While confidentiality of telephone conversation contents has recently received considerable attention in Internet telephony (VoIP), the protection of the caller--callee relation is largely unexplored. From the privacy research community we learn that this relation can be protected by Chaum's mixes. In early proposals of mix networks, however, it was reasonable to assume that high latency is acceptable. While the general idea has been deployed for low latency networks as well, important security measures had to be dropped for achieving performance. The result is protection against a considerably weaker adversary model in exchange for usability. In this paper, we show that it is unjustified to conclude that low latency network applications imply weak protection. On the contrary, we argue that current Internet telephony protocols provide a range of promising preconditions for adopting anonymity services with security properties similar to those of high latency anonymity networks. We expect that implementing anonymity services becomes a major challenge as customer privacy becomes one of the most important secondary goals in any (commercial) Internet application.

One of the key challenges in the information society is responsible handling of personal data. An often-cited reason why people fail to make rational decisions regarding their own informational privacy is the high uncertainty about future consequences of information disclosures today. This chapter builds an analogy to financial options and draws on principles of option pricing to account for this uncertainty in the valuation of privacy. For this purpose, the development of a data subject's personal attributes over time and the development of the attribute distribution in the population are modelled as two stochastic processes, which fit into the Binomial Option Pricing Model (BOPM). Possible applications of such valuation methods to guide decision support in future privacy-enhancing technologies (PETs) are sketched

The data protection laws in Europe require that data controllers provide privacy policies to inform individuals about the prospective processing of their personal data. The ever growing expressiveness of privacy policy languages allows to specify policies in a growing number of details. This and new options for policy negotiations transformed rather general privacy policies into specific privacy contracts between the data controller and the individual.

In this report, we specify a privacy contract language and call it the Privacy Option Language. It is modelled after the analogy between financial option contracts and data disclosures which has been presented in previous work and led to the Privacy Option notion. The language specification provides privacy by design through its data minimisation provisions, i.e., all contracts are automatically reduced to their canonical form so that individual differences in the contract formulation are inherently normalised. The language specification is extensible in two ways. First, hooks are specified in the core language and can be used to connect sublanguages. The freedom to choose any suitable sublanguage allows to specify language details independent of the core language. Second, the Privacy Option Language itself can be used as a sublanguage within a more general-domain language. We give examples for both types of extensions. Additionally, we provide tools for evaluating semantics such as human-readable presentations of Privacy Options and contract management. The definitions of the semantics are kept simple and serve as templates for more practical ones.

All functionality can be checked by interactive tests in a standard multi-purpose programming language interpreter, since the Privacy Option Language is specified as an embedded domain-specific language within Haskell. Hands-on examples are provided along with the language specification.