Pretty Poor Privacy:
An Assessment of P3P and Internet Privacy
Electronic Privacy Information Center
This report examines whether P3P is an effective solution to growing public concerns about online privacy. The report surveys earlier experience with "cookie" technology and notes similarities. The report finds that P3P fails to comply with baseline standards for privacy protection. It is a complex and confusing protocol that will make it more difficult for Internet users to protect their privacy. P3P also fails to address many of the privacy problems specifically associated with the Internet. The report further finds that earlier versions of P3P were withdrawn because the developers recognized that the proposed negotiation process was too burdensome for users and that the automatic transfer of personal information would be widely opposed. It is anticipated that this version of P3P will also be significantly overhauled once it is reviewed. The report concludes that there is little evidence to support the industry claim that P3P will improve user privacy citing the widely accepted Fair Information Practices.
The report recommends the adoption of privacy standards built on Fair Information Practices and genuine Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. Simple, predictable rules for the collection and use of personal information will also support consumer trust and confidence. P3P, on the other hand, is likely to undermine public confidence in Internet privacy.
Table of Contents
- Understanding Privacy
- Current Internet Privacy Risks
- Cookies -- The Precursor to P3P
- What is P3P and How Does it Work?
- Relating Cookies to P3P
- Failure to Establish Privacy Standards
- Exclusion of Non-Compliant Sites
- Absence of Enforcement
- Prognosis for Adoption
- Impact on Privacy if P3P is Deployed
- P3P Fails to Satisfy Jurisdictions with Strong Privacy Standards
- Better Alternatives Exist
- Conclusions and Recommendations
To assess a proposed technical standard for privacy protection for the Internet, it is necessary to understand the nature of privacy protection and the legal and ethical norms associated with privacy protection.
Privacy protection is widely understood as the right of individuals to control the collection, use and dissemination of their personal information that is held by others. This central principle has been adopted in U.S. law, privacy laws outside of the United States and many international agreements, including the U.S. government, the 1980 OECD (Organization for Economic Cooperation and Development) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The OECD Privacy Guidelines and privacy laws are based on a set of Fair Information Practices that describe the obligations of organizations that collect personally identifiable information and the rights of individuals who give up their personal information.
Central to the concept of privacy and the aim of Fair Information Practices are the goals of transparency and fairness. Transparency means that when organizations collect information about individuals they should make known to the individual the information that is collected and how it used. Fairness means that information is used only for the purpose for which it is collected. If the organization wishes to use personal information for additional purposes, it is obligated to obtain the explicit permission of the individual involved. Together the principles of transparency and fairness help establish trust and confidence in commercial relations where personal information is acquired. It is widely understood that for these principles to be effective they need to apply on a widespread basis, with few if any exceptions.
Privacy protection is also understood as the ethical obligations associated with the collection and use of personal information. Doctors, lawyers, accountants, and professionals all understand the obligation to hold in trust personal information that is obtained in the provision of a service.
Central to the legal and ethical norms for privacy protection is the recognition that individuals should not be required to negotiate or choose among Fair Information Practices. Such negotiations would invariably disadvantage those who could not purchase sufficient privacy and would lead to a gradual decline in the level of protection available to the general public. Privacy protection exists where Fair Information Practices are enforced.
Current Internet Privacy Risks
To assess a proposed technical standard for privacy protection for the Internet, it is necessary also to understand the privacy problems that are unique to the Internet.
Today the Internet faces a wide range of privacy problems. The Internet Protocol (IP) used to transmit web pages creates a privacy risk that is not imposed by web browsers but in the transmission of web pages through the IP. When a browser requests a page from a server, the browser's IP address is transmitted as the return address to which the requested page is to be sent: a kind of digital caller ID. Various services are available today to disguise one's IP address. These are true privacy-enhancing technologies, because they remove identifying information.
An example of a privacy-impacting feature is the "referrer" header that identifies the URL of the page that caused the current page to be requested. This can happen in two ways. The first is where the user clicks on a link; this allows sites to see where their visitors are coming from. The second is if a graphic is included in a page; the most important case for privacy is where a banner ad is served on a page returned by a search engine. The companies that serve banner ads use this feature to target advertising: search for "station wagon" for example, and you may get an ad for Volvo. This feature might be acceptable as providing transient information only, were it not for another feature that allows long and potentially revealing records of search queries to be assembled. That feature goes under the innocent-sounding name of "cookies."
