Platform for Privacy Preferences (P3P): Privacy Without Teeth
Andrew Van Kirk Duke University [email protected]
March 10, 2005
Abstract
The P3P standard, released by the W3C in its current form in August 2002, is a highly limited attempt to safeguard privacy on the Internet. Official P3P documents make it clear that P3P is designed to allow Web sites to express their privacy policies in machine readable format thus allowing user agents, such as Web browsers, to automatically make decisions based upon those preferences. P3P is relatively successful in accomplishing that goal, on a technological level. However, much more than technological success must be achieved to protect users’ privacy on the Internet. P3P is plagued by poor adoption rates among Web sites, very limited implementation in user agents, and virtually no public understanding of the system. These flaws make have made P3P relatively ineffective in accomplishing its stated goal. Moreover, P3P does not solve the root problem of privacy on the Internet: relationships of trust. Increased transparency of privacy standards, P3P’s stated goal, is only part of an effective privacy solution. Technological changes on the horizon, however, such as unified identity management tools, will provide an opportunity by which P3P could become a valuable part of a larger privacy management system.
1 Introduction
Privacy in our daily online activities stands out among Internet policy issues as an area of growing concern and is the recipient of increasing attention from regulatory bodies. A Federal Trade Commission (FTC) report to congress in May 2000, entitled Privacy Online: Fair Information Practices In The Electronic
Marketplace cited “four widely accepted fair information practices:” notice, choice, access, and security.
A fifth component, enforcement, was also cited as a critical component of privacy protection. The FTC describes these five principles in relation to online privacy as follows:
Notice - Web sites would be required to provide consumers clear and conspicuous notice of
their information practices, including what information they collect, how they collect it...how
they use it, how they provide Choice, Access, and Security to consumers, whether they disclose
1 the information collected to other entities, and weather other entities are collecting information
through the site.
Choice - Web sites would be required to offer consumers choices as to how their personally
identifying information is used beyond the use for which the information was provided...Such
choice would encompass both internal secondary uses...and external secondary uses.
Access - Web sites would be required to offer consumers reasonable access to the information
a Web site has collected about them, including a reasonable opportunity to review information
and to correct inaccuracies or delete information.
Security - Web sites would be required to take reasonable steps to protect the security of the
information they collect from consumers.
Enforcement - The use of a reliable mechanism to provide sanctions for non-compliance.
[Com00]
These five rules are designed to cover the Fair Information Principles, a set of principles developed by the
Organization for Economic Cooperation and Development (OECD) in 1980 to protect data privacy. They are designed to work together as a set to protect privacy. [JtIEF] Notice is of little importance to the user if there is no availability of Choice (particularly in the case where use of a service is, for one reason or another, not really optional, such as online banking). Likewise, Access means nothing if such Access is so insecure anyone can obtain and change others’ personal data. It is only as a group that these five principles work together to protect online privacy.
The Internet, however, evolved without these systems in place. Now, as privacy concerns become increasingly important, various attempts are being made to protect user privacy. Once such attempt is P3P, the Platform for Privacy Preferences, a World Wide Web Consortium (W3C) specification that “enables Web sites to express their privacy preferences in a standard format that can be retrieved automatically an interpreted easily by user-agents.” [CLM+02]
P3P, as a technology, does an adequate job of fulfilling that stated mission. However, of the five principles outlined by the FTC, P3P only covers Notice, which while important, is only one component of a complete privacy solution. Moreover, there are some serious problems with the current P3P standard that have limited its effectiveness in achieving broad consumer awareness of privacy standards. On the whole, P3P is only a partial solution to part of the problem. For privacy concerns on the Internet to be truly addressed, P3P must be modified and used as part of a more complete solution.
2 2 The P3P Standard
2.1 Overview
The P3P 1.0 specification, officially adopted by the W3C only on August 16, 2002, was developed through the consensus process of a W3C working group. P3P is aimed at achieving awareness and transparency for privacy policies on the Internet. Transparency, in fact, is the single reason given by the W3C in its
P3P deployment manual for Web sites.[PM02] The sole purpose of P3P is communication–or, in the FTC terminology–Notice. There is a tendency to exaggerate the capabilities of this standard. Even the W3C fell guilty to the temptation, writing in the introduction to their P3P testsuite that P3P is “emerging as an industry standard providing a simple, automated way for users to gain more control of the use of personal information on Web sites they visit.”[Wor] Similarly, the AT&T Privacy Bird is described as placing users in control.[ATTc]. P3P provides no mechanism for user control–user control is only augmented to the extent that users can somewhat more easily access and make sense of privacy policy information. Furthermore,
P3P can only provide the user with a site’s promise to uphold the policy detailed in P3P format. There is no enforcement mechanism.
However, transparency and awareness do provide some significant benefits to end users. Transparency can lead to increased meaningful communication between Web sites and Web users regarding privacy policies.
Communication is fundamental to any of the other FTC Fair Information Practices. Any technologies or systems that could be put into place to provide users with choice or control would have to depend on mean- ingful communication regarding privacy practices. This communication, even if not tied to any enforcement or security mechanisms, is still a tool by which businesses can potentially earn consumer trust.[JtIEF] Con- sumer awareness of privacy policies could lead to increased public oversight and review, which in turn would lead to better privacy practices on the part of companies, as they are sensitive to customer demands.[JtIEF]
If P3P adoption by sites ever reaches a critical mass and user awareness and use of P3P becomes widespread,
P3P policies could become a differentiating factor among businesses offering similar products and services.
In this way, P3P allows for the possibility of market control of privacy policies.
