2094
Analyzing the Privacy of a Vickrey Auction Mechanism
Then, B
1
and B
2
communicate the local function
of X to B
3
. With this information, bidder B
3
can
¿QGRXWWKHELGRI;$QH[DPSOHRIDQDXFWLRQ
is given in Figure 1.
In practice, this kind of collusion is extremely
unlikely to occur. Let us suppose that before the
auction begins, bidders B
1
, B
2
, and B
3
make a
deal to perform that plan. Let us note that the plan
will work only if X sends both the transformation
of his or her own bid and the transformation of
some other value to bidders in the set {B
1
, B
2
,

B
3
}. Recall that after a bidder applies his or her
function, he/she freely (e.g., randomly) chooses
what bidder will receive his or her transformed
value to continue with the transformation. So,
bidders B
1
, B
2
, and B
3
must be really lucky to
be positioned in the necessary positions with
UHVSHFWWRVRPHVSHFL¿FELGGHU;RUHYHQWRDQ\
RWKHUELGGHU<WKDWZDVQRW¿[HGLQDGYDQFH,Q
particular, the probability of this risk is negligible
when the number of bidders is high.
The previous problem could be formulated the
other way around. In this case, no deal is made
EHW ZHHQWKUHHVSHFL¿FELGGHUVEHIRUHWKHDXFWLRQ
begins. Instead, after some bidder (say B
2
) notices
that he/she received some transformed value from
;WKHQKHVKHWULHVWR¿QGZKRDUHLQWKLVVSHFL¿F
case, the bidders who play the roles of B
1
and B
3

LQWKHSUHYLRXVSUHVHQWDWLRQ$IWHUKHVKH¿QGV
them, he/she can propose them to make a deal to
uncover the bid of X. However, this scenario is
not possible. Recall that once a bidder has applied
his or her local function to some value, he/she
sends two data to the next bidder in the transfor-
mation: The (partially) transformed value and a
set containing all the bidders who have already
applied their functions to this value. Hence, bidder
B
2
receives from X the set of previous bidders,
but not an ordered sequence of bidders who have
participated in this transformation. So, B
2
is not
SURYLGHGZLWKWKHQHFHVVDU\LQIRUPDWLRQWR¿QG
out who B
1
is. According to that information, B
2
can infer who B
1
is only if the size of the received
set is 2 (i.e., the transformation thread under con-
sideration is that of the transformation of the bid
of B
1
). However, even in this case B
2

is unable to
know who B
3
is.
The use of several stages in our scheme yields
a different risk of collusion. In the previous sec-
tion, we introduced some conditions that are
necessary to avoid bidders located in interme-
diate points during the decoding of the second
Bidder 1 Bidder 2 Bidder 3 Bidder 4 Bidder 5 Bidder 6
Bidder 7
Bidder 8 Bidder 9 Bidder 10
Bid
30 18 65 46 47 39
97
58 63 46
1
st
425.234 171.33 1683.41 909.87 945.367 678.261
3432.27
1374.45 1592.34 909.87
2
nd
6715.23 6461.33 7973.41 7199.87 7235.37 6968.26
9722.27
7664.4 7882.3 7199.87
3
rd
3.13306
E09

3.0146
E09
3.72007
E09
3.35917
E09
3.37573
E09
3.25111
E09
4.53602
E09
3.57592
E09
3.67759
E09
3.35917
E09
4
th
6.64109
E17
6.17765
E17
9.16682
E17
7.569
E17
7.63919
E17

7.11848
E17
1.33002
E18
8.5115
E17
8.9713
E17
7.569
E17
5
th
4.70011
E18
4.65376
E18
4.95268
E18
4.7929
E18
4.79992
E18
4.74785
E18
5.36602
E18
4.88715
E18
4.93313
E18

4.7929
E18
6
th
2.2208
E25
2.1989
E25
2.34014
E25
2.26465
E25
2.26796
E25
2.24336
E25
2.53544
E25
2.30918
E25
2.3309
E25
2.26465
E25
7
th
1.21115
E40
1.19232
E40

1.31567
E40
1.24918
E40
1.25207
E40
1.23066
E40
1.49347
E40
1.28824
E40
1.30746
E40
1.24918
E40
8
th
5.08121
E43
5.08119
E43
5.08132
E43
5.08125
E43
5.08125
E43
5.08123
E43

