U.S. industry, government endorse P3P privacy

The Platform for Privacy Preferences (P3P) specification may not be a panacea for the online privacy dilemma, but panelists at a conference in Washington Tuesday said it will go a long way to help consumers better understand Web sites’ privacy policies.

P3P, which last month was officially endorsed by the World Wide Web Consortium, is a technology specification that, when adopted by Web sites and consumer client software, can compare a site’s privacy policy with a user’s preferences to determine if the site measures up to the visitor’s privacy standards. The technology saves Web site visitors from having to read lengthy, and often confusing, privacy policies by having software match the user’s preferences to the stated policy.

Web site privacy notices have become buried in legal jargon because they serve two purposes at once – to act as a contract that defines the uses and limitations on information collected, and as a disclosure statement that describes the site’s privacy policy, said J. Howard Beales, director of the U.S. Federal Trade Commission’s (FTC’s) Bureau of Consumer Protection, who spoke at the conference. While a disclosure statement should be clear and precise, a legal contract easily becomes bogged down in details, hence the often unreadable privacy policies that sites end up posting, he said.

“One possible solution is P3P… it lets your computer do the reading,” Beales said, adding that the FTC’s Web site uses the specification.

Users set their privacy preferences in client software that implements P3P, such as Microsoft Corp.’s Internet Explorer browser or AT&T Corp.’s Privacy Bird program. When they visit Web sites that also use P3P, the software automatically checks users’ preferences against the Web site’s policy, then informs users if the site matches their settings, explained Martin Presler-Marshall, a software developer with IBM Corp. and co-developer of P3P who also spoke on Tuesday.

Privacy preferences can include limiting the type of information a site can gather from a user, specifying whether the site can share collected data with other companies and requiring a site to divulge how the data is used, he said.

While lauding P3P’s ability to decode Web site policies, another conference speaker said the specification solves but one piece of the privacy puzzle.

“There is no such thing as a silver bullet in the privacy world,” said Ari Schwartz, associate director of the Center for Democracy and Technology (CDT), an Internet civil liberties public interest group. “It’s not sufficient alone. Companies’ main concern should be focused on what consumers are looking for.” Some baseline legislation that outlines consumers’ privacy rights is needed, he added.

Information privacy legislation has become a hot topic in Washington, D.C., over the last month, as two congressmen introduced bills that aim to tackle the issue.

Last month, Senator Fritz Hollings, a Democrat from South Carolina and chairman of the Senate Commerce, Science, and Transportation Committee, introduced the Online Personal Privacy Act (S-2201). This measure, which deals strictly with companies’ online business practices, would force Web sites to get visitors’ permission before collecting or using “sensitive” data – information such as religious and political affiliation, financial and health information, and Social Security number. Under the bill, individuals could take private action against online companies if their rights were violated.

Critics claim Hollings’ bill would go too far in restricting online companies’ ability to collect information they need to market and sell their goods and unfairly hobbles Web sites without placing restrictions on offline operations. The bill is expected to be voted on by Hollings’ committee this week or next.

This bill will cause “significant danger to the Internet, in our view,” said Joe Rubin, director of congressional affairs with the U.S. Chamber of Commerce, which hosted Tuesday’s conference.

A few weeks after Hollings announced his legislation, Representative Cliff Stearns, a Republican from Florida and chairman of the House subcommittee on Commerce, Trade and Consumer Protection, introduced the Consumer Privacy Protection Act of 2002 (HR-4678).

This bill states that both online and offline companies must protect consumers’ personal information, but does not require users’ permission before collecting data. However, companies would need to alert users of their policies for using, sharing, and selling collected data, and would have to let users “opt out” of having the data collected. It would not grant individuals the right to private action if their privacy was violated.

CDT’s Schwartz said Stearns’ bill wouldn’t offer consumers enough protection because it doesn’t specifically deal with sensitive information. But another conference speaker who supports Stearns’ bill maintained that Congress should be setting minimum privacy standards, not maximum ones.

“P3P is wholly consistent with what (Stearns’) bill is trying to do,” said Representative Jim Moran, a Democrat from Virginia who cosponsored Stearns’ proposal. “I don’t think we should set a ceiling, but I do think it’s time we set a floor. P3P is really a floor.”