Cookies -- The Precursor to P3P
Before cookies, HTTP was a "stateless protocol": nothing linked your request for one page on a site to subsequent requests. Netscape decided to extend the protocol to allow sites to tag your browser with information that would be available to the site when you returned. As a result, the ability of Internet users to freely navigate the Internet was diminished.
Subsequent public outcry and growing awareness of cookies has led browser manufacturers over a period of several years to slowly give users some measure of control over cookies, assuming the user is aware of them and knowledgeable enough to exercise the choices that have been provided. Still, these measures are confusing and impractical and falls far short of what privacy advocates have asked for.
In Netscape's original patent application, engineers did not intend cookies to be privacy-invasive; they anticipated that the contents of shopping carts would be kept on the shopper's PC for the duration of the visit. But since 1996 they have been almost universally used in one way: to assign a unique visitor number to the PC, and to keep all relevant information on the server side indefinitely.
A third party can also set cookies when accessing a web site. Third party banner advertisers such as DoubleClick typically do this. This permits a history of browsing behavior to be assembled, and linked to other information. These so-called third-party cookies practice are clearly privacy-invasive, and since 1997 privacy advocates have asked browser manufacturers to remove them.
In the same year a document before the Internet Engineering Task Force, RFC 2109 proposed the same change. These requests have met with resistance and inaction because by making that simple change of disallowing third-party cookies, the privacy damage being done by Internet advertisers could have been avoided. The browser makers decided the privacy of surfers was not as important as that the data-gather opportunities of their companies and their commercial partners. Rather than fix the problems with cookies, which Microsoft and Netscape could have done long ago, the companies that develop browser software are now promoting P3P which will raises even more privacy problems than cookies.
What is P3P and How Does it Work?
P3P is a protocol that requires Internet users to reveal their privacy preferences before they are allowed to access information on the Internet.
The Platform for Privacy Preferences (P3P) is a protocol developed by the World Wide Web Consortium (W3C), with funding from many private sector organizations that have opposed privacy legislation. P3P presumes no single privacy standard, such as the OECD Privacy Guidelines, which would provide a simple, predictable, uniform environment for online transactions. Instead, P3P proposes the development of an elaborate range of privacy "choices" that require individual Internet users to make selections about the collection and use of personal data, even for online activities that would not normally require the disclosure of personal information, such as simply visiting a web site.
P3P attempts to accomplishes these goals by creating a complicated and confusing language for web sites to describe their privacy policies in a machine readable format. Major elements of the protocol allow policies to describe the contact information of the legal entity making a privacy statement, whether users will have access to information collected about them, numerous categories of data being collected (physical contact information, online contact information, unique identifiers, purchase information, etc.), the purpose(s) for collection (web site administration, research and development, profiling, etc.), and what organizations will have access to collected data (primary service provider only, delivery services, unrelated third parties, etc.).
According to W3C, P3P also allows for the creation of user agents that can be configured to reflect the privacy preferences of individual end users. Once configured, a user agent would compare its preferences with the machine readable privacy statements made by various web sites. If a web site's policy matches a user's privacy preferences, access to the site will be granted. If there is a conflict, a pop-up window describing the discrepancy might notify the user, or access to the site may be blocked.
A sample P3P transaction might look something like the following. Joe Surfer configures his P3P enabled web browser to say that he does not want to disclose his home address unless he is purchasing a product that will be delivered to his home. When Joe then connects to a popular news site that requires the disclosure of his home address before he can view content on the web site, Joe's P3P-enabled browser will block access to the site. If other popular news services also require home addresses, Joes P3P-enabled browser will prevent Joe from receiving news over the Internet. Or he will have to give up his choice to keep his home address private.
It is reported that in earlier versions of the protocol, P3P also had "negotiation" and "data transfer" modules. The negotiation module would require an end user and a web site to haggle over the terms of access by negotiating an acceptable privacy agreement. Negotiation was dropped due to concerns about the complexity of the process. The data transfer module would have allowed for the automatic exchange of personal information after an acceptable privacy agreement was reached between a user agent and a web site. This idea was dropped due to polling data that revealed widespread public opposition to the automatic transfer of personal information.
Relating Cookies to P3P
The history of cookies illustrates several problems with industry-developed Internet standards, without privacy laws, that are likely to reappear with P3P.
Cookies by default are set as a silent tracking device rather than asking the user by default whether they wish to be tracked by a particular company. Similarly, we anticipate that P3P browsers will set a low standard of privacy before the user is "alerted."
