September 26, 2007 8:24 AM
Consumer personal and context data security concerns
Ubiquitous internet access and the globalization of human civilization have encouraged both sellers and buyers to approach each other beyond national borders. Irrespective of language, law and culture limitations, people want to know, learn and practice new ways of life.
This intermingling of people has encouraged web service providers to cater to people from different parts of society and to honor the laws and languages of different nations. Web service providers collect visitor personal and context data in order to know about:
- the popularity and reachability of their service
- consumer interests, in order to provide better service
The collected data is used internally for marketing research, and much useful information is extracted from it. The service provider uses this information to advance its business by providing better online service specially implemented for different parts of the world and individualized services for the consumer; the information may also be released to research organizations for global research. This silent and hidden data collection inflicts fear in consumers that results in either apprehension in use or prohibition of the web service. Competition between service providers inhibits sharing of the specification of the collected data. As a result, different data may be collected by different web service providers, and the consumer is unaware of the personal data that is collected by the website. The internet user has many questions:
- What user data is collected by the website?
- What will web service provider do with this data?
- What are the risks in sharing data?
- What are the advantages of sharing data?
- How can provider inform consumer about the data that is collected?
- How can consumer control collection of data?
- How does provider secure collected data?
What user data is collected by the website?
Some samples of data that may be collected by a website are listed here; this is not an exhaustive list of the data a website may collect.
Personal data: A website may silently collect data for traffic statistics. This data is also called log data and includes the visitor's IP address, the type of browser used, the IRIs of web pages visited, time spent per page, etc. A website may also ask the user to input data in online forms; this may be contact information, credit card information or information about individual interests.
Context data: A website may also collect context data based on user behavior, such as the inlink IRI (to know the point of reference to the website) and the outlink IRI (to know how and when the user exits, and whether he/she returns to the website after visiting the external reference). What search terms does the user enter in the "Google Search" box provided on the website, and is the search conducted on the WWW or on the website? What external search terms directed the user to this website?
What will web service provider do with this data?
Many business and marketing decisions are driven by the personal and context data collected by websites. This data is used in a similar manner to free/paid surveys. If some number 'n' of visits from a region show an interest in a product, this reflects the popularity of the product in that area. This may lead to marketing research by the organization to find a business opportunity.
Personal data: A website uses personal data to provide secure access to information and to allow users to save private context data on web servers. Most e-businesses provide a login/password in order to protect their online data, to collect personal/context data, and to allow the user to store e-business context information such as current orders, order status, order history, etc. The service provider can send notice of new sales to the user's e-mail address or home/office address, etc.
Context data: A website uses context data to advance its business and provide better service to the consumer. Interest from multiple users in a product that is not available on the e-business website may encourage the provider to explore the business opportunity. If a user is not able to find the relevant data on the website, or if there is information associated with the user's search terms, a personalized e-mail may be sent to the user's e-mail address.
What are the risks in sharing data?
Spam, spoofing and phishing are some of the risks of online data transactions; consumer apprehension and prohibition are the dangers of data collection. Denial of service by the provider to a consumer who refuses to share data can be the provider's policy. A stolen identity may disturb finances and peace of mind.
User to provider: Log data is the visitor's footprint on the internet. In addition to the website's data collection, the web user's activity can be watched at home or in the office. An individual may be targeted by international terrorists or internet culprits who track log data. In the case of solicited data, the consumer consciously provides data by agreeing to the published privacy policy.
Service provider to 3rd party: The contract between the two parties governs data ownership and security policies. The web user who provided the data may not be aware of the identity of the 3rd party who has access to it. A security breach due to 3rd party negligence may result in consumer annoyance. The service provider is at risk of losing the consumer unless it is ensured that the 3rd party will also honor the consumer's interest.
What are the advantages of sharing data?
Consumers can receive personalized service. Shared data is used for research, business advancement and new inventions. If you like thing X in color Y and you search for it on the internet, it is very likely that the search term is logged. This search may soon lead to a new product X in color Y in your vicinity. Log data is also used to catch international terrorists and internet culprits such as hackers and spammers.
How can provider inform consumer about the data that is collected?
Most websites include a "Privacy Policy" web page to inform the user about the data collected. This web page includes a human-readable text description of the policy and is written in the regional language. For the human-readable text to be trusted by the consumer, the service provider may display regulatory compliance and audit seals and certificates on the website. Web technologies have defined the P3P specification for machine-readable policies. A provider can publish and configure different P3P policies for sections of the website or have a single policy for the complete website. If the website uses cookies to collect data, the P3P policy must include the policy for the data collected by the cookie. The compact P3P policy is published to control cookie data collection and is carried in the HTTP response header; the browser can decode this policy and prompt the user according to the browser's privacy settings. The advantage of providing a website P3P policy is that it gives the visitor better control over the data that is collected by the website. A website that has deployed a P3P policy will not collect personally identifiable data with cookies unless the P3P policy has been fetched by the browser and the fetched policy complies with the browser privacy setting configured by the user.
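An added example (Python; not code from the original post or from any browser) of the browser-side step just described: parse the compact policy (CP) out of a P3P response header and decide whether to accept the cookie under a user privacy setting. The response headers are constructed, and the low/medium/high rules are a simplified illustration of the mechanism, not any real browser's algorithm.

```python
import re

# Constructed HTTP response headers (not from any real site): the P3P header
# carries the compact policy (CP) for the cookie set in the same response.
SAMPLE_HEADERS = {
    "Set-Cookie": "visitor=abc123; Path=/",
    "P3P": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR ADMa DEVa TAIa OUR BUS NAV INT"',
}

# CP tokens naming identifiable data categories, and purposes that may carry a
# consent suffix (a = always, i = opt-in, o = opt-out); CUR never takes one.
IDENTIFIABLE = {"PHY", "ONL", "FIN", "GOV", "UNI"}
OPTIONAL_PURPOSES = {"ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}

def parse_compact_policy(p3p_header):
    """Return the CP tokens from a P3P header value, or None if there is no CP."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', p3p_header or "")
    return m.group(1).split() if m else None

def token_requirement(token):
    """Split 'ADMo' into ('ADM', 'opt-out'); an unsuffixed token means 'always'."""
    suffix = {"a": "always", "i": "opt-in", "o": "opt-out"}
    if len(token) == 4 and token[-1] in suffix:
        return token[:3], suffix[token[-1]]
    return token, "always"

def cookie_decision(headers, setting):
    """Accept or reject the response's cookie under a user privacy setting.
    The rules are a constructed illustration, not any browser's real algorithm:
    low    - accept everything;
    medium - require a compact policy, and allow identifiable data only when
             every optional purpose offers the visitor opt-in or opt-out;
    high   - reject any cookie whose policy covers identifiable data."""
    if "Set-Cookie" not in headers:
        return "no-cookie"
    if setting == "low":
        return "accept"
    tokens = parse_compact_policy(headers.get("P3P"))
    if tokens is None:
        return "reject: no compact policy"
    identifiable = IDENTIFIABLE & set(tokens)
    if setting == "high":
        return "reject: identifiable data" if identifiable else "accept"
    if identifiable:
        for tok in tokens:
            purpose, required = token_requirement(tok)
            if purpose in OPTIONAL_PURPOSES and required == "always":
                return "reject: identifiable data without opt-in/opt-out"
    return "accept"
```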
The P3P specification provides standard structures for the commonly collected log data and, by means of the EXTENSION element, a mechanism to include proprietary log data structures. The log data structure in the P3P policy, along with the text description in the human-readable policy, will eliminate the user's fear of an unknown data collection policy and also educate the web user about the significance of the collected data.
How can consumer control collection of data?
Consumers can control the collection of personal/context data by not visiting websites that have published a data collection policy not amiable to the consumer. Web technologies provide the following mechanisms for consumers to control data collection:
Set policy preference in browser: The privacy option in internet settings has options to configure 1st party and 3rd party cookie acceptance. This setting will allow/block cookies irrespective of the web page's P3P policy.
Access mechanism in P3P policy: The access mechanism in P3P has three options: "always", "opt-in", "opt-out". Data that is flagged "always" does not give the website visitor any option and is always collected. The website visitor can choose to provide or reject a request for data that is flagged "opt-in" or "opt-out" respectively; the mechanism to opt in or opt out is specified either in the human-readable privacy policy or may be provided dynamically as forms or pop-ups on the website.
Interactive user interface on website: Websites that do not publish a P3P policy use forms and pop-ups to seek user consent for data collection.
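An added example (Python; not from the original post) covering both the standard data structures plus EXTENSION element described earlier and the "always"/"opt-in"/"opt-out" flags above: a constructed P3P 1.0 policy for a hypothetical shop (example.com and the log: extension namespace are placeholders) is parsed to show, per STATEMENT, which data elements are collected, the consent requirement each purpose carries, and any proprietary extension, and then which data the visitor cannot refuse.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed P3P 1.0 policy for a hypothetical shop; example.com is a placeholder.
POLICY_XML = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="site" discuri="http://example.com/privacy.html">
  <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Shop</DATA></DATA-GROUP></ENTITY>
  <ACCESS><nonident/></ACCESS>
  <STATEMENT>
   <PURPOSE><admin/><develop/></PURPOSE>
   <RECIPIENT><ours/></RECIPIENT>
   <RETENTION><stated-purpose/></RETENTION>
   <DATA-GROUP><DATA ref="#dynamic.clickstream"/><DATA ref="#dynamic.http"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
   <PURPOSE><tailoring required="opt-out"/><contact required="opt-in"/></PURPOSE>
   <RECIPIENT><ours/></RECIPIENT>
   <RETENTION><business-practices/></RETENTION>
   <DATA-GROUP><DATA ref="#user.home-info.online.email"/><DATA ref="#dynamic.searchtext"/></DATA-GROUP>
   <EXTENSION optional="yes"><log:outlink xmlns:log="http://example.com/p3p-ext"/></EXTENSION>
  </STATEMENT>
 </POLICY>
</POLICIES>"""

def summarize_policy(xml_text):
    """One dict per STATEMENT: purposes with their consent requirement (the
    'required' attribute, default 'always'), data refs and EXTENSION children."""
    root = ET.fromstring(xml_text)
    summary = []
    for stmt in root.iter(NS + "STATEMENT"):
        purposes = {p.tag[len(NS):]: p.get("required", "always")
                    for p in stmt.find(NS + "PURPOSE")}
        refs = [d.get("ref") for d in stmt.iter(NS + "DATA")]
        exts = [c.tag for ext in stmt.iter(NS + "EXTENSION") for c in ext]
        summary.append({"purposes": purposes, "data": refs, "extensions": exts})
    return summary

def data_without_choice(summary):
    """Data refs tied to at least one 'always' purpose: the visitor cannot
    refuse them short of not visiting the site."""
    return sorted({ref for s in summary if "always" in s["purposes"].values()
                   for ref in s["data"]})
```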
How does provider secure collected data?
The collected data is secured by the web service provider:
During data collection transaction: Data is collected over Secure Socket Layer (SSL) connections. SSL connections encrypt the data and provide checksum and digital certificate protection against data corruption and spoofing.
In storage during the retention period: Data is stored on servers behind a firewall to protect against unauthorized access. Strict information security policies are practiced within the organization to avoid security breaches due to computer/network system failure or employee mishandling.
Conclusion: Build a website that infuses confidence in visitors by informing them what data is collected, how this data is secured and how this data is used. Unless necessary, provide open access to information on the website and collect minimal data. Many free content websites require a user login/e-mail and password in order to collect user behavior context data; this may deter many interested readers. Syndication methods like RSS/ATOM feeds may be used to communicate with visitors. Add machine-readable P3P and human-readable text policies to the website to give the consumer better control over data. Web technologies must be used to build a simple and secure website. Integrating P3P policies stored on the web server with the user interface (i.e. the browser) and with the data storage systems behind the firewall will automate the data collection process and security audits, thus infusing trust in the web user. Data-rich applications such as an "open market" for the semantic web and smart stores will provide better data collection policy transparency with integrated P3P policies.