Giving Users Back Their Privacy

With Microsoft set to release its first browser-based consumer privacy controls later this month, the Platform for Privacy Preferences Project (P3P) standard is about to step into the limelight.

Already, 63 companies have joined the P3P bandwagon. They've rewritten and tagged their privacy statements in XML to make those policies readable by Web surfers' machines. And many more e-merchants are well into the process of making their online privacy statements P3P-compliant.

The promise of P3P is that it will give users control over how their data is gathered and used. By supporting the standard, e-merchants hope to draw consumers back to the Web, and maybe even gain some loyalty in the process.

But critics are wary of this silver-bullet approach to consumers' privacy, charging that tools that only expose privacy policies don't hold e-businesses accountable for promises they make. And early iterations of Microsoft Corp.'s browser tool and the other emerging P3P plug-in by YouPowered Inc. in New York aren't really reading full privacy policies when deciding whether to allow a read from or write to a cookie, making it harder to automate personal preferences on privacy.

"P3P will not improve the current level of privacy protection," says Andy Shen, policy analyst at EPIC.org, a privacy advocacy group in Washington. "What we need is standards - something to hold [vendors] accountable. Because without those, there's no enforcement."

But these early iterations of P3P are better than doing nothing, say proponents. And as implementations expand to offer more granular choices for users, P3P could be the biggest thing to hit the browser since Secure Sockets Layer encryption, say early adopters.

The Language

By tagging English-language privacy statements in XML, Web businesses make their policies readable by any P3P client. As P3P matures, users should eventually have a vast array of settings they can use to tailor their Web experiences to their preferences.

"The benefit of P3P is once you establish a set of general preferences, the review of the site's policy happens automatically," says Jules Polonetsky, chief privacy officer at e-mail marketing company DoubleClick Inc. in New York. "This is the beginning of allowing users to say, 'I'll give you this, but I won't give you that. Tell me what [the Web site is] asking for, and my browser will interact.'"

The back-end work of tagging privacy statements in XML is straightforward, says Lorrie Cranor, chair of the P3P specifications working group spearheaded by the World Wide Web Consortium. Cranor, also a principal technical staff member at AT&T Labs in Florham Park, N.J., has completed tagging AT&T Corp.'s English-language privacy policy for P3P compliance.

The difficult part is re-creating the privacy statements in the fine detail required to make them P3P-compliant, according to both Cranor and Polonetsky.

"Your privacy statement and your P3P statement are likely to be different documents," says Polonetsky, who's in the midst of rewriting DoubleClick's privacy statements for P3P. "Most privacy policies don't go into as much detail as P3P does - or cover the gamut of technology that has any information relationship, like navigational data, log files, HTTP referrers."

To make this easier, Cranor developed a template-based privacy policy generator to cover the mundane detail called for in P3P-compliant policy statements. AT&T's new policy, which went live July 1 at www.att.com/privacy/, addresses not only what data is collected, but also how it's collected and what's done with it. Some examples include the following:

• Data collection: AT&T's policy specifies what the data is collected for: billing services, change services, problem resolution and product information. "This means that AT&T may use your customer-identifiable information, in conjunction with information available from other sources, to market new services to you that we think will be of interest to you, but we will not disclose your customer-identifiable information to third parties who want to market products to you," the statement says.

• Cookies: The policy states that "AT&T servers automatically gather information about which sites customers visit on the Internet and which pages are visited within an AT&T Web site. The company does not use that information, except in the aggregate."

• Disclosure: AT&T's policy states it will not sell, trade or disclose this information - including customer names and addresses - to third parties without consent of customers. It also says AT&T will ensure that contractors also protect the customer-identifiable information.

Polonetsky says DoubleClick's privacy policies are clear, but the company's use of cookies is complex because it monitors Web surfing habits to determine which ads to send to consumers' browsers. So his efforts have mostly centered on making sure cookie use is portrayed accurately, which has taken extensive conferencing with DoubleClick's legal, privacy, marketing and technical people, he says.

Missing from P3P work is language for data security, something even the Federal Trade Commission (FTC) brought up to the P3P working group when it was formalized in 1997. But when the working group looked into allowing consumers to set their data security preferences, it decided it was impossible to objectively define which sites are secure, says Cranor.

That's because anyone with a firewall can say they protect consumers' data, even if that firewall is junk, she says. P3P does include a hook for security vocabulary, but it won't be useful until some best security practices, such as the published security standard ISO 17799 or Visa International Inc.'s merchant security policies, are universally adopted. Then, the XML-readable security policy could verify that a site protects the customer's data by saying that it adheres to the ISO 17799 security standards, for example.

The Revolution

Microsoft demonstrated P3P support in its browser in December at a privacy/security conference it hosted. YouPowered also has a browser plug-in. Netscape Communications Corp. is waiting for a secret third-party developer to deliver an open-source P3P reader for its browser at a yet-to-be-determined point in time. And AT&T is developing a P3P reader of its own, perhaps for commercial use in the future, according to Cranor.

Some criticize Microsoft's tool for not automatically reading full privacy statements. However, Polonetsky and Cranor both say that's a good thing, because to do otherwise at this early stage of adoption would block access to non-P3P-compliant sites. And the P3P reader operates much faster by reading just the cookie headers and reading full privacy policies only when the Web surfer specifically requests it, says Michael Wallent, the director of Microsoft's Internet Explorer team.
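The header-only check described above, sketched as an added example (not code from Microsoft, YouPowered or this article): a P3P compact policy is a string of three-letter tokens sent in a `P3P` response header, and the client compares those tokens with the user's preference without fetching the full XML policy. The token subset follows the P3P 1.0 vocabulary; the preference rule, the function names and the sample headers are assumptions constructed for illustration.

```python
import re

# Subset of the P3P 1.0 compact-policy vocabulary used by this sketch.
PROFILING = {"PSA", "PSD", "IVA", "IVD", "CON", "TEL"}  # profiling / contact purposes
SHARED = {"SAM", "UNR", "PUB", "OTR"}                   # recipients beyond the site and its agents
SENSITIVE = PROFILING | SHARED
# Optional one-letter suffix on a token: a = always, i = opt-in, o = opt-out.
CONSENT = {"": "always", "a": "always", "i": "opt-in", "o": "opt-out"}


def parse_cp(header):
    """Return {token: consent} from a P3P header value, or None if it has no CP."""
    m = re.search(r'\bCP\s*=\s*"([^"]*)"', header or "")
    if m is None:
        return None
    tokens = {}
    for raw in m.group(1).split():
        name, suffix = raw[:3].upper(), raw[3:].lower()
        # An unrecognised suffix is read as "always", the least favourable case.
        tokens[name] = CONSENT.get(suffix, "always")
    return tokens


def decide(header):
    """Hypothetical user preference (an assumption, not any browser's rule):
    refuse the cookie if the policy declares profiling or sharing beyond the
    site's own agents, unless the user has to opt in first."""
    tokens = parse_cp(header)
    if not tokens:
        # Missing or empty compact policy: nothing was declared, so the
        # caller falls back to its default instead of blocking the site.
        return "no-policy"
    for name, consent in tokens.items():
        if name in SENSITIVE and consent != "opt-in":
            return "block"
    # The result rests only on what the site declares about itself;
    # nothing in the header lets the client verify the claim.
    return "accept"


# Constructed sample headers, not captured from any real site.
SAMPLES = [
    'CP="NOI DSP COR CUR ADM OUR NOR"',
    'policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR UNRi STP ONL UNI"',
    'CP="NON DSP TAIa PSAi OUR SAMi IND NAV"',
    'policyref="/w3c/p3p.xml"',
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(decide(h), "<-", h)
```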

Critics have said they would also like to see P3P somehow create more merchant accountability. One could argue, however, that accountability and enforcement are already on the rise. Currently, some 50 privacy-related bills are hung up in Congress. And the FTC is using existing laws regarding deceptive practices, negligence and breach of contract to go after companies that violate consumer privacy (first in line was DoubleClick).

Add merchant accountability to a sense of consumer empowerment, and e-commerce may actually live up to its promise.

"Statistics show that people on the Internet are concerned about identity theft and other privacy issues," says Gary Clayton, CEO of the Privacy Council, a privacy consulting group in Dallas. "I think P3P is the beginning of things to come."

For Web resources on this topic, head to our P3P Research Links page.

For the latest privacy news, head to Computerworld's Focus on Privacy page.

Copyright © 2001 IDG Communications, Inc.