SAN FRANCISCO (05/03/2000) - It has been an interesting ride in the online world lately. Tech stocks have taken a beating, and the government is maintaining a watchful eye on Internet companies' collection of sales tax as well as on their handling of private information.
We now live in a society that blames the media, including Web sites, for exploiting its own ignorance. People don't understand the technology around them but still expect information suppliers to protect them. Because of that, Webmasters must stay on top of privacy issues and support them in the proper way.
P3P, which is nearing completion as a working draft at the W3C, is one of the most important recent advancements that will affect Webmasters. P3P defines a method of referencing and creating a privacy statement for a content owner.
Once implemented and supported by browsers, P3P would allow a user to preset the times they want to send data to and from a server. It could literally allow users to send information, including basic requests, only to servers that are owned by companies that don't resell their information.
TRUSTe was one of the first organizations to recognize the need for privacy statements on the Web. Sites displaying TRUSTe's trustmark seal have presented their own privacy policies to TRUSTe for approval. According to TRUSTe's site, in order to be approved your statement must include:
The personal information is being gathered by your site.
The names of the individuals or groups collecting the information.
The ways in which information will be used.
The names of the individuals or groups with whom information will be shared.
The choices available to users regarding collection, use, and distribution of their information. You must offer users an opportunity to opt-out of internal secondary uses, as well as third-party distribution for secondary uses.
The security procedures in place to protect users' collected information from loss, misuse, or alteration. If your site collects, uses, or distributes personally identifiable information such as credit card or social security numbers, accepted transmission protocols (e.g. encryption) must be in place.
The ways in which users can update or correct inaccuracies in their pertinent information. Appropriate measures should be taken to ensure that personal information collected online is accurate, complete, and timely, and that easy-to-use mechanisms are in place for users to verify that inaccuracies have been corrected.
Once verified against the governing rules of TRUSTe, a Webmaster can post a seal of approval on a site. Although TRUSTe doesn't review what the data is actually used for, it does outline a starting point for having a privacy approval process for Web content. This is a label, especially for ecommerce sites, to actively seek approval.
The NAI was formed at about the same time advertising network DoubleClick announced that it would only associate offline data with personally identifiable information such as your name or address. The NAI is still very young, but to its credit it has already made appearances in front of the Department of Commerce and the Federal Trade Commission.
Organizations such as the NAI will help to ensure that political bodies are educated on the technology, and that online marketing continues to pay the costs of running a free Internet.
This organization is somewhat of an online privacy portal. In addition to fostering an online environment that respects consumer privacy, it also acts as a vast resource of privacy information that spans different industries. That site (see the Resources below for a link) is a good place to read up on privacy in general. As time moves on and online companies hire privacy experts, I'm sure it will become more widely used by the companies we work for.
The HTTP Trust Mechanism for State Management is an expired Internet Draft (ID) that was submitted to the Internet Engineering Task Force (IETF) back in March of 1998. The ID outlines a method for allowing sites to create a privacy rating reference in the HTTP header. Such a method is implemented using the PICS specification (Platform for Internet Content Selection), which makes it a little different from P3P.
The Trust Mechanism would allow third parties (such as TRUSTe) to create a site ratings system. Sites could then include the ratings for their pages as part of the HTTP header returned to browsers. The browsers would then implement security features to warn, or even prevent, users from accessing information that doesn't conform to their settings.
This is a huge benefit for the world of ad serving, whereas a site might have one rating and an ad network serving ads on it (such as DoubleClick) might have another. The Trust Mechanism could prevent you from coming off as the bad guy and place the focus on ad technologies that don't profile users anonymously.
Although the ID is an expired draft, it wouldn't surprise me if it surfaced again. In fact, even the preview release of Netscape 6, the latest browser from Netscape, has additional functionality when it comes to cookies and security, so clients are already considering the support for those kinds of systems.
Privacy concerns are here to stay, and it's in our best interests to understand what is happening, both from a political as well as from a technical perspective. I highly recommend that each of you do some reading because if it hasn't already, the day will soon come when you'll have to prove that your users' information is safe in your hands.