the e-mail account in question is set up through a person’s employer or through commercial agents such as Yahoo or Hotmail, usage contracts generally identify the e-mail as belonging to the corporation. Even deleting e-mail from an account provides no guarantee that the e-mail is actually removed from the storage source.

While it has always been clear that e-mail information represents a potential privacy concern, analysis of the information has not been commercially viable, thereby providing a sense of privacy to the end-user. While e-mail systems have provided reasonable (if mostly inadequate) security systems to protect the privacy of individuals, the corporate owners of the e-mails have access to all messages sent and received. Given the availability of a commercially viable method for extract consumer marketing data, it is likely just a matter of time before corporations will attempt to capitalize on the available information.

The main focus of this paper was to determine whether automatic analysis of e-mails is becoming a viable option for corporations. Using a new text analysis tool named Latent Categorization Method (LCM) developed by Larsen and Monarchi (2004), the study aimed to collect the ‘sent e-mail’ of volunteers (sent e-mail was used to get a true measure of interest rather than any e-mail received, which could be spam) and attempt to create personas for marketing purposes. The personas were based on characteristics that were determined by the most frequently occurring latent semantic topics in the volunteers’ outgoing electronic mail.

The analysis tool, LCM, had previously been used to categorize the occurring topics in academic journal abstracts. The process begins by creating an ASCII text file of all of the data, which in this case is a collection of e-mail message bodies provided by volunteers. Each message is identified with bits of code that identify its author, so that the interpreted data is matched to them. Next, a parser removed all of the words that have little or no relevance to building a persona, such as ‘has,’ ‘go,’ ‘you,’ ‘as,’ and many more. Further, proper names were removed by creating a database of the items to be removed by the parser.

Another database is created to properly group words together with similar meanings. For example, if an e-mail spoke of the sport of running, all variations of the word (running, ran, etc) would have to be pointed to its root stem, run. The words that made it through the parser and the stemming functions were then analyzed and the visual representations were created. The next steps include weighing of terms, decomposition of matrices, as well as clustering of texts (e-mails). It should be noted that LCM does not simply examine simple counts of words, but rather examines latent semantic relationships between sets of co-occurring words.

The volunteers that provided e-mails for the analysis were mostly teaching assistants, and therefore their e-mail tended to focus on academically related topics. Frequently occurring stems were ‘recit’ (for recitation), ‘paper,’ and ‘career.’ The process of associating the misspelled words and ‘spoken’ words could have been a bit more precise so that the meaning would have been stemmed rather than discarded from the data set. Also, a larger volunteer base should have been used to see what kinds of different topics would come up. A more diverse volunteer base would have helped in the variety aspect as well. However, aside from what could have been improved, the results were still very interesting and informative.

The results yielded predictable profile conclusions given the knowledge of the participating volunteers, which allowed the results to be verified as to the accuracy. Upon analysis, remarkable similarities between each individual and profile were seen, especially when the limited scope of e-mails and small volunteer base were taken into account. Considering all volunteers were students, 87.5 percent of which teaching assistants, and all e-mails collected from university e-mail accounts, the results were very much in line with typical correspondence between teachers and students or on subjects relating to class work. An example is volunteer 1 (labeled P1). The results indicated the most frequently occurring semantic topics were paper, assign, recit (recitation), class, and busi (business), among others. The topic ‘paper’ alone accounts for a little over 10% of the most important topics. Thus it is safe to deduce that this volunteer discusses class papers relating to business and teaches a recitation. For a consumer e-mail situation, this topic might be of more importance; if a topic relating to complaining about vacuuming and cleaning appears, the individual would likely be a perfect recipient of the Roomba Robotic vacuum product. More details are discussed in the paper and includes the possibility of matching like personalities.

With technological advances in data processing, storing, and interpretation such as the LCM approach coupled to an e-mail system, there are numerous ethical implications. The authors have related the Individual versus Community paradigm, as illustrated in Rushworth M. Kidder’s book, How Good People Make Tough Choices: Resolving the Dillemas of Ethical Living (1995). However, the authors in this case prefer the term Company versus Community, since the issues at hand deal with an organization that provides e-mail services. The possible monetary gains for the employer in using LCM with their e-mail systems can only be realized after an extensive evaluation of their commitment to service and the through the commitments to privacy (if any) in their terms of service agreement.

What if there are ambiguous statements, a privacy policy has been omitted, or e-mail categorization practices do not correspond to the company’s commitment to service? The company would be in a situation that would require the analysis of whether categorization would intrude on their users’ privacy, and whether they are willing to set the example for other e-mail vendors. Would they be willing to accept the responsibility of contributing to the reinforcing loop of keeping up with competitors who also analyze their e-mail systems?

In conclusion, the study shows that mass analysis of e-mail for the purpose of creating personas is no longer a future scenario, but currently plausible, probable, and commercially viable. Not only does such analysis promise to be available to corporations, but the profiles created using such text analysis tools are likely to be of a quality surpassing all other consumer profile techniques currently available. This conclusion takes on added validity when network analysis of e-mail addresses is added to the mix of available information, further developing maps of profile interactions. To head off the potential meltdown of privacy protection represented by the approaches described in this paper, privacy advocates must act in an expeditious manner.

REFERENCES

Kidder, Rushworth M. “How Good People Make Tough Choices: Resolving the Dilemma of Wthical Thinking.” New York: William Morrow and Company.

