Subj: Online Privacy: Perspectives of Computer Professionals for Social Responsibility From: Karen Coyle, CPSR, 510-987-0567, kcoyle@ix.netcom.com To: Internet Caucus Advisory Committee Excerpt from "Some Frequently Asked Questions About Data Privacy and P3P" See full text at: http://www.cpsr.org/program/privacy/privacy.html P3P WHAT IS P3P? P3P is the “Platform for Privacy Preferences,” a new Internet protocol being developed by the World Wide Web Consortium (W3C). Protocols are the rules around which Internet software is developed. This means that the P3P functions will be implemented as part of the functioning of the World Wide Web, and most likely it will be intergrated into Web browsers like Netscape and Internet Explorer. P3P defines a standard way that the privacy practices of Web sites can be defined and that a consumer’s personal data can be requested. WHAT ARE “PRIVACY PREFERENCES”? IS THIS THE SAME AS “PRIVACY PROTECTION”? No, privacy and privacy preferences are very different concepts. Most people consider privacy to mean that others, especially strangers, do not have access to information about you. In the privacy preferences model, your personal data is not inherently private since modern transactions often consist of an exchange of personal information for goods and services. Engaging in that exchange is an exercise of ones’ privacy preferences. So if you sign up for an online information service, such as a daily newspaper, you might be exchanging information about who you are (your email address and some demographic information) and your reading habits for the access to those newspaper articles. WHAT IS THE PROBLEM P3P IS DESIGNED TO SOLVE? An article by the main developers of P3P states: “Many online privacy concerns arise because it is difficult for users to obtain information about actual Web site information practices.... Thus, there is often a one-way mirror effect: Web sites ask users to provide personal information, but users have little knowledge about how their information will be used.” P3P is not designed to eliminate or reduce the exchange of personal data, but to give the Internet user a way to exercise some discretion over the exchange of that data based on the stated data gathering and use policies of that Web site. Will P3P give me more privacy when I use the Net? No. P3P will allow you to exercise personal data preferences. It does not make your Internet use more private than it is today, although you may be better informed about what data is being collected and why. ARE PRIVACY PRACTICES REALLY THE PROBLEM? It is known that consumer concerns about the safety of using the Internet are a barrier to the development of electronic commerce. When polled, many Internet users indicate that they do not purchase items over the Internet because of privacy and security fears. If successful, P3P would help users overcome these fears and therefore increase the number of consumers who use the Internet for purchases. Privacy practices is only one factor in the consumer/retailer relationship, however. Consumers develop trust relationships with companies, whether they are home-town stores, national chains, or catalog retailers based on the company’s reputation and the customer’s previous experience, not with their privacy practices. Many people do mail-order shopping even though they know that the companies they are dealing with sell their address to other mail-order companies. P3P seems to be designed for situations in which that trust relationship does not yet exist. However, what isn’t clear is whether knowing how the data will be used will resolve this conflict. HOW WILL P3P WORK? The first implementations of P3P have not yet been released publicly, so we don’t have details about how it will look to Net users. We do know that P3P will probably be incorporated into Internet browsers like Netscape and Internet Explorer, and perhaps will be used in other Internet software. The P3P protocol does state that the software must install with the maximum “privacy” as the default. Users will provide their personal information (name, address, etc.), probably in a form, and will indicate their “privacy preferences.” When the user surfs to a Web site that uses P3P, the data request of the Web site will be compared to the user’s preferences. If they match, the requested data will either be transmitted to the Web site or the user will be asked to fill a form with the information. WHAT PROBLEMS DOESN’T P3P SOLVE? P3P actually covers only a very specific part of the online interaction: the transmittal of privacy practices to a user, and the comparison of these to the user’s preferences. P3P does not increase the security of Internet transactions. It does not make it safe to send credit card numbers over the Net. It doesn’t protect consumers from Internet eaves- dropping that gleans passwords and consumer data as it travels over the network. Security must be provided by other software such as the Web browser. It does not provide any enforcement of the privacy practices that are promised by the Web sites, nor does it give individuals any information about the trustworthiness of the site they are visiting. It does not address whether information gathered on the Net will be combined with information gathered elsewhere to create a more detailed profile of the user. It does not reduce the amount of personal data that is gathered from Internet users and it is not intended to do so. LINKS P3P The W3C http://www.w3.org The P3P Page http://www.w3.org/P3P/ PRIVACY INFORMATION CPSR’s Privacy Page http://www.cpsr.org/program/privacy/privacy.html CPSR’s SSN FAQ http://www.cpsr.org/cpsr/privacy/ssn/ssn.faq.html The Privacy Rights Clearinghouse http://www.privacyrights.org/ The Electronic Privacy Information Center (EPIC) http://www.epic.org U.S. Federal Trade Commission’s privacy page http://www.ftc.gov The Global Internet Liberty Campaign’s Privacy and Human Rights http://www.privacyinternational.org/survey/ ------------------------ This document prepared and maintained by Karen Coyle, with generous help from Andy Oram, Rick Barry, Harry Hochheiser and Marc Rotenberg. Send comments to kcoyle@cpsr.org .