Does P3P equal privacy?
Online privacy isn't the issue it once was, if indeed people really ever cared about it.
Oh sure, everyone's in favor of privacy in the same way that they're in favor of Mom and apple pie, but exactly how software should preserve privacy is a more controversial issue. Were they aware of the trade-offs involved, I'm not so sure how committed people would be.
The main industry initiative facilitating user privacy is the W3C initiative, Platform for Privacy Preferences (P3P). P3P provides a way for site authors to make their privacy policies available in an automated and structured manner. There's nothing about it that enforces privacy, though. The site's policy may say that they'll sell your name and e-mail address to every pornographer who'll pay for it, and then it's fine for them do that, because you've been warned. Clearly this is not the be-all and end-all of privacy, nor does it claim to be.
So what good does P3P do you? If you have a browser that supports P3P you can set rules for the types of sites with which you'll do business, and especially from which sites you'll allow cookies to track you. All of this presumes, of course, that privacy policies are not lies. If a site's privacy policy states that personally identifiable information (PII in privacy jargon) will be handled in a particular way but then the policy isn't followed, P3P can't root out the conflict. However, the site's P3P policy may be legally binding, so violation of the policy could be a liability for those running the site. Stronger P3P policies will contain a "< DISPUTES resolution-type=independent >" element which defines an outside dispute resolution agency to which users can go with complaints (TRUSTe, for example).
Internet Explorer 6 was released some time ago, but by that time the basic shape of the P3P standard was in place. Microsoft made a fairly big deal of P3P at the time (since there was little else to recommend IE6 over IE5.5), but it suffered from "chicken and egg syndrome," in that nobody had implemented P3P on their sites. The problem is that several months later, P3P adoption is still lagging far behind where it should be.
IE6 did not implement P3P completely; it used only "compact policies." Compact policies are very terse codes sent as headers with a Web page--as opposed to full, verbose XML documents. There are two advantages to compact policies: They're easier to implement, and they add only a small amount of overhead to the page retrieval process. A full P3P implementation could involve retrieving and parsing long XML documents with every page.
Microsoft shipped IE6 with P3P activated, but in its "medium" setting (see the Privacy tab in IE6's Tools/Internet Options menu). This means that certain cookies will be rejected if the site lacks a privacy policy or if the policy doesn't meet certain conditions. The important point here is that IE6 rejects cookies from some sites that were accepted by earlier versions of IE. (Microsoft's explanation of IE's P3P implementation can be found here.)
I run IE6 on most of my systems and I noticed immediately upon upgrading that cookies no longer worked on a few sites. But it didn't really make me mad until a few weeks ago when my online brokerage decided to make a significant site modification on April 13, a couple of days before I and many other customers had to access our IRAs. (Note to everyone out there with a financial Web site: Two days before tax day is a stupid time to modify your site.) I couldn't log on, and the only thing that tech support could recommend was to configure IE6 to accept all cookies from any source, effectively disabling privacy.
You'd think that financial sites would be the first to embrace technology like P3P, but such is not the case. Josh Freed of the Internet Education Foundation--which studies and promotes the adoption of P3P--says that only 40 of the top 100 Web sites (and 26 of the top 50) have implemented or are implementing P3P. I guess 40 percent is better than nothing, but I see the glass as 60 percent empty right now. I'm disappointed with all of you out there who haven't implemented policies yet.
So what's the significance of all of this for corporate IT? Part of it is that some of you run Web sites for the public to use. If you gather any information about your users--especially if you use cookies, even for perfectly innocent and legitimate reasons--you need to implement P3P on your site. Right now you can get away with not implementing it (and merely being inconsiderate to your users), but one day there will be a critical mass of users with P3P-enabled browsers--not just IE6 and its successors, but also a Mozilla P3P project. You should also be aware of privacy issues for your users in general, and of P3P-related issues for your browser users.
Site authors probably look at the P3P spec and groan at having to learn all that new stuff, but there's less to it than you'd think. IBM and Microsoft both offer good tools, each with its own strengths and weaknesses, and the W3C has links to others as well. I've heard great things about AT&T Research's Privacy Bird. The tricky part--because you'll need to involve other people in your company--is deciding exactly what the policy should be, not just the implementation of it.
After 9/11, concerns about privacy have taken a back seat to security issues from the other point of view: Instead of providing for users' privacy, we want to be able to identify them. Perhaps this has something to do with P3P being adopted more slowly than it should be, but I think that's mostly a convenient excuse. Adopting P3P, both as a content provider and on the client side for your own users, is just the right thing to do.
Has your company implemented P3P? TalkBack to us or send a note to Larry.