Digital Persona Project:

Home ||| About ||| Contact ||| Resource base

SOFTWARE AGENTS: PRIVACY INVASION VS. PRIVACY PROTECTION

Felix Stalder, April 2000, v.1.0

This is a high-level summary of major dangers to and potentials for privacy protection through software agents.
Software agents are programs that can act on behalf of an individual user and, over time, learn about to the user's unique preferences and behaviours. A certain degree of autonomy and adaptability are essential qualities of software agents.
Privacy concerns the handling of personal data. Privacy is measured in degrees. A high degree of privacy exists when the user knows what personal data is being created in the course of a transaction, who has access to this data and gives explicit consent to how the data is handled. Privacy is a major concern to all parties involved in electronic commerce. Consumers have repeatedly stated that they are concerned about their privacy. In a recent representative study conducted in October 1999 by IBM, 58% of all US respondents have stated that it is very important that Internet-companies follow strong privacy protection policies. IBM Global Services (1999). The Canadian government is about the pass extensive new privacy legislation (Bill C-6) that applies, among others, to federally regulated business. In addition to this, private industry has been encouraged to develop strong self-regulation.
Software agents based on user profiles and with the ability to negotiate on behalf of the user how this data is being communicated add important new elements to this important discussion. They possess new potential for privacy invasion and for the protection of sensitive personal data.
Privacy Invasion:

Insecure collection and storage of personal data (vulnerability to break-ins)

Communication of personal data without consent of user (data leaking)

Collection of data about the user without consent (tracking, intrusion)

Changing of behaviour over time without user consent (incorrectly interpreting user behaviour)
Privacy Protection:

Ability of agent to check of privacy policies of communication partner, e.g. web-based businesses.

Selective releasing of personal information based on user-established criteria (multiple personas)

Logging of data transfer to enhance transparency for the user

Request of minimum privacy protection before initiation communication.

Negotiation of conditions of release of personal information (market place for personal information, e.g. P3P proposal http://www.w3.org/P3P/)

Use of encryption for routine transactions (ease of use, access)

To bring out the positive potential of software agents and avoid their major pitfalls, it is important to regard privacy protection early on as a design variable, rather than as an add-on to be dealt with in usage policies. Building the technology appropriately will prevent later embarrassment of the type that DoubleClick.com is currently experiencing.
Major Literature:
Hustinx, Peter, Cavoukian, Ann (1999). Intelligent Software Agents: Turning a Privacy Threat into a Privacy Protector. Toronto, On; The Hague: Information and Privacy Commissioner/OntarioRegistratiekamer, The Hague
<http://www.ipc.on.ca/web_site.eng/matters/sum_pap/PAPERS/isat.pdf> [1.11.99]

End of Document