Research and Advances
Computing Applications The adaptive web

Personalized Hypermedia and International Privacy

Personalized hypermedia systems may be in conflict with privacy concerns of computer users, and with privacy laws that are in effect in many countries.
  1. Introduction
  2. Impacts on Personalized Hypermedia Systems
  3. Future Directions
  4. References
  5. Author
  6. Footnotes
  7. Sidebar: OECD Basic Privacy Principles of National Application
  8. Sidebar: Some Countries With Restrictions on the Transborder Flow of Personal Data

User-adaptive (or "personalized") hypermedia systems are able to cater to users more effectively given the more information they possess about them. The adaptations that will be necessary are usually not known at the time when different pieces of information about users become available. Personalized hypermedia systems therefore have to lay this collected data "in stock" and maintain it for possible future usage. Moreover, data gathering is moreover mostly performed in an unobtrusive manner and often without users’ awareness. This is done to avoid distracting users from their tasks and with consideration that users are very reluctant to perform actions not directed toward their immediate goals (like providing data about themselves) if they do not receive immediate benefits, even when they would benefit in the long run [3].

This current practice of data collection and processing in personalized hypermedia systems, specifically in personalized Web sites [7], seems to be in conflict with privacy concerns of Internet users. These became manifest in numerous recent consumer polls,1 where respondents reported being concerned about threats to their privacy when using the Internet; being concerned about divulging personal information online; and being concerned about being tracked online. Web users are not only concerned but already counteract. They reported leaving Web sites that required registration information; having entered false registration information; and having refrained from shopping online due to privacy concerns, or having bought less. Internet users who are concerned about privacy are thereby not naive isolationists, but have very pragmatic demands. They want Internet sites to ask for permission to use personal data and are willing to give out personal data for getting something valuable in return.

The current practice of personal data processing in personalized hypermedia also appears to be in conflict with privacy laws and guidelines that usually call for parsimony, purpose-specifity, and user awareness or even user consent in the collection and processing of personal data. Privacy laws protect the data of identified or identifiable2 individuals in more than 30 countries, and a few states and provinces. Several countries, including the U.S., have some sector-specific regulations. In another 10–15 countries, privacy regulations are currently at various stages in the legislative process.

While at a surface level privacy laws are often widely different, they are usually grounded in a comparatively small number of basic privacy principles. As an example, the sidebar "OECD Basic Privacy Principles of National Application" lists recommended privacy guidelines adopted by the Organization for Economic Co-operation and Development (OECD) in 1980 (these are not binding for its current 30 member countries, which include the U.S.). The privacy laws of many countries also restrict the transborder flow of personal data, or even extend their coverage beyond the national boundaries. Such laws then also affect personalized hypermedia sites abroad that serve users in these regulated countries, even if there is no privacy law in place in the country where the site is located (see the sidebar for a brief overview).3 For comprehensive privacy resources, see for example,,,,, [1], [8], and [11].

If privacy laws apply to a personalized hypermedia application, they often not only affect the conditions under which personal data may be collected and the rights that data subjects have with respect to their data, but also the methods that may be used for processing the data. Following is a sample of restrictions from the German Teleservices Data Protection Act and the European Data Protection Directive that substantially affect the internal operation of personalized hypermedia applications:

  • Usage logs must be deleted after each session. This provision affects, for example, the machine-learning methods that can be employed in a personalized hypermedia system. If learning takes place over several sessions, only incremental methods can be employed since the raw usage data from previous sessions has all been discarded.
  • Usage logs of different services may not be combined, except for accounting purposes. This is a severe restriction for so-called central user modeling servers that collect user data from, and make it available to, different user-adaptive applications [5].
  • User profiles are permissible only if pseudonyms are used. Profiles retrievable under pseudonyms shall not be combined with data relating to the bearer of the pseudonym. This clause mandates a Chinese wall between the component that receives data from identifiable users, and the user-modeling component that makes generalizations about pseudonymous users and adapts hypermedia pages accordingly. Communication between these components may only take place through a trusted third component that manages the directory of pseudonyms, or through more complex pseudonymization procedures.
  • No fully automated individual decisions are allowed that produce legal effects concerning the data subject or significantly affect him and that are based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, and so forth. This prohibition has impacts on learner-adaptive hypermedia systems for tutoring [2]. If such systems assign formal grades, there has to be a human somewhere in the loop.
  • Technical and organizational security measures must be implemented to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access.
  • Anonymous or pseudonymous access and payment must be offered possible and reasonable.

Back to Top

Impacts on Personalized Hypermedia Systems

If users can interact with a personalized system in an anonymous or pseudonymous manner, privacy laws generally do not apply and users’ privacy concerns seem to abate. Internet users that remain anonymous are more likely to provide data about themselves, which will improve the quality of the personalization. To facilitate the development of such systems, [12] defines a reference model that preserves the pseudonymity of both users and user modeling servers while at the same time permitting full personalization.