3 2.2 Technology Outline
P3P polices are encoded using XML with namespaces. In fact, P3P is ultimately nothing more than the specification of an XML schema, a set of data elements, and a predetermined method of accessing the P3P policy. It is not a new technology, but a specified way to use a previously existing technology–XML. The predefined set of elements given by the W3C in the specification have certain standardized meanings. For example, the
After a Web site’s privacy policy has been encoded as a P3P XML file or files, each with multiple individual policies corresponding to different parts of the site, the file(s) is stored on the server in a place accessible to user agents. Additionally, a separate XML file known as the policy reference file, whose encoding is also defined in the P3P specification, must be created to inform user agents of the location where the policy or policies reside on the server and what portions of the site each policy covers. User agents locate this file by looking in the well known location (/w3c/p3p.xml), reading its location from the HTTP header of each response from the Web site, or reading it from links placed in each HTML page on the site. Web sites must choose one of the three methods to inform user agents of the location of the P3P policies.
A brief written privacy policy and corresponding P3P policy example are given in Appendix A 1
A given P3P policy is not page specific, even though most users have a page-by-page Web experience.
P3P policies can apply to anything with a Uniform Resource Indicator (URI) such as cookies, images, and form data. Thus, one page may be covered by several policies referring to discreet elements on that page.[CLM+02] At the same time, however, one policy may cover many pages and this is probably the more common implementation as it is significantly easier from a Web administration standpoint. The W3C P3P
Deployment Guide estimates that an average of five policies per site should provide adequate granularity in most instances.
P3P policies must correspond to the point that data collection occurs. This means that for a form, the
1A full explanation of the XML encoding of P3P is beyond the scope of this document and is already well covered in the The Platform for Privacy Preferences 1.0 (P3P 1.0) Specification available at http://www.w3.org/TR/P3P/
4 policy must cover the URI of the form submission target. The HTML page that actually contains the form does not do data collection, so a policy for that page is optional. Policies are not simply required to state what information is collected and why it is used, but must also state and declare the data and uses for any information made accessible by the collection of this information. Thus, if a cookie is used to individually identify a user via an ID number, which in turn is used to look up a user’s name in a database to personalize a customer’s browsing experience, the name and purpose for which it is used must also be declared in the cookie’s P3P policy.
P3P also includes a feature termed ’Compact Polices.’ Compact polices are single lines of text that are meant to serve as a shorthand for a full P3P policy. Used only in HTTP responses that set cookies, compact policies simply state the privacy policy of that cookie. They were defined by the W3C group as a performance optimization, but have become the most widespread P3P implementation because Microsoft chose to use them in Internet Explorer 6 (IE6) in deciding whether to accept cookies.
P3P policy pages, written in XML, can be accessed via a URI and thus P3P requires no changes or upgrades to Web server architecture. The W3C gives standard instructions for many Web server platforms, including
Apache and Microsoft Internet Information Service (IIS). From the Web site administration standpoint, this broad compatibility is critical.
Though P3P works over the standard HTTP and HTTPS protocols, the data is meaningless unless some sort of user agent actively retrieves and parses the policy files on behalf of the user. Literature on the subject often overlooks the fact that P3P does require software changes on the user end. Currently, only two Web browsers, Microsoft Internet Explorer 6 and Netscape 7 (and Mozilla 1.4, which is basically the same as
Netscape 7) implement any sort of P3P functionality (see Section 4). Only one available user agent, the
AT&T Privacy Bird, actually qualifies as a full policy reader and it must be installed as an Internet Explorer plugin. So while minimal changes may be required on the server side, rather substantial changes must be made in individual users’ browsing software before P3P becomes a part of the average Web experience.
2.3 Applicable Web Data
Any type of data that can be collected must be identified and its use explained in P3P policies. This not only includes things such as users’ e-mail addresses or telephone numbers, but clickstream data such as IP addresses, site navigation patterns, and referral IPs. In other words, P3P polices must cover data that users
5 provide to sites by choice2 and data generated automatically by browsers and servers that customers have no control over.
3 Implementation of P3P
3.1 Reasons to Implement
Several reasons for a Web site to implement P3P are given by Laurel Jamtgaard in her implementation guide.
(1.) Make privacy polices easier
(2.) Promote privacy-enhancing technologies
(3.) Maintain Web site functionality
(4.) Help build user trust.[JtIEF]
The third reason is particularly important. Because of the way IE6 handles cookies, if a site does not correctly implement P3P compact policies, then site functionality may be lost. IE6 dominates the market for Web browsers and strongly influences site design. As a business, if IE6 won’t display your site correctly, your user base drastically shrinks (and continues to shrink as more consumers migrate to IE6 from previous versions of Internet Explorer).
The argument centered around customer appeal works on several levels. Aside from building user trust, some feel that by increasing the public’s confidence in Internet privacy and making the standards more open, P3P will effectively “weed out bad apples.”[p3p]. Those sites that don’t follow strong privacy policies will be easily identified by their P3P policies and consumers will be less likely to frequent those sites. But it is Microsoft that most effectively boils down the argument for consumer appeal: it is “Good for your business.”[Mic01]
A final reason to implement P3P is the government. This argument actually has two parts. The first is that some feel if the industry is seen as effectively self-regulating in regard to privacy, the government will refrain from passing legislation that would dictate specific privacy requirements. Secondly, some governments, such
2Here choice refers to data that users provide via a form in the course of using a Web site, whether or not that data is optional for the users to effectively use the site or not
6 as the European Union, have already passed privacy standards, and P3P can serve as part of a larger implementation to fulfill those standards.[JtIEF]
3.2 Implementation Issues
There are several real world problems of implementation that must be addressed when developing a P3P policy. P3P requires a corresponding human-readable privacy policy. Thus, if a Web site does not already have a written privacy policy, it must develop one. In fact, even if a site does already have a policy, it is necessary to do a site and policy audit, making sure that the policy correctly corresponds to actual data collection and use. There are several benefits to be gained from doing privacy policy audits, as time consuming and tedious as they may be. Current use of data must be completely examined, thus allowing any differences between policy and practice to be reconciled. Audits should also attempt to plan for the future, thus forcing a company to examine their expected data usage requirements. Finally, relationships with third-parties must be reexamined on a privacy level thereby exposing any changes in third-party policies to which a site’s users may be subject. [JtIEF]
Part of this policy audit will involve determining the level of granularity appropriate to use in a site’s
P3P policies. For example, in a form, the email address might be the only data element to be used for marketing purposes and a site may wish to make that limitation clear. This requires a more detailed P3P implementation, which requires more work and is more difficult to maintain. Nor are situations always so clear cut. Using the previous example, if the email sent began with “Dear Firstname Lastname,” then the users first and last names are being used in marketing as well. In fact, even if data is collected from completely separate URI’s, if any sort of data aggregation takes place, separate policies may not be apply for these URI’s. This can be true even if the data uses are markedly different. Determining what level of granularity is appropriate for a site is a substantial undertaking, and the trade-offs must be kept in mind.