Studies have found that web users find changing the default cookie settings to be burdensome and confusing. This is partly due to the many different versions of browsers that have been released over the years. (See for example http://www.junkbusters.com/cookies.html for a sampling of the various instructions for changing cookie settings.) On most browsers multiple clicks are need to get to relevant setting, and even if people who are aware of the need to change the default find it difficult to determine the appropriate action and understand the extent of its effects. P3P promises to be vastly more complex.
Many browsers also require the user to say "no" to each cookie when a users asks to be informed when cookies are placed, which can be very burdensome when several attempts are made per page. Useful features provided by third-party cookie management software is still not standard equipment: the ability to nominate certain sites that are permitted to set cookies, and have all others silently rejected.
Failure to Establish Privacy Standards
Technical methods to implement Fair Information Practices seek to give individuals greater control over the collection and use of personal information and to enable access to information. But P3P does not take this approach. It fails to establish privacy standards.
P3P builds on the notice and choice privacy approach. This is a weak model for privacy protection because it fails to ensure the observance of Fair Information Practices. This is also not the approach that the United States has typically taken to ensure privacy protection in other sectors with rapidly changing technology. The privacy of cable subscriber records is protected because of a provision in the Cable Act. The privacy of video rental records is protected by the Video Privacy Protection. The privacy of telephone calling records is protected by a series of laws and regulations.
Many in industry believe that the P3P standard will help solve the privacy problem because it will facilitate choice about privacy practices. But the real choice offered is not how to protect privacy, but how much privacy to give up. The FTC Chairman, in a report released in May 2000, made the point very well that the reason we need privacy laws today is that consumers are too often asked to give up their privacy for some benefit.
Strong technical measures are needed that give people greater control over the collection and use of personal information, and that limit where possible the collection and use of personal data.
Exclusion of Non-Compliant Sites
P3P will effectively exclude good web sites that lack P3P code even though the privacy practices of these sites may far exceed sites those that are "P3P compliant."
P3P is developed from a self-regulatory aspect giving web sites the option of whether to incorporate the P3P protocol on their web site. When a web site collects too much data they probably will not incorporate the P3P protocol. If few sites support P3P, consumers will have little incentive to use the technology, thus creating a sort of chicken and egg problem. "If not enough sites support the standard, consumers are not likely to deal with the daunting configuration, yet if not enough consumers demand it, marketers are unlikely to bother implementing it (Bruner, 1998)." Citigroup, who helped author the original P3P specification, presented this situation for data marketers in their white paper on P3P.
Absence of Enforcement
P3P lacks any means to enforce privacy policies.
Even where there is agreement about the privacy terms for a particular transaction, P3P provides no means to ensure enforcement of the stated privacy policies and the P3P developers do not seem particularly concerned about this problem. According to the most recent P3P specification:Although P3P provides a technical mechanism for ensuring that users can be informed about privacy policies before they release personal information, it does not provide a mechanism for making sure sites act according to their policies. Products implementing this specification MAY provide assistance in that regard, but that is up to specific implementers and outside the scope of this specification. (Cranor et al, 2000)
Thus in jurisdictions where there are no privacy rights established in law, Internet users will have to rely on the non-enforceable policies represented in the P3P protocol.
Prognosis for Adoption
After more than three years in development, P3P still faces a number of serious challenges that will likely preclude its widespread adoption.
There is no user base and no user demand. Companies have been reluctant to adopt the complicated protocol structure, and governments has shown little indication that it will address public concerns about privacy protection.
Experience with cookies sheds light on another possible P3P user agent-side problem. Those consumers, who have taken the time to configure their browsers to notify when receiving, or reject cookies, have found that web surfing becomes nearly impossible.
The same situation will likely apply to P3P user agents. Concerned users will configure their P3P user agents to reflect high privacy protections. However, when these users attempt to access the majority of commercial web sites, endless pop-up windows warning them that a site wishes to go beyond their specified privacy preferences will result. Users who have configured their agents to block sites that do not meet their preferences may well find that there are few web sites left to surf. Consumers will likely respond to this frustrating situation by begrudgingly reverting to low P3P privacy protective configurations, thus maintaining industry's present privacy invasive status quo.
The incredible complexity of P3P, combined with the way that popular browsers are likely to implement the protocol could also undermine well-established privacy standards particularly where legislation is in place. P3P may actually strengthen the monopoly position over personal information that U.S. data marketers now enjoy.
Impact on Privacy if P3P is Deployed
Given the bleak prospects for adoption, P3P will likely serve to delay other efforts to establish privacy standards.
