Feature:

P3P plan

Here's what you need to know to deploy Platform for Privacy Preferences on your website.



The rise of e-business has led to a tidal wave of data being collected about Web site visitors, ranging from basic information to rich profiles built out of user-submitted forms. However, what exactly is collected, shared and acted upon isn't always evident to end users. This may lead to trust problems between site visitors and site owners, resulting in loss of business and even legal problems.

Privacy policies are meant to describe what a company does with the information it gathers from Web visitors. The problem is that today's privacy policies are often difficult to find, overloaded with technical jargon and legalese, and just plain hard to understand. It's no wonder that few users read them.

The World Wide Web Consortium's (W3C) Platform for Privacy Preferences (P3P) 1.0 aims to give users more control over how Web sites use their personal information by providing machine-readable privacy information that lets them act on what they see.

Deploying P3P requires you to convert the privacy practices of your organization into P3P format. To do this, you use a P3P editor such as the aptly named P3P Editor or an online policy generator such as P3P Edit. These tools prompt you to answer a series of multiple-choice questions regarding major aspects of your site's privacy policy. This information is used to generate a full XML-based P3P policy and a compact policy that is presented as a simple HTTP header.

When a P3P-aware browser such as Microsoft Internet Explorer 6 or Netscape 7 visits a Web site, it will attempt to retrieve the P3P policy to make privacy decisions. The browser looks in a well-known place off the root directory - /w3c/p3p.xml - for the full policy file, or for a small XML policy reference file or HTTP headers that point to the full policy. The P3P-aware browser parses the policy, compares it with the privacy requirements a user sets in his browser preferences, and either allows access to the site, warns the user or restricts access (see graphic).
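To make the discovery step concrete, here is an added example (not code from the article or from the W3C) of how a user agent resolves which policy covers a given page once it has fetched /w3c/p3p.xml. The policy reference file below is constructed for the example; its paths and policy fragment names are made up, the first-match rule and the 24-hour fallback lifetime are assumptions of this model, and the only wildcard honored in INCLUDE and EXCLUDE patterns is "*".

```python
import re
import xml.etree.ElementTree as ET

P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed sample of the well-known file /w3c/p3p.xml (a policy reference file).
# Paths and fragment names are invented for this example.
SAMPLE_PRF = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <EXPIRY max-age="3600"/>
    <POLICY-REF about="/w3c/policies.xml#general">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/checkout/*</EXCLUDE>
      <EXCLUDE>/images/*</EXCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/w3c/policies.xml#checkout">
      <INCLUDE>/checkout/*</INCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>"""


def _pattern_to_regex(pattern):
    """INCLUDE/EXCLUDE values are site-relative paths in which '*' is the only wildcard."""
    parts = [re.escape(p) for p in pattern.strip().split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def parse_policy_reference_file(xml_text):
    """Return the POLICY-REF entries in document order plus the file's max-age in seconds."""
    root = ET.fromstring(xml_text)
    refs = []
    for ref in root.iter(P3P_NS + "POLICY-REF"):
        refs.append({
            "about": ref.get("about"),
            "include": [_pattern_to_regex(e.text or "") for e in ref.findall(P3P_NS + "INCLUDE")],
            "exclude": [_pattern_to_regex(e.text or "") for e in ref.findall(P3P_NS + "EXCLUDE")],
        })
    expiry = root.find(".//" + P3P_NS + "EXPIRY")
    # Assumption of this model: treat a reference file with no EXPIRY as good for 24 hours.
    max_age = int(expiry.get("max-age")) if expiry is not None and expiry.get("max-age") else 86400
    return {"refs": refs, "max_age": max_age}


def policy_for_path(prf, path):
    """Resolve the policy URI that applies to an absolute path on the site.

    A POLICY-REF covers a path when at least one INCLUDE matches and no EXCLUDE
    matches. This example takes the first matching POLICY-REF (an assumption) and
    returns None when nothing covers the path, which is exactly the case in which
    a user agent falls back to treating the resource as having no policy at all.
    """
    for ref in prf["refs"]:
        included = any(rx.match(path) for rx in ref["include"])
        excluded = any(rx.match(path) for rx in ref["exclude"])
        if included and not excluded:
            return ref["about"]
    return None


if __name__ == "__main__":
    prf = parse_policy_reference_file(SAMPLE_PRF)
    for p in ("/index.html", "/checkout/pay.cgi", "/images/logo.gif"):
        print(p, "->", policy_for_path(prf, p))
```

The third path in the usage block is the case worth checking on a real deployment: a resource excluded from every POLICY-REF has no policy, so a strict browser treats it the same way it treats a site that never deployed P3P.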

[Graphic: Privacy perceptions]
Today, however, most P3P implementations do not generally operate using the full P3P policy. Instead browsers such as Internet Explorer 6 and Netscape 7 support only the compact policy form of P3P.

The compact policy focuses primarily on cookie usage, using a short set of keywords transmitted in HTTP headers. The headers can be set programmatically if pages are generated with a technology such as ASP, PHP or Java, through server configuration, or with a Web server add-on.

For example, in the case of Apache you might use the mod_headers module, while on Internet Information Server you could add the P3P compact policy values as custom HTTP response headers through the Microsoft Management Console. You can find the W3C's full deployment guide, including server configuration information, at www.w3.org/TR/p3pdeployment.

Once a P3P compact policy is set and issued to a visitor, his browser compares the policy's privacy statements with the end user's cookie acceptance policy and rejects, denies or modifies the properties of the cookie.
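The following added example (not code from the article) shows both sides of that exchange in Python: a minimal WSGI application that emits a P3P compact policy header next to its Set-Cookie, and a simplified model of what a P3P-aware browser does with it. The token vocabulary (NOI, DSP, CURa, OUR and so on) is the real P3P 1.0 compact-policy vocabulary, but the sample policy is constructed for this example, and the decision rules, which categories count as personally identifiable, and which purposes are treated as sensitive are assumptions of this model rather than Internet Explorer's or Netscape's exact tables.

```python
import re

# P3P 1.0 compact-policy tokens, grouped by the policy element they abbreviate.
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
CATEGORIES = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM", "CNT",
              "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
FLAGS = {"DSP", "COR", "NID", "TST"}

# Assumptions of this example's user-agent model (not a browser's actual rule table).
IDENTIFIABLE = {"PHY", "ONL", "FIN", "GOV"}      # categories treated as personally identifiable
SENSITIVE_PURPOSES = {"CON", "TEL", "OTP", "IVA", "IVD", "PSA", "PSD", "HIS"}
SHARING_RECIPIENTS = {"UNR", "PUB", "OTR"}

# Constructed compact policy for the sample site: real tokens, illustrative combination.
SAMPLE_CP = 'CP="NOI DSP COR CURa ADMa DEVa TAIa OUR IND UNI NAV STA"'


def parse_compact_policy(header_value):
    """Parse a P3P response-header value into grouped tokens; None if it carries no CP list."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_value or "")
    if m is None:
        return None
    policy = {"purposes": {}, "recipients": {}, "categories": set(), "retention": set(),
              "access": set(), "flags": set(), "unknown": []}
    for tok in m.group(1).split():
        base, suffix = tok[:3].upper(), tok[3:].lower()
        if base in PURPOSES and suffix in ("", "a", "i", "o"):
            policy["purposes"][base] = suffix or "a"      # a = always, i = opt-in, o = opt-out
        elif base in RECIPIENTS and suffix in ("", "a", "i", "o"):
            policy["recipients"][base] = suffix or "a"
        elif suffix == "" and base in CATEGORIES:
            policy["categories"].add(base)
        elif suffix == "" and base in RETENTION:
            policy["retention"].add(base)
        elif suffix == "" and base in ACCESS:
            policy["access"].add(base)
        elif suffix == "" and base in FLAGS:
            policy["flags"].add(base)
        else:
            policy["unknown"].append(tok)                 # kept so a deployer can spot typos
    return policy


def evaluate_cookie(p3p_header, third_party, require_policy_for_third_party=True):
    """Decide whether to accept a cookie; returns (decision, reasons).

    decision is "accept" or "reject"; reasons lists every finding that drove a rejection.
    """
    policy = parse_compact_policy(p3p_header)
    if policy is None:
        if third_party and require_policy_for_third_party:
            return "reject", ["third-party cookie without a compact policy"]
        return "accept", []
    reasons = []
    if policy["categories"] & IDENTIFIABLE:
        for purpose in sorted(SENSITIVE_PURPOSES & set(policy["purposes"])):
            if policy["purposes"][purpose] == "a":
                reasons.append(f"identifiable data used for {purpose} without opt-in/opt-out")
    for recipient in sorted(SHARING_RECIPIENTS & set(policy["recipients"])):
        if policy["recipients"][recipient] == "a":
            reasons.append(f"data shared with {recipient} without opt-in/opt-out")
    return ("reject" if reasons else "accept"), reasons


def app(environ, start_response):
    """Minimal WSGI application that issues the compact policy alongside its cookie."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("P3P", SAMPLE_CP),
                              ("Set-Cookie", "session=example; Path=/; HttpOnly")])
    return [b"hello\n"]


def response_headers(application, path="/"):
    """Invoke a WSGI app once, with no network, and return its response headers as a dict."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    list(application({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["headers"]


if __name__ == "__main__":
    print(response_headers(app)["P3P"])
    print(evaluate_cookie(SAMPLE_CP, third_party=True))
    print(evaluate_cookie('CP="NOI DSP CONa TELa OUR UNRa PHY ONL"', third_party=False))
    print(evaluate_cookie(None, third_party=True))
```

The same header can be emitted without application code: with Apache's mod_headers the equivalent directive is `Header set P3P 'CP="NOI DSP COR CURa ADMa DEVa TAIa OUR IND UNI NAV STA"'`. Whichever route you take, keep the `unknown` list from the parser empty; a mistyped token silently weakens the policy a browser sees.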

Real-world usage

One of the challenges with implementing P3P is making sure your company's privacy policy is well-thought-out, discussed and accepted internally. This is well beyond the realm of Web administrators, and bridges legal and business issues with technology. However, this isn't really the biggest problem with privacy technologies such as P3P. The bigger problem is accounting for end users and how they use technology in practice.

Users who actually rely on today's browser P3P implementations will find that they just don't go far enough. While they allow for cookie management, which is for many people the root of the privacy question, they don't get into any detailed decisions about data usage or provide much information to end users about what types of policy practices are in place. Web surfers might want to consider using a P3P browser add-on such as AT&T's Privacy Bird, which provides more complete P3P policy handling.

During everyday testing, the Privacy Bird icon chirped all the time, indicating that it had found no privacy information for the site, although it did caw loudly a few times when it found sites issuing privacy policies inconsistent with the set privacy preferences.

With so few sites having privacy policies, some would argue that P3P provides little value to end users at this point. While some surveys suggest that upwards of 25% to 30% of major sites have privacy policies, a survey of more than 850,000 sites from SecuritySpace.com showed that less than 5% of them have compact policies - the ones that would actually matter today.

Even when policies exist, users might be skeptical. According to a recent Harris Interactive survey, most users don't trust online corporations to handle their personal information properly and would like to see third-party auditing be a requirement for Web sites. Users worry that companies will share collected personal data with others or that information might be stolen by hackers or others, potentially resulting in identity theft or annoyances such as unsolicited e-mail.

Trust and enforcement

Today various "approved seal" organizations such as TRUSTe and BBB Online help improve the data-handling trust problem. Data-collecting sites increasingly post privacy seals, although deployment is not ubiquitous. What's more, such programs raise the question of whether users know and trust these approving organizations, and whether these organizations have any bite without legislation in place to penalize privacy offenders. So far the trend seems toward industry self-regulation, which suggests that freewheeling data collecting and sharing can continue as long as users are supposedly informed.

To decrease risk of potential legal problems, monitor adherence to your firm's privacy policies and clearly inform employees of the ramifications of site privacy. All too often privacy policies are crafted by a small number of people such as lawyers or site builders, but other employees who come into contact with collected data don't understand the privacy policy any more than a site's visitors.

Emerging privacy monitoring and auditing technology, including ZeroKnowledge Enterprise Privacy Manager, Watchfire Web CPO and IBM Tivoli Privacy Manager, might help you watch internal data collection and usage, but they will never provide the required assurances to make sure the data is not misused.

It's a good idea to add compact P3P policies to your sites to improve user trust. But in the final analysis, understand that privacy on the Web will not be solved solely by technologies such as P3P. Technology will only provide a framework in which policies can be presented. Education and enforcement also are required.

[Graphic: P3P in action]

Related Links

Powell is president of PINT, a San Diego Web services firm, and the author of numerous books on Web development practices. He can be reached at tpowell@pint.com.


Global Test Alliance

Powell is also a member of the Network World Global Test Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Test Alliance information, including what it takes to become a member, go to www.nwfusion.com/alliance.

Mailbag: P3P misses the privacy boat
Many of you wrote in to agree with me that the W3C's Platform for Privacy Preferences might be a far cry from an antidote to privacy woes. Network World E-commerce Newsletter, 05/08/02.

CFP: Should privacy technologies be built in?
While most attendees of the Computers, Freedom and Privacy (CFP) conference this week agreed that more needs to be done to protect consumers' privacy against the onslaught of rapidly advancing technologies that track, store and share sensitive data, how that privacy should be guarded remained a subject of fiery discussion. Network World, 04/19/02.

Preserving our privacy
If the IT industry could do more to gain users' confidence and trust in online privacy and security, ordinary people might feel better about the Internet for business and personal use. Network World, 11/26/02.

Copyright, 1994-2006 Network World, Inc. All rights reserved.