5.08149
E43
5.08129
E43
5.08131
E43
5.08125
E43
9
th
1.96679
E49
1.96679
E49
1.96684
E49
1.96681
E49
1.96681
E49
1.9668
E49
1.9669
E49
1.96682
E49
1.96683
E49
1.96681
E49

10
th
2.43639
E79
2.43638
E79
2.43647
E79
2.43642
E79
2.43643
E79
2.43641
E79
2.43661
E79
2.43645
E79
2.43647
E79
2.43642
E79
2
nd
highest
1
st
1.96684
E49


2
nd
5.08132
E43

3
rd
1.31567
E40

4
th
2.34014
E25

5
th
4.95268
E18

6
th
9.16682
E17

7
th
3.72007
E09


8
th
7973.41
9
th
1683.41
10
th
65
Winner
Figure 1. Example of auction
2095
Analyzing the Privacy of a Vickrey Auction Mechanism
highest bid collecting enough information to
infer the global function. However, we did not
consider a scenario where these bidders collude.
Contrarily to the previous situation, in this case
LWLVUHODWLYHO\HDV\IRUDELGGHUWR¿QGDQRWKHU
bidder to collude. Let B
2
be a bidder located in
the intermediate point between decoding stages
2 and 3. Since he/she receives a set denoting all
the bidders that have been located in intermedi-
ate points so far, he/she knows who the bidder
between stages 1 and 2 is. Let B
1
be that bidder.
B
1

and B
2
can together infer the part of the global
decoding function that applies from stage 1 to
stage 3. If four or less stages are used and one of
these bidders is the winner, then B
1
and B
2
can
uncover the global function: Since the function
that governs the transformation from stage 3 on
depends on only two parameters, the winner, who
owns two examples of its application, can infer it.
However, let us note that B
1
and B
2
FDQQRW¿QG
out who the bidders are in the rest of intermedi-
ate points (recall that the next bidder after B
2
is
not in an intermediate point or is in the same
intermediate point than he/she). So, they do not
have any privileged information about the func-
tion that governs the transformation from stage
3 on. Note that if this function depends on three
parameters, then even the winner will be unable
WRLQIHULW+HQFHE\XVLQJ¿YHVWDJHVLQVWHDGRI

four we easily solve this collusion problem.
Let us consider a last collusion scenario. Let
us suppose that before the auction begins, some
bidders make a deal to collude. If these bidders
are located in enough intermediate points by
chance, then they could exchange their informa-
tion and infer the global function. In spite of the
fact that the probabilities of having some bidders
in enough intermediate points is negligible when
the number of bidders is high, even this problem
can be avoided by using n+1 stages, where n is the
number of bidders. Let us note that in this case,
all bidders are located in an intermediate point.
Then, only the collusion of n-2 nonwinning bid-
ders and the winner (i.e., n-1 bidders) allows the
colluders to uncover the global function. Let us
note that, in this case, the colluders can access the
values in all intermediate points but one. Let this
unknown point be located at stage i. Then, the col-
luders can compare the partial transformation of
the second highest bid at stages i-1 and i+1. Since
the global function from the beginning to i-1 and
from i+1 to the end is uncovered, the winner can
use these parts of the function to know the value
of its own bid at points i-1 and i+1. So, the win-
ner has two examples of the function that applies
from stage i-1 to stage i+1, which depends on 2
parameters. The consequence is that a group of
n-1 colluders that includes the winner can uncover
the global function. Let us note that as stated by

Brandt and Sandholm (2004), it is impossible to
¿QGDFRPSOHWHO\SULYDWHPHFKDQLVPWRSHUIRUP
the Vickrey auction. So, providing a mechanism
where even the collusion of n-1 bidders is unable
to breach the privacy is not possible.
Let us note that the complexity of our proto-
FROLV2QZKHQD¿[HGQXPEHURIVWDJHVHJ
LVXVHGEHFDXVHWKHFRGL¿FDWLRQRIDOOELGVLV
performed in parallel. However, if n+1 stages are
used, then the complexity is O(n
2
), which could be
too high if the number of bidders is high. Hence,
the risk of the previous kind of collusion should
be assessed before taking the decision of using
n+1 stages.
IMPLEMENTATION
The distributed algorithm that performs our
method and takes into account all the previous
considerations is depicted in Figure 2. Besides,
we have implemented a simple simulation of our
protocol. It is a monoprocessor C++ simulation,
where the relevant events that would occur in
the real system are represented. In particular, we
simulated a simple environment where 10 bidders
participate in the auction. Exponential, additive,
and multiplicative functions were used, as ex-
plained in previous sections. Since exponential
2096
Analyzing the Privacy of a Vickrey Auction Mechanism

