P3P Is First Step Toward Transparency

What is the difference between a consumer who roams around a bit on your company’s Web site but leaves without making a purchase, and one who goes to your competitor’s site, returning again and again, leaving only after completing a sales transaction?

It could be that the first consumer has concerns about the information you are collecting about her.

More than 70 percent of individuals in a recent study by the National Consumers League, Washington, said it was essential that Web sites ask visitors for permission to pass on personal information. These survey respondents, as well as many other computer users cited in several surveys, including one released in November by Gallup, Princeton, NJ, are worried about the amount and type of personal information being gathered by corporate Web sites through cookies and Web bugs for marketing purposes.

With no rules with which companies must comply, technical solutions are becoming the means of attacking the problem — and the Platform for Privacy Preferences, or P3P, is being engaged as part of the arsenal.

P3P has been under development for three years by the World Wide Web Consortium, or W3C, with participation by AT&T Labs, IBM, Microsoft, America Online, Citigroup and others. On the Web site side, the technology expresses a company’s privacy statement in Extensible Markup Language, using a fixed vocabulary for what data is collected, for what purpose, who receives it and how long it is kept, so that software rather than a person can read it. On the user side, it is implemented as a browser extension or built into Internet Explorer and Netscape Navigator.

Developers such as AT&T’s Lorrie Cranor, who chairs the P3P Specification Working Group, envision a browser tool that offers Web surfers levels of opt-in privacy choices that can be set up as preferences. When the user visits a site, the software fetches the site’s machine-readable policy, which is essentially a snapshot of its privacy statement, and compares it with the user’s preferences. If the two agree, nothing happens. If they conflict, the user is alerted and offered the choice of either leaving the site or accepting the policy. The comparison tells the user what the site says it does; P3P itself has no way to verify that the site actually behaves that way.
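As an added illustration of that matching step (this is example code written for this page, not code from the article, the W3C or any of the vendors named), the script below parses a small policy written in the P3P 1.0 XML vocabulary and checks each of its statements against a user’s refusals. The site name, the discuri, the namespace URI, the two statements and the user’s preferences are all constructed for the example.

```python
"""Added illustration of the P3P matching step (not code from the article,
the W3C or any vendor). The policy below is written in the P3P 1.0 XML
vocabulary (POLICY, STATEMENT, PURPOSE, RECIPIENT, RETENTION, DATA-GROUP).
The site name, discuri, namespace URI and the user's preferences are
assumptions made for this example."""
import xml.etree.ElementTree as ET

# Constructed sample policy with two statements: one for ordinary clickstream
# logging, one that hands e-mail addresses to unrelated parties for marketing.
SAMPLE_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="shop" discuri="https://shop.example/privacy.html">
  <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Shop</DATA></DATA-GROUP></ENTITY>
  <ACCESS><nonident/></ACCESS>
  <STATEMENT>
   <PURPOSE><current/><admin/></PURPOSE>
   <RECIPIENT><ours/></RECIPIENT>
   <RETENTION><stated-purpose/></RETENTION>
   <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
   <PURPOSE><contact/><telemarketing/></PURPOSE>
   <RECIPIENT><unrelated/></RECIPIENT>
   <RETENTION><indefinitely/></RETENTION>
   <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>
"""

# Constructed user preference: refuse any statement that shares data with
# unrelated parties or the public, uses it for telemarketing, or keeps it forever.
USER_PREFERENCES = {
    "recipient": {"unrelated", "public"},
    "purpose": {"telemarketing"},
    "retention": {"indefinitely"},
}


def local_name(tag):
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def parse_statements(policy_xml):
    """Return one dict per STATEMENT: sets of purposes, recipients, retention
    values and the data refs the statement applies to."""
    root = ET.fromstring(policy_xml)
    statements = []
    for element in root.iter():
        if local_name(element.tag) != "STATEMENT":
            continue
        stmt = {"purpose": set(), "recipient": set(), "retention": set(), "data": set()}
        for child in element:
            name = local_name(child.tag)
            if name in ("PURPOSE", "RECIPIENT", "RETENTION"):
                stmt[name.lower()] = {local_name(c.tag) for c in child}
            elif name == "DATA-GROUP":
                stmt["data"] = {d.get("ref") for d in child if local_name(d.tag) == "DATA"}
        statements.append(stmt)
    return statements


def find_conflicts(statements, prefs):
    """Compare each statement with the user's refusals. Returns a list of
    (statement index, sorted data refs, reasons); an empty list means no conflict."""
    conflicts = []
    for index, stmt in enumerate(statements):
        reasons = []
        for axis in ("purpose", "recipient", "retention"):
            for value in sorted(stmt[axis] & prefs[axis]):
                reasons.append(f"{axis}:{value}")
        if reasons:
            conflicts.append((index, sorted(stmt["data"]), reasons))
    return conflicts


def evaluate(policy_xml, prefs):
    """The browser-side decision: parse the site's policy and report conflicts."""
    return find_conflicts(parse_statements(policy_xml), prefs)


if __name__ == "__main__":
    for index, refs, reasons in evaluate(SAMPLE_POLICY, USER_PREFERENCES):
        print(f"statement {index} on {refs} conflicts with preferences: {reasons}")
```

Run as written, the first statement (clickstream, kept only for its stated purpose, used by the site itself) passes, and the second (e-mail address, given to unrelated parties for telemarketing, kept indefinitely) is reported with all three reasons. Nothing in the check inspects what the site really does with the data; it only compares two declarations.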

“P3P promotes transparency about all the elements involved in a Web site,” Cranor said.

At interoperability sessions — known in the industry as an interop — held last June in New York and in November in Palo Alto, CA, Microsoft and other companies demonstrated software prototypes. P3P is in the candidate-recommendation phase. Once all the reviews and comments have been addressed, Cranor said, it will go through the W3C process as an official recommendation. She was unable to specify how long that will take.

Getting Business Compliant

Since P3P is a voluntary standard, how much compliance by e-commerce sites and others can be expected?

Do you really want all that legalese translated into something to which you could be held accountable?

Mary Culnan, professor of management and information technology at Bentley College, Waltham, MA, sees P3P neither as a silver bullet nor totally inadequate, but instead as a start that will give consumers some sunshine into what Web sites are demanding from them. It is also, she noted, a chicken-and-egg conundrum.

“Consumers probably won’t go to the trouble of using it unless Web sites install it, and Web sites won’t install it until they know consumers will use it,” she said.

P3P has been embraced by the White House, which has made its site compliant. Microsoft has announced that it will incorporate it into Whistler, its next version of Windows, which is scheduled to ship commercially during the second half of 2001. Netscape/AOL is also working with P3P. IBM, Hewlett-Packard, Procter & Gamble and AT&T are all P3P-compliant.

“We think companies will want to do it because most meet industry standards,” said Ari Schwartz, a policy analyst at the Center for Democracy & Technology, Washington. “A lot of companies are moving toward opt in, and that’s making customers happy and sustaining trust in them as brand names. We’re seeing a lot more companies coming to us, saying that they want to fit into that camp.”

Schwartz added that large and small companies are implementing P3P, even as the details are being worked out.

“They want to see how it looks and show support,” he said.

Barbara Lawler, customer privacy manager at Hewlett-Packard, Palo Alto, CA, has been in charge of implementing P3P on the company’s many sites.

“I found that the policy has to be very precise because of the technology,” she said. “I had to match my understanding of our policy to the language in the policy generator tool.”

However, the standard can be complicated to adopt when a site has not only different pages doing different things, such as e-commerce or customer support, but also third-party advertisements. P3P lets a site attach different policies to different URLs and cookies, but content served by a third party, such as an ad network, is covered by that party’s policy rather than the host’s. Hewlett-Packard does not carry third-party advertisements but has not ruled them out for the future.

“This is a complex issue the industry is trying to figure out,” Lawler said.

Noting a steady increase in interest behind the scenes, Lawler is encouraging other companies to adopt the standard.

“You need to decide now because when a consumer has access to P3P, you need to be ready,” she said. “It behooves sites to adopt P3P, particularly the heavy hitters, because the industry could set a good example of taking the lead on privacy, and this is a good way to do it.”

Does Choice Equal Best Practices?

Transparency and choice are the P3P buzzwords. But P3P is not going over well in some arenas — and the fiercest resistance is not coming from e-commerce sites already targeted as data thieves. The strongest opponents are the privacy advocacy camps. Junkbusters, Green Brook, NJ, and the Electronic Privacy Information Center, Washington, are heatedly anti-P3P for several reasons.

“What role will P3P play in privacy protection?” Andrew Shen, a policy analyst at EPIC, asked. “We believe in doing business around fair information practices that give a plethora of guarantees around privacy. P3P is focused on the wrong aspects of privacy protection. It’s not addressing best practices and principles, but choice. It forces customers into a decision, when customers should have certain guarantees with respect to the collection and use of their data.”

Shen and others, including Jason Catlett, who runs Junkbusters, also have concerns that P3P will mollify politicians and deflate any efforts to implement strong privacy legislation.

“We’re against it because it’s hyped as a technology that will improve privacy, but it most likely won’t do that,” Catlett said. “The real privacy-enhancing technology will stop data from being collected, whereas P3P merely facilitates notice of practices. Just because it automatically translates policies into a computer language doesn’t mean the policies will get better, and it just might lull consumers into a false sense of privacy.”

Catlett is not against privacy-enhancing technologies per se, he said. In fact, Junkbusters has published a free proxy server that manages cookies and blocks banner ads.

“We’re in favor of them, but this isn’t one of them,” he said. “To call this a privacy standard when the minimum level hasn’t yet been determined is an act of creative fiction.”

But Cranor and her colleagues have been plain about the role they perceive P3P has in the fight for privacy protection.

“We’ve tried to be upfront,” she said. “This addresses one aspect of online privacy issues. It’s not a comprehensive solution and shouldn’t be used as an excuse not to work on other privacy solutions.”

She said that in countries represented by the European Union, where privacy laws are in place, P3P would complement their framework.

“The laws require companies to provide notice about what they do,” Cranor said. “And what is it they’re actually doing? Realistically, no one’s going to stop and read the notices. But if they had an automated tool that could read the notices for them and alert them if there are conflicts, they can act. So, it’s useful even in countries with strong privacy laws.”

Ann Cavoukian, Ontario’s information and privacy commissioner, agreed.

“Privacy legislation is a necessity, but it is insufficient to deal with the rapid pace of change, especially in the technology sector,” she said. “Other efforts, for example, by the media, advocacy groups and the private sector, can be very effective in identifying an emerging privacy issue, bringing it to the public’s attention and helping to develop solutions. P3P falls into this category of solutions.”

P3P has its limits when it comes to compliance, said Rena Mears, a Deloitte & Touche partner based in San Francisco.

“It is important for both businesses and consumers alike to realize that the use of P3P alone does not provide third-party audit compliance,” she said. “Even if a company has P3P in use for each user’s visit to the site, you can’t assume that the host is in complete control of the technologies involved in handling consumers’ private information.”

Tim Connors, a Deloitte & Touche partner in Enterprise Risk Services, said that any business intent on addressing privacy issues and ensuring customers of their compliance should be audited.

“Third-party auditing is necessary, even if you adopt P3P,” he said. “We do it, as do organizations like TRUSTe and BBB Online.”

Another issue that has been raised by privacy-rights groups is just who establishes the privacy defaults that will appear in browsers such as Internet Explorer.

Catlett scoffs at the notion that either Microsoft or AOL can develop a default that would truly protect user privacy.

“The idea that the technology will help educate consumers is naïve,” he said. “Microsoft and AOL have a terrible history with this. Look at what happened with Microsoft and cookies. At the interop in June, I asked them what the defaults will be before the red lights go off. They said they hadn’t decided.”

But Microsoft said it will not establish those defaults. The plan is to bring in a third party, such as a consultant with a privacy practice or one of the seal programs, such as TRUSTe.

“The key is, it won’t be us,” said Greg Hampson, corporate privacy manager at Microsoft.

Schedules Out of Sync

Hampson said now that the P3P spec is in the candidate-recommendation phase, it is considered close enough to be able to code to. Microsoft is supporting it in Internet Explorer 6, which is about to debut in beta. The difficulty, Hampson said, has been that the schedules for developing IE 6 and P3P have been out of sync, with IE 6 further ahead.

“So our approach will be to use the P3P specification and vocabulary to allow users to manage cookies,” he said. “That’s our minimum level of commitment. We hope to do a fuller implementation after that.”
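Cookie management of the kind Hampson describes works from the compact policy, the space-separated three-letter tokens a server sends in a P3P: CP="..." response header beside Set-Cookie. The script below is an added example written for this page, not Microsoft’s or any browser’s code: the token syntax and meanings follow the P3P 1.0 specification, while the sample responses, hostnames, the blocking rules and the user preference are constructed assumptions.

```python
"""Added illustration of cookie management driven by P3P compact policies
(not Microsoft's or any browser's code). The compact-policy syntax and the
three-letter tokens follow the P3P 1.0 specification: the server sends
P3P: CP="..." beside Set-Cookie. The sample responses, hostnames, the
blocking rules and the preference are assumptions made for this example."""
import re

# Subset of the spec's compact-policy vocabulary used here. Purpose tokens may
# carry a suffix: "a" always, "i" opt-in, "o" opt-out (CONi = contact, opt-in only).
PURPOSE = {"CUR": "current", "ADM": "admin", "DEV": "develop", "TAI": "tailoring",
           "CON": "contact", "TEL": "telemarketing", "OTP": "other-purpose"}
RECIPIENT = {"OUR": "ours", "DEL": "delivery", "SAM": "same",
             "UNR": "unrelated", "PUB": "public", "OTR": "other-recipient"}

# Constructed preference: refuse cookies whose policy shares data with unrelated
# parties or the public, or uses it for marketing contact without opt-in.
PREFS = {"recipient": {"UNR", "PUB"}, "purpose": {"CON", "TEL"}}


def parse_compact_policy(headers):
    """Return the list of CP tokens from the P3P header, or None if there is
    no usable compact policy (header absent, or present without a CP part)."""
    value = headers.get("P3P")
    if value is None:
        return None
    match = re.search(r'CP\s*=\s*["\']([^"\']*)["\']', value)
    return match.group(1).split() if match else None


def decide(headers, third_party, prefs=PREFS):
    """Accept or block the cookie in one HTTP response.
    Returns (decision, reasons); decision is "accept", "block" or "no-cookie"."""
    if "Set-Cookie" not in headers:
        return "no-cookie", []
    tokens = parse_compact_policy(headers)
    if tokens is None:
        # Constructed rule: a third-party cookie with no policy is blocked outright;
        # a first-party one is allowed because the user chose to visit that site.
        if third_party:
            return "block", ["no compact policy on third-party cookie"]
        return "accept", []
    reasons = []
    for token in tokens:
        base, suffix = token[:3], token[3:]
        if base in RECIPIENT and base in prefs["recipient"]:
            reasons.append(f"recipient {RECIPIENT[base]}")
        elif base in PURPOSE and base in prefs["purpose"] and suffix != "i":
            reasons.append(f"purpose {PURPOSE[base]} without opt-in")
    return ("block", reasons) if reasons else ("accept", [])


# Constructed responses as a browser might see them during one page load.
RESPONSES = [
    ("shop.example", False, {
        "P3P": 'policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR NAV STA"',
        "Set-Cookie": "session=abc123; Path=/"}),
    ("ads.example", True, {"Set-Cookie": "uid=42; Domain=.ads.example"}),
    ("tracker.example", True, {
        "P3P": 'CP="NOI DSP COR NID CURa TAIa CONi UNR PUB NAV UNI"',
        "Set-Cookie": "t=9f8e; Domain=.tracker.example"}),
    ("static.example", True, {"Content-Type": "image/gif"}),
]


def run(responses=RESPONSES):
    """One decision per host, the way a cookie manager would log it for the user."""
    return {host: decide(headers, third_party) for host, third_party, headers in responses}


if __name__ == "__main__":
    for host, (decision, reasons) in run().items():
        print(f"{host}: {decision} {reasons}")
```

On the constructed responses, the first-party session cookie is accepted, the ad server’s cookie is blocked because it carries no compact policy at all, the tracker’s cookie is blocked on its UNR and PUB recipient tokens (its CONi token is tolerated because the opt-in suffix is present), and the image response sets no cookie. As with the full policy, a compact policy is a self-declaration: the filter acts on what the server claims, and a server that lies or sends a policy it does not honour is not caught by it.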

AOL, while enthusiastic, is further behind, with no announcement of a scheduled adoption in Netscape. That has been because of the engineering logistics of launching a new version of the browser in November, AOL spokesman Andrew Weinstein said. “But now that we’ve launched version 6, our engineering team is actively looking at ways in which we might be able to integrate P3P technology in different products,” he said. “They’re also working with other software developers and encouraging them to use Netscape’s open source platform to develop P3P-compatible applications.”

While Microsoft, Netscape and the plug-in makers will be integrating the defaults into their software, Schwartz is emphatic that it will not be done in a vacuum. The Center for Democracy & Technology, privacy commissioners, attorneys general and the public, he said, will all have a chance to comment on the defaults as they are created.

Cranor describes the browser interface that Microsoft demonstrated with AT&T as privacy friendly. “There are different levels of granularity,” she said. “I think what you can do is build overlays — ask people small numbers of questions that will build the preference. Power users can go back and tweak them, but at least with a small number of questions, people can get started.”

Several software companies, including Privista and invisiME, are working on technical solutions to help individuals control their personal identities online, and some have built P3P into browser extensions. One of them is IDcide, which demonstrated a Netscape-compatible version of its Privacy Companion at the June interop.

“Privacy Companion allows users to find out whether a site is using cookies, including third-party cookies, and to block them,” said Ron Perry, president of IDcide, Saratoga, CA. “With P3P added, users can customize their settings to only block cookies from sites that don’t match their privacy preferences.”

Schwartz, Cranor and other advocates are convinced that P3P will have an additional benefit: spurring privacy legislation. Culnan doubts that widespread implementation of P3P will encourage legislation, but she noted that legislation would start by looking at disclosure, and disclosure, if nothing else, is what P3P provides. The assumption is that once P3P users see how much personal information is being collected, they will join the anti-P3P privacy advocates in clamoring for new laws.

“We don’t want to kill legislation,” Schwartz said. “We want it to spur legislation.”

In an environment in which competition not just for eyeballs but for wallets is growing increasingly fierce, making potential consumers as comfortable buying online as they would in the local mall is not even a choice. P3P is admittedly not the be-all and end-all solution for consumers or retailers, but it is a good first start in bringing some transparency into the online shopping process and in getting businesses to start addressing privacy issues sooner rather than later.

Companies that implement P3P can find themselves ahead of the privacy curve — and the competition — by demonstrating to consumers their sensitivity to privacy concerns and giving them upfront information about their privacy policies. And, in the process, it can help businesses clarify sometimes murky policy statements. You want your customers to trust you to offer them the best products and services. Help them trust you to complete the transaction.