If anonymous or pseudonymous access is not possible, users’ privacy preferences need to be taken into account as well as national privacy laws that possibly apply. The following are suggested guidelines for the design of personalized hypermedia systems in an identifiable usage context. The guidelines constitute keystones in most privacy laws and probably also meet the current privacy preferences of many users:

  • Make (long-term) personalization a clear purpose of your service. This may improve the accuracy of the data needed for personalization purposes, and will also facilitate the next guideline.
  • Provide comprehensive and intelligible advance notice to users about all data that is to be collected, processed and transferred, and indicate the purposes for which this is being done. This is likely to increase users’ trust in the application and is mandated by virtually all privacy laws.
  • Obtain users’ informed and voluntary consent to processing their data for personalization purposes.
  • Provide organizational and technical means to allow users to inspect, block, rectify and erase both the data they provided, and specifically the assumptions the system inferred about them.
  • Provide security mechanisms that are commensurate with the technical state of the art and the sensitivity of the stored user data.

These guidelines can be complemented or modified by users’ individual privacy preferences (as for example, expressed in the APPEL language [4] in combination with the PGP protocol [8]), yielding a privacy policy adapted to each individual user. When personalized hypermedia systems are aimed at users from foreign countries, care must be taken whether privacy laws are in place that affect the trans-border flow or the extraterritorial processing of personal data gathered in these countries. If so, the regulations that must be observed are in most cases different between these countries, and different from those of the country where the personalized system is located. It is therefore proposed in [6] that a flexible architecture for personalized systems should tailor privacy dynamically to each individual user, taking his or her preferences and the privacy laws at both the system’s and the user’s location into account.

Back to Top

Future Directions

New architectures for personalized systems (which are currently too resource-intensive to build) would considerably reduce the amount of personal data that becomes available to others, and would thus mitigate the impact of privacy laws and privacy concerns. Client-side instead of server-side personalization would give users exclusive control of all purposely-collected personal data as well as all processes that operate on the data. Mobile personalized hypermedia services that are executed on the client side only would additionally leave all information about a user’s interaction with these services exclusively in the user’s domain.

On the legal front, an international treaty on information privacy [10] is expedient that would allow personalized systems to follow a single privacy standard instead of catering to different requirements of different countries. Such an agreement could build on a revised version of the OECD guidelines mentioned previously, or other privacy principles that are currently being discussed.

Back to Top

Back to Top

Back to Top

Back to Top

Back to Top

    1. Agre, P. and Rotenberg, M., Eds. Technology and Privacy: The New Landscape. MIT Press, Cambridge, MA, 1997.

    2. Brusilovsky, P. Adaptive and intelligent technologies for Web-based education. Künstliche Intelligenz (Apr. 2000), 19–25;

    3. Carrol, J. and Rosson, M.B. The paradox of the active user. In J. Carrol, J., Ed., Interfacing Thought: Cognitive Aspects of Human-Computer Interaction. MIT Press, Cambridge, MA, 1989.

    4. Cranor, L., Langheinrich, M., and Marchiori, M. A P3P Preferences Exchange Language 1.0 (APPEL 1.0), 2001;

    5. Kobsa, A. Generic user modeling systems. User Modeling and User-Adapted Interaction 11, 1–2 (2001), 49–63; papers/2001-UMUAI-kobsa.pdf.

    6. Kobsa, A. Tailoring privacy to users' needs. In M. Bauer, P.J. Gmytrasiewicz, and J. Vassileva, Eds., User Modeling 2001: 8th International Conference, Springer Verlag, Berlin-Heidelberg, 2001, 303–313;

    7. Kobsa, A., Koenemann, J. and Pohl, W. Personalized hypermedia presentation techniques for improving customer relationships. The Knowledge Engineering Review 16, 2 (2001), 111–155;

    8. Peters, T.A. Computerized Monitoring and Online Privacy. McFarland, Jefferson, NC, 1999.

    9. Reagle, J. and Cranor, L. The platform for privacy preferences. Commun. ACM 42, 2 (Feb. 1999), 48–55.

    10. Reidenberg, J.R. Resolving conflicting international data privacy rules in cyberspace. Stanford Law Review 52 (2000), 1315–1376;

    11. Rotenberg, M. The Privacy Law Sourcebook 2001: United States Law, International Law, and Recent Developments. EPIC, Washington, DC, 2001.

    12. Schreck, J. Security and Privacy in User Modeling. Kluwer, Dordrecht, Netherlands;

    An electronic version of this article that includes additional references to all discussed privacy surveys and privacy laws is available at A collection of international privacy laws with a comparison of the stipulations that specifically affect personalized systems can be found at

    1See for a very comprehensive overview of the more than 100 surveys that have been conducted to date.

    2It is thus not required that the system actually identifies the user. Privacy laws already apply when it is possible to identify the user with reasonable efforts based on the data that the system collects. Static IP numbers are generally regarded as identifying characteristics of Web users.

    3When users in country A interact with a Web site that is located in country B, data collection is generally deemed to take place in country A, and a transfer of data takes place from A to B.

    *U.S. organizations that subject themselves to the so-called Safe Harbor Principles that were negotiated between the European Union and the U.S. meet this adequacy standard.

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More