The Platform for Privacy Preferences Project (P3P)

Overview

As the use of Information Technology has become increasingly widespread, so concern has grown about the nature and management of the information stored. This is particularly the case in relation to personal data - information directly pertaining to the individual. The movement for data protection, for privacy, has grown in tandem with the increasing sophistication of tools for gathering and storing such data.

As the Internet has moved into mainstream use, so the issue of privacy in the online environment has become more pressing. The issue has focused on two main areas. Firstly, online security; the safety of information passed over the Internet and held on Internet-facing computers (e.g. credit card details). Secondly, online privacy; the extent to which one's actions in cyberspace can be observed and catalogued by others. An important aspect of the latter relates to the perceived use that marketeers can make of the information gathered.

The Platform for Privacy Preferences Project (P3P), a proposal by the World Wide Web Consortium (W3C), is aimed at this second issue of online privacy. The essence of the idea is that websites should carry specially configured, machine-readable privacy statements, designed to be read automatically by web browsers. Thus, if a site's P3P statement is in conflict with the web browser's privacy settings, the browser can take appropriate action to avoid whatever data practice is disliked. For example, a browser could be set up to block navigation to any site which says that it passes on personal information to third parties.

As the example just given illustrates, P3P involves a static 'notice and choice' paradigm. Each website advertises its data practices, and users then choose (via antecedently specified preferences) whether or not they are happy enough with these practices to use the website. Prototype versions of P3P contained a method whereby browsers and sites could enter a 'negotiation' about data practices, but this element of P3P was later dropped as being overcomplicated.

It is important to realise that a P3P statement itself does not provide any guarantee that the hosting site actually follows the data practices described - the creator of the statement could just be lying about his practices (it has not yet been tested whether P3P privacy policies can be legally enforceable). Furthermore, the P3P statement clearly cannot override any legal requirement a site has under local laws. It thus follows that P3P should not be seen as any kind of alternative to privacy legislation. Its advocates believe, however, that it is a technology which works usefully within the bounds of structures laid down by law.

The Current State of P3P

The P3P 1.0 Working Draft was issued on September 28th. Currently a 'candidate' recommendation of the W3C, it is expected shortly to be upgraded to a 'proposed' recommendation.

At present, only Internet Explorer 6 implements P3P. The default privacy settings in IE 6 have managed to worry both privacy lobbyists (for being too lenient) and marketeers (for being too strict). The main restriction in the default setting is to block certain third party cookies (read more about this at http://www.microsoft.com/presspass/press/2001/mar01/PrivacyToolsIEfs.asp). When beta versions of IE6 were first released, this restriction caused some problems for large-scale Internet advertisers like DoubleClick. However, most such organisations have now addressed the problem.

Readers should treat with scepticism the claim found in some places that IE 6 by default blocks 'all', or 'most' cookies. This is a distortion of the truth, and is often made for self-serving purposes.

At present, the great majority of websites, which collect little or no personal data about their users, gain no benefit from introducing P3P policies. Since implementing such policies can be a somewhat long-winded and confusing affair, P3P is unlikely to be in widespread use any time soon.

We can, however, identify a number of possible - if unlikely - factors which could drive P3P to general use. Firstly, we can imagine a body like the US, or the EU, introducing legislation requiring sites to provide privacy statements. Secondly, we can imagine that the default settings of popular browsers could become more obstructive to sites without P3P policies. Thirdly, we can imagine that the major search engines could start to give advantages in rankings to sites with such policies.

Criticism of P3P

In the three years it has been in development, many criticisms have been thrown at P3P. We can divide these up into three categories. Firstly, there are complaints that it has been done badly, that there are internal weaknesses in the protocol. Secondly, there are complaints that it is useless, that it does not solve the problems it sets out to address. Thirdly, there are complaints that it is worse than useless, that introducing P3P is in fact damaging to efforts for online privacy.

'P3P has been done badly'

Some critics have complained that P3P has been done badly on the grounds that the data model it uses is 'complex and confusing'. It is not yet clear if this is a good criticism, however. The data model is difficult to grasp in its bare form, true, but this does not show that all ways of manipulating the data model must be similarly confusing. To illustrate the point, consider that the people who find HTML code complex and confusing may understand well enough how to use web browsers. The important question, therefore, is whether the tools that use the P3P protocol must themselves do so in a confusing way. But since such tools are currently in their infancy, it is probably too early to tell.

A more worrying point, noted in passing in an article by Karen Coyle (http://www.kcoyle.net/response.html), is that some of the categories used in the data model are just too broad to be useful. She complains, for instance, that:

"... the gathering of data about customers for the full range of marketing and product development is called 'research and development.' "

'P3P is useless'

The criticism that P3P is useless is made in a number of different ways by different critics. Some point to the fact that it does not include a method of enforcement. However, to us this doesn't seem to be a criticism of P3P so much as an argument for there being laws against lying on P3P statements.

Of more serious concern is the thought that runs along the following lines. Most users of web browsers don't have the background knowledge - or time - to adjust their privacy settings. And most manufacturers of web browsers set the privacy defaults in these browsers very leniently, because they themselves benefit from a relaxed regime. Hence: most web users will never be put in a position where they are forced to make an informed choice about their online privacy.

Of course, this is only the beginnings of a good argument if it is impossible to educate the users of web browsers about their options, and impossible to force the manufacturers of web browsers to set less lenient privacy defaults. The pessimistic approach sees both of these claims as sadly plausible, but we do think that there may be scope in pressing for legislation on default privacy settings.

'P3P is damaging'

The most 'hard-core' critics of P3P argue that the P3P project actually damages online privacy. Such critics argue that the 'notice and choice' paradigm involves a tacit acceptance of the idea that it is acceptable to agree to violations of one's privacy. Since they think that violations of privacy should in fact be outlawed, they think that P3P is wrong-headed.

In his article Technical Standards and Privacy (http://www.junkbusters.com/standards.html), Jason Catlett uses a colourful analogy to make this point. He raises for consideration the problem of online software piracy, and questions if the right answer is a 'Platform for Piracy Preferences Project'. Under this imaginary scheme, sites would be urged to declare their practices with regard to pirated material, and users urged to use only those sites which respect software copyright.

Catlett notes that nobody serious about tackling software piracy would be happy with a scheme as just described; they would, instead, demand enforcement via legislation. Catlett then claims that the proponents of P3P are in an analogous position to the proponents of the Platform for Piracy Preferences Project, and are thus in the wrong.

Unfortunately for Catlett, though, the cases aren't really analogous. The trouble with software piracy is that a third party's rights are infringed, and their rights continue to be infringed if we opt to use a website which declares itself as pro-piracy. But we do not infringe our own right to privacy if we knowingly choose to use a website which states that it will broadcast all the material we supply it with. We may have rights to privacy, but there is nothing that forces us to exercise these rights.

P3P: Technical Details

Since it is claimed above that P3P policies are not important for most websites, this section will just be a brief overview of the technical details of P3P, with links to more detailed resources at the end.

A website which is P3P compliant contains at least two special XML files. The first is a 'P3P Reference File'. The purpose of this file is to associate particular web pages (or, more precisely, 'HTTP Entities', which are slightly more basic than web pages) with one or more 'P3P Policy Files'. The Policy File associated with a particular HTTP entity specifies the data practices for that entity. Policy Files for cookies are specified in isolation from other Policy Files.

The location of the Reference File itself can be given to a browser in three different ways. It can be specified with an HTML <link> element, can be passed in special P3P HTTP headers, or else is to be found in a 'well-known location', viz: the 'p3p.xml' file in the 'w3c' directory off the root of the webserver.

As noted, the Policy File specifies the data practices for an entity. The data it contains may include: the details of the organisation collecting the data; the type of data being collected; the purpose of the data collection; any outside recipients of the data. It will also include details of whether users can make changes in the stored data; any dispute resolution process; and the location of the corresponding human-readable privacy document. Note that this last item is mandatory - the details in each Policy File must also be accessible in a natural language form.

The P3P protocol contains data sets which describe various different types of data. For example there is the kind of data that one might take in a registration form - user name, email address, etc. It also covers the kind of data that is collected automatically in web logs - IP addresses, referring URL, etc. It is expected that the number of inbuilt data types will increase as P3P matures, but it is also possible for organisations to specify their own data types.
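To make the Reference File / Policy File relationship concrete, here is an added example (not from the article or the W3C) of the browser-side check described in the Overview: it reads a constructed /w3c/p3p.xml, finds the policy covering a requested path, and blocks if any statement in that policy names a recipient other than the site itself. The XML namespace is the one from the P3P 1.0 Recommendation, and the policy name, paths and discuri are made up for the example.

```python
import fnmatch
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2002/01/P3Pv1}"  # P3P 1.0 XML namespace
# Constructed /w3c/p3p.xml: policy "site" covers everything but /catalog/.
REFERENCE_XML = """<META xmlns="http://www.w3.org/2002/01/P3Pv1"><POLICY-REFERENCES>
  <POLICY-REF about="/w3c/policy.xml#site">
    <INCLUDE>/*</INCLUDE><EXCLUDE>/catalog/*</EXCLUDE>
  </POLICY-REF>
</POLICY-REFERENCES></META>"""

# Constructed policy: log data stays in-house, registration data is shared.
POLICY_XML = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="site" discuri="http://www.example.invalid/privacy.html">
    <STATEMENT><PURPOSE><admin/></PURPOSE><RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP></STATEMENT>
    <STATEMENT><PURPOSE><contact/></PURPOSE><RECIPIENT><ours/><unrelated/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP><DATA ref="#user.name"/><DATA ref="#user.home-info.online.email"/></DATA-GROUP></STATEMENT>
  </POLICY>
</POLICIES>"""

def policy_for(path, reference_xml=REFERENCE_XML):
    """Name of the policy covering `path` (an EXCLUDE match beats INCLUDE), or None."""
    for ref in ET.fromstring(reference_xml).iter(NS + "POLICY-REF"):
        hit = lambda tag: any(fnmatch.fnmatchcase(path, e.text)
                              for e in ref.findall(NS + tag))
        if hit("INCLUDE") and not hit("EXCLUDE"):
            return ref.get("about").split("#", 1)[1]
    return None

def third_party_data(policy_name, policy_xml=POLICY_XML):
    """Data refs the named policy admits passing to recipients other than the site."""
    shared = []
    for pol in ET.fromstring(policy_xml).findall(NS + "POLICY"):
        if pol.get("name") != policy_name:
            continue
        for stmt in pol.findall(NS + "STATEMENT"):
            recips = {r.tag[len(NS):] for r in stmt.find(NS + "RECIPIENT")}
            if recips - {"ours"}:  # anything beyond the site itself
                shared += [d.get("ref") for d in stmt.iter(NS + "DATA")]
    return shared

def decide(path):
    """The browser rule from the article: refuse sites that pass data to third parties."""
    name = policy_for(path)
    if name is None:
        return "no-policy"
    return "block" if third_party_data(name) else "allow"
```

A real user agent would also honour the <link> element and P3P HTTP header as alternative locations for the Reference File, and would keep cookie policies (COOKIE-INCLUDE) separate, as the text notes.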

The following resources are useful in learning more about P3P, and for the process of writing your own P3P policies. They have been picked out from the larger list of papers and resources at: http://www.w3.org/P3P/.

P3P Deployment Guide

Goes through the background work required for producing a P3P privacy policy.
http://www.w3.org/TR/2001/NOTE-p3pdeployment-20010510

How to Create and Publish Your Company's P3P Policy (in 6 Easy Steps)

A step by step overview to putting up a P3P policy.
http://www.w3.org/P3P/details.html

Web Privacy and the P3P Standard

An overview of the different XML elements which go to make up Policy Files and Policy Reference Files.
http://www7.software.ibm.com/vad.nsf/Data/Document2363?OpenDocument&p=1&BCT=1Footer=1

References for P3P Implementations (item 2)

Programs which help you produce P3P Policies (n.b. most of these require some IT experience to get them working).
http://www.alphaworks.ibm.com/tech/p3peditor
http://www.w3.org/P3P/implementations

The P3P Validator

Online resource for validating your site's P3P Policy.
http://www.w3.org/P3P/validator/

P3P 1.0 Specification

http://www.w3.org/TR/P3P/
