Privacy Practices of Israeli Public Web Sites
Assuming a non-deterministic view of technology, and assuming that privacy is a basic human right that is not obliterated by digital technology, how best should we regulate it? Several natural candidates offer themselves for this task: the law, market forces, and privacy-enhancing technology. Different countries around the world are experimenting with these mechanisms. Israel, like EU countries, opted for a detailed legal regime that regulates various information practices, such as the collection of information, its retention in databases, its processing and its use.
This research investigates the success -- or the limits -- of the law in protecting users' privacy in the digital environment. We examined active "public Israeli web sites" (gov.il, muni.il, ac.il), determined which of these collect information, and examined the privacy practices of those that do.
We found a very low level of compliance with legal requirements such as providing a notice to users, let alone a comprehensible one. On the other hand, we found that these web sites engage in some privacy practices in excess of the legal requirements, especially with regard to data security.
We attempt to explain these findings in terms of an enforcement failure, of the gap between the law on the books and the law in action, and of the interrelationship between the law, technology and the market.
In this talk, we would like to present these findings, assess their meaning, and discuss future avenues of the research (under an ISF grant), including the need to learn the contents of communications between client and server, in order to be able to assess the actual data flow, to compare it to legal requirements and to stated privacy policies.
Joint work with Niva Elkin-Koren.