ABSTRACT
Governments are now enacting comprehensive legislation that regulates how organizations collect and protect sensitive data about individuals. Typically, such legislation has focused on the relationship between consumer and business, to ensure that proper consent is obtained, that procedures exist to safeguard data, and that the consumer has recourse to challenge the business. In practice, such legislation places the entire administrative burden of tracking compliance on both the consumer and the business. More significantly, the legislation does not adequately address the sharing of private information between businesses that cooperate in providing services to consumers. In this paper, we introduce the concept of an "information transfer registry" as a mechanism to track compliance in a business-to-business network, complementary to existing legislation and technical standards. We show that the concept has the added benefit of reducing the administrative burden on consumers and businesses.
Index Terms
- Tracking privacy compliance in B2B networks