Standards Group Updates Privacy Proposal

W3C wants you to get a snapshot of a site's policies before you give any data.

Carol Sliwa, Computerworld

• Email
• RSS
• 0 Comments

The newly released working draft of the W3C's Platform for Privacy Preferences Project, which offers Web sites a way to communicate their privacy policies in a standard machine-readable format, calls for online users to receive a snapshot of a site's privacy policy before they send any data to the site. They also would receive a warning if any health care information will be requested.

The earlier P3P specification made it difficult for users to receive a site's privacy policy before they transmitted data, and it failed to separate health care information, a sensitive issue for many people, says Lorrie Cranor, chair of the P3P working group and a senior technical staff member at AT&T Labs.

Legal Concerns

But despite the W3C working group's three-and-a-half-year effort to appease businesses, privacy advocates, technologists, and governmental officials, the P3P proposal continues to draw some skeptical comments from interested parties who question whether the proposal can adequately address the privacy concerns.

One conference attendee describes P3P as a "highly formalized expression of a very informal agreement," similar to a handshake, and questions whether an agreement would hold up in a court of law.

P3P Activity Lead Rigo Wenning, a lawyer, says digital signatures could serve as evidence that Web users had read and agreed to the privacy policy before transmitting any personal data. Legislation that would give digital signatures equal legal weight to written ones is expected to be approved by Congress this year.

Web sites that adopt the P3P specification also could face governmental action or be sued for engaging in deceptive practices, Wenning adds.

The Next Step

The first proof-of-concept P3P Interoperability Event, scheduled for June 21 in New York, is expected to draw 20 to 25 companies. Cranor says plans call for Microsoft and one other vendor to unveil tools that can help Web sites implement P3P.

Cranor predicts that P3P will reach W3C recommendation status, the final step in the approval process, this fall and that increasing numbers of Web sites will adopt the specification due to heightened pressure from the U.S. government for companies to self-regulate themselves on the issue of online privacy.

Lingering Doubts

But privacy advocate Jason Catlett, president of Junkbusters, counters that if the P3P specification "is used as an excuse not to require legally guaranteed privacy rights, it [will have] done everybody a disservice."

Catlett also questions the implementation of the standard. In order for P3P to work, code must be added to a Web browser, a proxy server, a plug-in, a Java applet, or some other piece of software that will let users indicate their privacy preferences.

Both Microsoft and Netscape Communications have committed to implementing P3P in their browsers, but Catlett says he's worried that their default settings may not offer enough protection. "If the average user's privacy is left up to Microsoft's and Netscape's choice of defaults, then God help them all," he says.W3C wants you to get a snapshot of a sites policies before you give any data.

For more enterprise computing news, visit Computerworld. Story copyright © 2007 Computerworld Inc. All rights reserved.

• Email
• Print
• RSS