Privacy Resource Center

On this site, we are collecting valuable resources on electronic privacy that our team has written, read and/or judged as particularly noteworthy to share.

The Privacy Legal Environment and its Evolution

Fair Information Practices ("FIPs")

Fair Information Practices are the governing privacy principles in the US.

OECD Privacy Guidelines

Together with the FIPs, the OECD Guidelines are widely accepted as an outline for governing data protection and transborder information flows beyond Europe.

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
Note: a revision was submitted by the Commission on 25th Jan 2012.

This is the core European legal framework. It is currently under revision; consequently it is important to recognize the enhancements proposed on 25th of Jan 2012 (in particular concepts like: data portability; data breach notifications; privacy by design; privacy impact assessments; a right to delete…).

Safe Harbor Principles

An agreement for data transfers between the US and the EU which works only marginally well due to a lack of oversight and missing sanctions.

There is a debate going on whether it wouldn't make sense to propertize personal data. This debate is centered in the US, although it may make sense in the European context as well, especially since the EU Directives already grant individuals a lot of rights that would support exercising property rights over personal data.

Privacy Principles – What is Privacy?

These articles give a fantastic overview of what privacy is and how it has been conceptualized over time.

Greenleaf, G., "Global Data Privacy in a Networked World", in: Research Handbook on Governance of the Internet, ed. I. Brown, 2011.

Excellent overview article of the current legal landscape and the privacy principles found therein.

  • Rost, M. (2011) Datenschutz in 3D. DUD - Datenschutz und Datensicherheit, 5, 351-354.
  • Bock, K. & Rost, M. (2011) Privacy by Design und die Neuen Schutzziele. Datenschutz und Datensicherheit, 1, 30-35.
  • Pfitzmann, A. & Rost, M. (2009) Datenschutzziele - revisited. Datenschutz und Datensicherheit, 6, 353-358.

These articles derive privacy targets from privacy principles; privacy targets (German: "Schutzziele") are what engineers can concretely aim for when they plan technical systems.

Privacy Engineering and Privacy Methodologies

Cavoukian, A. (2011) Privacy by Design...Take the Challenge, Information and Privacy Commissioner of Ontario, Canada.

This framework has been very influential, because the term "Privacy by Design" was coined here; the privacy design goals are well outlined.

Spiekermann, S., Cranor, L., "Engineering Privacy", IEEE Transactions on Software Engineering, Vol. 35, No. 1, January/February 2009, pp. 67-82.

This paper is one of the few that gives an overview of what privacy engineering actually means; its most important contribution is the concept of privacy by architecture and a model to analyze the identifiability of personal data.

Privacy Impact Assessments (PIAs) are a key tool for creating privacy by design. The BSI guideline is a very good guide on how a privacy impact assessment can be conducted step by step so that privacy by design is the outcome; it focuses specifically on RFID. The more general and expanded article on how to conduct a PIA, and how to conceive of PIAs as a tool, is recommendable (written by the same team that developed the BSI RFID guideline).
Roger Clarke is one of the thought leaders on PIAs, and David Wright has taken up the effort to promote PIAs in Europe.

Privacy Enhancing Technologies

London Economics, July 2010, "Study on the economic benefits of privacy enhancing technologies (PETs)", prepared for European Commission DG JUST.

This paper summarizes the landscape of PETs and how these have been and can be categorized. It includes pointers to much further PET literature.

Looking back at P3P, Ari Schwartz, November 2009, http://www.w3.org/P3P/.

Machine-readable privacy policies that allow for privacy negotiations between data subjects and data controllers may be key in the future. A first project and technology in this direction was P3P.

The Laws of Identity

This is a very influential concept that was put forward by Kim Cameron, who was a major privacy guru at Microsoft. The idea is that we should have an identity layer between the user and the virtual world that protects people's identities.

Acquisti, A. (2009) Nudging Privacy - The Behavioral Economics of Personal Information. In: IEEE Security & Privacy, Vol. 7, pp. 82-85. IEEE Computing Society.

This article summarizes a recently emerged concept proposing that people should be supported in making rational privacy decisions through more paternalistic systems and defaults.

ISO (2011) Information Technology - Security techniques - Privacy architecture framework. ISO/IEC JTC 1/SC 27 N10556, DIN Deutsches Institut für Normung e.V.

This document contains an excellent list of privacy principles, although the term privacy targets could have been chosen as well; in particular, it creates a link between what needs to be protected (principles) and what protection measures can actually be taken.

Privacy Behavior

Berendt, B., Günther, O., Spiekermann, S., "Privacy in E-Commerce: Stated Preferences vs. Actual Behavior", Communications of the ACM (CACM), Vol. 48, No. 3, 2005, pp. 101-106.

This article reports on how the "Privacy Paradox" was discovered.

Acquisti, A. & Grossklags, J. (2005) Privacy and Rationality in Individual Decision Making. In: IEEE Security & Privacy, Vol. 3, pp. 26-33.

This article gives a very good overview of how theories of behavioral economics can be transferred to the privacy domain; the main argument is that people are not rational when they make privacy decisions.

Smith, J. H., Milberg, S. J. & Burke, S. J. (1996) Information Privacy: Measuring Individuals' Concerns About Organizational Practices. MIS Quarterly, 20, 2, 167-196.

Smith's paper is still valid today. It summarizes all the major privacy dimensions that people seem to be concerned about and includes privacy scales.

Iachello, G. & Hong, J. (2007) End-User Privacy in Human-Computer Interaction. Foundations and Trends in Human-Computer Interaction, 1, 1, 1-137.

This article gives an excellent overview of privacy research up to 2007 and includes many of the major privacy frameworks that have been proposed by scholars and that summarize people's concerns from multiple perspectives.

Other recommendable sources on privacy

These two EU projects have been at the core of privacy research, focusing to a large extent on identity management; the researchers involved are thought leaders in the field of privacy research.

http://www.rogerclarke.com/DV/#PETs

Excellent collection by Roger Clarke of links to privacy and security sources, including technological solutions to ensure privacy (PETs).

http://www.heinz.cmu.edu/~acquisti/economics-privacy.htm

Excellent collection by Alessandro Acquisti of links to papers on the behavioral economics of privacy.