Platform for Privacy Preferences (P3P): Privacy Without Teeth

Andrew Van Kirk
Duke University
[email protected]
March 10, 2005

Abstract

The P3P standard, released by the W3C in its current form in April 2002, is a highly limited attempt to safeguard privacy on the Internet. Official P3P documents make it clear that P3P is designed to allow Web sites to express their privacy policies in a machine-readable format, thus allowing user agents, such as Web browsers, to make decisions automatically based upon the user's privacy preferences. P3P is relatively successful in accomplishing that goal on a technological level. However, much more than technological success must be achieved to protect users' privacy on the Internet. P3P is plagued by poor adoption rates among Web sites, very limited implementation in user agents, and virtually no public understanding of the system. These flaws have made P3P relatively ineffective in accomplishing its stated goal. Moreover, P3P does not solve the root problem of privacy on the Internet: relationships of trust. Increased transparency of privacy standards, P3P's stated goal, is only part of an effective privacy solution. Technological changes on the horizon, however, such as unified identity management tools, will provide an opportunity by which P3P could become a valuable part of a larger privacy management system.

1 Introduction

Privacy in our daily online activities stands out among Internet policy issues as an area of growing concern and is the recipient of increasing attention from regulatory bodies. A Federal Trade Commission (FTC) report to Congress in May 2000, entitled Privacy Online: Fair Information Practices In The Electronic Marketplace, cited "four widely accepted fair information practices:" notice, choice, access, and security. A fifth component, enforcement, was also cited as a critical component of privacy protection.
The FTC describes these five principles in relation to online privacy as follows:

Notice - Web sites would be required to provide consumers clear and conspicuous notice of their information practices, including what information they collect, how they collect it...how they use it, how they provide Choice, Access, and Security to consumers, whether they disclose the information collected to other entities, and whether other entities are collecting information through the site.

Choice - Web sites would be required to offer consumers choices as to how their personally identifying information is used beyond the use for which the information was provided...Such choice would encompass both internal secondary uses...and external secondary uses.

Access - Web sites would be required to offer consumers reasonable access to the information a Web site has collected about them, including a reasonable opportunity to review information and to correct inaccuracies or delete information.

Security - Web sites would be required to take reasonable steps to protect the security of the information they collect from consumers.

Enforcement - The use of a reliable mechanism to provide sanctions for non-compliance. [Com00]

These five rules are designed to cover the Fair Information Principles, a set of principles developed by the Organization for Economic Cooperation and Development (OECD) in 1980 to protect data privacy. They are designed to work together as a set. [JtIEF] Notice is of little importance to the user if there is no availability of Choice (particularly where use of a service is, for one reason or another, not really optional, such as online banking). Likewise, Access means nothing if that Access is so insecure that anyone can obtain and change others' personal data. It is only as a group that these five principles protect online privacy. The Internet, however, evolved without these systems in place.
Now, as privacy concerns become increasingly important, various attempts are being made to protect user privacy. One such attempt is P3P, the Platform for Privacy Preferences, a World Wide Web Consortium (W3C) specification that "enables Web sites to express their privacy preferences in a standard format that can be retrieved automatically and interpreted easily by user-agents." [CLM+02] P3P, as a technology, does an adequate job of fulfilling that stated mission. However, of the five principles outlined by the FTC, P3P covers only Notice, which, while important, is only one component of a complete privacy solution. Moreover, there are some serious problems with the current P3P standard that have limited its effectiveness in achieving broad consumer awareness of privacy standards. On the whole, P3P is only a partial solution to part of the problem. For privacy concerns on the Internet to be truly addressed, P3P must be modified and used as part of a more complete solution.

2 The P3P Standard

2.1 Overview

The P3P 1.0 specification, adopted as a W3C Recommendation only on April 16, 2002, was developed through the consensus process of a W3C working group. P3P is aimed at achieving awareness and transparency for privacy policies on the Internet. Transparency, in fact, is the single reason given by the W3C in its P3P deployment guide for Web sites. [PM02] The sole purpose of P3P is communication, or, in the FTC terminology, Notice. There is a tendency to exaggerate the capabilities of this standard. Even the W3C succumbed to the temptation, writing in the introduction to its P3P test suite that P3P is "emerging as an industry standard providing a simple, automated way for users to gain more control of the use of personal information on Web sites they visit." [Wor] Similarly, the AT&T Privacy Bird is described as placing users in control. [ATTc]
P3P provides no mechanism for user control; user control is augmented only to the extent that users can somewhat more easily access and make sense of privacy policy information. Furthermore, P3P can only provide the user with a site's promise to uphold the policy detailed in P3P format. There is no enforcement mechanism: nothing in the protocol lets a user agent verify that a site's actual practices match the policy it declares. However, transparency and awareness do provide some significant benefits to end users. Transparency can lead to increased meaningful communication between Web sites and Web users regarding privacy policies. Communication is fundamental to all of the other FTC Fair Information Practices: any technology or system put into place to provide users with choice or control would have to depend on meaningful communication regarding privacy practices. This communication, even if not tied to any enforcement or security mechanism, is still a tool by which businesses can potentially earn consumer trust. [JtIEF] Consumer awareness of privacy policies could lead to increased public oversight and review, which in turn would lead to better privacy practices on the part of companies, as they are sensitive to customer demands. [JtIEF] If P3P adoption by sites ever reaches a critical mass and user awareness and use of P3P becomes widespread, P3P policies could become a differentiating factor among businesses offering similar products and services. In this way, P3P allows for the possibility of market control of privacy policies.

2.2 Technology Outline

P3P policies are encoded using XML with namespaces. In fact, P3P is ultimately nothing more than the specification of an XML schema, a set of data elements, and a predetermined method of locating the P3P policy. It is not a new technology but a specified way to use a previously existing technology, XML. The predefined set of elements given by the W3C in the specification have standardized meanings.
For example, the <current/> tag inside a <PURPOSE> element means that the data referred to in this section of the policy is being used only for the current purpose, that is, to complete the activity for which it was provided, such as completing an order. Different elements exist for different policy issues: the types of data to be collected, the parties with access to the data, the length of time the data will be retained, and various other categories. P3P policies are designed with the requirement that a human-readable privacy policy also be available; nuances in language and meaning are clarified only in the human-readable version.

After a Web site's privacy policy has been encoded as one or more P3P XML files, each possibly containing several individual policies corresponding to different parts of the site, the file(s) are stored on the server in a location accessible to user agents. Additionally, a separate XML file known as the policy reference file, whose encoding is also defined in the P3P specification, must be created to inform user agents of the location where the policy or policies reside on the server and what portions of the site each policy covers. User agents locate this file by looking in the well-known location (/w3c/p3p.xml), by reading its location from the P3P HTTP header in each response from the Web site, or by reading it from a <link> element placed in each HTML page on the site. Web sites must use at least one of these three methods to inform user agents of the location of their P3P policies. A brief written privacy policy and corresponding P3P policy example are given in Appendix A.¹

A given P3P policy is not page specific, even though most users have a page-by-page Web experience. P3P policies can apply to anything with a Uniform Resource Identifier (URI), such as cookies, images, and form data. Thus, one page may be covered by several policies referring to discrete elements on that page. [CLM+02] At the same time, however, one policy may cover many pages, and this is probably the more common implementation, as it is significantly easier from a Web administration standpoint. The W3C P3P Deployment Guide estimates that an average of five policies per site should provide adequate granularity in most instances. P3P policies must correspond to the point at which data collection occurs. This means that for a form, the policy must cover the URI of the form submission target, not merely the page on which the form is displayed.

¹ A full explanation of the XML encoding of P3P is beyond the scope of this document and is already well covered in The Platform for Privacy Preferences 1.0 (P3P 1.0) Specification, available at http://www.w3.org/TR/P3P/
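The discovery and matching steps described in this section, worked through as an added example (this code is not from the paper, from the W3C, or from any P3P implementation): a minimal user agent that finds the policy reference file by the three mechanisms above, picks the POLICY-REF that covers a requested URI, and flattens the covering policy's statements into the sets a preference check compares against. The namespace, the /w3c/p3p.xml location, the P3P header and <link rel="P3Pv1"> forms, and the element names are from the specification; the policy reference file, the policies, the site URIs, and the user's "objectionable" purposes and recipients are constructed for illustration. Two assumptions are coded and commented: the first POLICY-REF that covers a URI applies, and an EXCLUDE overrides an INCLUDE within the same POLICY-REF. Note that the second INCLUDE covers the form submission target (/cgi-bin/order*) separately from the pages that display the form, as the paper requires.

```python
"""Minimal P3P 1.0 user-agent steps: locate the policy reference file, pick the
POLICY-REF covering a URI, summarise the covering policy. Constructed data."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"
WELL_KNOWN = "/w3c/p3p.xml"

# Constructed policy reference file (what a user agent fetches from /w3c/p3p.xml).
# Assumption: the first POLICY-REF covering a URI is the one that applies.
POLICY_REF_XML = f"""<META xmlns="{P3P_NS}"><POLICY-REFERENCES>
  <POLICY-REF about="/w3c/policies.xml#checkout">
    <INCLUDE>/checkout/*</INCLUDE><INCLUDE>/cgi-bin/order*</INCLUDE>
  </POLICY-REF>
  <POLICY-REF about="/w3c/policies.xml#general">
    <INCLUDE>/*</INCLUDE><EXCLUDE>/internal/*</EXCLUDE>
  </POLICY-REF>
</POLICY-REFERENCES></META>"""

# Constructed policy file holding the two policies referenced above (ENTITY omitted).
POLICIES_XML = f"""<POLICIES xmlns="{P3P_NS}">
  <POLICY name="general" discuri="http://www.example.com/privacy.html">
    <ACCESS><nonident/></ACCESS>
    <STATEMENT>
      <PURPOSE><current/><admin/></PURPOSE><RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP><DATA ref="#dynamic.clickstream"/><DATA ref="#dynamic.http"/></DATA-GROUP>
    </STATEMENT>
  </POLICY>
  <POLICY name="checkout" discuri="http://www.example.com/privacy.html#orders">
    <ACCESS><contact-and-other/></ACCESS>
    <STATEMENT>
      <PURPOSE><current/><contact/><telemarketing/></PURPOSE>
      <RECIPIENT><ours/><delivery/><other-recipient/></RECIPIENT>
      <RETENTION><business-practices/></RETENTION>
      <DATA-GROUP><DATA ref="#user.name"/><DATA ref="#user.home-info.postal"/></DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>"""

# Constructed user preference: object to marketing and to disclosure beyond the site.
OBJECTIONABLE_PURPOSES = {"telemarketing", "other-purpose"}
OBJECTIONABLE_RECIPIENTS = {"other-recipient", "unrelated", "public"}

def _tag(name):
    return f"{{{P3P_NS}}}{name}"

def locate_policy_ref(headers, html, well_known_exists):
    """Three discovery mechanisms: P3P response header, HTML <link rel="P3Pv1">,
    then the well-known location. The order is this example's choice."""
    m = re.search(r'policyref\s*=\s*"([^"]+)"', headers.get("P3P", ""))
    if m:
        return m.group(1)
    m = re.search(r'<link[^>]*rel="P3Pv1"[^>]*href="([^"]+)"', html, re.I)
    if m:
        return m.group(1)
    return WELL_KNOWN if well_known_exists else None

def _matches(pattern, path):
    # '*' is P3P's only wildcard and matches any run of characters.
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, path) is not None

def covering_policy(policy_ref_xml, uri):
    """'about' URI of the first POLICY-REF whose INCLUDE matches the request
    path and whose EXCLUDE does not; None if no policy covers the URI."""
    path = urlsplit(uri).path or "/"
    for ref in ET.fromstring(policy_ref_xml).iter(_tag("POLICY-REF")):
        inc = [e.text.strip() for e in ref.findall(_tag("INCLUDE"))]
        exc = [e.text.strip() for e in ref.findall(_tag("EXCLUDE"))]
        if any(_matches(p, path) for p in inc) and not any(_matches(p, path) for p in exc):
            return ref.get("about")
    return None

def summarize_policy(policies_xml, about):
    """Flatten the named policy's STATEMENTs into the sets a user agent compares
    against its preferences: purposes, recipients, retention and data refs."""
    name = about.split("#", 1)[1]
    for pol in ET.fromstring(policies_xml).iter(_tag("POLICY")):
        if pol.get("name") != name:
            continue
        summary = {"discuri": pol.get("discuri"), "purpose": set(),
                   "recipient": set(), "retention": set(), "data": set()}
        for stmt in pol.findall(_tag("STATEMENT")):
            for key in ("PURPOSE", "RECIPIENT", "RETENTION"):
                for el in stmt.findall(_tag(key) + "/*"):
                    summary[key.lower()].add(el.tag.split("}", 1)[1])
            summary["data"].update(d.get("ref") for d in stmt.iter(_tag("DATA")))
        return summary
    raise ValueError(f"no POLICY named {name!r}")

def evaluate(uri, policy_ref_xml=POLICY_REF_XML, policies_xml=POLICIES_XML):
    """Return ('no-policy' | 'ok' | 'warn', reasons). The verdict rests entirely
    on the site's own declaration; nothing here can verify its practices."""
    about = covering_policy(policy_ref_xml, uri)
    if about is None:
        return "no-policy", []
    s = summarize_policy(policies_xml, about)
    reasons = (sorted(s["purpose"] & OBJECTIONABLE_PURPOSES)
               + sorted(s["recipient"] & OBJECTIONABLE_RECIPIENTS))
    return ("warn" if reasons else "ok"), reasons
```

Running evaluate() on a catalogue page yields "ok", on the checkout form target "warn" with the telemarketing purpose and the other-recipient disclosure as reasons, and on an excluded /internal/ path "no-policy". The last verdict is the interesting one for a practitioner: an uncovered URI is indistinguishable from a site that never deployed P3P, and, as the section says, even a "warn" or "ok" is only a report of what the site promised.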