Figure 2. Actual Algorithm
Notation:
P: set of bidders, with n = |P|.
Given p
i

P, the bid of p
i
is
b
i
.
ST: number of stages.
S: set of bidders already used in this stage.
G: set of bidders already used in intermediate points (in the inverse transformation).
Initialitation:
ST is agreed by all bidders (ST t 5);
i
of each stage i is commonly fixed by all bidders such that:
-  1d i d ST-
i
 F
imod3
,where F
1
= {f | f(x) = x
r
}, F
2
= {f | f(x) = x+r}, and F

0
= {f | f(x) = r · x};
For each bidder p
j
 P, privately do:
-
For each stage i, choose a function f
ji

i
;
- c := f
j1
(b
j
);
-p :=ChooseRandomly(P \ {p
j
});
- Transmit (c, {p
j
}, 1) to bidder p; /* where 1 denotes the first stage */
Inductive Case (forward way):
When tuple (c,S,i) is transmitted to bidder p
j
, do:
c: = f
ji
(c);
If |S| d n-2 then /* more bidders must apply their functions */

-p :=ChooseRandomly(P \ (S  {p
j
}));
- Transmit (c, S  {p
j
}, i) to bidder p;
else if i < ST then /* there are more stages */
-p :=ChooseRandomly(P);
- Transmit (c, Ø, i+1) to bidder p;
else broadcast c;
Comparison:
Once n values are broadcasted, we publicly perform:
Obtain the second highest value (namely d);
p := ChooseRandomly(P); G := Ø;
Trans
mit (d,
Ø, ST,
G) to bidd
er p;
Inductive Case (backward way):
When tuple (c, S, i, G) is transmitted to bidder p
j
, do:
c := f
-1
ji
(c);
If |S| d n-2 then /* more bidders must apply their functions */
-p :=MaybeChooseRandomly((P \ (S  {p
j

}))  G);
- If p does not exist then p := ChooseRandomly(P \ (S  {p
j
}));
- /* Depending on whether p finishes this stage: */
- If |S| d n-3 then Transmit (c, S  {p
j
}, i, G) to bidder p
- else Transmit (c,S  {p
j
},i,G  {p}) to bidder p;
else if i > 1 then /* there are more stages */
-p :=ChooseRandomly(P \ G);
- Transmit (c, Ø, i-1, G  {p}) to bidder p; /* p is first bidder of next stage */
else Broadcast c;
Resolution:
Once a value c is broadcasted, do:
Ask for the bidder whose bid was greater than c. Let k be such bidder;
Assign item to bidder k at price c;
Figure 2. Actual algorithm
functions dramatically modify values, we were
concerned about modifying values, and the preci-
sion of the overall process. This issue is critical
because it concerns whether the transformed bids
keep their relative order like the original bids.
Besides, it also concerns whether the decoding
of a coded bid matches the original value. Even
WKRXJK¿YHVWDJHVDUHHQRXJKWRJXDUDQWHHPRVW
privacy properties, more stages were used in or-
der to maximize numerical errors and study the

numerical stability of the algorithm. In particular,
we used 10 stages where the kinds of functions
2097
Analyzing the Privacy of a Vickrey Auction Mechanism
cyclically alternated, as we said before. The C-
data type used to store values was the standard
long double type that provides 80-bit precision
ÀRDWLQJSRLQWQXPEHUV
In our experiment, bidders choose a random
bid between 1 and 100. Then they select multipli-
cative factors between 1 and 10 and exponential
factors between 1.01 and 1.1. Regarding additive
factors, they choose values whose magnitude is
close to that of the values they manipulated in the
previous stage. In spite of the fact that the prob-
ability of each value is uniformly distributed in
our experiment, bidders of a true auction are free
to choose their values according to any private
criterion. A simulation of the process is depicted
in Figure 2.
The winner is depicted in bold face, while
the second highest bidder is shown in italics.
%RWKWKHFRGL¿FDWLRQDQGWKHGHFRGLQJSKDVHV
are depicted. Let us note that the decoding of
the second highest value matched perfectly the
original second highest bid (65). For the sake of
checking precision issues, the rest of the values
were decoded as well. It turns out that not only
the relative order between bids is kept, but also
WKH¿QDOYDOXHVPDWFKSHUIHFWO\ZLWKWKHRULJLQDO