In her implementation guide, Jamtgaard defines four different approaches to P3P implementation.
1. Lowest Common Denominator Approach: One policy associated with everything on the site. That
policy will generally overstate the data collection and use practices by assuming that all data is collected
from every visitor and all data is compiled together and used for all the purposes that any one piece of
data may be used for.
2. P3P Perfectionist Approach: Each page and feature of the Web site has a uniquely defined policy.
7 This is the ultimate in granularity, and is sure not to overstate data collection practices.
3. P3P Pragmatist Approach: The level of granularity in this approach is determined by the needs of
the business, customers, resources available, and the general temperament of the webmaster.
4. Legalist Approach: This approach is undertaken when P3P is part of a solution to legal requirements.
Government directive thus indicates what the P3P policy must say.[JtIEF]
3.2.1 Compact Policies
Compact polices represent their own class of implementation issues, simply because they are often not optional for sites to implement due to of Internet Explorer’s cookie handling policies. They present a unique set of difficulties to Web site administrators.
Compact policies almost always result in a loss of granularity. For a given HTTP request, all cookies that are set or accessed in that request share the same compact policy. Though it is theoretically possible to have several compact policies for unique cookies from the same domain, this becomes highly unlikely in practice, as these separate cookies often turn up in the same requests. Thus, the compact policy must state the data practices in terms of the broadest cookie.[PM02]
Secondly, compact policies must last as long as the cookie. Thus, for Web sites that use cookies that persist for a long time, such as those online stores use to identify customers, the compact policy associated with that cookie must be valid as long as the cookie persists. This can make changes to privacy policies extremely difficult, as any change desired cannot take place until all existing cookies have expired.[PM02] This problem is much larger than it first appears, as compact policies do not only apply to the actual data stored in the cookie, but all data to which the cookie provides access. This is both difficult for a site to know and to implement.[SK]
3.3 Real-world Implementations and Statistics
To date, P3P has suffered from a relatively slow adoption rate. P3P specialists attribute this to the slow economy, legal uncertainty surrounding P3P policy liability, and the inability of P3P to always express the interrelationships on the Internet. [CW02]
8 The lack of implementation however, is severe enough that other factors might be at work than the sort of general excuses made above. According to the most recent mass survey of P3P use on the Internet, undertaken by AT&T Labs-Research in July 2003, only 30% of the Netscore Top 100 Web sites have full
P3P implementations (i.e. a policy reference file and P3P policies).3 The number drops to 23% of the top 500 sites, and only 10% of the total 5739 examined in the survey. Comparable studies were performed in January
2003 on the top 100 and top 500 sites, at which point 28% and 18% had implemented P3P, respectively, indicating that only small improvements were made in the number of P3P implementations over that six month time period.[BCK03] Furthermore, it indicates that P3P adoption is slowing. If the growth rate was constant at 2% every six months, it would have taken P3P over seven years to reach 30% adoption–about three times longer than P3P has existed as a standard.4
An important reason for this limited penetration is simply that implementing P3P is a lot of work. The required Web site and policy audit is time consuming. Analysis of a site’s privacy policy and assuring a correct P3P representation requires other employees, such as business managers, beyond the technical programmers and Web site administrators. Coordination must also be achieved between the legal and IT departments. As noted, policies can be very specific, and the W3C recommends five polices for the average site. More policies necessitate more work. Additionally, once the policies have been successfully put into place, any changes have to be recorded and documented. Data collected under one P3P policy can only be used under the terms of that policy, so data storage must somehow be connected with the policy under which the data was collected. Finally, any future changes to the Web site, particularly changes that affect the pages or URI’s at which data is collected must be analyzed for potential changes to the P3P polices. In short, the implementation of P3P is not a trivial task. Even with available policy generators and validation tools5 P3P requires a significant amount of work to implement and maintain. Compounded with the issues surrounding the economy, the legal status of P3P, and the inability of P3P to express the nuances of human language policies, it may simply be that P3P’s potential benefits are to small to be worth the hassle.
3This study did not record the number of sites who have implemented only compact polices for compliance with IE6. Presumably that percentage is markedly higher. 4not to mention that it would be another 30 years before P3P is adopted by 90% of the top 100 Web sites! There are some obvious flaws in such statistical interpolation, but it does serve to indicate the problem. 5Among others, IBM provides a well reviewed P3P policy generators, available at http://alphaworks.ibm.com/tech/ p3peditor. The W3C provides a policy validation tool at http://www.w3.org/P3P/validator/20010928/
9 4 User Agents
Three main user agents are currently available to Web users.
4.1 Internet Explorer 6
With the release of Internet Explorer 6, Microsoft implemented some features of the P3P specification. IE6 can display a full P3P policy at the request of the user and in a human-readable format. More importantly, cookies are managed via P3P’s compact policies, with user controlled settings available via the Privacy tab in the Internet Options Dialog box (the full path is Tools–Internet Options–Privacy). There is some online help provided for these features.