Larsen, Kai R. and Monarchi, David E. “A Mathematical Approach to Categorizations and Labeling of Qualitative Data: The Latent Categorization Method.” Sociological Methodology, 20(1), pp. 349-400.

Developing An Ethics Policy for Research that Uses ICT

AUTHOR
Andy Bissett

ABSTRACT

Most institutions that carry out research, whether involving human subjects or not, are formulating ethical policies to cover their research if they have not already done so. Indeed, apart from encouraging and advertising good ethical ‘health’, many major research funding organisations (the Wellcome Trust, the European Community under Framework 6, to name two) will no longer make funds available to institutions (such as universities and research institutes) that do not have a publicly promulgated research ethics policy.

No doubt this is partly due to a series of distressing scandals in the UK during the last decade, often involving unethical medical research, that has severely shaken public assumptions about the nature of scientific research. Probably a wish to avoid litigation has also fuelled the growth of research ethics policies. Nonetheless, computer ethicists will welcome this important sea-change, albeit recognising that a policy in itself is only a necessary starting point. Following on from the inception of a policy there must be debate, elaboration, and means put in place to promote and ‘operationalise’ the policy.

Scientific disciplines such as biotechnology, pharmaceuticals, psychology and medicine, along with many social scientific fields of inquiry, have long since promoted their own scrupulous guidelines for ethical research. The ‘Helsinki Principles’ (WMA, 2004) have provided a sound basis for most if not all of these endeavours since their initial appearance in 1964. A valuable contribution to the development and promotion of ethical research appears in the King’s College (University of London) report on research ethics committees (Tinker & Coomber, 2004). Equally, most responsible organisations whether publicly funded or in the private sector have guidelines that promote the proper use of their information and communication technology (ICT) resources. However, there remains a gap in ethical policy in the circumstances of research that utilises ITC, or in which ITC is itself the subject. It is believed that the development of such a policy is a task that many organisations have yet to undertake, and therefore that this paper will be of distinct interest – and it is hoped use – to the participants of ETHICOMP and their sponsoring organisations.

The professional codes of conduct of both the British Computer Society (UK) and the Association for Computing Machinery (USA) urge consideration of the human consequences of computer systems, supporting, therefore, the ‘Helsinki principles’ of beneficence and non-malfeasance in research. Computer technology can provide a valuable vehicle for research in many fields and is also a rich area for research in its own right. However, as with any science or technology, care should be taken with the unintended possibility for negative consequences alongside the desire of the researcher to ‘do good’ and to ‘not cause harm’. Two major areas create distinct problems when researching with ICT. Firstly the ‘distancing’ effect of technologies such as the Internet enforce the ‘subject-object’ division and may encourage unethical behaviour, such as identity concealment; the Association of Internet Researchers has initiated important policy here (AoIR, 2002). Secondly, research into ICT as a subject itself may generate hazards, as in the self-inflicted attack by NATO anti-virus experimenters (Nathan, 2000).

This paper describes how a research ethics policy for research involving ICT was developed at the author’s own institution, starting from a background of the Helsinki Principles and other germane (usually legal) policies. The resulting policy (SHU, 2004) is outlined in the paper for further discussion, but is not held up as ‘the final word’ or a definitive document. The practical aim is to provoke an enriching debate, a kind of ‘action research’, in this relatively immature area.

The policy was adopted in December 2004 after a gestation of (appropriately) some nine months during which it was reviewed and critiqued. It contains thirteen sections, although each of these is highly modular and addresses a specific research topic; the aim was to achieve a ‘lightweight touch’ rather than a large, proscriptive handbook that nobody would want to read, much less use! Along with brief guidelines on obvious issues such as privacy, IPR, research utilising on-line surveys, research employing ‘external’ (to the institution) computer systems, and the computer processing of experimental results, some more exotic areas such as virtual reality and identity hiding were also addressed.

Problematical areas in the policy include experiments with computer viruses, the discovery of loopholes in computer security, and studies of cyberterrorism. Some of these proved controversial in the reviewing process before final adoption, and it may be expected that they will be subject to change, or at least interpretation, in the light of experience. This is normal and healthy for any organization concerned about its ethical practices, and wide and open discussion is vital. Presentation at ETHICOMP would be a key part of this discussion.

The questions that arise for research using ICT are not always obvious, and this paper has two very practical purposes; firstly, to air and encourage discussion of tricky areas, and secondly, to assist other interested parties and institutions to define their own policies for research that uses ICT. A set of guidelines or a policy such as this is, by its nature, an ongoing work, subject to critique and revision, and it is hoped that a lively and fruitful discussion will be initiated, both during and following the conference.

REFERENCES

AoIR (2002) Association of Internet Researchers: Ethical Decision-Making and Internet Research. Available at: http://www.aoir.org/reports/ethics.pdf

SHU (2004) Guidelines on Ethical Aspects of Research using Information and Communication Technology, Enterprise Centre, Sheffield Hallam University.

Nathan, A. (2000) Nato creates computer virus that reveals its secrets, Guardian, 18th June.

Tinker, A. and Coomber, V. (2004) University Research Ethics Committees: their role, remit and conduct, Kings College London. Available at: http://www.kcl.ac.uk/depsta/ppro/reports/URECreport.pdf

WMA (2004) The World Medical Association Declaration of Helsinki: ethical principles for medical research involving human subjects. Available at: http://www.wma.net/e/policy/b3.htm