Consortium takes shot at sorting out Web privacy and marketing interests

Cambridge, Mass. - The World Wide Web Consortium (W3C) is trying to strike the right balance - a balance between Web site operators' need to collect information about visitors for marketing purposes and visitors' right to privacy.

However, as work on the group's Platform for Privacy Preferences (P3) project gets underway, some observers are concerned that the W3C's high ideal of user privacy may be falling victim to the more base desire of making a buck off valuable user data.

The P3 specification is supposed to define a common format for letting an end user view a Web server privacy policy before the user's browser releases end-user data. The W3C said it hopes to have its recommendation out by fall.

Profiles in privacy

The P3 format includes a range of privacy profiles, such as whether the Web merchant will resell the data the user discloses or otherwise recycle it for marketing purposes, according to Tim Berners-Lee, W3C director and inventor of the Web.

"The basis of P3 is that on the user side, there is a right and a choice to how that information is used," Berners-Lee said.

Berners-Lee announced the P3 initiative at last month's Federal Trade Commission (FTC) hearings in Washington, D.C.

The FTC, which is concerned that consumer privacy has been largely ignored as Web-based electronic commerce grows, last month spent a week hearing testimony about current online marketing practices.

The W3C picked up the P3 privacy policy idea from the Internet Engineering Task Force's (IETF) Internet Privacy Working Group.

The IETF group came up with the concept "as the first attempt to implement notice and choice within the framework of the Internet," said Deidre Mulligan, staff counsel at the Center for Democracy and Technology (CDT), an IETF participant.

The idea is that Web site operators can detail their privacy practices, even creating different policies for each Web page.

At the FTC hearings, Berners-Lee gave a demonstration of what he called a P3 mock-up, showing how an end user could call up a Web site's privacy policy before providing personal information.

OPS in question

However, observers said it is questionable whether this stringent privacy element actually will make it into the P3 specifications planned for release within a few months.

The outcome is questionable because the technical foundation for P3 is the Open Profiling Specification (OPS), which mainly focuses on how to efficiently transfer user data, not keep it private.

OPS was submitted to the W3C as the basis for P3 by Netscape Communications Corp. and Cambridge, Mass.-based start-up Firefly Network, Inc. OPS is based on Firefly's client/server Passport technology, said Saul Klein, Firefly's vice president of marketing.

The Passport client software lets end users quickly transmit data about themselves to Web servers running Passport software.

This setup can simplify credit card processing or the delivery of information of interest to end users.

Barnes & Noble, Inc. and Yahoo, Inc. are among the sites using Passport, Klein said.

However, privacy advocates stressed that OPS has no mechanism for reviewing privacy policies - P3's stated goal.

"P3 is about protecting privacy. It would let me ask, 'What are your data practices?' " Mulligan said. "But OPS doesn't give me any information about the data protection practices of the entity you are dealing with. OPS is about transferring data."

"That observation is not completely incorrect," said Joseph Reagle, a policy analyst at the W3C.

He conceded that the privacy part of P3 needs work.

But OPS will definitely be a part of P3, said Philip DesAutels, who is managing the P3 effort. "We are not modifying OPS," he said.

About 30 W3C member companies - including AT&T, Microsoft Corp., IBM and Netscape - met two weeks ago to hold the first meeting regarding P3.

Although Netscape arch rival Microsoft has publicly voiced support for OPS, there could still be a dogfight over P3 at the W3C. Microsoft submitted a P3 proposal of its own.