P3P: Protector Of Consumers' Online Privacy

Who trusts the Internet? Hardly anyone, it seems. Least of all, North American consumers, who spent $12 billion less online than they would have in 1999 because of privacy concerns, according to a Forrester Research study. And consumer privacy concerns are intensifying.

The protection of personal information and data security are two of the biggest issues that users have with online commerce. While security problems are being addressed, little has been done to ease users' privacy concerns. Many consumers are still uncomfortable with the prospect of handing their private information to Web sites.

While various security standards and technologies have emerged in recent years, few technological innovations have evolved to help protect the privacy of personal information. P3P, the Platform for Privacy Preferences, is perhaps the first technology that consumers will encounter, because it will be part of Microsoft's forthcoming Internet Explorer 6.0 browser.

P3P is a World Wide Web Consortium standard designed to help users gain control over the use of their personal data. The standard is starting to appear on Web sites and in software products. The primary purpose of P3P is to turn the fine print of a Web site's privacy policy into something that users can understand. P3P should help consumers make informed decisions about whether to share their personal information with a Web site.

To accomplish this goal, P3P must be deployed on both clients and servers. On the server side, Web sites must encode their privacy policies in a machine-readable XML language. Users who access the Web site using a P3P-com-pliant client, such as Internet Explorer 6.0, can review the sites' privacy policies and decide whether they want to divulge any personal information.

While many E-commerce sites have online privacy policies, these policies are often written in legalese that's hard for users to understand. P3P's XML language will encourage sites to express their privacy policies with precision and specify exactly what they'll do with users' private information.

For sites that want to deploy P3P, translating their current privacy practices into P3P's XML language will be a primary challenge. This can be tedious, because P3P requires exact answers for many privacy questions.

"Because there's no standardized terminology for privacy policies, when you get down to the translation, you have to be very specific about where data is going," says Michael Wallent, Microsoft's IE 6.0 product manager.

Consultants such as PricewaterhouseCoopers have helped companies deploy privacy policies, and P3P generator tools such as IBM's P3P Editor and Microsoft's Privacy Wizard help translate natural-language privacy policies into P3P's XML privacy language.

No company develops privacy policies without input from legal counsel, and the confusing array of privacy legislation in different countries makes the deployment of a narrow, specific policy difficult. Already, IT managers and lawyers have had to be vigilant with respect to the ever-changing legal landscape for privacy.

But P3P doesn't let managers ignore new duties created by recent privacy legislation, says Henry Jones, a veteran E-commerce lawyer with Fulbright and Jaworski. Managers must assess their customer-profile and related data, and test network security and data-storage processes. Managers who assume they're safe may face liabilities, he adds.

Congress has enacted a hodgepodge of privacy laws, including the Graham-Leach-Bliley Act, as well as the Children's Online Privacy Act, the Electronic Communications Privacy Act, and the Fair Credit Reporting Act, which relate to specific industries or demographics, such as personal finance, medicine, and children under 13. But so far, there hasn't been broad legislation that protects users' personal data across every business.

Fundamentally, Web sites in the United States collect personal data in a fashion known as "opt-out," which means that the sites aren't obligated to inform users that their personal data has been collected or how it will be used. Users find out, sometimes through distasteful spam or other unseemly ways, that their E-mail address and other private information have been sold. They must find a way to "opt-out," or remove themselves and their information from the purveyors after the fact.

In contrast, the European Union has enacted laws that restrict the ability of businesses to collect private information about individuals without their permission. Web sites that operate in European Union countries are strictly "opt-in," which means that the sites must provide full disclosure directly to the user about what they'll do with user information before the fact.

But Web sites aren't rushing to deploy P3P. A Zona Research survey on Internet privacy conducted in the spring asked businesses which privacy technologies they considered deploying; 61% of respondents show no interest in P3P, while only 22% expect to have P3P deployed by year's end.

"P3P is on our radar, but our current privacy standards are strong," says Neil Hunt, VP of Internet engineering at Netflix.com, a DVD rental site. Like many E-commerce sites, Netflix has a link to its privacy policy that users can peruse before handing over personal data. Netflix also has partnered with Trust-e, one of several privacy certifiers--nonprofit watchdog organizations that provide privacy oversight and dispute resolution for consumers. Sites that agree to privacy rules put forth by the privacy organizations are allowed to display a graphic seal on their sites.

American Airlines Inc., which partners with the Better Business Bureau's privacy-seal organization, also has no plans to deploy P3P. "We adhere to strict privacy guidelines that are outlined on the aa.com site and we participate in the Better Business Bureau's BBBOnline privacy program," says Rob Friedman, managing director of personalized marketing for American Airlines. "We believe that these are adequate measures to ensure our customers' privacy." For Netflix, American Airlines, and other sites, P3P won't become a force to deal with until Internet Explorer 6.0 is widely deployed--around mid-2002.

Microsoft is also adding P3P support to its Passport online authentication system in an attempt to assuage critics who fear Microsoft will track users' surfing habits with it. That action didn't convince privacy advocates, however, who wrote in an updated complaint to the Federal Trade Commission that P3P "fails to provide any assurance of compliance with baseline privacy standards."

AT&T, IBM's Tivoli subsidiary, and NEC are other vendors that are committed to supporting P3P in various products and services. But many other software makers aren't yet committed to P3P. "At the moment, we aren't sure whether P3P is the best solution," says Live Leer, a PR manager for Opera Software AS, creators of the Opera Web browser. Similarly, P3P isn't in Netscape's version 6.1 browser, released last week, or America Online's software, which is used by 30 million people.

With the release of Internet Explorer 6.0, it's certain that P3P will be on some user desktops this fall, but will it make a difference in users' online privacy experience? Ultimately, P3P will have little effect unless sites deploy it and there are sufficient privacy laws to back it up.