The simple display of a full P3P policy is completely unhelpful. It does nothing to automate privacy settings between browser and server and is extremely difficult to find (the menu path is View–Privacy Report–
Summary, but that only works if you highlight the correct item in the list of page components). The policy, once viewed, is still quite technical and would likely be unhelpful to a user who does not understand P3P to begin with. Also, even for an relatively advanced user such as myself, it is extremely difficult to make any sense out of IE’s display of P3P policies. The policy summary for www.msn.com, for example, lists nine different policies. There is no clear indication of which policies go with which parts of the site. Basing one’s privacy decisions on this computer generated text is simply not a realistic option.
Thus, what IE6 really provides is “advanced cookie filtering,” based upon a combination of the P3P compact policy specification and Microsoft’s understanding of cookies as either first- or third-party. First-party context is that associated with the host domain, while third-party context comes from any other domain
(e.g. a cookie from DoubleClick). The difference between first and third party cookies is not in the P3P specification, and this particular understanding is the creation of Microsoft.[GL01]. IE6 will either deny, leash, downgrade, or accept a cookie based upon a combination of factors: the compact policy associated with the cookie, the cookie’s context (first or third-party), and the user’s privacy settings.6 A compact policy is deemed unacceptable if the cookie “contains or allows access to personally identifiable information that is used for unstated purposes or to provided to unstated recipients without user consent.” The collection of
P3P compact policy markers used by P3P to determine if a given policy is acceptable is only a subset of the
6a leashed cookie is one that is only sent on requests to download first-party content while a downgraded is a persistent cookie that is deleted upon the end of the browsing session–i.e. a persistent cookie turned into a session cookie
10 actual P3P specification.[GL01].
The default setting for privacy is “Medium.” The vast majority of users never change this setting, and thus there has been a great deal of focus on how sites can comply with this level of cookie filtering.[Cra02]. Though
five other privacy settings exist in IE6, Microsoft has effectively defined cookie privacy on the Internet with the default setting. At this Medium level, sites must be sure that the third party cookies they use have acceptable cookie policies, or else they will simply be denied by IE6. It is this feature that has effectively mandated the use of P3P compact policies for many sites. When set to Medium, IE6 will treat cookies as follows:
Cookie type and policy First-Party Third-Party Context Context Persistent cookie: no compact policy Leash Deny Persistent cookie: unsatisfactory compact Downgrade Deny policy Persistent cookie: acceptable compact Accept Accept policy Session cookie Accept Treat like a persistent cookie with regard to presence or content of the compact pol- icy
Table 1: Default IE6 Handling of Cookies, from [GL01]
Though Microsoft recommends that a full P3P implementation be performed as part of complying with these privacy regulations [GL01], IE6 does not demand that sites implement any features other than the simpler, and significantly easier, compact policies.
Microsoft’s goals with this privacy implementation were for the end user experience to be unobtrusive, simple, and working “out of the box.” For businesses, Microsoft wanted IE6 to be non-disruptive to sites’ business model while helping them to boost consumer confidence. The limited compact policy implementation provided by IE6 certainly works the first time IE starts up. It is also unobtrusive: not only do most users not even know about it, but the only indication given that IE6 has blocked a cookie is a small icon on the status bar (See Figure 1. The system is not inherently simple however, as most users probably do not understand the difference between first and third-party cookies or know the definitions for downgrade and leash. Thus, it is hard for users to determine how a change in privacy settings will change their browsing experience. Microsoft was so successful at achieving the unobtrusive goal, however, that most users are unlikely to ever be confronted with this complexity. Their success in hiding this implementation from the users seems to undermine their business goal of helping to boost consumer confidence. It is difficult to
11 imagine that consumers could be more confident if they never notice a change. I cannot speak as to how disruptive this is to sites’ business models, but the technical implementation requirements are fairly minimal and the default standards by which cookies are judged unacceptable are set quite low.
Figure 1: The Internet Explorer cookie icon (the eye with a do-not-enter sign)
4.2 Netscape 7
Netscape 7 and Mozilla 1.4 (Netscape/Mozilla) implement P3P very similarly to IE6. This is surely not a coincidence, as Microsoft led the market and Netscape/Mozilla followed. There are only two substantive differences between the P3P implementations of IE6 and Netscape/Mozilla.
1. Netscape/Mozilla provides only three privacy settings, Low, Medium, and High, in comparison with
Internet Explorer’s six. Of course, like the IE6 implementation, average users do not change these settings,
so the Medium policy becomes the standard. The privacy preset in Netscape/Mozilla is significantly more
lenient than that in IE6. Under the default setting, no cookies are denied. Cookies that would have been
downgraded, leashed, or denied by IE6 are simply marked as “flagged” and a small icon is displayed at
the bottom of the browser window (See Figure 2). The “flagging” of a cookie does not inhibit the cookie
in any way, it merely allows for questionable cookies to be easily located in the Cookie Manager. Thus,
Netscape/Mozilla’s implementation of P3P policies changes nothing in terms of site operation or browsing
experience.
2. Like IE6, Netscape/Mozilla allows users to view full privacy reports in a human-readable format based on
the P3P policy. Also like IE6, these policies are hard to understand at it is unclear how they correspond to
elements of the Web site. However, finding the policy for a site is significantly easier in Netscape/Mozilla,
as the View-Page Info-Privacy tab is more logically designed and easier to understand. It is arranged by
page components in a hierarchical menu, as opposed to a random listing of the URI’s of page components
in IE6.