bids. That is, all values in any decoding stage i
FRLQFLGH WR WKRVH LQ WKH FRGL¿FDWLRQ VWDJH QL
The reason for that numerical precision is that
our protocol does not mix different kinds of op-
erations in the same stage. That is, in spite that
the order in which each exponential function is
applied is different for each bid, no single addi-
tion or multiplication is performed until all the
bids are transformed according to all exponential
functions in this stage. A similar argument applies
when the kind of function is either multiplicative
or additive. This fact minimizes numerical preci-
sion problems.
Let us note that if the number of bidders in an
auction is high, then the factors used by bidders
in their local functions should be constrained by
some upper and lower bounds. Otherwise, the size
of transformed values could be too high or too
ORZDQGLWFRXOGRYHUÀRZWKHPD[LPDOSUHFLVLRQ
allowed by the chosen data types. Alternatively,
data types with unlimited precision (and unlimited
memory usage) can be constructed and used.
CONCLUSION AND FUTURE WORK
In this paper, we have studied some properties
of the protocol presented in López et at. (2004).
In that paper, a mechanism to perform a Vickrey
auction was presented in such a way that only the
VHFRQGKLJKHVWELGDQGWKHLGHQWLW\RIWKH¿UVWELG-
der were revealed. Contrarily to some previous
works, this is achieved without the necessity of

any trusted third part, not even the auctioneer.
However, some relevant issues concerning risks
against the privacy, with or without collusion,
were not considered. Besides, a discussion about
practical issues was missing. In this paper, we have
addressed all these topics, and some results about
a simple implementation have been reported.
Let us note that this protocol requires that
all bidders behave conforming to the protocol.
That is, they are supposed to follow the behavior
described by the protocol. However, the result
of the auction could be ruined if one or more
bidders cheat. For example, if a bidder applies a
different function when a bid is coded and when
it is decoded, the published value of the second
highest bid could be wrong. Following this line,
we are currently developing a mechanism to
detect liars in the protocol. It consists of apply-
ing a kind of checksumWR¿QGRXWZKHWKHUVRPH
ELGGHUPRGL¿HGWKHUHVXOWV,WLVDGLI¿FXOWWDVN
because faults in the results must be detected
without revealing too much information, which
could break the privacy.
ACKNOWLEDGMENT
We would like to thank Felix Brandt for his helpful
comments about our auction protocol. This work
2098
Analyzing the Privacy of a Vickrey Auction Mechanism
has been supported in part by the MCYT project
MASTER (reference TIC2003-07848-C02-01),

and by the JCCLM project PAC-03-001.
REFERENCES
Brandt, F., & Sandholm, T. (2004). (Im)possibility
of unconditional privacy preserving auctions. In
Proceedings of the 3rd International Joint Con-
ference on Autonomous Agents and Multiagent
Systems (pp. 810–817). ACM Press.
Lipmaa, H., Asokan, N., & Niemi, V. (2002).
Secure Vickrey auctions without threshold trust.
In Proceedings of the Annual Conference on Fi-
nancial Cryptography, LNCS 2357 (pp. 87–101).
Springer.
López, N., Núñez, M., Rodríguez, I., & Rubio, F.
(2004). Improving privacy in Vickrey auctions.
ACM SIGEcom Exchanges, 5(1), 1–12.
Myerson, R. B. (1981). Optimal auction design.
Mathematics of Operations Research, 6, 58–73.
Naor, M., Pinkas, B., & Sumner, R. (1999). Privacy
preserving auctions and mechanism design. In
Proceedings of the ACM Conference on Electronic
Commerce (pp.129–139). ACM Press.
Sandholm, T., & Lesser, V. (1995). On automated
contracting in multienterprise manufacturing. In
Proceedings of Distributed Enterprise: Advanced
Systems and Tools, ESPRIT Working Group 9245
(pp.33–42).
Vickrey W. (1961). Counterspeculation, auctions,
and competitive sealed tenders. Journal of Fi-
nance, 16, 8–37.
ENDNOTES

