Colloquia Series: Sebastian Zimmeck

Feb 16, 2018
11 a.m.
Lopata Hall, Room 101

Improving Privacy Policy Compliance ̶ An Interdisciplinary Approach


Privacy policies are intended to notify Internet users of organizations’ privacy practices and give them choices to opt out from behavioral advertising and other services. However, very few users actually read privacy policies and many remain oblivious to what happens to their data. In addition, software developers are oftentimes not aware of their legal obligations and fail to disclose their privacy practices. These cases of non-compliance can remain undetected for extended periods of time as the Federal Trade Commission and other privacy regulators do not have the resources to perform their oversight systematically and comprehensively. The use of machine learning technologies to analyze privacy policies automatically for compliance with privacy law requirements holds promise to alleviate these problems.

Whether a privacy policy satisfies applicable privacy law requirements can be analyzed based on supervised machine learning and domain-specific feature engineering. The analysis results can be converted to a format that is easier to comprehend than a full text policy. Such format also allows regulators to perform inter-policy comparisons. Regulators can further evaluate the compliance of software with developers' privacy promises by comparing the policy analysis results to what the pertinent software actually does. To avoid privacy non-compliance developers can automatically generate privacy policies from their code by using privacy policy generation plugins integrated in their development environments. However, as many emerging practices, especially, on IoT devices, are not easily detectable, further challenges for notifying users of privacy practices remain and require further work at the intersection of law and computer science.


Sebastian Zimmeck is a postdoc in computer science at Carnegie Mellon University's Institute for Software Research. His research interests are Internet privacy and security. Before coming to Carnegie Mellon Sebastian studied computer science at Columbia University. He also studied information privacy and intellectual property law and practiced in these areas as an attorney with international law firm Freshfields Bruckhaus Deringer. He was a Google Research Fellow at the Berkeley Center for Law & Technology. Sebastian holds degrees in computer science from Columbia University (MS, PhD) as well as law degrees from the University of California, Berkeley (LLM) and the University of Kiel (JD, PhD). He is licensed to practice law in California and Germany (both admissions currently inactive).