Microsoft and Netscape/AOL are likely to implement P3P in a way that sets very low privacy preference defaults. This is true because these companies are paid through advertisements and data collecting, so it in their best interest to have the lowest privacy preference as defaults. If this is the case, user agents may actually facilitate the collection of even more information than is now typical. The perverse effect of possible P3P implementations which seeks to extract privacy rather than protect it, is that those people who most value their privacy will be shut out of the web.
Critiques of P3P also call into question its much-hyped role as a self-regulatory "solution" to the online privacy problem. Rather than a Privacy Enhancing Technique (PET), P3P may well prove to be a Privacy Intrusive Technique (PIT) (Rotenberg, 2000).
P3P Fails to Satisfy Jurisdictions with Strong Privacy Standards
P3P has not impressed those jurisdictions that have considered its use to implement legal rules for privacy.
The European Union, which does have baseline, legally enforceable privacy rights in the form of the EU Data Directive, has explicitly rejected P3P as part of its privacy protection framework. In a strongly worded January 1998 opinion statement, the European Commission identified numerous problems with the protocol. First it argued that P3P "has not been developed with reference to the highest known standards of data protection and privacy, but has instead sought to formalize lower common standards." Next it pointed out the information asymmetry problem, noting that:A technical platform for privacy protection will not in itself be sufficient to protect privacy on the web. It must be applied within the context of a framework of enforceable data protection rules, which provide a minimum and non-negotiable level of privacy protection for all individuals. Use of P3P in the absence of such a framework risks shifting the onus primarily onto the individual user to protect himself, a development which would undermine the internationally established principle that it is the "data controller" who is responsible for complying with data protection principles.
Finally, there was concern that P3P might create confusion about the obligations of EU-based companies, and the privacy rights of EU consumers:There is a risk that P3P, once implemented in the next generation of browsing software, could mislead EU-based operators into believing that they can be discharged of certain of their legal obligations (e.g. granting individual users a right of access to their data) if the individual user consents to this as part of the online negotiation. In fact those businesses, organizations and individuals established within the EU and providing services over the Internet will in any case be required to follow the rules established in the data protection directive 95/46/EC (as implemented in national law) as regards any personal data that they collect and process. P3P might thus cause confusion not only among operators as to their obligations, but also among Internet users as to the nature of their data protection rights. (European Commission, 1998)
For these reasons, the EU has not adopted P3P as a technical mechanism for enforcing its privacy laws.
Better Alternatives Exist
There are much better technical methods for Internet privacy protection than P3P currently available to Internet users.
The P3P developers claim that the P3P protocol is the only widespread standard for privacy protection, but this is nonsense. At present, there is hardly any P3P enabled web sites in the world. Meanwhile, there are many genuine technologies for privacy protection widely available on the Internet. A quick survey of the EPIC Online Guide to Practical Privacy Tools [http://www.epic.org/privacy/tools.html] shows a wide range of services currently available for anonymous surfing, defeating cookies, HTML filters and more.
Those techniques that protect privacy minimize or eliminate the collection of personally identifiable information. There are many tools currently available that provide these privacy solutions and many more are being developed.
Conclusions and Recommendations
P3P fails to comply with baseline standards for privacy protection. It is a complex and confusing protocol that will make it more difficult for Internet users to protect their privacy. P3P also fails to address many of the privacy problems specifically associated with the Internet.
Earlier versions of P3P were withdrawn because the developers recognized that the proposed negotiation process was too burdensome for users and that the automatic transfer of personal information would be widely opposed. It is anticipated that this version of P3P will also be significantly overhauled once it is reviewed.
Companies that seek to promote online privacy will not burden web visitors with P3P. Good privacy standards will be built on Fair Information Practices and genuine Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. Simple, predictable rules for the collection and use of personal information will also support consumer trust and confidence. P3P, on the other hand, is likely to undermine public confidence in Internet privacy.
Ackerman, M.S. and Cranor, L.F. (1999, September). Privacy critics: Safeguarding users' personal data. WebTechniques.com. Available: http://www.webtechniques.com/archives/1999/09/ackerman/ .
Bruner, R.E. (1998, 30 June). P3P: Programming privacy. Executive Summary, 1 (7). Available: http://www.exec-summary.com/trends/980630.phtml .
Cerasale, G. and Faley, P. (1998, 6 July). Comments of the Direct Marketing Association on elements of effective self regulation for the protection of privacy and questions related to online privacy. Testimony before the Department of Commerce. Available: http://www.ntia.doc.gov/ntiahome/privacy/mail/disk/DMA.htm .
Clarke, R. (1998). Platform for privacy preferences: A critique. Available: http://www.anu.edu.au/people/Roger.Clarke/DV/P3PCrit.html .