1
The RET requires, for example, that the
ORZHVWELGGHUH[SHFWV]HURSUR¿WWKDWELG-
ders are risk-neutral, and that bidders have
independent and private values for their
items. These properties are rarely met in
real e-commerce environments.
2
For instance, if a bidder played the role of an
auctioneer in a previous auction where the
item being sold was similar, then he could
¿QGRXWWKHELGVLQWKHFXUUHQWDXFWLRQ
3
Alternatively, in order to guarantee that the
winner (and not the second bidder) buys the
item, the price could be raised in any tiny
amount μ.
4
In (López et al., 2004) the possibility that a
bidder knew two examples of the function
was not explicitly considered. However, the
g l o b a l f u n c t i o n d e p e n d e d i n g e n e r a l o n m o r e
than two unknowns, since each stage used
a different kind of function and introduced
a new unknown in the global function.
This work was previously published in International Journal of E-Business Research, Vol. 2, Issue 3, edited by I Lee, pp. 17-27,
copyright 2006 by IGI Publishing (an imprint of IGI Global).
2099
Copyright © 2009, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Chapter 7.9

E-Services Privacy:
Needs, Approaches, Challenges,
Models, and Dimensions
Osama Shata
6SHFLDOL]HG(QJLQHHULQJ2I¿FH(J\SW
ABSTRACT
This chapter introduces several aspects related to
e-privacy such as needs, approaches, challenges,
and models. It argues that e-privacy protection,
although being of interest to many parties such
as industry, government, and individuals, is very
GLI¿FXOWWRDFKLHYHVLQFHWKHVHVWDNHKROGHUVRIWHQ
KDYHFRQÀLFWLQJQHHGVDQGUHTXLUHPHQWVDQGPD\
H YH Q K DYHF R Q ÀLFW L QJ X Q G H U V W D Q G L Q J RIH  S U L Y D F \ 
6R¿QGLQJRQHPRGHORURQHDSSURDFKWRHSULYDF\
protection that may satisfy these stakeholders
is a challenging task. Furthermore, the author
hopes that this chapter will present an acceptable
GH¿QLWLRQ IRU HSULYDF\ DQG XVH WKLV GH¿QLWLRQ
to discuss various aspects of e-privacy protec-
tion such as principles of developing e-privacy
policies, individuals and organizations needs of
various privacy issues, challenges of adopting and
coping with e-privacy policies, tools and models
to support e-privacy protection in both public and
private networks, related legislations that protect
or constraint e-privacy, and spamming and Inter-
net censorship in the context of e-privacy. The
author hopes that understanding these aspects
will assist researchers in developing policies and

V\VWHPVWKDWZLOOEULQJWKHFRQÀLFWLQHSULYDF\
protection needs of individuals, industry, and
government into better alignment.
INTRODUCTION
The Internet in general and the World Wide Web
(WWW) in particular, were initially intended
to facilitate sharing of information between
individuals, research centers, organizations,
and so forth. However, they have now become
the fastest growing means to provide a variety
of services such as e-government, e-commerce,
e-communication, e-entertainment, e-education,
e-investment, and so on.
2100
E-Services Privacy
$OWKRXJK³HOHFWURQLFVHUYLFHV´HVHUYLFHV
is a term that implies the offering of services by
electronic means, it is mostly used now to mean
the offering of services via the Internet/WWW.
E-services are of various types, including those
that enable individuals and organizations to access
LQIRUPDWLRQHJVXU¿QJWKH:::DQGWKRVH
that facilitate transmitting of data (e.g., banking
application, e-shopping).
Individuals and organizations using and offer-
ing e-services are subject to many potential threats
(e.g., unauthorized intrusion and collection of IP
addresses, session hijacking, copying/stealing
information digitally stored, etc.). This raises the
need for high standards of security measures.

