
Promise of P3P stalls as backers regroup

Six months after its recommendation as a Net standard, a major privacy initiative enters an awkward adolescence as software heavyweights adopt it and individual Web sites ignore it.

Paul Festa, Staff Writer, CNET News.com. Festa covers browser development and Web standards.

In ordinary economic times, a protocol like the World Wide Web Consortium's Platform for Privacy Preferences (P3P) might have a hard time gaining acceptance in the marketplace, as mainstream consumers generally exhibit lax security practices when it comes to their own online privacy.

But in an economic downturn, the privacy protocol is also subject to disinterest from Web developers with scarce resources.

P3P lets a Web site publish its data-collection practices as a machine-readable policy, and lets surfers set preferences about which information, such as names and shipping addresses, they are willing to have collected automatically. When a site's policy asks for data the surfer has not cleared, such as a credit card number, the browser can display a warning.

Ideally, the process would make people feel more comfortable with the information being shared and more likely to shop or browse. However, in a downturn the urgency attending its development in years past has diminished along with the economic opportunity it was meant to foster.

"The downturn in technology and the e-commerce sector in general has lessened the push or the demand for P3P that we saw even two years ago," said Stephen Keating, executive director of the Privacy Foundation. "The trend line is now longer than we'd expected. We're now seeing that companies like IBM and Microsoft are interested in how privacy issues may affect e-commerce, but the timeline to figure that out is much longer than it appeared to be."

The second economically sensitive problem is that privacy, perhaps already low on Web authors' list of things to do, has dropped further as resources grow scarcer.

"I've talked to a lot of people about this, and for many it's just not a priority," said Lorrie Cranor, the chair of the W3C's P3P working group, an AT&T researcher and the author of a book about P3P published last month. "It's not that they have anything against it, it's just one more thing to do. Meanwhile, everyone's budgets are tightening and they're not sure there's a payoff."

Widespread adoption in doubt
Next month, AOL Time Warner will host a meeting of the W3C--a major Web standards group with authority over the privacy technology--to debate what sorts of revisions may be required.

The protocol came under the W3C's auspices in 1997. The group released its P3P recommendation six months ago, and since then both Microsoft and AOL Time Warner have introduced some P3P features into their browsers, Internet Explorer and Netscape.

But discussions on Nov. 12 and 13 in Dulles, Va., might well turn to wider issues than new bells and whistles for P3P. The more crucial question facing working group members attending the W3C's Workshop on the Future of P3P may be when or whether P3P will see widespread demand and adoption.

According to an ongoing survey being conducted by Ernst & Young, the percentage of top 500 Web domains--as determined by Comscore/Media Metrix--that use P3P has stagnated in recent months. (By counting domains rather than individual sites, the researchers are looking at all sites within yahoo.com, for example, as opposed to treating mail.yahoo.com and news.yahoo.com separately.)

In September, 25 percent of the top 100 Web sites had some sort of P3P functionality, defined either as publishing a P3P policy reference file at an accessible location (the specification's well-known location is /w3c/p3p.xml), or as sending a P3P HTTP response header that points to the site's policy. For the top 500 sites, that figure dropped to 17 percent.

Those results are virtually unchanged from August, with only four Web domains within the top 500 becoming P3P-enabled, according to Ernst & Young. Only one of those was in the top 100.

Broken down by industry, the "shopping" category did best with a 28 percent adoption rate. At the other end of the spectrum, not a single government site in the top 500 used P3P, the study showed.

Financial services sites, under increasing regulatory pressure to protect the data of their clients, turned in a below-average adoption rate of 11 percent. That indicates the degree of confusion over how P3P and the growing canon of privacy law intersect, study authors said.

"The financial services sector is still in a low adoption rate," said Brian Tretick, principal with Ernst & Young. "That's because there's a lot of concern over how it applies in a regulatory environment."

Effective privacy disclosure
Some companies working on Web privacy are looking to the financial services industry for examples of how not to attack the problem.

Last year, the Gramm-Leach-Bliley Financial Services Modernization Act required that financial institutions disclose to customers how they use private information. The result was a flurry of dense, legally phrased documents that many doubt reached their audience.

"The banks spent millions to tell people what they do with all personal information and give people the opportunity to opt out," said David Steer, representative of Truste, a San Francisco online privacy nonprofit. "And in the end, people just threw them away."

Partly as a result of the Gramm-Leach-Bliley Act, banks and financial services companies are among those that have organized with Truste and with law firm Hunton & Williams' Center for Information Policy Leadership to devise a new method of privacy disclosure.

The new scheme is a nontechnological effort to post the highlights of a privacy statement in a format modeled on the "Nutrition Facts" label the U.S. Food and Drug Administration requires on most food packaging.

"The symbols and labels initiative started because privacy policies were becoming way too long for consumers to read," Steer said. "Web sites need a policy that does two things: It has to be a contract and it has to explain in clear English (the) policies that become only more complex over time. So this 'nutrition label' of privacy is a way of calling out the bits of information that consumers really care about."

Another scheme to help Web surfers come to quick conclusions about a site's privacy policy is AT&T's Privacy Bird, a P3P-based browser indicator that rates a site's privacy policies as red or green depending on the surfer's preferences.

Inspiring changes
While the Gramm-Leach-Bliley mailings may have been the catalyst for one new method for publicizing a privacy policy, another federal law that is months away from going into effect may inspire a new flock of P3P adherents.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was written to ensure that workers don't lose their health insurance when they lose or change jobs, but also to protect the privacy of health records. HIPAA could spur significant growth in P3P adoption, Steer said.

"You're seeing laws that really put a lot of the burden on companies to beef up their privacy practices," Steer said. "Health care companies are now scrambling to find a solution (to HIPAA) and they're saying if we're going to spend millions of dollars on privacy, then let's do it right. We will see more P3P adoption but it won't be a rush, it will be a trickle of sites that become P3P compliant. But then, at the end of the day, we're going to have to go out there and teach people how to use it."

And that, according to lawyers familiar with the technology, will be no small task.

"You can't change your Web site without going through and changing your P3P," said Eric Goldman, assistant professor at Marquette University Law School in Milwaukee and former chief counsel for Epinions. "It's really time consuming and costly to re-architect your site...to maintain your site as P3P-complaint regardless of changes you make. And so I think the underlying assumption of P3P was companies will be happy to do this because so many users will demand it, but until users demand it companies will not go through and make all the changes required to be in compliance."

Ultimately, neither education nor the law may wind up having as much effect on P3P as the march of technology.

P3P saw a significant boost in adoption after Microsoft installed basic P3P functionality in Internet Explorer 6. AOL Time Warner soon followed with P3P features in Netscape 7.

The IE 6 implementation "had a pretty big impact on Web site adoption," said the W3C's Cranor. "That sent signals to Web developers that P3P is real, because it was built into a widely deployed product."

Microsoft's implementation, which by default blocked third-party cookies from sites that did not send a P3P compact policy (the CP token string carried in the P3P HTTP response header), sent a signal with some teeth in it.

"By default, some of these cookies were now going to be blocked," Cranor said. "And that was a wake-up call to Web sites who discovered that their cookies were being blocked and they had no idea why. That was their first introduction to P3P."