
2. LITERATURE REVIEW INTRODUCTION:


This literature review for the study of Security and Cryptography in the World Wide Web (WWW) will make it easier to understand how the Internet started and how it has worked from the past up to the present. The review is helpful because it covers ideas that are already known in a specific area of study, answers some questions that were left unanswered, and identifies why this research needs to be studied further. The researcher will follow the steps involved in preparing the literature review of a research study. FIRST, we SEARCH for the information and ideas that are available and related to the topic. SECOND, we manage the details already found. THIRD, we combine the ideas with the literature review. LAST, we write up the overall output. Here are some examples of literature reviews:

World Wide Web Literacy


World Wide Web literacy, hereafter referred to as Web literacy, can be thought of as a subset of information literacy where the need for information is identified, located, evaluated. As computer literacy has increased throughout the educational system, Web literacy has increased as well and has shifted from one stage to another in a logical procession. Computer literacy is the knowledge of how to use a computer. It does not refer to the information that can be gleaned and extracted from the computer (Farah, 1995). Basically, it is a working knowledge of how to turn the computer on and off, effective keyboarding skills, word processing, spreadsheet, and database applications, and so forth. Web literacy, on the other hand, refers specifically to skills and knowledge that are gained from the use of the Web. Several authors (Carrigan, 1997; Descy, 1996; Farah, 1995) have described the progression of Internet literacy in relation to Web literacy. In summary, those progressive steps can be categorized into three stages. The first stage of Internet literacy is learning protocols, history, and navigation of the Internet. During this stage, students do not necessarily become comfortable with the Internet, but become aware of its existence and potential in information seeking. It is during the second stage of Internet literacy that students become more comfortable with their search skills, refining the search strategies for navigating through the various databases and Web sites online. Currently, many educators and professionals believe that Internet literacy is in its third stage. In this stage, becoming knowledgeable users is at the forefront of this progression, where a critical eye is turned on information found online and how that information is evaluated.

Web Privacy Measurement


Web privacy measurement is a nascent field, with significant contributions developed by academic computer scientists and others interested in discovering tracking vectors and quantifying them. At Web Privacy Measurement 2012, leaders in the field will attempt to formalize these efforts.

The Electronic Privacy Information Center made the earliest attempts to enumerate privacy practices in a systematic fashion. In June 1997, it released Surfer Beware: Personal Privacy and the Internet, a survey of the top 100 websites. Only 17 of the top 100 websites had privacy policies. Twenty-three sites used cookies, although it appears that EPIC used a surface crawl to detect those cookies, meaning that it only visited the homepage of the site and did not click other links. By 2009, Soltani et al. found cookies on 98 of the top 100 sites, and by 2011, Ayenson et al. found cookies on all 100 most popular sites (see discussion below).

In Surfer Beware II: Notice is Not Enough, published in June 1998, EPIC surveyed websites of companies that had recently joined the Direct Marketing Association. At the time, the Direct Marketing Association (DMA) had committed to basic privacy protections, including notice and an ability for consumers to opt out. EPIC found that there were 76 new members of the DMA, but only 40 had websites. Of those 40, all collected personal information. Only eight of the sites had a privacy policy.

The Federal Trade Commission conducted the first large-scale privacy measurement study in Privacy Online: A Report to Congress. Released in June 1998, the Commission studied the privacy practices of 1,402 websites, using a sophisticated sample procedure to ensure that a variety of consumer-oriented websites were studied (health, retail, financial, sites directed to children, and the most popular websites). The FTC found that the vast majority of Web sites -- upward of 85% -- collect personal information from consumers.
Few of the sites -- only 14% in the Commission's random sample of commercial Web sites -- provide any notice with respect to their information practices, and fewer still -- approximately 2% -- provide notice by means of a comprehensive privacy policy.

In EPIC's Surfer Beware III: Privacy Policies without Privacy Protection, the group surveyed the practices of 100 ecommerce sites. This was the most comprehensive, but last of the EPIC surveys. It evaluated sites for compliance with a full range of fair information practices, such as whether the site collected personal information, whether the site linked to a privacy policy, whether the site had agreed to a seal program, and whether users had access and correction rights for personal information. Eighty-six of the sites used cookies, 18 lacked privacy policies, and 35 had some form of network advertiser active on the site. The text of the report makes it clear that EPIC evaluated both the privacy policies of these sites and tested them to see whether they were setting cookies. However, it is unclear whether EPIC performed a surface crawl of just the homepage or a deeper crawl that explored more of the site.

In May 2000, the Federal Trade Commission released a survey of sites that detected third party cookies. In its study, the FTC drew from two groups of websites: those with over 39,000 visits a month and a second sample of popular sites (91 of the top 100). The FTC found that 57% of the sites in the Random Sample and 78% of the sites in the Most Popular Group allow the placement of cookies by third parties. The majority of the third-party cookies in the Random Sample and in the Most Popular Group are from network advertising companies that engage in online profiling.

In a multiple-year study of 1,200 websites, Bala Krishnamurthy and Craig Wills found increasing collection of information about users from an increasingly concentrated group of tracking companies. Krishnamurthy and Wills describe what we call DNS aliasing in their paper (this was also described in their 2006 paper), a practice where what appeared to be a server in one organization (e.g. w88.go.com) was actually a DNS CNAME alias to a server (go.com.112.2o7.net) in another organization (Omniture). They found a massive increase in such aliasing: the percentage of first-party servers with multiple top third-party domains has risen from 24% in Oct05 to 52% in Sep08. This increase is significant because it shows that now for a majority of these first-party servers, users are being tracked by two and more third-party entities. It is also significant because through DNS aliasing, tracking companies can present cookies to users directly as first parties, thereby circumventing third party cookie blocking. Through decoding aliased domains, Krishnamurthy and Wills found that third party trackers were becoming more concentrated. Sampling from five periods, concentration grew from 40% in October 2005 to 70% in September 2008.
Further, they found that, "The overall share of the top-five families: Google, Omniture, Microsoft, Yahoo and AOL extends to more than 75% of our core test set with Google alone having a penetration of nearly 60%."

In June 2009, Gomez et al. published the KnowPrivacy report. The report focused on several areas of consumer privacy, and featured a large-scale crawl of sites based upon data from Ghostery. Google-owned trackers were present on over 88% of a sample of 393,829 distinct domains. Further, in a survey of the top 100 sites, Google Analytics appeared on 81 of them.

In August 2009, Soltani et al. demonstrated that popular websites were using Flash cookies to track users. Some advertisers had adopted this technology because it allowed persistent tracking even where users had taken steps to avoid web profiling. Soltani et al. also demonstrated respawning on top sites with Flash technology. This allowed sites to reinstate HTTP cookies deleted by a user, making tracking more resistant to users' privacy-seeking behaviors. In a survey of the top 100 sites according to Quantcast, Soltani et al. found 3602 cookies set on 98 of the top 100 sites. They also found 281 Flash Cookies set on 54 of the top 100 sites.

In July 2010, Julia Angwin, Tom McGinty, and Ashkan Soltani of the Wall Street Journal reported that in a scan of the top 50 sites, 3,180 tracking files (this comprised HTTP cookies, Flash cookies, and web beacons) were detected. Twelve sites set over 100 each.

In 2010, Michael Coates surveyed the top 1,000 websites in order to determine how many were using HTTPS. Coates sent a basic HTTPS request to these sites, and they responded with 559 cookies. Coates's method appeared to not collect any third party cookies.

Flash cookies have become a major focus of research. In 2001, McDonald and Cranor of Carnegie Mellon investigated the presence of Flash cookies on websites. They found a dramatic decline from the Soltani et al. investigation in 2009. McDonald and Cranor found Flash cookies on only 20 of the top 100 sites. They were also careful to attempt to determine whether Flash cookie values were unique or not; six of the top 100 sites had Flash cookies that were not unique, and thus probably not used to track individuals.

Krishnamurthy et al. have made significant contributions to the study of privacy leakage. In a study of websites that required registration, they found that a majority of the popular sites they analyzed directly leak sensitive and identifiable information to third-party aggregators. The problem they identified was widespread: "56% of the 120 popular sites in our study (75% if we include userids) directly leak sensitive and identifiable information to third-party aggregators."

In July 2011, Stanford Law/Computer Science graduate student Jonathan Mayer released FourthParty, an open-source platform for measuring dynamic web content. Mayer has posted the raw data from web crawls made with the platform, and has released two reports flowing from the system. In the first, Mayer tested how members of the Network Advertising Initiative (NAI) interpret opt outs. The NAI considers the scope of opt out rights to pertain only to targeting ads, not to tracking. Thus, if a consumer opts out, NAI members may still track them. Mayer found that half of the NAI members tested (N=64) still used tracking cookies after an opt out was expressed.
In the second, Mayer found that in developing FourthParty, he detected browser history stealing. This is a practice where a website exploits link styling to learn a user's web browsing history. The approach is simple: to test whether the user has visited a link, add it to a page and check how it's styled.

In August 2011, Ayenson et al. surveyed the top 100 web sites, simulating a user session by clicking on 10 random links on each site. Cookies were detected on all top 100 sites. The group found 5,675 cookies, 4,615 of which were set by third parties. Six hundred third-party hosts were detected. Google-controlled cookies were present on 97 of the top 100 sites, including popular government websites. Ayenson et al. found that 17 sites were using HTML5 local storage, and seven of those sites had HTML5 local storage and HTTP cookies with matching values. Flash cookies were present on 37 of the top 100 sites.

In October 2011, Jonathan Mayer tested signup and interaction on 185 of the Quantcast top 250 sites. He found 113 of the sample leaked userids or usernames to third parties.
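
The DNS aliasing that Krishnamurthy and Wills describe can be detected in crawl data by comparing the registrable domain of each requested hostname with that of its final CNAME target. The following Python is an added example, not code from any of the studies cited; the suffix set, the record table and every hostname other than w88.go.com and go.com.112.2o7.net are constructed for illustration.

```python
"""Flag hostnames that look first-party but are CNAME aliases to another organization."""

# Assumption: a tiny stand-in for the Public Suffix List; a real crawl would load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Owner mapping taken from the text (2o7.net belongs to Omniture).
ORG_BY_DOMAIN = {"2o7.net": "Omniture"}

# CNAME records as a crawler would log them. Only the first entry comes from the text;
# the second is constructed to show an alias that stays inside the same organization.
CNAME_RECORDS = {
    "w88.go.com": "go.com.112.2o7.net",
    "img.go.com": "static.go.com",
}

# Constructed list of hosts contacted while loading a page on go.com.
REQUEST_HOSTS = ["www.go.com", "img.go.com", "w88.go.com", "ads.tracker.example.net"]


def registrable_domain(host):
    """Return public suffix plus one label (w88.go.com -> go.com), or None if unknown."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest so "co.uk" wins over "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the host is itself a public suffix
            return ".".join(labels[i - 1:])
    return None


def follow_cnames(host, cname_records, max_hops=8):
    """Follow CNAME records from host and return every name visited, in order."""
    chain = [host.lower().rstrip(".")]
    while chain[-1] in cname_records and len(chain) <= max_hops:
        nxt = cname_records[chain[-1]].lower().rstrip(".")
        if nxt in chain:  # malformed zone data: stop on a loop
            break
        chain.append(nxt)
    return chain


def classify_request(page_host, host, cname_records):
    """Label a request as first-party, third-party or aliased-third-party."""
    site = registrable_domain(page_host)
    if registrable_domain(host) != site:
        return "third-party"  # overt third party; ordinary cookie blocking applies
    owner = registrable_domain(follow_cnames(host, cname_records)[-1])
    if owner is not None and owner != site:
        return "aliased-third-party"  # first-party name, foreign server
    return "first-party"


def audit_page(page_host, request_hosts, cname_records):
    """Return one finding per aliased host: the name, its final target and the owner."""
    findings = []
    for host in request_hosts:
        if classify_request(page_host, host, cname_records) != "aliased-third-party":
            continue
        target = follow_cnames(host, cname_records)[-1]
        domain = registrable_domain(target)
        findings.append({
            "host": host,
            "target": target,
            "owner_domain": domain,
            "organization": ORG_BY_DOMAIN.get(domain, "unknown"),
        })
    return findings


if __name__ == "__main__":
    for h in REQUEST_HOSTS:
        print(h, "->", classify_request("go.com", h, CNAME_RECORDS))
    print(audit_page("go.com", REQUEST_HOSTS, CNAME_RECORDS))
```

A host flagged this way is not necessarily a tracker, since content delivery networks are also reached through CNAMEs; the owner domain still has to be matched against a list of known tracking companies.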

REVERSE TIMELINE

Study | Year | Major Finding | Sample Size
Mayer | 2011 | Most popular websites were "leaking" usernames and userids to third parties. | 185 of the Quantcast top 250
Ayenson et al. | 2011 | 5675 HTTP cookies detected, 4615 of which were third party. 37 sites with Flash cookies detected. All top 100 websites had cookies. | Top 100 sites, 10-click user session simulated
Mayer | 2011 | Network Advertising Initiative members continued to use tracking cookies after opt out | 64 of the Network Advertising Initiative Members
Krishnamurthy & Wills | 2011 | Majority of popular websites with registration leaking personal data to third parties | Array of popular websites that required registration
McDonald & Cranor | 2011 | Flash cookies present on 20 of top 100 sites | Surface crawl of homepages of top 100 sites
Coates | 2010 | 559 first party cookies detected | Limited HTTPS request to top 1,000 sites
Angwin et al. (Wall Street Journal What They Know) | 2010 | 3,180 tracking mechanisms detected. Only one site lacked cookies. | Top 50 sites, 20-click user session simulated
Gomez et al. (KnowPrivacy Report) | 2009 | Google-owned web beacons were present on 88% of a large sample of websites | 393,829 unique domains
Soltani et al. | 2009 | 3602 HTTP cookies detected, 281 Flash cookies detected. 98 of the top 100 sites had cookies. | Top 100 sites, 10-click user session simulated
Krishnamurthy et al. | 2009 | Large increase in DNS aliasing; penetration of major third party trackers to 75% of sample sites | 1,200 sites scanned over four years
FTC | 2000 | 57% of the sites in the Random Sample and 78% of the sites in the Most Popular Group set cookies. | Random sample of 335 sites and 91 of top 100 sites
EPIC Surfer Beware III | 1999 | 86 used cookies. | 100 ecommerce sites
FTC Privacy Online | 1998 | Most websites collect personal info, but only 14% have privacy notices | 1,400
EPIC Surfer Beware II | 1998 | Few of the newest DMA members had privacy policies | New DMA members
EPIC Surfer Beware I | 1997 | Homepages of 23 sites used cookies | Top 100

The state of Internet privacy in 2013: Research roundup


Concerns about the decline in personal privacy have long troubled citizens, scholars and politicians. The issue was most famously raised in The Right to Privacy, published in the Harvard Law Review in 1890 by jurists Samuel D. Warren and Louis Brandeis, the future Supreme Court justice. While Web 2.0 has empowered users to chat freely with friends, speak directly to customer service reps, check store stock online and a host of other innovations, these transactions typically leave a digital trail that can compromise a user's privacy and security. Online users now routinely access the names of friends and family members, work histories, relationship status, credit card information, and bank statements via the Internet. Even one's reading materials, once considered a bulwark of intellectual freedom, are now in the public domain as articles are circulated and books are recommended on sites like Facebook and Amazon.

Julia Angwin of the Wall Street Journal has written the What They Know series since 2010, documenting new cutting-edge uses of tracking technology and analyzing what the rise of ubiquitous surveillance means for consumers and society. Much of Angwin's work focuses on digital surveillance and related concerns, including the dangers of web tracking, corporate resistance to privacy regulations and ways individuals can protect themselves from digital prying eyes. Angwin spoke about her work at the Shorenstein Center in February 2013.

As technologies advance and as the mobile world rapidly emerges as a central arena, there are worries that laws and policies are not keeping up. In February 2013, the U.S. Federal Trade Commission issued a report, Mobile Privacy Disclosures: Building Trust Through Transparency, that raised serious questions about data collection and mobile apps. Regulators note that, because so much commerce is moving to mobile, increased oversight is necessary in this space. For more on the future of federal policy see the 2013 paper The Next Generation Communications Privacy Act, by Orin S. Kerr of George Washington University.

Of course, young persons are a group of particular concern. A 2013 report from Harvard's Berkman Center on Internet & Society and the Pew Internet & American Life Project examines how teens seek online privacy information. In a September 2013 survey, Pew found that 86% of people said they had taken steps online to remove or mask their digital footprints, ranging from clearing cookies to encrypting their email, from avoiding using their name to using virtual networks that mask their internet protocol (IP) address. Fully one-fifth of respondents said they had experienced having a social media or email account compromised. According to another survey, more Americans are expressing concern about protecting their privacy online, but they continue to share more personal data than ever.

Meanwhile, data mining and other aggressive information-capturing techniques have become commonplace for businesses large and small. Facebook not only uses personal information shared by users to deploy targeted advertising, but it also sells it to external vendors.
The company also introduced Facebook Graph Search, which allows users to capitalize on its site data to conduct complex searches of people, places, interests and other data. A 2013 study in the Proceedings of the National Academy of Sciences showed that surprisingly accurate guesses regarding an individual's gender, sexuality and ethnic origin can be made from Facebook data.

Companies large and small are on guard against thieves, hackers and spambots, but security breaches are anything but rare: In April 2013 alone, data losses were reported by LivingSocial, a Kmart pharmacy in Arkansas, an upstate New York hospital, Blue Cross Blue Shield of Ohio and Indiana and, ironically, a site dedicated to protecting online reputations. Mobile technologies and public Wi-Fi hotspots have proven to be particularly vulnerable to malicious mischief. The damage from pirated information can range from lost job prospects to serious financial troubles if Social Security and credit card numbers are stolen. Businesses and governments can be forced to fund costly security upgrades to infrastructures to fend off cybercriminals. Research has shown that security breaches depress user engagement online, which is bad news for businesses and governments alike.

Even with the best of protections, the era of Big Data may increasingly make privacy algorithmically impossible, as a May 2013 article in the MIT Technology Review suggests. In terms of state intrusion and the increasing possibilities for Big Brother dynamics, see the article No Warrant, No Problem: How the Government Can Still Get Your Digital Data, by Theodoric Meyer and Peter Maas of ProPublica. Of course, revelations about the U.S. National Security Agency (NSA) and its practice of examining some citizen data from major Internet companies including Google, Microsoft, Facebook, Skype, Apple and Yahoo complicate this picture even further.

For a sweeping overview, see The Public and the Private at the United States Border with Cyberspace, by John Palfrey, then of Harvard Law School. The article, published in the Mississippi Law Journal, explains both the technical details of surveillance and raises broad theoretical questions about the changing nature of privacy. The article serves as an accessible but comprehensive primer.

What are the ways that online privacy can be breached, and what are some strategies individual users and companies use to protect online privacy? In the struggle to maintain online privacy, who has the greater responsibility, users or companies? The following are recent academic research studies and reports that address issues relating to digital privacy:

_________

Digital Literacy and Privacy Behavior Online Park, Yong Jin. Communication Research, April 2013, Vol. 40, No. 2, 215-236. doi: 10.1177/0093650211418338 Abstract: This study examined the impact of three dimensions of digital literacy on privacy-related online behaviors: (a) familiarity with technical aspects of the Internet, (b) awareness of common institutional practices, and (c) understanding of current privacy policy. Hierarchical regression models analyzed data from a national sample of 419 adult Internet users. The analyses showed strong predictive powers of user knowledge, as indicated by the three discrete dimensions, on privacy control behavior. However, the findings were mixed when accounting for the interaction between knowledge and Internet experiences. There were limitations on the extents of knowledge and action related to personalized information. Furthermore, those limitations divided with sociodemographic characteristics such as age, gender, income, and education. Ramifications for the current status of the FTC policy are discussed.

Big Brother Knows Your Friends: On Privacy of Social Communities in Pervasive Networks Bilogrevic, Igor; Jadliwala, Murtuza; Lam, Istvan; Aad, Imad; Ginzboorg, Philip; Niemi, Valtteri; Bindschaedler, Laurent; Hubaux, Jean-Pierre. Pervasive Computing Lecture Notes in Computer Science, 2012, Vol. 7319, 370-387. doi: 10.1007/978-3-642-312052_23. Abstract: In this paper, we address the important issue of privacy in pervasive communities by experimentally evaluating the accuracy of an adversary-owned set of wireless sniffing stations in reconstructing the communities of mobile users. During a four-month trial, 80 participants carried mobile devices and were eavesdropped on by an adversarial wireless mesh network on a university campus. Our results provide empirical evidence about the two distinct levels of community information leakage to external observers, who may be able to infer with high accuracy the different social groups and generic communities of people in pervasive networks, while being much less accurate in determining the affiliation of any particular individual to a community.

Youth, Privacy and Reputation (Literature Review) Marwick, Alice E.; Murgia-Diaz, Diego; Palfrey Jr., John G. Berkman Center Research Publication No. 2010-5 and Harvard Public Law Working Paper No. 10-29. 2010. Abstract: The scope of this literature review is to map out what is currently understood about the intersections of youth, reputation, and privacy online, focusing on youth attitudes and practices. We summarize both key empirical studies from quantitative and qualitative perspectives and the legal issues involved in regulating privacy and reputation. This project includes studies of children, teenagers, and younger college students. For the purposes of this document, we use teenagers or adolescents to refer to young people ages 13-19; children are considered to be 0-12 years old. However, due to a lack of large-scale empirical research on this topic, and the prevalence of empirical studies on college students, we selectively included studies that discussed age or included age as a variable. Due to language issues, the majority of this literature covers the United States, the United Kingdom, the European Union, and Canada.

Location-Sharing Technologies: Privacy Risks and Controls Tsai, Janice; Kelley, Patrick Gage; Cranor, Lorrie Faith; Sadeh, Norman. Telecommunications Policy Research Conference, 2009. Abstract: Due to the ability of cell phone providers to use cell phone towers to pinpoint users' locations, federal E911 requirements, the increasing popularity of GPS capabilities in cellular phones, and the rise of cellular phones for Internet use, a plethora of new applications have been developed that share users' real-time location information online. We find that although the majority of our respondents had heard of location-sharing technologies (72.4%), they do not yet understand the potential value of these applications, and they have concerns about sharing their location information online. Most importantly, participants are extremely concerned about controlling who has access to their location. Generally, respondents feel the risks of using location-sharing technologies outweigh the benefits. Respondents felt that the most likely harms would stem from revealing the location of their home to others or being stalked. People felt the strongest benefits were being able to find people in an emergency and being able to track their children. We then analyzed existing commercial location-sharing applications' privacy controls (n = 89). We find that while location-sharing applications do not offer their users a diverse set of rules to control the disclosure of their location, they offer a modicum of privacy.

Parents, Teens and Online Privacy Madden, Mary; Cortessi, Sandra; Gasser, Urs; Lenhart, Amanda; Duggen, Maeve. Pew Internet and American Life Project and the Berkman Center for Internet and Society at Harvard University, November 7, 2012. Findings: Eighty-one percent of parents of online teens say they are concerned about how much information advertisers can learn about their child's online behavior, with some 46% being very concerned. Seventy-two percent of parents of online teens are concerned about how their child interacts online with people they do not know, with some 53% of parents being very concerned. Sixty-nine percent of parents of online teens are concerned about how their child's online activity might affect their future academic or employment opportunities, with some 44% being very concerned about that. Sixty-nine percent of parents of online teens are concerned about how their child manages his or her reputation online, with some 49% being very concerned about that. Some of these expressions of concern are particularly acute for the parents of younger teens; 63% of parents of teens ages 12-13 say they are very concerned about their child's interactions with people they do not know online and 57% say they are very concerned about how their child manages his or her reputation online.

Privacy Management on Social Media Sites Madden, Mary. Pew Internet and American Life Project, February 2012. Overview: Social network users are becoming more active in pruning and managing their accounts. Women and younger users tend to unfriend more than others. About two-thirds of Internet users use social networking sites (SNS) and all the major metrics for profile management are up, compared to 2009: 63% of them have deleted people from their friends lists, up from 56% in 2009; 44% have deleted comments made by others on their profile; and 37% have removed their names from photos that were tagged to identify them. Some 67% of women who maintain a profile say they have deleted people from their network, compared with 58% of men. Likewise, young adults are more active unfrienders when compared with older users.

Is Online Trust and Trust in Social Institutions Associated with Online Disclosure of Identifiable Information Online? Mesch, Gustavo S. Computers in Human Behavior, July 2012, Vol. 28, No. 4, 1471-1477. doi: http://dx.doi.org/10.1016/j.chb.2012.03.010. Abstract: This study investigated the association between trust in individuals, social institutions and online trust on the disclosure of personal identifiable information online. Using the Internet attributes approach that argues that some structural characteristics of the Internet such as lack of social cues and controllability are conducive to a disinhibitive behavior it was expected that face-to-face trust and online trust will not be associated. In contrast with the Internet attribute approach, the effect of trust in individuals and institutions was indirectly associated with the disclosure of identifiable information online. Trust in individuals and institutions were found to be associated with online trust. However, online trust only was found to be associated with the disclosure of personal identifiable information. While trust online encourages the disclosure of identifiable information, perception of privacy risks predicted refraining from posting identifiable information online. The results show a complex picture of the association of offline and online characteristics on online behavior.

Privacy Is Dead: The Birth of Social Media Background Checks Saunders, Sherry Denise. Southern University Law Review, March 2012. Abstract: For years employers have used social networking sites (SNS) such as Facebook, Twitter, MySpace, Google and LinkedIn to dig up incriminating evidence on prospective or current employees. Now credit reporting agencies (CRA) may conduct social media background checks on employees as well. The Federal Trade Commission (FTC) has given companies, like Social Intelligence, the stamp of approval to rummage around the Internet for anything a potential job candidate has done or said online in the past seven years. Both CRAs and employers must comply with the Fair Credit Reporting Act (FCRA). This article addresses the legal ramifications of social media background checks and the difficulty in applying the FCRA to this new employment practice.

The Writing on the (Facebook) Wall: The Use of Social Networking Sites in Hiring Decisions Brown, Victoria R.; Vaughn, E. Daly. Journal of Business and Psychology, June 2011, Vol. 26, No. 2, 219-225. doi: 10.1007/s10869-011-9221-x. Abstract: The popular media has reported an increase in the use of social networking sites (SNSs) such as Facebook by hiring managers and human-resource professionals attempting to find more detailed information about job applicants. Within the peer-reviewed literature, cursory empirical evidence exists indicating that others' judgments of characteristics or attributes of an individual based on information obtained from SNSs may be accurate. Although this predictor method provides a potentially promising source of applicant information on predictor constructs of interest, it is also fraught with potential limitations and legal challenges. The level of publicly available data obtainable by employers is highly unstandardized across applicants, as some applicants will choose not to use SNSs at all while those choosing to use SNSs customize the degree to which information they share is made public to those outside of their network. It is also unclear how decision makers are currently utilizing the available information. Potential discrimination may result through employers' access to publicly available pictures, videos, biographical information, or other shared information that often allows easy identification of applicant membership to a protected class.

Personalization and Privacy: A Survey of Privacy Risks and Remedies in Personalization-Based Systems Toch, Eran; Wang, Yang; Cranor, Lorrie Faith. User Modeling and User-Adapted Interaction, April 2012, Vol. 22, No. 102, 203-220. doi: 10.1007/s11257-011-9110-z. Findings: This article has reviewed several privacy risks related to personalization and discussed technologies and architectures that can help designers build privacy-preserving personalization systems. While no silver bullet exists there are technologies and principles that can be used to eliminate, reduce and mitigate privacy risks. Furthermore, existing approaches are not mutually exclusive and should be considered as complementary in protecting users' privacy in personalized systems. Pseudonymous profiles and aggregation can be used when personalization information need not be tied to an identifiable user profile. Client-side profiles are useful when personalization services can be performed locally. User controls should always be considered on top of other technical approaches as they will likely make the personalized system more usable and trustworthy. We envision advances in all of these areas and more systems that incorporate multiple techniques in their privacy protection mechanisms.

Real Name Verification Law on the Internet: A Poison or Cure for Privacy?

Cho, Daegon. Economics of Information Security and Privacy III, 2013, 239-261. doi: 10.1007/978-1-4614-1981-5_11.

Abstract: This study examines the effects of Real Name Verification Law in several aspects. By applying content analysis to abundant data of postings in a leading discussion forum that is subject to the law, the results suggest that Real Name Verification Law has a dampening effect on overall participation in the short-term, but the law did not affect the participation in the long term. Also, identification of postings had significant effects on reducing uninhibited behaviors, suggesting that Real Name Verification Law encouraged users' behavioral changes in the positive direction to some extent. The impact is greater for Heavy User group than for Light and Middle User groups. Also, discussion participants with their real names showed more discreet behaviors regardless of the enforcement of the law. By analyzing the effect of this policy at the forefront of Internet trends of South Korea, this paper can shed light on some useful implications and information to policy makers of other countries that may consider certain type of Internet regulations in terms of privacy and anonymity.

The Impact of Information Security Failure on Customer Behaviors: A Study on a Large-Scale Hacking Incident on the Internet

Lee, Min Jae; Lee, Jin Kyu. Information Systems Frontiers, April 2013, Vol. 14, No. 2, 375-393. doi: 10.1007/s10796-010-9253-1.

Abstract: This research examines the responses of online customers to a publicized information security incident and develops a model of retreative behaviors triggered by such a security incident. The model is empirically tested using survey data from 192 users of a recently compromised website. The results of the data analyses suggest that an information security incident can cause a measurable negative impact on customer behaviors, although the impact seems to be largely limited to that particular website. The tested model of retreative behaviors indicates that perceived damage and availability of alternative shopping sources can significantly increase retreative behaviors of victimized customers, while perceived relative usefulness and ease-of-use of the website show limited effects in reducing such behaviors.

Measuring the Effectiveness of Privacy Tools for Limiting Behavioral Advertising

Balebako, Rebecca; Leon, Pedro G.; Shay, Richard; Ur, Blas; Wang, Yang; Cranor, Lorrie Faith. Web 2.0 Workshop on Security and Privacy, May 2012.

Abstract: Online Behavioral Advertising (OBA) is the practice of tailoring ads based on an individual's activities online. Users have expressed privacy concerns regarding this practice, and both the advertising industry and third parties offer tools for users to control the OBA they receive. We provide the first systematic method for evaluating the effectiveness of these tools in limiting OBA. We first present a methodology for measuring behavioral targeting based on web history, which we support with a case study showing that some text ads are currently being tailored based on browsing history. We then present a methodology for evaluating the effectiveness of tools, regardless of how they are implemented, for limiting OBA. Using this methodology, we show differences in the effectiveness of six tools at limiting text-based behavioral ads by Google. These tools include opt-out webpages, browser Do Not Track (DNT) headers, and tools that block blacklisted domains. Although both opt-out cookies and blocking tools were effective at limiting OBA in our limited case study, the DNT headers that are being used by millions of Firefox users were not effective.

Understanding What They Do With What They Know

Wills, Craig E.; Tatar, Can. Proceedings of the 2012 ACM Workshop on Privacy in the Electronic Society, 13-18. doi: 10.1145/2381966.2381969.

Abstract: This work seeks to understand what they (Web advertisers) actually do with the information available to them. We analyze the ads shown to users during controlled browsing as well as examine the inferred demographics and interests shown in Ad Preference Managers provided by advertisers. In an initial study of ad networks and a focused study of the Google ad network, we found many expected contextual, behavioral and location-based ads along with combinations of these types of ads. We also observed profile-based ads. Most behavioral ads were shown as categories in the Ad Preference Manager (APM) of the ad network, but we found unexpected cases where the interests were not visible in the APM. We also found unexpected behavior for the Google ad network in that non-contextual ads were shown related to induced sensitive topics regarding sexual orientation, health and financial matters. In a smaller study of Facebook, we did not find clear evidence that a user's browsing behavior on non-Facebook sites influences the ads shown to the user on Facebook, but we did observe such influence when the Facebook Like button is used to express interest in content. We did observe Facebook ads appearing to target users for sensitive interests with some ads even asserting such sensitive information, which appears to be a violation of Facebook's stated policy.

A Personalized Approach to Web Privacy: Awareness, Attitudes and Actions

Willis, Craig E.; Zeljkovic, Mihajlo. Information Management & Computer Security, Vol. 1, No. 1, 53-73. doi: 10.1108/09685221111115863.

Findings: It was found that 63% of users agreed with a statement of concern for third parties monitoring activities, about half of the respondents agreed with a concern for knowledge about a user's location and a little more than half agreed to concern about inference of demographic information. It was found that females are more concerned about these issues than males. In terms of possible actions, a majority of users report using an ad blocker tool and even more delete cookies at least some amount of time. Using an opt-out mechanism or removing browser history is done by less than 20% of users. Despite expressing more concern for information known by third parties, females are not significantly more likely to take actions that may limit what is leaked to these third parties. A contributor to this discrepancy is that females were much less likely to know their settings for many of the actions, indicating less familiarity with them.

Personal Information Privacy and Emerging Technologies

Conger, Sue; Pratt, Joanne H.; Loch, Karen D. Information Systems Journal, May 2012. doi: 10.1111/j.1365-2575.2012.00402.x.

Summary: Existing privacy research analyses transactions between individuals and organisations. The expanded model presented in this paper includes the other organisations that are parties to those transactions. The model also allows for a new aspect of PIP: that personal data have a life of their own. After its movement from first party individual to second party vendor/provider, data move to third party integrators who develop an individual history that incorporates significant public and private data. The model highlights interorganisational data sharing and enables discussion of shortcomings of current privacy practices. Emerging technologies demonstrate how new nano-sized technologies for location awareness and programmable remote action continue to evolve privacy issues. The perspective is that personal privacy is important but it must counterbalance realities of escalating terrorism and a need for some personal privacy erosion in the interest of social good. However, maintaining a balance between individual control of personal information and protection of societal needs should be a public discussion informed by further privacy research.

See more at: http://journalistsresource.org/studies/society/internet/the-state-ofinternet-privacy-in-2013-research-roundup

Sources:
http://www2.hawaii.edu/~nguyen/web/literature2.htm
http://www.w3.org/History.html
