P3P Takes Steps to Address Concerns

SAN MATEO (07/03/2000) - I recently decided to take an unscientific poll among a group of friends over coffee. We considered online purchasing and privacy concerns. Of our group of 20 java junkies, only two ordered items online -- and these two had no problem with their private information being visible to others.

The other 18 typically used the Web to comparison shop before jumping offline to hit a toll-free number or a local store to make their purchases. These statistics should come as no surprise to companies supporting ecommerce applications. The high number of abandoned shopping carts online mirrors the actions of these typical end-users.

Next, I asked my group of offline purchasers if they would feel more comfortable if their end-user software (for example, Web browser) could pull the privacy policy at a Web site for their perusal and, further, if they had software options that would let them control exactly how much of their information was transmitted to the site. The answer was a resounding "yes" from everyone.

Making privacy policies more accessible and providing greater end-user control over the transmission of private information is the goal of the World Wide Web Consortium's (W3C) Platform for Privacy Preferences Project (P3P). The P3P standard, which has been under development for some time, was recently demonstrated during a first-ever public interoperability test.

Participants showed prototype versions of client software and server-based solutions that are P3P-compliant. Companies such as America Online Inc., AT&T Corp., IBM Corp., Procter & Gamble Co., and Hewlett-Packard Co. have indicated that they expect to implement the P3P standard on all or parts of their Web sites.

At the same time, Congress is examining potential legislation designed to increase privacy options for consumers online. Although the government has indicated that it will back the P3P standard and expects to implement it on a number of government Web sites, there are a number of critics of the P3P standard who feel that it doesn't go far enough.

The W3C has indicated that this version of P3P is not a complete answer to the privacy issue. For example, P3P Version 1.0 does not address privacy during the interorganizational transfer of consumer data following an online transaction.

In fact, those working on the P3P specification removed significant portions of the work before arriving at this version. Their idea was to start with a simple specification that can be implemented rapidly .

The P3P working group plans to implement subsequent versions, which are expected to include some of the work previously defined but dropped in this release, such as supporting multiple P3P policies per site. The group also wants to make changes based on feedback from early implementers.

I agree with the critics that P3P, Version 1.0 is not a complete solution. At the same time, I think the W3C is wise to start with a basic standard and to add to it. P3P is a good first step.

So what is the P3P standard, and how does it work? P3P defines a format for Web sites to create standard, machine-readable privacy policies. The policies can then be downloaded automatically as visitors view the Web site. End-user software that is P3P-compliant will display the policy information and enable options that allow users to set the privacy level they wish to observe.

There are two components that make up the P3P standard -- one server-side and the other within end-user software. On the server, P3P lets companies translate a document-based privacy policy into an XML format that can be automatically retrieved and read by the end-user. The translation can be performed manually or via automated tools. Some small tweaks to the server are necessary to let customers know that you support P3P.

On the end-user side of the equation, P3P-compliant software can take many forms. It may be integrated into the Web browser, a plug-in, or perhaps single-function software, such as a financial application. P3P-equipped end-users can automatically view a company's privacy policy and determine how much or how little information they will allow to be transmitted to the site.

I like this idea because it gives the end-user (such as my online-squeamish coffee buddies) control over their privacy. My guess is that if P3P is widely implemented and one company or another does not compromise the standard, the number of abandoned shopping carts could decrease dramatically.

P3P is just starting to be implemented at some Web sites. And end-user products that support P3P are only beginning to emerge. I expect if all goes well, you'll see it widely implemented by this time next year.

In the meantime, you can obtain more information about P3P by visiting the home page for the standard (www.w3c.org/p3p). In addition, you can view detailed information about the standard (www.w3c.org/tr/p3p) and learn more about where it is headed. Finally, you can see how Web sites use P3P by looking at the W3C's Validator page (big.w3.org/cgi-bin/validate.pl).

With thoughts of P3P, I think it's time to re-fill my cup o' java. What sorts of questions do you ask your friends over coffee? Will you adopt P3P? Write to me at maggie_biggs@infoworld.com.

Maggie Biggs is director of the InfoWorld Test Center.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about America OnlineAT&TCGIHewlett-Packard AustraliaIBM AustraliaProcter & Gamble AustraliaW3CWorld Wide Web Consortium

Show Comments