One of the threats that is receiving growing
attention is violating the privacy of users using
e-services. One type of violation may occur by
harmful software that attacks computers to col-
lect sensitive information for purposes such as
identity theft, or to destroy stored information.
This requires continuous adopting of new and
up-to-date protection techniques.
A second type of privacy violation is commit-
ted by organizations offering e-services. Such or-
ganizations tend to collect some of an individual’s
SHUVRQDOLGHQWL¿DEOHLQIRUPDWLRQ3,,ZKLFKLV
considered critical for the organizations’ interests,
but also is seen private by the individual using the
e-services. This necessitates preventing PII from
being collected without consent and protecting PII
collected with consent. This has raised Internet
privacy protection as one of the top policy issues
for legal institutions and legislators.
,Q RUGHU WR UHVROYHWKLV FRQÀLFWRI LQWHUHVWV
between individuals and organizations, several
laws and acts have been issued with the aim of
balancing the interests of the two parties. The
purpose of these laws and acts is to organize the
process of collecting, processing, and protecting
PII of individuals using e-services, and hence, to
provide some protection for individuals. This is
ZKDWZHFDOOLQWKLVFKDSWHU³HVHUYLFHSULYDF\
SURWHFWLRQ´RU³HSULYDF\´IRUVKRUW
(SULYDF\LVDFRQFHSWWKDWLVGLI¿FXOWWRGH¿QH

It is seen differently by the parties involved. Some
of the organizations that collect PII may view the
Internet as a public environment, and those who
connect to it should expect to be noticed. Other
organizations offer free services, thus those who
use the services should expect some trade off. On
the other hand, individuals believe that their online
activities and all their PII are private and belong
to them. Since these individuals switch between
TV channels and view whatever they prefer in
privacy without being tracked, they expect the
V D P H S U L Y D F \ Z K H Q V X U ¿ Q J W K H : : : / HJ L VOD W R U V 
always debate comprehensively, before the issuing
of any related privacy law, on how to balance the
interests of the collecting organizations and indi-
viduals, and what principles and standards may
be used (e.g., the Canadian Personal Information
Protection and Electronic Documentation Act
[Government of Canada-1]). In addition, e-privacy
may be broadened to cover individuals’ rights not
to receive any unsolicited advertisements (spam-
ming) in their e-mail inboxes, as well as their
rights to access Web sites without restrictions
(Internet censorship). Another question is whether
or not the meaning of e-privacy would differ ac-
cording to whether the communication network
used is public (Internet) or private (belongs to an
organization or a workplace).
There are many issues related to e-privacy
such as its criticality, types, scope, standards,

legal requirements, challenges, approaches, and
how to protect it.
This chapter will discuss some of these issues.
In particular, it aims to:
 ,QWURGXFHHSULYDF\GH¿QHDQGFRQVLGHULW
from various perspectives,
2. Highlight standards and principles of e-
privacy policies,
3. Identify various challenges of adopting and
coping with e-privacy policies,
4. Discuss e-privacy in the context of public
networks,
2101
E-Services Privacy
5. Relate e-privacy to electronic security,
6. Identify critical organizational, legal, and
technical issues in managing e-privacy,
7. Introduce example models and approaches
to maintain individuals’ e-privacy,
8. Discuss spamming and Internet censorship
in the context of e-privacy, and
9. Introduce e-privacy considerations in private
networks.
WHAT IS E-PRIVACY?
Privacy is an abstract word that has various
meanings, scopes, and dimensions to individu-
als depending on each individual’s background,
psychology, beliefs, and ethics. However, most
individuals will relate its meaning to their right
to act freely from unauthorized intrusion and to

their right to keep what they believe to be private
from others.
Hence, we can look at e-privacy as an
individual’s right to act freely online (on the In-
ternet/WWW) without being monitored, traced,
restricted, and to keep their PII from being col-
lected or distributed to other parties without their
FRQVHQW8QIRUWXQDWHO\WKLVGH¿QLWLRQPD\QRW
EHDSSURYHGE\VRPHRUJDQL]DWLRQVWKDW¿QGLW
necessary to monitor individuals while they are
online to collect some necessary PII.
7KLVFKDSWHUZLOOXVHWKHDERYHGH¿QLWLRQRI
e-privacy as a base when discussing the balancing
RIFRQÀLFWLQJLQWHUHVWVEHWZHHQLQGLYLGXDOVDQG
organizations and to highlight some other related
issues. The next section will introduce examples of
violating individuals’ privacy online and discuss
the need for protecting e-privacy.
THE NEED FOR E-SERVICES
PRIVACY PROTECTION
New technology has enabled electronic services
providers and other parties to monitor online us-
ers and to collect and transfer users’ PII. These
technological capabilities have raised concerns
among users that their PII could be used in ways
that they would consider an invasion of their e-
privacy. As an attempt to understand the need for
e-privacy protection, it would be helpful to list
some examples of the misuse of the Internet which
have affected individuals’ e-privacy, whether the

