Media Contacts:
Dr. Annie Antón, 919/515-5764
Mick Kulikowski, News Services, 919/515-3470

Nov. 17, 2003

Computer Engineer Gets NSF Grant to Study Web Privacy, Security

FOR IMMEDIATE RELEASE

It’s only fair to assume that, when you go online to buy a plane ticket or pharmaceuticals, your personal information will be used only for those specific purposes, right?

Unfortunately, says Dr. Annie Antón, associate professor of software engineering at North Carolina State University and an expert in Web security and privacy issues, in the rush to provide online services, many companies have failed to consider privacy and security issues, and therefore have privacy policies, software systems and enforcement policies that are misaligned.

Antón is the principal investigator for a new, four-year, $920,000 grant from the National Science Foundation that will attempt to provide concepts, software tools and techniques to address Web-based privacy issues. Further, Antón hopes to help consumers, software engineers and companies speak the same language when talking about privacy and security.

“The project focuses on how you specify privacy policy; how you specify the requirements for the software systems those privacy policies govern; how you ensure the requirements are in compliance with policies, and how you enforce those policies,” Antón says.

The project has three main objectives, according to Antón. The first is to provide consumers, or end-users, help to better manage their own privacy online.

“We want to enable people to know who has what information about you, and let consumers specify what companies can and can’t do with personal information,” she said. “Right now, there is no technological support for this.”

The second objective is to help people – like security architects and software engineers who write privacy policies – come to terms with the specifics of privacy policies and the requirements necessary to maintain the confidentiality of customer information.

“People specifying policy don’t necessarily worry about who has to read the policy,” Antón says. “Some of our previous research has shown that privacy policies are impossible to read. We want our tools to help establish a language that conveys the same meaning to everyone involved.”

This summer Antón’s research team completed a study that examined 40 online privacy statements from nine financial institutions covered by the Gramm-Leach-Bliley Act (GLBA). That act, which became effective in July 2001, requires financial institutions to protect the security and confidentiality of nonpublic personal information for distribution beyond the institution.

Antón and her colleagues found that the privacy statements, which are required by law to be “clear and conspicuous,” were in many cases neither clear nor conspicuous. The study also found that most policies require a reading skill considerably higher than the Internet population’s average literacy level.

The project’s third objective is meant to assist corporations with policy monitoring and enforcement, Antón says.

“Companies genuinely are concerned about complying with privacy laws,” Antón says. “We’re trying to develop a tool that will help companies monitor their Web sites, find conflicts or privacy violations, and fix them before they become a major problem. Right now, there are no tools available to help companies monitor their sites in this manner.”

Antón stresses that the technologies being developed on this project – which focuses mostly on the health care industry – will be general enough for other uses. They will also be readily available on The Privacy Place Web site. Antón created the site to serve as a forum for Web privacy and security issues and as a repository for tools, concepts, survey results and other data that might help align privacy policies, software and governance on the Web.

Collaborators on the NSF project include faculty from NC State’s College of Management and Georgia Institute of Technology’s College of Computing.

- kulikowski -