Technology aimed at informing users of how much information each site requests is slated to launch later this year. Will the technology mean 'go' for better privacy on the Web?
Starting next year, Web sites that violate user privacy are going to find themselves under an embarrassing cyber spotlight.
The sites will be targeted by a new technology known as the Platform for Privacy Preferences, or P3P. Developed by several companies and privacy advocates in conjunction with the standards-setting World Wide Web Consortium (W3C), the technology will alert surfers whenever they encounter Web sites that seek to collect more data than the user wants to share.
Here's how it works: As soon as someone using an application equipped with P3P technology accesses a Web site, the technology scans the page's P3P privacy policy. This machine-readable policy, written in the special Web language known as Extensible Markup Language, strictly defines what information the site collects from visitors.
A so-called user agent then issues color-coded warnings about any sites that follow data collection practices that go beyond the boundaries of personally defined limits. Users will be able to configure their agents to notify them when they visit sites that do not support P3P. The presumption is that Web sites anxious not to incur the negative publicity of being associated with this Internet red-light district will be more scrupulous about guarding privacy.
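The check described above, as an added example that is not from the article or the W3C: a user agent parses a site's XML policy, compares each statement with the user's limits, and returns a colour. The sample policy and the `PREFS` format are constructed for illustration, with element names modelled on the P3P 1.0 vocabulary.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy; element names modelled on the P3P 1.0 vocabulary.
SAMPLE_POLICY = """
<POLICY name="shop">
  <STATEMENT>
    <PURPOSE><current/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <DATA-GROUP><DATA ref="#user.home-info.postal"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><telemarketing/></PURPOSE>
    <RECIPIENT><unrelated/></RECIPIENT>
    <DATA-GROUP><DATA ref="#user.home-info.telecom"/></DATA-GROUP>
  </STATEMENT>
</POLICY>
"""

# Hypothetical preference format (an assumption): what this user refuses.
PREFS = {"deny_purposes": {"telemarketing"},
         "deny_recipients": {"unrelated", "public"}}

def children(stmt, tag):
    """Names of the child elements under e.g. <PURPOSE> in one statement."""
    return {c.tag for node in stmt.findall(tag) for c in node}

def evaluate(policy_xml, prefs):
    """Return (colour, reasons): 'grey' = no usable policy, 'red' = conflict."""
    # Policies come from untrusted sites: refuse DTDs (entity tricks).
    if not policy_xml or "<!DOCTYPE" in policy_xml:
        return "grey", ["no P3P policy, or policy carries a DTD"]
    try:
        statements = list(ET.fromstring(policy_xml).iter("STATEMENT"))
    except ET.ParseError:
        return "grey", ["policy is not well-formed XML"]
    if not statements:
        return "grey", ["policy declares no statements"]
    reasons = []
    for i, stmt in enumerate(statements, 1):
        data = sorted(d.get("ref", "?") for d in stmt.iter("DATA"))
        for p in sorted(children(stmt, "PURPOSE") & prefs["deny_purposes"]):
            reasons.append(f"statement {i}: purpose '{p}' for {data}")
        for r in sorted(children(stmt, "RECIPIENT") & prefs["deny_recipients"]):
            reasons.append(f"statement {i}: recipient '{r}' for {data}")
    # Green means only that the *declared* practices fit the preferences;
    # nothing here verifies what the site actually collects.
    return ("red" if reasons else "green"), reasons
```
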
Mixed reaction
Yet, the technology itself has touched off a debate among privacy advocates. Besides the color warnings, companies might opt to equip agents with cautionary sirens or other sounds to alert users that they are at risk. But some privacy groups caution that users may mistakenly assume they will be secure on Web sites that get a green light from a P3P application.
In fact, Internet sites will still be able to collect information, whether they are given a green light or a red light. What's more, they add, P3P lacks any teeth or enforcement mechanism.
That's not the point, say supporters.
"The idea is not to solve the privacy problem -- but to give consumers a critical part of the privacy equation," said Jerry Berman, executive director of the pro-privacy think tank Center for Democracy and Technology (CDT). "They will be able to come to a site and find out if that site's policy agrees with his own."
Consumers concerned
The technology debuts at a time when Internet companies are under increasing pressure to reconcile the conflict between pursuing commercial interest by building a customer profile and customer demands for privacy.
A report released in late May by the Federal Trade Commission found that only 20 percent of sites offered privacy policies that honored all of the so-called fair information practices established by the government. These include offering notice about the collection and use of information; a choice in how that information will be used; reasonable access for consumers to information collected about them; and adequate security to ensure proper handling of consumer information.
That is a far cry from what consumers are demanding.
A survey published last October by market watcher Forrester Research reported that almost nine out of 10 consumers want to control what companies are allowed to do with their information.
Yet that same concern about their privacy doesn't extend to reading through the policies posted on Web sites, according to CDT's Berman. While companies are technically "giving notice" to consumers, he noted that the reality is that most Web surfers have no idea what's being recorded about their Internet habits.
"Right now, companies expect users to get lost in the fine print" of their posted policies, he said. Berman further charged that companies with bad information collection practices can paradoxically hide in the legalese, while those that respect privacy are not getting recognised for their efforts.
A programming language for privacy
Proponents say P3P can help change that.
Loosely based on PICS -- the controversial content rating system that flopped in 1998 -- P3P uses a similar idea to put information collection practices in a strict language that can be read by browsers.
Several privacy advocates, including the Center for Democracy and Technology, participated in the brainstorming that laid the foundations of what would become P3P in 1995 and 1996. Yet it wasn't until the W3C got involved that PICS and privacy came together.
"PICS was a way to label Web content that never really got off the ground," said Lorrie Cranor, senior technical staff member at AT&T Labs-Research and the chair of the P3P Specification Working Group at the W3C. "Initially a lot of the applications people envisioned labeling sites (by) attaching meta-data. Then it occurred to us that it could be information about a Web site's privacy practices."
Cranor and others worked on the specification in 1997 and produced the first reports on P3P that October. The original vision included a way of negotiating the terms of any information sharing between a Web site's policy and a consumer's software "agent." In essence, the W3C hoped to build choice into the technology as well.
Yet, the problems with implementing such a powerful feature put the negotiation part of the technology on hold. "It would have made Web sites less likely to adopt it and make it harder technically and legally for them to use P3P," said Cranor.
Scuttling the complex negotiation functions also helped the W3C working group get the technology out the door quickly. Last week, 10 companies showed off their implementations of user agents and policy generators for the technology and made certain each worked with the others. That "bake-off" went surprisingly well, said participants.
No choice for consumers
Still, P3P has a number of other hurdles to leap before it becomes a standard.
For one, many privacy advocates -- including the Electronic Privacy Information Center (EPIC), Junkbusters and Computer Professionals for Social Responsibility -- have lambasted the technology as a false start for consumers.
Privacy advocates worry that the technology will give consumers notice of a company's policy, but little choice in how it's used, said Karen Coyle, a spokeswoman for Computer Professionals for Social Responsibility and a librarian by trade, during a conference call. "There are some assumptions built in that are not well-founded," she said. "One of them is that consumers will have a choice. Consumer data is the coin of the realm, and that means there won't be a lot of sites that offer great privacy."
The report concluded that the technology may actually act as camouflage for companies to avoid regulation and continue to collect information.
Power to browsers
P3P supporters disagreed.
"No one thinks this is a silver bullet," said Ron Perry, co-founder of privacy utility maker IDcide, "but it should help consumers understand what is going on at each Web site."
In addition, the privacy settings promised by Web sites are legally binding, said Perry. Furthermore, the technology finally gives consumers an easy way to discriminate between Web sites.
Essentially, good privacy protections would have some marketing value.
"Web sites that respect privacy will be more apt to use P3P," said IDcide's Perry. "P3P makes advertising their privacy policy viable -- and increases the visibility of how they're protecting your privacy. Today, there is no way to tell people in a simple manner that you are protecting their privacy."
In fact, at the bake-off, developers talked about enhancing search engines with the ability to rank sites according to how consumer-friendly their privacy protections are. Want a good book seller that won't sell your information? Search for one, and at the top will be those with the best privacy practices.
"P3P gives people information, where today they don't have a lot of information," said Martin Presler-Marshall, co-author of the P3P specification and so-called P3P champion for IBM's AlphaWorks Division.
"Any time consumers have more information, they have more power, and that's a good thing."