Figure 2: The Netscape/Mozilla cookie icon, to the left of the lock
12 4.3 AT&T Privacy Bird
The AT&T Privacy Bird, still in beta, is a browser plug-in (currently only available for Microsoft Internet
Explorer 4.0, 5.0, 5.5, 6.0) that searches for and reads full P3P policies and notifies the user whether the site’s policy matches the user’s privacy preferences. If the site is acceptable according to the user’s privacy preferences, a green bird is displayed and a happy chirping sound is played. If the site’s policy is unacceptable, an angry ready bird is displayed along with a squawking sound. If a site does not have a P3P policy, the user is also notified via an “uncertain” yellow bird, but no sound is played(See Figure 3).7 Privacy Bird also displays full P3P policies like IE6 and Netscape/Mozilla and does so in a way that is much easier to understand. The difference is that Privacy Bird makes extensive use of the
Figure 3: The three AT&T Privacy Birds, green, yellow, and red (happy, uncertain, and angry)
Privacy Bird requires the user to set up his or her privacy preferences or to choose one of the default preset options. The interface is relatively simple and easy to understand, though it does tend to ignore the details of P3P in favor of broad categories and generalizations.
Generally, the use of Privacy Bird does little to change the browsing experience, as most sites do not implement P3P. The default setting, Medium, is also strong enough that many sites with P3P privacy policies are marked with a red bird. According to the AT&T Labs-Research survey on P3P implementation,
33 out of the Netscore Top 100 Web sites received a red bird on the Medium setting in Privacy Bird. 22 received a red bird even on the Low setting.[BCK03] Thus, according to the Privacy Bird defaults, much of the Web does an inadequate job of protecting user privacy. This conclusion might be justified, but the existence of an angry red bird at so many sites is bound to decrease consumer confidence in the Internet– precisely opposite the goals of P3P. Perhaps a somewhat more lenient default setting would make the Internet seem a little less scary.
The AT&T Privacy Bird is a browser plug-in and thus must be downloaded separately from IE at www. privacybird.com. It would be valuable to know the exact number of Privacy Bird downloads, but it seems that its use is very limited. Also, though it has been available for some time, the Web site currently lists the software as a beta version. 7As a large majority of Web sites do not have P3P polices, it is a good thing that no sound is displayed. Internet browsing could become a very noisy experience. Of course, the Privacy Bird can simply be muted.
13 Privacy Bird is the only widely available tool that attempts to fulfill the original P3P goal of allowing users clear notice of a site’s privacy practices. Perhaps if the use of the tool reached a critical mass it would be an impetus for widespread P3P adoption by Internet sites. Right now however, the AT&T Privacy Bird is most useful for reminding users, via the yellow bird, that the Internet is not, by and large, using P3P.
5 Problems with P3P
5.1 Internal Problems: How the implementation hurts the concept
There are several aspects of the current P3P specification that limit P3P’s usefulness as a privacy tool.
First, the vocabulary of P3P fails to capture the nuances of human-readable privacy policies. P3P thus results in a loss of information. There simply are not, and perhaps never could be, XML tags for every possible usage case.[CW02] When the specified tags do not exactly correspond to a site’s actual data usage practices,
P3P demands that the site choose the closest possible vocabulary match and then explain the differences in a special P3P field and provide a human-readable privacy policy. This is a cumbersome solution, and actually belies one of the most fundamental flaws in the P3P system. Repeatedly in the specification, anything overly complex is simply offloaded to the human-readable privacy policy. Thus, the human policy ends up bearing all the crucially important details and P3P can only serve as a partial shortcut.
In part because of these P3P vocabulary limitations, no one is precisely clear on the legal state of a P3P policy. Some critics have encouraged implementers to include legal disclaimers, stating that P3P policies are not legally binding. Citibank and BITS are among companies that have advocated this position. However, it is not clear that P3P policies can be disclaimed, and a former FTC official believes that, if challenged in court, they would be found as binding as any human-readable policy. Companies’ have been unwilling to be held legally accountable for P3P polices, particularly as they are not as expressive as natural-language polices and could potentially conflict with the human-readable policies. There is also some concern that user agents may not represent sites’ P3P policies correctly.[CW02][HS] This not only could prove misleading to users, but could be patently harmful to sites whose traffic may be cut as a result of these inaccurate representations of their privacy policies. There is no requirement for user agents to use the same, approved human language when representing P3P polices to the user. All that is required is they should follow the
“spirit” of the P3P specification.[CLM+02] There are clear problems with enforcing a legally binding policy
14 if the language in which the policy is expressed to the user is left up to some application designer’s idea of
the P3P policy “spirit.”
As mentioned previously, P3P attempts to strike a balance between users and businesses. Users want
simplicity. Businesses would rather have complexity leading to greater exactness. Human-readable privacy
policies can be as exact as the business desires, but are often obfuscated by legalese. According to the Center
for Democracy and Technology, P3P cuts through this legal language.[MSC+00] Yet humans do not read
XML easily, and P3P is already complex enough that the user agents have trouble effectively expressing privacy policies to users. Still many businesses are unhappy with the expressive capabilities provided by
P3P. This tension between simplicity and complexity remains unresolved; P3P is simply a new arena in which the struggle is taking place.
Finally, for P3P preferences to ultimately be meaningful, the users must do some work to learn about privacy and set their preferences. In their discussion of P3P and IE6, technology lawyers James Harvey and Karen
Sanzaro note that the assumption that users will actually configure their preferences is naive. Furthermore, user demand and awareness of P3P has been virtually non-existent.[HS] In fact, this last point is the most damning of the criticisms about P3P: it is designed to solve a problem that most people simply do not care enough about to change their behavior. P3P cannot help with privacy if people are not interested in taking action.
5.2 External Problems: Why the Concept Is Wrong
It is also worth examining whether the problem P3P solves even warrants its own technical solution. Trans- parency is one of the necessary prerequisites for privacy, but P3P provides nothing more than transparency.