Coyle, K. (1999, June). P3P: Pretty poor privacy? A social analysis of the Platform for Privacy Preferences. Available: http://www.kcoyle.net/p3p.html .
Cranor, L., et al. (2000, 10 May). The Platform for Privacy Preferences 1.0. W3C Working Draft. Available: http://www.w3.org/TR/P3P/ .
Einstein, D. (1997, 27 May). New standard offers privacy protection. San Francisco Chronicle, C1.
European Commission. (1998, January). Platform for Privacy Preferences and the Open Profiling Standard. Draft opinion of the Working Party on the Protection of Individuals with regard to the processing of Personal Data. Available: http://www.epic.org/privacy/internet/ec-p3p.html .
Federal Trade Commission. (2000, May). Privacy online: Fair information practices in the electronic marketplace. Report to Congress. Available: http://www.ftc.gov/reports/privacy2000/privacy2000.pdf .
Federal Trade Commission. (1996, 4 June). Testimony: Public Workshop on Consumer Privacy on the Global Information Infrastructure. Available: http://www.ftc.gov/bcp/privacy/wkshp96/pw960604.pdf .
Guglielmo, C. (1999, 26 January). Privacy proposal faces patent challenge. Inter@ctive Week. Available: http://www.zdnet.com/intweek/stories/news/0,4164,2194490,00.html .
Hunter, C.D. (1999). Filtering the future? Unpublished thesis in Communication. Annenberg School for Communication, University of Pennsylvania.
Lee, K. and Speyer, G. (1998). Platform for Privacy Preferences project and Citibank. Citibank White Paper. Available: http://www13.w3.org/P3P/Lee_Speyer.html .
Mulligan, D. et al, (2000, 28 March). P3P and privacy: An update for the privacy community. Available: http://www.cdt.org/privacy/pet/p3pprivacy.shtml .
Netscape Communications Corporation. (1997, 27 May). Netscape, Firefly and Verisign propose Open Profiling Standard (OPS) to enable broad personalization of Internet services. Netscape press release. Available: http://www.netscape.com/flash4/newsref/pr/newsrelease411.html .
Reagle, J. and Cranor, L. (1998). The Platform for Privacy Preferences. World Wide Web Consortium NOTE. Available: http://www.w3.org/TR/1998/NOTE-P3P-CACM/ .
Reagle, J. and Wenning, R. (2000, 18 April). P3P and privacy on the web faq. Available: http://www.w3.org/P3P/P3FAQ.html .
Rotenberg, M. (2000, 7 February). What Larry doesn't get: Fair information practices and the architecture of privacy. Paper presented at the Stanford Law School Symposium on Cyberspace and Privacy. Available: http://stlr.stanford.edu/STLR/Articles/01_STLR_1/index.htm
Rotenberg, M. (1998, 26 March). Testimony before the House Judiciary Committee. Available: http://www.epic.org/privacy/internet/rotenberg-testimony-398.html .
Weitzner, D. J. (2000, 25 May). Testimony before the United States Committee on Commerce, Science, and Transportation. Available: http://www.w3.org/2000/05/25-Senate-Privacy-Testimony.html .
World Wide Web Consortium. (1999a, 21 September). Removing data transfer from P3P. P3P Working Group. Available: http://www.w3.org/P3P/data-transfer.html .
World Wide Web Consortium. (1999b, 28 October). World Wide Web Consortium clears patent hurdle for web privacy. W3C press release. Available: http://www.w3.org/1999/10/28-P3P- IntermindPatentAnalysis-PressRelease.html .
World Wide Web Consortium. (1998a, 19 May). The W3C publishes first working draft of P3P 1.0. W3C press release. Available: http://www.w3.org/Press/1998/P3P .
World Wide Web Consortium. (1998b, 19 May). P3P 1.0 testimonials. W3C press release. Available: http://www.w3.org/Press/1998/P3P-test.html .
World Wide Web Consortium. (1997a, 23 May). W3C Platform for Privacy Preferences (P3) project approved. W3C press release. Available: http://www.w3.org/Privacy/announce/P3Approval.html .
World Wide Web Consortium. (1997b, 11 June). W3C announces the Platform for Privacy Preferences project at FTC workshop. W3C press release. Available: http://www.w3.org/Press/P3 .
World Wide Web Consortium. (1997c, 30 October). World Wide Web Consortium announces completion of P3P project phase one. W3C press release. Available: http://www.w3.org/P3P/press_release.html .