A BRIEFING ON PUBLIC POLICY ISSUES AFFECTING CIVIL LIBERTIES ONLINE
from
THE CENTER FOR DEMOCRACY AND TECHNOLOGY
CONTENTS:
(1) Web Privacy Standard Set as W3C Recommendation
(3) Information on Access to P3P Tools and Sites
On April 16, the World Wide Web Consortium (W3C), the standard-setting body for the Web, issued the Platform for Privacy Preferences Project (P3P) 1.0 Specification as an official "Recommendation." The P3P 1.0 Specification is essentially a common language for expressing Web site privacy policies in machine-readable form. It allows users to set their Web browsers to automatically read Web site privacy policies and match them against a user's own preferences. Declaring P3P a W3C Recommendation indicates that it is a stable document, that it contributes to Web interoperability, and that the W3C Membership favor its widespread adoption.
P3P was designed by a Working Group composed of privacy advocates including CDT, Web technology leaders, data protection commissioners, and global ecommerce companies.
P3P alone will not resolve the privacy issue, but P3P is an important step in privacy protection because it can help consumers gain a better understanding of how Web sites collect and use their personal information. P3P-automated browsers allow users to easily view and understand privacy practices of the sites they visit. This awareness can empower users to control when, and to what extent, their personal information is released. Also, by giving consumers a standard way to compare practices across sites, this new transparency can help build a greater marketplace for privacy. The finalization of the standard should encourage Web sites and online businesses to build P3P into their sites. And the P3P vocabulary and P3P tools could also help regulatory and self-regulatory agents check for compliance with baseline standards.
The P3P Specification, the W3C announcement and a wealth of other information may be viewed at http://www.w3c.org/P3P/#news.
Imagine walking down the street, looking into store windows. As you are about to enter a store, you see prominently displayed on the door an easy-to-read privacy policy that conforms to all local laws. Based on the notice you may decide to enter and shop or you may choose to take your business elsewhere. In this case, you choose to enter. After browsing the aisles, you select a product and head to the checkout counter. You hand over your credit card, cash or other form of payment and walk out with your purchase. The information you provided during the transaction will be used only for the purposes stated in the store's policy.
This is the P3P vision of online commerce. P3P is designed to provide Internet users with a clear understanding of how personal information will be used by a particular Web site, upfront, without having to read small-print legalese. Web site operators can use the P3P language to explain their privacy practices to visitors. Users can configure their browsers or other software tools to provide notifications about whether Web site privacy policies match their preferences. Parents can set privacy rules that govern their children's activities online. Consumers can make better judgments about which Web sites respect their privacy concerns.
P3P 1.0 creates the framework for machine-readable privacy policies. Web sites can express their privacy policies in a standardized format that can be read by Web browsers and other end-user software tools. These tools can display information about a site's privacy policy to end users and take actions based on a user's preferences. Such tools can notify users when the sites they visit have privacy policies matching their preferences and provide warnings when a mismatch occurs.
P3P is not a panacea for privacy, but it does represent an important opportunity to make progress in building greater privacy protections in the Web experience of the average user. There is still a strong need for additional privacy enhancing technologies; better consumer education; and baseline legislation to create a national standard for privacy expectations online. CDT strongly advocates the development of such initiatives, as well as the continued development of P3P.
For more information on P3P, see "P3P and Privacy: An Update for the Privacy Community," by CDT and the Ontario Information and Privacy Commissioner: http://www.cdt.org/privacy/pet/p3pprivacy.shtml.
The P3P home page is http://www.w3c.org/p3p/.
There are several informative sites for consumers and businesses on P3P Implementation:
For an overview of P3P's history, FAQs and other background information on P3P and its derivation, the W3C provides an excellent resource at http://www.w3c.org/p3p/
Businesses interested in enabling their Web sites with P3P will find the necessary implementation guides at the P3P home page, http://www.w3c.org/p3p/. Other helpful assistance may be found at http://www.p3ptoolbox.org.
To assist in proper P3P implementation, the W3C has created a P3P policy validator, a tool that checks P3P policies to ensure no errors exist within the implementation code. The P3P policy validator is located at http://www.w3c.org/p3p/validator
For consumers and the general public, P3P-enabled Web browsers and plug-ins are available. These include Microsoft's Internet Explorer 6.0, which can be downloaded at http://www.microsoft.com/windows/ie/downloads/default.asp and AT&T's Privacy Bird at http://www.privacybird.com. Netscape is expected to implement P3P in the Navigator browser in its next development cycle.
A complete implementation package has been created by the Joint Research Centre in Ispra, Italy -- http://p3p.jrc.it/index.php
Also, for an analytical background on P3P's development as a W3C Recommendation, its criticisms and rebuttals thereof, the P3P homepage provides documents and periodicals covering such issues: http://www.w3c.org/P3P/#papers
Detailed information about online civil liberties issues may be found at http://www.cdt.org/.
This document may be redistributed freely in full or linked to http://www.cdt.org/publications/pp_8.09.shtml.
Excerpts may be re-posted with prior permission of ari@cdt.org
Policy Post 8.09 Copyright 2002 Center for Democracy and Technology