As the W3C states in its summary report
it does not address other fundamental privacy needs such as purpose limitation or security, nor
does it in and of itself provide for the enforcement of privacy rights when they are breached.
[CW02]
Fundamentally, P3P does not enable the establishment of a relationship of trust. The relationship that is created, a relationship of awareness, always favors the site as it is the site that gets to present the information and the user simply views it through a P3P user agent.[MSC+00].
15 Part of a true relationship of trust would be the establishment of some sort of consent mechanism, by which users can explicitly agree to a site’s P3P privacy policy. Instead of the current one-sided relationship, this would be a two-sided relationship, since the user could choose whether or not to accept the policy as presented by the site. Such a system seems imperative before the dreams of P3P architects, such as user agents automatically filling in forms based on users’ privacy preferences, are implemented.8
Trust is further dependent on security, and area to which P3P does not apply. As far as P3P is concerned, transmitting one’s Social Security Number over an unencrypted connection is no less ’private’ than sending it over an encrypted SSL connection. The word ’privacy’ in P3P really only refers to how data is used by legitimate Web sites. Harvey and Sanzaro note that this limited use of the word may be confusing to some users, as ’privacy’ often is used in general language to denote a certain level of secrecy and protection.[HS]
Finally, P3P provides no mechanism for enforcement of stated privacy policies. Enforcement is not really within the domain of the W3C as a standards body, but without some effective mechanism of ensuring that publishers of misleading or false P3P policies are punished, P3P is not very useful. Some sort of enforcement, whether through the industry (e.g. privacy seal programs) or the government, is desirable to enforce protection of users’ data.9 At the very least, P3P should not be seen as a way to avoid government intervention into privacy protection, as some have argued.[MSC+00][JtIEF] Such a position tries to replace
Enforcement with Notice, and the two principles are complementary, not synonymous.
It is worthwhile to consider the counter argument, namely that
the P3P specification is designed to do one job and do it well - to communicate to visitors, simply,
automatically and transparently a Web site’s stated privacy policies.[JtIEF]
Certainly other standards could be used in conjunction with P3P to provide a more complete solution. In fact, just such a possibility may be in P3P’s future and will be discussed below. The current P3P specification, however, is problematic enough that it is hardly worth the trouble if it is only going to do that one job. P3P provides a framework for informed choice, but “P3P does not help protect privacy in and of itself.”[MSC+00]
Without the other components, P3P is difficult to implement and maintain and does not really accomplish much in the end. 8This ideal was mentioned by Lorrie Cranor, leader of the W3C working group on P3P. [CW02] 9Stephanie Glaser noted on gigalaw.com that since September 11, the general trend within the United States has been toward security, at the expense of privacy, so the government is not currently a likely source of privacy enforcement.[Gla]
16 6 Future of P3P
There are several challenges facing P3P in the future. As per the current P3P goals, aimed at providing the
user with transparency, several of the important new developments currently presenting themselves revolve
around keeping up with the changing technological and legal environments. For example, can P3P be used
over Internet protocols other than HTTP, such as Web services? How will P3P work with mobile devices,
where bandwidth constraints are much higher and location data becomes very sensitive? Legally, the current
P3P vocabulary does not correspond to the privacy guidelines of the European Union. Changes will have
to be made to the P3P specification to ensure that P3P corresponds to existing privacy laws and those that
will pass in the future.[CW02]
However, on the horizon is a much bigger change in the way that personal information is managed on the
Internet, a change that could place P3P within the framework of consent and security that it could allow
it to be a valuable tool for protecting privacy. There are several pushes currently for a managed identity
system that would be constant across many systems, chief among these are Microsoft’s Passport service, and
the Liberty Alliance (a consortium of companies whose unifying attribute is not being Microsoft).10
These single sign-on services will manage a users’ personal information by linking it to a universal identity,
such as an email address. Thus, one username and password will allow a user to authenticate himself or
herself at sites around the Internet. Because these services will manage private user information, they are
designed with security features, such as encryption. P3P could potentially fill a role as a language for
specifying privacy preferences of both the users and the sites. For example, a Web site might ask the Liberty
Alliance system for a specific piece of data, the users’ first name. The user could have set her privacy
preferences to specify that her first name should not be given to sites who intend to use it for marketing.
The Liberty Alliance system, in turn, would only provide the first name to the Web site if the site had a P3P
policy ensuring that her first name would only be used for site customization, or some other non-marketing
purpose.
This is just one example of how P3P might be able to fill an important role in these systems by determining
what information the user is willing to give to Web sites and under what conditions. The occurrence of
such a transaction allows for an actual privacy agreement between users and Web sites, something that is
10This paper is not intended to be a technical discussion of either of these systems, and treats them as roughly the same. There is some consensus among industry members that the two systems will need to merge before they really catch on. Further information about Microsoft Passport can be found at www.passport.com and information on the Liberty Alliance is available at www.projectliberty.com
17 missing in the way in P3P is currently used. Interestingly, P3P was originally designed to perform this sort of handshaking between users and sites automatically, but the feature was taken out of the specification during the working group process.[MSC+00] Piggy-backing on these other systems could be a way for P3P to aid in achieving this much more complete privacy solution involving Notice, Choice, Access, and Security.
Added onto a single sign-on system, P3P could actually build relationships of trust between users and Web sites, and build them in such a way as to preserve user privacy. This is currently a topic that W3C working group members are exploring.[CW02]
Of course, such an implementation will still require users who are moderately proactive in protecting their privacy. Such a mentality might just not come about. The development of a critical mass of sites using
P3P, such that the dominant color of the AT&T Privacy Bird would not be yellow, is also questionable.[p3p]
Quite simply, it is still possible the P3P, with its shortcomings, might fail.
