Dr. Annie Antón,
News Services, 919/515-3470
Engineer Gets NSF Grant to Study Web Privacy, Security
It’s only fair to assume that, when you go online to buy a plane ticket or pharmaceuticals, your personal information will be used only for those specific purposes, right?
Unfortunately, says Dr. Annie Antón, associate professor of software engineering at North Carolina State University and an expert in Web security and privacy issues, in the rush to provide online services, many companies have failed to consider privacy and security issues, and therefore have privacy policies, software systems and enforcement policies that are misaligned.
Antón is the principal investigator for a new, four-year, $920,000 grant from the National Science Foundation that will attempt to provide concepts, software tools and techniques to address Web-based privacy issues. Further, Antón hopes to help consumers, software engineers and companies speak the same language when talking about privacy and security.
“The project focuses on how you
for the software systems those privacy policies govern;
how you ensure the requirements are in compliance with
policies, and how you enforce those policies,”
The project has three main objectives,
according to Antón. The first is to provide consumers,
or end-users, help to better manage their own privacy
“We want to enable people to know who has what information about you, and let consumers specify what companies can and can’t do with personal information,” she said. “Right now, there is no technological support for this.”
The second objective is to help people – like security architects and software engineers who write privacy policies – come to terms with the specifics of privacy policies and the requirements necessary to maintain the confidentiality of customer information.
specifying policy don’t necessarily worry about
who has to read the policy,” Antón says.
“Some of our previous research has shown that privacy policies are impossible to read. We want our tools to help establish a language that conveys the same meaning to everyone involved.”
This summer Antón’s research team completed a study that examined 40 online privacy statements from nine financial institutions covered by the Gramm-Leach-Bliley Act (GLBA). That act, which became effective in July 2001, requires financial institutions to protect the security and confidentiality of nonpublic personal information for distribution beyond the institution.
Antón and her colleagues found that the privacy statements, which are required by law to be “clear and conspicuous,” were in many cases neither clear nor conspicuous. The study also found that most policies require a reading skill considerably higher than the Internet population’s average
The project’s third objective is meant to assist corporations with policy monitoring and enforcement, Antón says.
“Companies genuinely are concerned about complying with privacy laws,” Antón says. “We’re trying to develop a tool that will help companies monitor their Web sites, find conflicts or privacy violations, and fix them before they become a major problem. Right now, there are no tools available to help companies monitor their sites in this manner.”
stresses that the technologies being developed on this
project – which focuses mostly on the health care
industry – will be general enough for other uses.
They will also be readily available on The Privacy Place Web site. Antón created the site to serve as a forum for Web privacy and security issues and as a repository for tools, concepts, survey results and other data that might help align privacy policies, software and governance on the Web.
Collaborators on the NSF project include faculty from NC State’s College of Management and Georgia Institute of Technology’s College of Computing.