New Book May Be the Bible on P3P
P3P operates at the browser level. It is a retail mechanism that lets an individual consumer automatically compare her privacy preferences with the policies of a Web site. If the Web site fails to meet the consumer's standards, P3P alerts the user, who can decide whether and how to use that site.
P3P has been in development for more than five years, and it is just hitting the Net in a major way. I haven't written about P3P here, but a new book on the subject offers a good excuse. The book is "Web Privacy with P3P," by Lorrie Faith Cranor and published by O'Reilly. Cranor works for AT&T Labs and is a principal developer of P3P. She is respected in the Internet community for her technical and policy activities.
Several aspects of P3P are noteworthy. First, it is a technology rather than a policy, though it reflects many policy judgments. Second, it isn't a comprehensive solution to privacy. P3P automates some communications between users and Web sites. Third, it was developed jointly by representatives from business, privacy and Internet organizations. Such broad-based cooperation is rare in the privacy world.
P3P's principal sponsor is the World Wide Web Consortium, known as W3C. W3C is a group of hundreds of companies, universities and nonprofit organizations working together on technical and other aspects of the Web.
I am enthusiastic about the book. The first 50 pages describe P3P's purpose, history, background and development. Also included are introductions to privacy law and policy and to Internet operations. If you are considering adding P3P to your Web site or just thinking about approaches to privacy in general, the book is a good place to start.
The author is open and honest about the lengthy and mildly troubled history of P3P, its shortcomings and its critics. Cranor is clearly an advocate for P3P, but she is not a cheerleader.
Much of the rest of the book addresses the P3P technology and code. Part II provides Webmasters the information they need to make a site P3P-compatible. If your job is to deploy P3P on a Web site, this section describes the requirements, syntax, coding and data elements.
Chapter 7 explains how to gather the information to create a P3P policy for a Web site. The chapter bridges the gap between the technical details needed for implementation and the policy choices that the implementation must describe.
Part III addresses design issues related to P3P. The audience is mostly software developers. Though there are many technical details here as well, the discussion is not merely technical. Cranor often gives a context to the features of P3P with a discussion of the manner in which P3P developed, what choices were made and what was left out.
Buying the book is an easy decision. The harder choice is whether to use P3P on your Web site. I've followed the development of P3P for a long time, and I have never made up my mind about it. I can't make a general recommendation to use or not use P3P.
P3P has been simplified over the years, but the final product remains complex and can be expensive to embrace. For complex Web sites, the price for automated privacy decisions is steep. For users, limitations are significant. Some privacy advocates are critical of P3P, and they make some good points. Still, P3P is feasible, well thought out, and useful in some ways. It's a tough call.
P3P has gotten a lot of interest from Microsoft and other Internet players. Internet Explorer and Netscape Navigator support P3P. Browser integration is essential if P3P is to have a chance to succeed.
P3P is ready and waiting to be embraced by consumers, but so far lacks the buzz to be a success. The real question is whether the marketplace of consumers and Web site operators will find P3P useful. The jury is still out.
If you have any interest in P3P as a policy development or are considering whether to add P3P functionality to your site, you should read this book. If you have already decided to proceed with P3P, you will need it. "Web Privacy with P3P" is destined to be the P3P bible. The broader questions are how many Web sites will join the P3P church and whether consumers will care.