7 Conclusion
Ultimately, no technological solution can solve P3P’s two most glaring flaws (which are related to one an- other): the lack of implementation and the requirement of somewhat active users. An Internet privacy system, no matter how good or bad the specification, is completely ineffective without wide adoption, some- thing that P3P has not achieved (with the possible exception of compact policies, because of their forced implementation within IE6 and Netscape 7). Secondly, P3P, and probably any privacy system, will require some work on the part of the user, if only to adjust the cookie settings. Otherwise, Microsoft will effectively determine privacy standards on the Internet. Today, making full use of P3P involves downloading a tool like the AT&T Policy Bird and setting privacy preferences within the program. This is not a realistic pattern for user adoption. “Consumers unwilling to adjust their cookie choices in their current browsers are not likely to take the time to learn about and set their P3P preferences” [HS]. For the intricacies of P3P to be meaningful (and remember, many companies find that P3P is not as descriptive–or intricate–as they desire) users have to understand those intricacies. That simply does not seem to be a realistic outcome. If P3P becomes part of a larger, more useful system such as Passport or Liberty Alliance, users may begin to make use of the advantages it can provide.
18 A P3P Policy Example
This is the human privacy policy and corresponding P3P policy for oreillynet.com. The human-readable policy is available at http://www.oreillynet.com/pub/a/mediakit/privacy.html while the P3P file can be found at http://www.oreillynet.com/w3c/policy.xml#general. Particularly note how the P3P pol- icy for Aggregated Tracking Information contains the full text of the Aggregated Tracking portion of the human-readable policy. This is a complicated section of the policy, and by placing this information in the
A.1 Human-Readable Privacy Policy
O’Reilly & Associates, Inc. Privacy Policy
Purpose and Scope
This policy discloses what information we gather about you when you visit any of our Web sites (all oreilly.com and O’Reilly Network sites) or buy product directly from us. It describes how we use that information and how you can control it. Our privacy policy addresses:
Information O’Reilly gathers and tracks
O’Reilly collects two kinds of information about users: 1) data that users volunteer by signing up to receive news and product information, entering contests, completing surveys, or buying directly from us; and 2) aggregated tracking data we collect when users interact with us.
Personal information
We use the personal information you provide voluntarily to send information you’ve requested and to fulfill orders. The specific use of your personal information varies, depending on how you contact us:
* When you sign up to receive O’Reilly Network newsletters and/or O’Reilly product and company news at elists.oreilly.com, you must provide your name, email address, and a password. We never sell or rent your email address or other personally identifiable information you provide when subscribing to our elists. * When you register for an O’Reilly conference, or sign up for a conference email list, we will send you email announcements and updates about O’Reilly conferences. We send conference brochures to past conference attendees. * When you order books directly from us, or request book catalogs, we add you to our snailmail list, and we’ll send you catalogs and other marketing pieces. * When you enter a contest or sweepstakes, we may ask for your name, address, and email address so we can administer the contest and communicate with entrants about the results.
We share customer information only with affiliated companies (see http://www.oreilly.com/affiliates.html) and as described below:
* With third parties we retain to perform functions on our behalf, such as fulfilling orders, processing credit card payments, managing mailing lists, and delivering packages. These parties are restricted from using your information for any other purpose. * We rent our snailmail list for one-time use to third parties we deem relevant and appropriate. We do not rent or sell our email lists. * We release personal information when we believe that release is appropriate to comply with the law, or to protect the rights, property, or safety of
19 O’Reilly & Associates, our users, or others. This may include exchanging information with other companies and organizations for fraud protection and credit risk reduction.
Aggregated tracking information
We analyze visitors’ use of our sites by tracking information such as pageviews, traffic flow, search terms, and click through. We use this information to improve our sites. We also share this anonymous traffic and demographic information in aggregate form with advertisers and other business partners. We do not share any information with advertisers that can identify an individual user.
We use WebSiteStory’s Hitbox, a third party web analytics service to improve our web site performance and user experience. We use this information to improve usability on our sites and to help support our customers online needs. Hitbox does not reveal any personally identifiable information, such as names or email address.
For more information on the Hitbox service and privacy policy, please see their privacy policy and privacy FAQ.
Cookies
A cookie is a small data file that we transfer to your computer’s hard drive through your web browser when you visit our sites. Cookies enable our systems to recognize your computer, so that we can provide you with personalized information and features. We also use cookies to track user traffic patterns.
On our sites, we and some of our advertisers use a third-party ad server to display ads. These ads may contain cookies. The ad server receives these cookies, and we don’t have access to them.
You can set your browser to warn you before accepting cookies or to block cookies. If you block cookies, you may not be able to use certain site features or functions.
Third Party Cookies
In the course of serving advertisements to this site, our third-party advertiser may place or recognize a unique cookie on your browser.
Third Party Advertising
The ads appearing on this Web site are delivered to you by DoubleClick, our Web advertising partner. Information about your visit to their site, such as number of times you have viewed an ad (but not your name, address, or other personal information), is used to serve ads to you on this site. For more information about DoubleClick, cookies, and how to ”opt-out”, please click here: http://www.doubleclick.net/us/ corporate/privacy
Notification of Changes
If we change our Privacy Policy, we will post those changes on www.oreilly.com. If we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users via email. Users will be able to opt out of any new use of their personal information.
How to update, correct, or delete your information Email: To update or unsubscribe from our email newsletters or product announcements, go to elists.oreilly.com. To get help from a human, send email to [email protected] or call 800-998-9938 or 707-829-0515.
Snailmail: To change your address, delete your name from our mailing list (for paper catalogs or brochures) or to opt-out of third-party mail, send email to [email protected] or call 800-998-9938 or 707-829-0515.
20 A.2 P3P Encoding of Privacy Policy
21
Our Web server collects access logs containing this information.
22
23
We use WebSiteStory’s Hitbox, a third party web analytics service to improve our web site performance and user experience. We use this information to improve usability on our sites and to help support our customers online needs. Hitbox does not reveal any personally identifiable information, such as names or email address.
