The Electronic Privacy Information Center (EPIC) calls the Platform for Privacy Preferences Project (P3P) “Pretty Poor Privacy.” Perhaps that kind of skepticism is one of the reasons the protocol is catching on slowly. According to a recent poll of TechRepublic members, just eight percent have implemented P3P. Through 2003, about one-third say they’ll be in the process of P3P implementation.

In many ways, it’s not surprising that P3P isn’t on tech leaders’ radar screens. Although the XML-based protocol has been in development for several years, it’s been “official” only since mid-April, when the World Wide Web Consortium (W3C) issued the specs for P3P 1.0. For many enterprises, the emphasis today is on building tools to manage information within the company, and P3P simply isn’t part of that mission yet. Another factor may be criticism that P3P—which essentially converts existing privacy documents into a form readable by browsers—doesn’t go far enough in ensuring privacy for site visitors.

Ruchika Agrawal, a computer science graduate student at Stanford University, maintains a Web site that gathers P3P viewpoints. Agrawal said legal and policy arguments range from the view that P3P is a first step toward empowering users to protect online privacy without government intervention, to P3P as an excuse to avert privacy legislation.

Whatever the current viewpoints, P3P does have support from some heavy hitters, including IBM, AOL, Hewlett-Packard, Ernst & Young, and Microsoft. And that means that IT leaders may have to deal with P3P whether they’d like to or not.

Big companies take the lead
Sagi Leizerov, Ph.D., a privacy expert with Ernst & Young LLP, cites a May 2002 survey by the Progress and Freedom Foundation (PFF) that indicates that 35 percent of the most popular Web sites have implemented P3P to some extent. However, an Ernst & Young survey of a larger sample of sites found that just five percent had implemented P3P as of early 2002.

“The major force for implementation is Microsoft Internet Explorer 6.0, which, in a nutshell, applies more pressure on Web sites using multiple domain names, rather than smaller sites with only one domain name,” said Leizerov. He predicts that several trends will prompt increasing adoption. New browsers will read full P3P policies (IE 6.0 reads only cookie headers), putting pressure on smaller Web sites to adopt the protocol, he added.

Privacy advocates want better guarantees
Although P3P makes privacy policies easier for consumers to understand, some critics believe the standard is a distraction from more serious aspects of the privacy debate. Chris Hoofnagle, legislative counsel with the privacy-advocate group EPIC, said one unstated goal of P3P is to placate calls for government regulation of Internet privacy.

“We know as a fact that Microsoft is using P3P as a tool to stop federal privacy legislation. They’ll deny it, but I’ve been to meetings where I’ve seen it happen,” he said. (In response to TechRepublic’s request for information on Microsoft’s policy toward privacy legislation, spokesman Rick Miller said that the company added P3P capability in IE 6.0 because customers had said they were concerned about privacy, and Microsoft believes that P3P is a good technological solution. “Though not a panacea, P3P is a good step which the industry can support and which Web sites should continue to get behind. Potential legislation was simply not a factor in our decision to implement P3P,” Miller wrote.)

A second goal, according to Hoofnagle, is to limit the concept of the right to privacy to only two elements: notice and choice. European privacy law goes further by requiring that the purpose for data collection be specified. The idea in Europe is that you shouldn’t collect data where it’s unnecessary, but Hoofnagle said P3P actually facilitates data sharing.

“You can say, ‘Well, you can always set your settings,’ but it comes from the perspective that data sharing is okay.” EPIC argues that data sharing should only take place when necessary, and then should fulfill the framework of fair information practices.

Another criticism is that simply stating a policy does nothing to guarantee actual practices. Unscrupulous Web sites could present falsified compact headers that provide high promises of privacy, but then actually collect more information than stated, said Hoofnagle. “People are already falsifying keywords and other aspects of their Web sites, so I think that’s a logical extension.”

It’s up to consumers
Despite the debate over the larger privacy issues, it seems clear that the companies who favor P3P want to get it into the consumer’s hands. For example, Microsoft will require merchants accepting its .NET Passport—which allows users to access participating sites with a single password—to support P3P.

AT&T, another big P3P supporter, offers Privacy Bird as a user-friendly way to help consumers understand the level of privacy offered by sites. The software gets its name from a bird icon that appears green, yellow, or red (see Figure A) to indicate how well a site’s privacy policy matches the level selected by the user. A beta version of the software, which is free for download, works with Internet Explorer versions 5.01, 5.5, and 6.0.

Figure A
AT&T’s Privacy Bird alerts Web surfers to potential threats.

If P3P catches on the way backers hope, it could mean trouble for sites that don’t adopt the standard. Hoofnagle thinks it’s possible that future browser versions could make some sites appear privacy-invasive. He pointed out that the EPIC Web site doesn’t track users at all, but collects aggregate statistics of which pages are visited, then purges its logs.

“We’re not going to have P3P on our Web site and, as a result, our Web page may appear privacy-invasive, when in reality we have one of the most privacy-protective systems in place,” he said.

Leizerov believes that, ultimately, consumers will come to demand P3P.

“Privacy online has long been a consumer concern, but many consumers find human language privacy policies too complicated, legalistic, and long to read. P3P is an instrument that many consumers will be happy to adopt to ease such concerns.”

In IE 6.0, for example, consumers can simply choose View, Privacy Report, Summary to read straightforward statements about what a particular site may do with their information, as shown in Figure B. Radio buttons in the dialog box let them select a different level of privacy for that site.

Figure B
Internet Explorer 6.0 displays the privacy policy for