CDT POLICY POST Volume 6, Number 10 May 10, 2000
A BRIEFING ON PUBLIC POLICY ISSUES AFFECTING CIVIL LIBERTIES ONLINE
from
THE CENTER FOR DEMOCRACY AND TECHNOLOGY
CONTENTS:
(1) Web Privacy Standard Moves Forward
(2) Background on P3P
(3) Standards Group Looks at Revising Cookies to Give Users More Control
___________________________________________________________________
(1) WEB PRIVACY STANDARD MOVES FORWARD
On June 21, major Internet companies will offer the first public demonstration of a new generation of Web-browsing software designed to give users more control over their personal information online. The new products are based on the Platform for Privacy Preferences Project (P3P), a set of software-writing guidelines developed by the World Wide Web Consortium (W3C), the standard-setting body for the Web.
P3P-compliant Web sites and browsers will be demonstrated at the June 21 "interoperability" session, to held at the AT&T auditorium in New York City, 32 Avenue of the Americas, at 10 AM. Small and large companies, including Microsoft, IBM and Privada, intend to show how their products will incorporate the standard.
CDT believes that tools based on the P3P specification are part of the overall solution for privacy on the Internet, which includes
Software developers, companies and organizations interested in making their sites P3P compatible or seeing what their privacy statement would look like in P3P, privacy advocates interested in learning more about P3P, members of the press, and researchers are welcome to attend the June 21 workshop and should fill out the RSVP form at http://www.w3c.org/P3P/rsvp.html
More information on the June 21 interop session: http://www.w3c.org/p3p/interop
______________________________________________________________
Imagine walking down the street, looking in store windows. As you are about to enter a store, you see prominently displayed on the door an easy-to-read privacy policy that conforms to all local laws. Based on the notice you may decide to enter and shop or you may choose to take your business elsewhere. In this case, you choose to enter. After browsing the aisles, you select a product and head to the checkout counter. You hand over your credit card, cash or other form of payment and walk out with your purchase. The information you provided during the transaction will be used only for the purposes stated in the store's policy.
This is the P3P vision of online commerce. P3P is designed to provide Internet users with a clear understanding of how personal information will be used by a particular Web site. Web site operators will be able to use the P3P language to explain their privacy practices to visitors. Users will be able to configure their browsers or other software tools to provide notifications about whether Web site privacy policies match their preferences. Parents will also be able to set privacy rules that govern their children's activities online. Once Web sites and Internet users can better communicate about privacy, consumers will be able to make better judgments about which Web sites respect their privacy concerns.
P3P 1.0 creates the framework for machine-readable privacy policies. Web sites can express their privacy policies in a standardized format that can be read by web browsers and other end-user software tools. These tools can display information about a site's privacy policy to end users and take actions based on a user's preferences. Such tools might provide positive feedback to users when the sites they visit have privacy policies matching their preferences and provide warnings when a mismatch occurs.
P3P is not a panacea for privacy, but it does represent an important opportunity to make progress in building greater privacy protections in the Web experience of the average user.
For more information on P3P, and responses to some of the criticisms of P3P, see "P3P and Privacy: An Update for the Privacy Community," by CDT and the Ontario Information and Privacy Commissioner: http://www.cdt.org/privacy/pet/p3pprivacy.shtml
The P3P home page is http://www.w3c.org/p3p/
_________________________________________________________________
(3) STANDARDS GROUP LOOKS AT GIVING USERS MORE CONTROL OVER COOKIES
P3P is not the only Internet standard that could improve privacy. Another major Internet standards body, the Internet Engineering Task Force (IETF), is working on two standards that would create new guidelines for the appropriate use of cookies.
While cookies are helpful for Web sites looking to maintain relationships with visitors, they have been implemented in ways that give users very few choices and have been used by some to subvert privacy. On most browsers, users are given only the option to either accept or reject all cookies or to be repeatedly bombarded with messages asking if it is OK to place a cookie.
The IETF is considering two complementary "Internet drafts" that would encourage software makers to design cookies in ways that give users more control. These drafts lay out guidelines for the use of cookies, suggesting that programmers should make sure that:
The drafts can be found at: http://www.ietf.org/internet-drafts/draft-iesg-http-cookies-03.txt and http://www.ietf.org/internet-drafts/draft-ietf-http-state-man-mec-12.txt
The IETF is expected to make its decision to move forward with these, and perhaps other cookie specifications, before the end of the summer and will invite public comments at that time.
Detailed background on cookies can be found at http://www.cookiecentral.com
_____________________________________________________________
Detailed information about online civil liberties issues may be found
at http://www.cdt.org/.
This document may be redistributed freely in full or linked to http://www.cdt.org/publications/pp_6.10.shtml.
Excerpts may be re-posted with prior permission of ari@cdt.org
Policy Post 6.10 Copyright 2000 Center for Democracy and Technology