Turning up the heat on Web privacy

Lorrie Cranor of the World Wide Web Consortium is urging Webmasters to adopt better privacy regulations. She has a message: Now is the time to start acting more responsibly.

When Microsoft introduced version 6 of its Internet Explorer browser last year, many Webmasters were puzzled to find that their cookies were being blocked in increasing numbers. The culprit was IE's default implementation of the Platform for Privacy Preferences (P3P), and for that, the irate Webmasters had Lorrie Cranor to thank.

Cranor, a principal technical staff member at AT&T Labs-Research, has become virtually synonymous with P3P. She is the chair of the World Wide Web Consortium's (W3C) P3P working group. She designed AT&T's "privacy bird," a software download that turns different colors based on a Web site's P3P settings.

This year, Cranor wrote the book on P3P. Published by O'Reilly & Associates, Cranor's is currently the only title devoted to the subject, though John Wiley & Sons will publish a similar manual in March.

Cranor and her working group last week brought corporate, educational, standardization and government representatives to America Online's Dulles, Va., campus for a two-day . In an interview with CNET, Cranor described the workshop and speculated on the future of the W3C's controversial privacy platform.

Q: Critics of P3P say it's just too complex and costly for the average Web site to implement and maintain. Is that a fair criticism? Is the complexity something that future versions of P3P will worsen or alleviate?
A: No, I don't think that's fair. The average Web site is a small Web site with a single Web server. There are now a variety of tools available for creating P3P policies and documentation that tell you how to do it. Someone who doesn't know anything about P3P will need to do some reading first to get up to speed--a lot of the problems Web site developers are having with P3P are because they are trying to just do some hacks to prevent IE 6 from blocking their cookies without understanding what P3P is or how to use it properly.

Why do we need P3P at all? What's a concrete privacy scenario that could convince the average Web surfer that this technology is important?
A few years ago, hardly any Web sites had privacy policies. Now they have policies, but they are very long and full of legal jargon, so hardly anybody reads them. P3P enables a Web browser--or other software--to read these policies automatically and let the user know if there's something that might conflict with their preferences. The browser might also display an English language summary of the site's policy that is a lot shorter and easier to understand than the full policy. And the browser might make cookie-blocking decisions based on the P3P policy. Instead of choosing between accepting all cookies or blocking all cookies, users can instruct their browser to block only the cookies that are going to be used in ways they find objectionable.

In order to create a P3P policy, sites have to answer a series of multiple-choice questions. Many sites have privacy policies that don't actually answer all these questions, so sites are having to make disclosures about some aspects of their privacy policies that they never talked about before. So P3P is increasing the transparency around Web site privacy policies. As a result, some sites are actually improving their privacy practices--rather than tell the world about a policy that might make them look bad, some are actually cleaning up their acts. As more sites become P3P-enabled, I think consumers will also be able to use P3P to comparison shop. Not only will you be able to compare the products and prices offered on various sites, but you will be able to compare their privacy policies as well. This in turn is also likely to lead to better privacy practices.

P3P earned its W3C recommendation six months ago, but it was first drafted seven years ago. What's the most significant way in which it has evolved in that time?
The initial discussions that led to P3P began in 1995, but the work of actually drafting the specification began in 1997. Initially there was a vision of a tool that would allow users to actually negotiate with Web sites over their privacy policies. Later we decided to focus on the less ambitious goal of simply informing users about each site's policy.

Who showed up to last week's conference?
We had about from industry, government, academia and nonprofits. From industry, we had representatives from AT&T, AOL, IBM, Microsoft, DoubleClick, Coremetrics, Citigroup, Ericsson, Fidelity and others. We also had representatives from the Center for Democracy and Technology, the Electronic Privacy Information Center, Liberty Alliance, the European Commission, the Federal Trade Commission and the New York Attorney General's office. The Ontario Privacy Commissioner also participated.

The conference asked where P3P was going in the future. What's the answer?
We had a lot of great discussions and many ideas were put forward. Some of the ideas we talked about were long-term goals and some were short-term issues that might be addressed over the next year. We did not make any definite decisions, but we got a sense of everybody's priorities and got volunteers to write up short proposals for work in a number of areas. These will be discussed on our workshop mailing list, and then we will put together a proposed charter for a working group to start doing the work.

What were some of the more out-there suggestions for changing P3P? What were some of the most likely to succeed?
We didn't get too much in the way of "out-there" suggestions, as we deferred most of the discussion about longer-term goals to our next workshop, which will take place in Germany some time next summer.

I think in the short term, the emphasis will be on relatively minor changes to the P3P specification that will make it easier for more sites to P3P-enable quickly and be backwards-compatible with P3P 1.0. We will be looking for ways to improve P3P compact policies, adding a few new terms to "P3P vocabulary" that is used to create P3P policies, making some recommendations on ways that P3P software can display P3P policies in user-friendly language, and coordinating with other groups to find ways to leverage P3P in other efforts such as Web services and identity management. A longer-term effort will probably look at ways that we might add a mechanism to P3P that would allow users to consent to a set of data practices described in a P3P policy.

The last time we spoke, you acknowledged that P3P adoption was slower than you would have liked. How much of the conference was devoted to figuring out how to speed things up?
Well first of all, while I did say that adoption was slower than I would have liked, I also said that I was pleased that so many sites have already adopted P3P. You can look at it as the glass being half full or half empty. You can say "six months have passed and only a quarter of the most popular sites have adopted P3P" or you can say "in only six months we are already seeing P3P policies on over a quarter of the most popular sites." Yes, I would like to see the adoption rate pick up even more, but I would not characterize P3P as having "stalled" as your article last month suggested.

Anyway, at the workshop we did spend some time talking about adoption rates, and a number of people stood up and said they felt very positive about the way P3P adoption was going and the number of P3P-related products now available. We also talked about what some of the obstacles might be to getting more sites to adopt P3P. Our focus was mostly on whether there were things we could change about the P3P specification that would help get more Web sites to adopt P3P. The biggest issues that came up were difficulties sites have in describing their practices in the P3P compact policy format, and uncertainty about how P3P policies relate to a site's full human-readable privacy policy.

In a you co-authored and submitted to the conference last week, you wrote, "the technological mediation by software agents that is designed to ease the ability of users to understand the privacy practices of Web sites risks adding ambiguity, confusion and legal uncertainty." Can you briefly summarize the solutions you envision for these difficulties?
In the paper we talked about the problems caused by the fact that different P3P "user agent" software provides users with differing summaries of the same privacy policy. In some cases these differences are simply differences in emphasis, but in some cases some of the information provided by P3P user agents may not be entirely accurate. This is not a huge problem today, but we see it as potentially becoming more problematic in the future--not just for P3P, but for other systems in which software agents translate computer-readable information into human-readable language.

In the case of P3P, the problem stems from the fact that the P3P specification places few requirements on user agent implementers. We don't want to restrict implementers in ways that will make it difficult or impossible to implement P3P in new situations--for example, on mobile phones. However, I think it makes sense to provide some guidance to implementers about how to translate the complicated privacy concepts in the P3P vocabulary into user-friendly language.