misuse was intentional or unintentional.
In a recent article, Cobb and Cobb (2004)
gave an example to illustrate what happens when
people fail to understand how technology may
affect privacy. Some years ago, legislators in the
State of Florida authorized counties to put all
public records on the Web. As a result, anyone
could view the private data in the records such
as name, social security number, address, and in
some cases signatures. This can undoubtedly be
FODVVL¿HGDVDSULYDF\YLRODWLRQDQGFDQOHDGWR
various crimes such as identity theft. A sample
r e c o r d t h a t h a s b e e n u s e d b y C o b b a n d C o b b ( 2 0 0 4 )
may be examined for illustration at: http://www.
privacyforbusiness.com/example1.htm.
While Cobb and Cobb’s example of privacy
invasion was unintentional and would not be
FRQVLGHUHGDFULPLQDODFWRQHFDQ¿QGPDQ\
examples of intentional privacy invasion for the
sake of electronic fraud. One example of this is
Western Union’s Web site was broken into, and it
is thought that the hackers have managed to copy
credit ca rd infor mation for more than 15,000 cus-
tomers. (ID Theft, Schemes, Scams, Frauds).
Large organizations also suffer from private
information violations. In a presentation by Fred
+ROERUQKHSUHVHQWHGWKDW³RIODUJH
organizations detected computer security attacks
LQDFNQRZOHGJHG¿QDQFLDOORVVHVGXH
to computer breaches; theft of proprietary infor-

PDWLRQFDXVHGWKHJUHDWHVW¿QDQFLDOORVV²
million average.”
One can argue that these examples of privacy
invasion may occur in non-electronic environ-
ments as well and that the use of the Internet and
electronic services has just made them easier.
2102
E-Services Privacy
However, there are examples of privacy inva-
sions that would occur only because of the elec-
tronic services and the use of the Internet/WWW.
Such invasions are committed by unauthorized
software. This software is of various types,
including spy-ware, ad-ware, viruses, cookies,
online activities trackers, scum-ware, and Web
beacons. However, these various types share the
characteristic of being uninvited. In most cases,
the user is not aware of their existence until his or
her computer starts functioning in an unexpected
ZD\DQGWKH\FDQEHGLI¿FXOWWRUHPRYH:KLOH
some unauthorized software can cause serious
problems such as destroying personal data, and
identity theft, the aim of much other unauthorized
software is to collect information for the sake of
sending ads or even for security purposes. The
¿UVWW\SHRIXQDXWKRUL]HGVRIWZDUHFDXVHVLOOH-
gal activities and would require individuals and
organizations that keep online data to increase
WKHLU VHFXULW\ PHDVXUHV HJ WR XVH ¿UHZDOOV
Meanwhile, the second type of the unauthorized

software would need to be controlled by some
policy. To understand this better consider the
following examples:
• An online shopping Web site tracks its visi-
tors’ online activities and collects their PII
to e-mail them discounted offers.
• $VHDUFKHQJLQHWUDFNVLWVXVHUV¶VXU¿QJDQG
passes their PII to its sponsoring organiza-
tions.
• An e-government Web site collects PII with
individuals’ consent, but shares the PII with
other government agencies.
• An organization is increasing its security
measures and checks outgoing e-mail to
protect its critical data from being leaked, or
is monitoring its employees online activities
during working hours to increase productiv-
ity — is this an invasion of its employees’
e-privacy?
Such examples of what may be considered e-
privacy invasion led many legislators to conclude
that industry needs standards, policies, and laws
t o o r g a n i z e t h e p r o c e s s o f m o n i t o r i n g i nd i v i d u a l s’
online activities and online private data collec-
tion and usage. Some governments (e.g., U.S.,
EU, Australia, and Canada) have already issued
related bills and laws (e.g., the Canadian Personal
Information Protection and Electronic Documen-
tation Act [Government of Canada-1]).
The discussion of the need for e-services

