P3P: Green light for online privacy?

Will technology aimed at informing users about how much information each site requests be a 'go' for better privacy on the Web?
Written by Robert Lemos, Contributor

Starting next year, Web sites that violate user privacy are going to find themselves under an embarrassing cyber spotlight.

The sites will be targeted by a new technology known as the Platform for Privacy Preferences, or P3P. Developed by several companies and privacy advocates in conjunction with the standards-setting World Wide Web Consortium (W3C), the technology will alert surfers whenever they encounter Web sites that seek to collect more data than the user wants to share.

Here's how it works: As soon as someone using an application equipped with P3P technology accesses a Web site, the technology scans the page's P3P privacy policy. This machine-readable policy, written in the special Web language known as Extensible Markup Language, strictly defines what information the site collects from visitors.

A so-called user agent then issues colour-coded warnings about any sites that follow data collection practices that go beyond the boundaries of personally defined limits. Users will be able to configure their agents to notify them when they visit sites that do not support P3P. The presumption is that Web sites anxious not to incur the negative publicity of being associated with this Internet red-light district will be more scrupulous about guarding privacy.

Yet, the technology itself has touched off a debate among privacy advocates. Besides the colour warnings, companies might opt to equip agents with cautionary sirens or other sounds to alert users that they are at risk. But some privacy groups caution that users may mistakenly assume they will be secure on Web sites that get a green light from a P3P application.

In fact, Internet sites will still be able to collect information, whether they are given a green light or a red light. What's more, they add, P3P lacks any teeth or enforcement mechanism. That's not the point, say supporters.

"The idea is not to solve the privacy problem -- but to give consumers a critical part of the privacy equation," said Jerry Berman, executive director of the pro-privacy think tank Center for Democracy and Technology (CDT). "They will be able to come to a site and find out if that site's policy agrees with his own."

The technology debuts at a time when Internet companies are under increasing pressure to reconcile the conflict between pursuing commercial interest by building a customer profile with customer demands for privacy.

A report released in late May by the Federal Trade Commission found that only 20 percent of sites offered privacy polices that honoured all of the so-called fair information practices established by the government. These include offering notice about the collection and use of information; a choice in how that information will be used; reasonable access for consumers to information collected about them; and adequate security to ensure proper handling of consumer information. That is a far cry from what consumers are demanding.

A survey published last October by market watcher Forrester Research. reported that almost nine out of 10 consumers want to control what companies are allowed to do with their information.

Yet that same concern about their privacy doesn't extend to reading through the policies posted on Web sites, according to CDT's Berman. While companies are technically "giving notice" to consumers, he noted that the reality is that most Web surfers have no idea what's being recorded about their Internet habits.

"Right now, companies expect users to get lost in the fine print" of their posted policies, he said. Berman further charged that companies with bad information collection practices can paradoxically hide in the legalese, while those that respect privacy are not getting recognised for their efforts.

To Part II

What do you think? Tell the Mailroom. And read what others have said.

Take me to the XML Special

Editorial standards