QuickStudy: Platform for Privacy Preferences Project (P3P)

Computerworld - P3P, or the Platform for Privacy Preferences Project, is the World Wide Web Consortium's (W3C) answer to the problem of protecting personal data on the Web. It's a voluntary protocol for informing Web users of what they're getting into and setting a standard for Web providers to explain what they're planning to do with personal data.

P3P is supposed to ensure that a series of questions are answered about how personal information provided by Web users is handled. None of the policies are legally enforceable, however, nor is there a mechanism to ensure that organizations follow through. The onus is on consumers to reject Web sites that don't meet their guidelines. This has led critics to claim that P3P does little to protect users but does facilitate the collection of personal data by Web providers.

P3P began as an effort to establish a voluntary protocol with free, marketlike negotiation between Web users and Web providers. Users might have P3P-aware browsers or install P3P-aware applications, such as AT&T Corp.'s privacy bird (available for free download at www.privacybird.com.) Once the privacy bird has been configured, it searches for machine-readable privacy policies at every Web site the user visits.

The privacy bird icon is green for Web sites that match the user's stated privacy guidelines, red for sites that don't match, yellow for those that don't provide P3P policies and green with a red exclamation point for sites that might match but have embedded images that have nonmatching or no privacy policies.

The idea is that users can accept or reject Web sites in an informed way and can examine what it is about offending Web sites that doesn't meet their standards. Before the Jan. 28, 2002, publication of P3P 1.0, proponents had thought that users might engage in negotiations with Web providers to reach mutually agreeable terms, but the protocols required to implement such transactions proved to be dauntingly complex.

On the provider side, P3P establishes a standard set of file formats, based on XML, that can be used to publish privacy policies. Tools such as P3PEdit, available at www.policyeditor.com for $70, can be used to create the appropriate files.

Few Web providers publish privacy policies. The list of such sites maintained at the P3P Web site (www.w3.org/P3P) underlines the small number of P3P-compliant providers there is. If P3P doesn't catch on, Web surfers who embrace it may have to bend their own standards the majority of times they bring up new pages, until, as critics point out, they simply turn off the warning.

Two Main Issues

There are two categories of privacy issues that are addressed by P3P. One is the obvious request for information that Web users butt into when they complete commercial transactions on the Web, register for online services or enter sweepstakes. They may be asked for information such as their name, billing address and credit card number, along with additional information such as age, income level and preferred travel destinations.