privacy protection usually focuses on e-services
provided within public networks and does not
focus on e-services provided within non-public
networks (although the later type also requires
attention). However, the topic of e-privacy is still
HYROYLQJ DQG WKHUH LV QR XQL¿HG GH¿QLWLRQ RU
scope for online privacy and protection. We will
introduce in Section vi a discussion of the related
standards, principles, and models applicable to
e-privacy.
STANDARDS, PRINCIPLES, AND
MODELS OF E-SERVICES PRIVACY
PROTECTION
The rapid growth of Internet e-services and Web-
based applications that target consumers and
collect their PII led to concerns over e-privacy.
This required the issuing of laws for enforcing
e-privacy protection. Most e-privacy-related laws
enforce sites and organizations that collect PII
from individuals using an e-service by adopting
an e-privacy policy with minimally enforced stan-
GDUGVDQGVSHFL¿FDWLRQV,QPDQ\FDVHVWKHODZV
and regulations for e-privacy are amendments to
off-line privacy acts that are already in place.
In Canada, there is the Personal Information
Protection and Electronic Documents Act. The
purpose of this act, as stated on the Department
of Justice Web site is (Department of Justice
 &DQDGD³WR SURYLGH&DQDGLDQV ZLWK D ULJKW
of privacy with respect to their personal infor-

2103
E-Services Privacy
mation that is collected, used, or disclosed by
an organization in the private sector in an era
in which technology increasingly facilitates the
FROOHFWLRQDQGIUHHÀRZRILQIRUPDWLRQ´7KH
privacy provisions of the Personal Information
Protection and Electronic Documents Act are
based on the Canadian Standards Association’s
Model Code for the Protection of Personal In-
formation, recognized as a national standard in
1996 (Government of Canada). The code’s 10
SULQFLSOHVDUH³$FFRXQWDELOLW\´³,GHQWLI\LQJ
3XUSRVHV´ ³&RQVHQW´ ³/LPLWLQJ &ROOHFWLRQ´
³/LPLWLQJ8VH'LVFORVXUHDQG5HWHQWLRQ´³$F-
FXUDF\´³6DIHJXDUGV´³2SHQQHVV´³,QGLYLGXDO
$FFHVV´DQG³&KDOOHQJLQJ&RPSOLDQFH´7KLVDFW
is supposed to cover both the government and the
private sectors. There are also other provincial acts
(e.g., Alberta’s Personal Information Protection
Act [Alberta Government] and British Columbia’s
Personal Information Protection Act).
The UK has the Data Protection Act 1998
8.7KHDFW³DSSOLHVWRDGDWDFRQWUROOHU
in respect of any data only if:
(a) t h e d a t a c o n t r o l l e r i s e s t a b l i s h e d i n t h e U n i t e d
Kingdom and the data are processed in the
context of that establishment, or
(b) the data controller is established neither in the
United Kingdom nor in any other EEA State

but uses equipment in the United Kingdom
for processing the data otherwise than for
the purposes of transit through the United
Kingdom.”
The act’s main principles emphasize that
personal data: shall be processed fairly
and lawfully; obtained only for one or
PRUHVSHFL¿HGDQGODZIXOSXUSRVHVVKDOO
be adequate, relevant, and accurate; shall
not be kept for longer than is necessary;
shall be protected by appropriate techni-
cal and organizational measures against
unauthorized or unlawful processing and
against accidental loss or destruction; and
shall only be transferred to a country or
territory outside the European Economic
Area (EEA) under conditions that ensure
an adequate level of protection of personal
data and the rights and freedoms of data
subjects (UK, 1998). The reader may realize
the great similarity between the principles
of the UK’s Data Protection Act 1998 and
those of the Canadian Personal Information
Protection and Electronic Documents Act.
Australia has the Federal Privacy Law. It
contains 11 Information Privacy Principles
(IPPs) and which apply to Commonwealth
and government agencies (Federal Privacy
Commissioner [Australia], 1988). The 11
principles are: Manner and purpose of col-

lection of personal information; solicitation
of personal information from individual
concerned; solicitation of personal infor-
mation generally; storage and security of
personal information; information relating
to records kept by record-keeper; access to
records containing personal information;
alteration of records containing personal
information; record-keeper to check ac-
curacy and so forth of personal informa-
tion before use; personal information to be
used only for relevant purposes; limits on
use of personal information; and limits on
disclosu re of personal i nformation. T he law
also has 10 National Privacy Principles that
apply to parts of the private sector and all
health service providers.
While the Canadian act and the Australian law
cover both the federal and private sectors, other
countries have laws and acts to govern the federal
sector and leave the private sector to develop its
own privacy policies (e.g., USA).
In the United States legislators have passed a
legislation regarding information practices and
e-privacy for the federal government. However,
legislators are still debating whether an e-privacy
act for the private sector is needed or industry