Friday 4 Jul, 2008
Privacy's new platform
Finally, users have control over how sites use their personal information.
Posted by: James Mathewson

One of the major sources of friction for e-commerce is privacy. In poll after poll, consumers consistently say they are most concerned about how their personal data is used by the Web sites they visit. Cookies get implanted onto users' hard drives and used by any number of sites to help target marketing messages of all kinds. Any time a user fills out a form or surrenders her credit-card number, she risks that data being used in ways she had not intended. And the privacy policies posted on sites are hard to understand even for lawyers.

The Platform for Privacy Preferences (P3P) will soon change all that. Developed by the World Wide Web Consortium (W3C), P3P is a specification that standardizes privacy policy generation and enables browsers and plug-ins to translate sites' policies into point-and-click user interfaces.

At its most basic level, P3P is a standardized set of multiple-choice questions covering all the major aspects of a Web site's privacy policies. Taken together, they present a clear snapshot of how a site handles personal information about its users. P3P-enabled Web sites make this information available in a standard, machine-readable format. P3P-enabled browsers can read this snapshot automatically and compare it to the consumer's own set of privacy preferences. If a site violates those preferences, the browser can issue alerts or even block sites that don't conform.

"What makes P3P so good is that it empowers users to make choices on the information collected," says Josh Freed, director of privacy technology for Washington, D.C.-based Internet Education Foundation. Because of the power it gives consumers, it will force sites not only to P3P-enable their privacy policies, but also to improve the policies they have, he adds. If a site does not cater to user privacy preferences, it will lose their business to sites that do.

"P3P is forcing sites to take a second look at data collection, storage, use, sharing, access, and security," Freed adds. "Companies are discovering that they do things with user data that they don't need to in order to make money. The end result is better policies."

"A year from now, the major Web sites will be P3P-enabled," says Lorrie Cranor, head of the W3C's P3P working group. "By that time, it will not be a question of whether smaller sites make themselves compliant, but when."

Unpaved way for privacy

As promising as P3P is, it still faces significant challenges before it becomes ubiquitous. To date, only about one-third of the top 100 sites are P3P-enabled, according to Richard Purcell, director of corporate privacy for Microsoft and an active member of the P3P working group. Another third of those are in the process of becoming P3P-compliant, which could take up to six months. "The rest of the sites are more long-term prospects at this point," he says.

Indeed, the adoption rate among sites is the big question mark. After all, several standards and sets of best practices for privacy have been released in the past without much effect on the actual privacy policies of such companies as Amazon.com, whose privacy policies seem to change with the seasons.

Jules Polonetsky, chief privacy officer for New York City-based DoubleClick and a member of the P3P specification group, contrasts P3P with the work on best-practices efforts, and with a notable failure in TV. "All that work on best practices was doomed to fail because adoption was entirely optional," he explains. "But when Microsoft incorporated P3P into IE [Internet Explorer] 6, sites began to see it as necessary for future survival."

"Clipper chips are installed on every new TV sold in America, yet no one bothers to use the technology to filter content and ads. Why? Because none of the networks have any incentive to program in clipper-enabled ways," Polonetsky adds. "Few people even know about the technology. Fewer people know how to program their remotes for clipper-chip filtering. [In contrast], having P3P functionality in IE 6 forces sites to follow the spec. Coupled with education, this will ensure P3P's success."

Another barrier is criticism from privacy advocacy groups such as the Electronic Privacy Information Center (EPIC). In published reports, EPIC claims that P3P fails to comply with baseline standards for consumer privacy. It also says that P3P is a complex and confusing specification that will be almost impossible for users to implement.

Cranor says the specification was never intended to set privacy standards. "Our mission is self-regulatory," she says. "It is up to legislative approaches to set regulations. We simply encourage sites to post privacy policies so that users can decide which ones they prefer, and we can let the market decide what the best practices are."

As for the complexity of the standard, it was never intended to be implemented in its raw form, says Cranor. Rather, companies such as IBM, Microsoft, and AT&T (for which Cranor works as her day job) are creating tools that enable sites to more easily comply with the specification and enable users to more easily configure their privacy preferences in their browsers. AT&T's solution--Privacy Bird--is a browser plug-in that checks sites' privacy policies, compares them to user preferences, and notifies users about discrepancies. The free program is in beta as this story goes to press, but is expected to be fully released later this spring.

Martin Presler-Marshall, program manager for privacy technologies at IBM, has led the development of IBM's Policy Editor, a free download. "You could sit down with a privacy policy, a copy of the spec, and a text editor, and write the policies from scratch in XML," he says. "I've done it, but I wouldn't recommend it for the average site manager. What our policy editor does is separate the content of the policies from the nitty-gritties of the syntax, making it easier to create P3P-enabled policies."

The Policy Editor runs under versions of Windows and Linux with Java 2 enabled.

Polonetsky says that though P3P is not perfect, it will have a positive impact on privacy policies throughout the industry. "This is a good practical solution to the privacy problem," he says. "The idealists don't want to concede to their vision of perfection. Ironically, they may do more damage to privacy by not compromising with practical solutions."

Cranor echoes those sentiments. "Sure, there is room for improvement, most notably in the data security area," she says. "But it is a necessary first step to improving privacy practices throughout the industry."

P3P horizons

Given its central role in future Web services developments, Microsoft's long-term commitment to P3P speaks volumes about the specification's importance to future technology. Purcell says Microsoft has been active in the P3P working group from the beginning, but it was not until the specification embraced XML (two and a half years ago) that the company saw the specification as central to the progress of privacy-enabling technology.

"In the last two years, we've made the decision to adopt P3P," Purcell says. "Before we made the commitment, we wanted to make sure that P3P could be adopted in a real-world setting. We've been very keen on XML for some time; so the intersection of the W3C's decision to implement the specification in XML was critical to our commitment."

Part and parcel of that commitment was the company's decision to P3P-enable Internet Explorer 6, which was released in August 2001 and also was the browser integrated into Windows XP. "There are approximately 100 million installations of IE 6 in use [at the time of writing]," Purcell says. "Sixty percent of all traffic to Microsoft.com Web sites comes from IE 6 users."

But IE 6 implementation is only the start of Microsoft's long-term strategy. Purcell says Microsoft is prepared to release a P3P statement generator after the specification is finalized around the time this article hits newsstands. And the statement generator is indicative of the role P3P will play in much of Microsoft's future technology.

Purcell says the new emphasis on trustworthy computing puts a premium on privacy not only in the products Microsoft releases henceforth, but in the services it provides through Microsoft.com and MSN. "The four tenets of trustworthy computing are availability, integrity, privacy, and reputation," Purcell says. "Central to all of these tenets is security. You can't have privacy without security. I've been given expected deliverables in every quarter in the next two years related to making our [Microsoft.com] systems more trustworthy."

As chief privacy officer, Purcell has deliverables that all relate to privacy-enabling technologies, processes, procedures, and training. Of course, Microsoft's vision is only one perspective among many regarding the future of privacy technology. These perspectives run the gamut of information technology, from local-area networks of PCs to wireless Internet access. Regardless of the perspective or platform, P3P enjoys widespread support in industry. Part of that support is based on the specification's flexibility.

"As we see e-commerce move from the desktop to the palmtop, P3P is the only way sites can provide notice of privacy policies to users," the Internet Education Foundation's Freed says. "Imagine trying to read one of those long and tedious policies on a Palm handheld. If it is hard on a PC, it is impossible for a palmtop."

Human-readable privacy policies

1. Designate a privacy manager with appropriate authority and management support.
2. Make a checklist of the personal information data management practices in the company.
3. Identify the sources of consumer personal data.
4. Identify individuals with personal data access.
5. Identify partners and others with whom the data is shared.
6. Determine how long data is stored.
7. Evaluate personal data security.
8. Determine the processes and controls that ensure policy follow-through.
9. Evaluate long-term business plans that include personal data use.
10. Develop an internal privacy policy and develop consensus and support throughout the company.
11. Develop a public privacy policy for posting on the Web site and other published media.
12. Establish a vendor policy that clarifies data management rules between the company, suppliers and other third parties.
13. Train your employees, contractors, and other agents about the new privacy policies.
14. Consider third-party review and regular audits of the policy and its implementation.
15. Publish the privacy policy and establish a means of accepting and evaluating feedback from customers.
16. Continually evaluate and refine data management practices and policies.

P3P implementation guide

ComputerUser has obtained a working draft of the Internet Education Foundation's P3P Implementation Guide. The guide helps Web site owners and administrators to implement P3P-enabled privacy policies. Following is a five-step plan, which should serve as a starting point for privacy officers and webmasters to develop P3P-enabled policies (paraphrased with permission).

Describe data collected on the site using P3P base data schema or data categories.

The P3P specification provides an XML template for all the user data your site collects. P3P gives site owners a great deal of flexibility as to the level of detail of the data description. The level of detail will ultimately affect how users interact with the data collected.

Categorize the purposes for which your organization collects and uses user data.

There are a variety of things you could do with the data you collect. Do you sell aggregate data? Do you use user demographics to sell ads? Do you sell specific user data to telemarketers? Compiling all the ways in which you use data and putting them into P3P "purpose" templates enables users to see how their data are used.

Categorize recipients of data you collect.

Chances are your user data doesn't just sit in a database at your location. In order for it to be commercially useful, you need to share it with organizations such as DoubleClick or other partners of your site. P3P recipient "categories" help users know where their data goes.

Clarify opt-in or opt-out options available to your Web site visitors.

Whether you allow users to opt in to promotional opportunities or force them to opt out is a crucial feature of any P3P policy.

Clarify dispute resolution, data retention, and access policies.

How will you resolve conflicts with users or partners regarding use and sharing of personal information? Where and how is this data stored and secured? Who has legitimate access to this data? P3P allows these policies to become machine readable.
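
The five steps above, together with the browser-side comparison described earlier in the article, as an added example (it is not part of the original article or of the Implementation Guide): a constructed, abridged P3P 1.0 policy and a Python check of it against a user's preferences. The shop URLs, the PREFS structure and the function names are assumptions of this example; the element and attribute names are those of the P3P 1.0 vocabulary.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2002/01/P3Pv1}"  # P3P 1.0 namespace

# Constructed, abridged policy for a hypothetical shop (a full policy also has ENTITY).
POLICY_XML = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="shop" discuri="http://shop.example.com/privacy.html"
         opturi="http://shop.example.com/opt.html">
  <ACCESS><contact-and-other/></ACCESS>
  <DISPUTES-GROUP><DISPUTES resolution-type="service"
    service="http://shop.example.com/help"><REMEDIES><correct/></REMEDIES></DISPUTES>
  </DISPUTES-GROUP>
  <STATEMENT>
   <PURPOSE><current/><admin/></PURPOSE>
   <RECIPIENT><ours/><delivery/></RECIPIENT>
   <RETENTION><stated-purpose/></RETENTION>
   <DATA-GROUP><DATA ref="#user.name"/><DATA ref="#user.home-info.postal"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
   <PURPOSE><contact required="opt-in"/><telemarketing required="opt-out"/></PURPOSE>
   <RECIPIENT><ours/><unrelated/></RECIPIENT>
   <RETENTION><indefinitely/></RETENTION>
   <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>"""

def tags(parent, name):
    """Child tags of <name> mapped to their 'required' attribute (default 'always')."""
    kids = parent.find(NS + name)
    kids = [] if kids is None else kids
    return {c.tag.replace(NS, ""): c.get("required", "always") for c in kids}

def parse_statements(xml_text):
    """One dict per STATEMENT. Policies fetched from a site need a hardened XML parser."""
    return [{"data": [d.get("ref") for d in st.iter(NS + "DATA")],
             "purposes": tags(st, "PURPOSE"),
             "recipients": tags(st, "RECIPIENT"),
             "retention": tags(st, "RETENTION")}
            for st in ET.fromstring(xml_text).iter(NS + "STATEMENT")]

def violations(statements, refuse):
    """Compare each statement with the user's refusals, as a P3P user agent would."""
    found = []
    for i, st in enumerate(statements, 1):
        for kind in ("purposes", "recipients", "retention"):
            for value, required in st[kind].items():
                # Opt-in practices only happen with consent, so they are tolerated.
                if value in refuse[kind] and required != "opt-in":
                    found.append((i, kind, value, required))
    return found

# Hypothetical user preferences; the key names are this example's own.
PREFS = {"purposes": {"telemarketing", "contact"},
         "recipients": {"unrelated", "public"}, "retention": {"indefinitely"}}

if __name__ == "__main__":
    for v in violations(parse_statements(POLICY_XML), PREFS):
        print("statement %d: %s=%s (required=%s)" % v)
```

The first statement passes; the second is flagged for opt-out telemarketing, sharing with unrelated third parties and indefinite retention, while its opt-in contact purpose is accepted.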

 
 
Copyright © 2008 ComputerUser Inc.