For more information on the Hitbox service and privacy policy, please see their privacy policy and privacy FAQ located at: http://www.websidestory.com/cgi-bin/wss.cgi?privacy&privacy&index.
24
When you sign up to participate in forums or to receive O’Reilly Network newsletters and/or O’Reilly product and company news at elists.oreilly.com, you must provide your name, email address, and a password. We never sell or rent your email address or other personally identifiable information you provide when subscribing to our elists.
25
When you register for an O’Reilly conference, or sign up for a conference email list, we will send you email announcements and updates about O’Reilly conferences. We send conference brochures to past conference attendees.
26
27
References
[ATTa] ATT. AT&T Privacy Bird frequently asked questions. http://www.privacybird.com/faq. html. [ATTb] ATT. AT&T Privacy Bird tour. http://www.privacybird.com/tour/1_2_beta/tour.html. [ATTc] ATT. Download AT&T Privacy Bird now. http://www.privacybird.com. [BCK03] Simon Byers, Lorrie Faith Cranor, and David Kormann. Automated analysis of p3p-enabled web sites. In Proceedings of the 5th international conference on Electronic commerce, pages 326–338. ACM Press, 2003.
[CA] Lorrie Faith Cranor and Manjula Arjula. Use of a P3P user agent by early adopters. citeseer. nj.nec.com/558283.html. [CLM+02] Lorrie Cranor, Marc Langheinrich, Massimo Marchiori, Martin Presler-Marshall, and Joseph Reagle. The Platform for Privacy Preferences 1.0 (P3P1.0) Specification. http://www.w3.org/ TR/P3P/, 2002. [Com00] Federal Trade Comission. Privacy online: Fair information practices in the electronic market- place. Technical report, Federal Trade Comission, May 2000. [CRA99] L. Cranor, J. Reagle, and M. Ackerman. Beyond concern: Understanding net users attitudes about online privacy. http://www.research.att.com/resources/trs/TRs/99/99.4/99.4.3/ report.htm%, 1999. [Cra02] Lorrie Cranor. Help! IE6 is blocking my cookies. http://www.oreillynet.com/pub/a/ javascript/2002/10/04/p3p.html, Oct 2002. [CW] Lorrie Cranor and Rigo Wenning. Why P3P is a good privacy tool for consumers and companies. http://www.gigalaw.com/articles/2002-all/cranor-2002-04-all.html. [CW02] Lorrie Cranor and Daniel Weitzner. Summary report - W3C workshop on the future of P3P. http://www.w3.org/2002/12/18-p3p-workshop-report.html, 2002. [DGGW03] Edwin M. Delaney, Claire E. Goldstein, Jennifer Gutterman, and Scott N. Wagner. Automated computer privacy preferences slowly gain popularity. Intellectual Property & Technology Law Journal, 15(8):17, Aug 2003.
[Fra01] Rob Franco. Internet Explorer 6 privacy user experience. Powerpoint Presentation http:// www.microsoft.com/winme/01mitt/01may/15364/Experience/default.ht%m, May 2001. [GL01] Aaron Goldfeder and Lisa Libfried. Privacy in internet Explorer 6. http://msdn.microsoft. com/library/en-us/dnpriv/html/ie6privacyfeature.a%sp, Oct 2001.
28 [Gla] Stephanie B. Glaser. To post an online privacy policy or not. http://www.gigalaw.com/ articles/2001-all/glaser-2001-11-all.html. [Gol01] Aaron Goldfeder. Internet explorer 6 privacy features. Powerpoint Presentation http://www. microsoft.com/winme/01mitt/01may/15364/features/default.htm, May 2001. [HS] James A. Harvey and Karen M. Sanzaro. P3P and IE 6: Raising more privacy issues than they resolve. http://www.gigalaw.com/articles/2002-all/harvey-2002-02-all.html. [JtIEF] Laurel Jamtgaard and the Internet Education Foundatation. The p3p implementation guide. http://p3ptoolbox.org/guide/. [Len] Tom Lendacky. The platform for privacy preferences. http://www.mozilla.org/projects/ p3p/. [Mic] Microsoft Corporation. Internet Explorer 6 privacy feature FAQ. http://msdn.microsoft. com/workshop/security/privacy/overview/privacyfaq%.asp. [Mic01] Microsoft Corporation. Resources for creating P3P - based privacy statements. Powerpoint Presentation http://www.microsoft.com/winme/01mitt/01may/15364/Resources/default. htm%, May 2001. [MSC+00] D. Mulligan, A. Schwartz, A. Cavoukian, , and M. Gurski. P3P and privacy: An update for the privacy community. http://www.cdt.org/privacy/pet/p3pprivacy.shtml, Mar 2000. [p3p] p3ptoolbox.org. Why implement P3P? http://www.p3ptoolbox.org/why.shtml. [PM02] Martin Presler-Marshall. The Platform for Privacy Preferences 1.0 deployment guide. http: //www.w3.org/TR/p3pdeployment, Feb 2002. [SK] Karen Sanzaro and David Keating. Online privacy policies and practices under fire. http: //www.gigalaw.com/articles/2000-all/sanzaro-2000-03-all.html. [SKBP] Larry Singer, Richard Keck, Jon Buffington, and Bill Poulos. Roundtable discus- sion: Internet privacy and the law. http://www.gigalaw.com/articles/2001-all/ rountable-privacy-2001-04-all.%html. [Sol02] Howard Soloman. Privacy policies under fire–businesses that don’t adopt p3p stanard will suffer: commissioner. Computing Canada, 28(14):1, Jul 2002. July, 5, 2002. [Wor] World Wide Web Consortium. Testsuite for the Platform for Privacy Preferences (P3P) project. http://p3ptest-1.w3.org/.
29