X

W3C drafts privacy system

The consortium proposes a system that allows for sites to disclose their data-collection practices and lets users choose how much data to give away.

5 min read
The World Wide Web Consortium (W3C) today released a working draft for a system that allows Net sites to seamlessly declare their data-collection policies, while at the same time letting surfers decide which personal details they are willing to give up in exchange for goods and services.

Dubbed the Platform for Privacy Preferences (P3P), the W3C's system will work behind the scenes as people travel the Net.

The availability of such technologies aims to quell international online privacy concerns--which federal agencies and the White House fear will hamper e-commerce. However, some consumer advocates argue that products such as P3P don't enhance privacy, but rather help create an environment in which people feel compelled to barter their names, email addresses, and other demographics as a condition of using the Net.

When a site utilizing P3P is accessed, its data collection and privacy practices are presented to a visitor's browser. Then, based on the surfer's settings, which are imbedded in her Web browser, the site will automatically register the user's personal preferences. It will know the following: what personal information can be harnessed, whether it can track the visitor's activity while she is on the site, and whether the site is authorized to share that data with third parties or if the user wants to remain completely anonymous and unmonitored.

At all times, individual sites and Net users can negotiate these boundaries.

For example, P3P notifies users when a site's practices don't mesh with their preferences. A site could refuse to admit people unless they forfeit certain data, users could agree to the conditions or leave, or the site could offer an alternative.

On the other hand, Net users' default preferences may be set at "anonymous" except for when they enter a subscription-based news site that requires their user name and password. In those instances, users might tweak their P3P settings to let a specific site grab their personal information, which allows them to easily access the site.

"We're creating a platform for people to use to negotiate, communicate, and decide on something that is beneficial for them. The way you set your setting will have a big impact on your privacy," Joseph Reagle, P3P project manager, said today.

"You set your generic preferences to what you generally feel comfortable with, and then you grow your relationships with [Net sites]," he added. "This is no different from how you grow trust in the real world."

Eventually, organizations will be able to recommend default P3P settings, Reagle added, which Net users can easily integrate into their browsers.

Reagle suggested at least a three-tiered setting, the first of which lets users stay completely anonymous. The second setting could allow a site to monitor a user semi-anonymously to calculate traffic for advertisers, for example. And a third setting might permit a site to use a numerical ID to track a specific user's interests, such as a sports news site that gathers headlines based on a person's favorite teams.

The working draft of the P3P 1.0 specification is now open for public comment. In about six weeks, a revised version will be released so that developers can begin working to implement P3P. The project hopes to issue final recommendations by October.

P3P has been endorsed by both Vice President Al Gore, who last Thursday called for an "electronic bill of rights" to protect individuals online, and former Federal Trade Commissioner Christine Varney, who led the agency's probe into online consumers' privacy issues and now represents Netscape Communications for a private law firm.

It is no surprise the White House supports P3P. The administration is trying to stave off regulation of e-commerce in the face of more than 50 Net privacy bills pending in Congress and a strict European Union privacy directive that goes into effect this fall.

"I welcome this important new tool for privacy protection. It will empower individuals to maintain control over their personal information while using the World Wide Web," Gore said in a statement.

Parties working on P3P include those with a stake in the success of e-commerce such as America Online, AT&T, the Direct Marketing Association, and Microsoft, whose Internet Explorer browser will support P3P, as will Netscape's Web browsers. Nonprofits such as TRUSTe and the Center for Democracy and Technology also are working on the project, which is backed by the Internet Content Coalition, cochaired by CNET's Chris Barr and Ziff Davis' Dan Farber.

P3P does not include a similar system--the Open Profiling Standard--proposed by Netscape, Internet tools maker Firefly Network, and certificate authority VeriSign. OPS would let users store a personal profile on their computer and then decide whether to disclose that data to sites.

"P3P was initially focused on enabling the expression of privacy practices and preferences. OPS's focus was on the secure storage, transport, and control of user data," states the W3C.

But Reagle added that parts of OPS were reviewed when drafting today's proposed P3P system. "There is nothing in P3P specifications that is OPS. But there are things that the designers learned from OPS," he said.

Still, P3P and OPS are criticized by some privacy groups for catering to marketers, services, and content providers, which in the interest of building successful online businesses want to learn all they can about surfers. This balance does not favor privacy, these consumer advocates argue.

"P3P is heading in the wrong direction. The best techniques for protecting privacy are those that limit or eliminate the collection of personal information," Marc Rotenberg, director of the Electronic Privacy Information Center, said today.

"P3P makes it very easy for Web sites to turn away people who won't give up their information. We don't think that is the right approach," he added. "People need a very simple uniform privacy standard that uses protocols, based on encryption [for example], that allow them to be completely anonymous."

The W3C's Reagle said the flexibility of the marketplace and consumer demand will ultimately decide this privacy debate, not the technology itself. "I don't know how the balancing act plays out, but P3P doesn't swing it one way or the other," he said.

Despite concerns, a list of influential online companies and government officials are behind P3P, increasing the likelihood that it will be embraced.

"Currently, legislation is uneven in its ability to provide this protection. Solutions like P3P, developed through consensus, mean that privacy on the Net can be improved right now," Ann Cavoukian, an Ontario Information and Privacy Commissioner, said in a statement.