Stay on top of privacy concerns in the online world

We now live in a society that blames the media, including Web sites, for exploiting its own ignorance. People don't understand the technology but still expect information suppliers to protect them. Because of that, Webmasters must stay on top of privacy issues and support them.

The Platform for Privacy Preferences Project (P3P), which is nearing completion as a working draft at the World Wide Web Consortium (W3C), is one of the most important recent advancements that will affect Webmasters. P3P defines a method of referencing and creating a privacy statement for a content owner. Once implemented and supported by browsers, P3P would let a user preset the times they want to send data to and from a server. It could literally let users send data, including basic requests, only to servers that are owned by companies that don't resell their information.

The idea is to use the final recommendation's information for defining privacy policy statements, which is accomplished with an XML document. Once that is done, Webmasters can reference their various policies by embedding the appropriate within HTML. The browser, or any other P3P-enabled client, would then verify that policy against a user's personal settings.

TRUSTe was one of the first firms to recognise the need for privacy statements on the Web. Sites displaying TRUSTe's trustmark seal have presented their own privacy policies to TRUSTe for approval. TRUSTe's site says in order to be approved your statement must include:

The personal information being gathered by your site.

The names of the individuals or groups collecting the information.

The ways in which data is used.

The names of the individuals or groups with whom information will be shared.

The choices available to users regarding collection, use, and distribution of their data. You must offer users the chance to opt-out of internal secondary uses, as well as third-party distribution for secondary uses.

The security procedures in place to protect users' information from loss, misuse, or alteration. If your site collects, uses, or distributes personally identifiable data such as credit card numbers, accepted transmission protocols (such as encryption) must be in place.

The ways in which users can update or correct inaccuracies in their pertinent information. Appropriate measures should be taken to ensure that information collected online is accurate and complete, and that simple mechanisms are in place for users to verify that inaccuracies have been corrected.

Once verified against the governing rules of TRUSTe, a Webmaster can post a seal of approval on a site. Although TRUSTe doesn't review what the data is actually used for, it does outline a starting point for having a privacy approval process for Web content.

The Network Associates' CyberCop Security Vulnerability Center (NAI) was formed at about the same time advertising network DoubleClick announced that it would only associate offline data with personally identifiable information such as your name or address. The NAI is still young, but to its credit it has already made appearances in front of the US Department of Commerce and the Federal Trade Commission.

Groups such as the NAI ensure that political bodies are educated on the technology, and that online marketing continues to pay the costs of running a free Internet. This group is somewhat of an online privacy portal. In addition to fostering an online environment that respects consumer privacy, it also acts as a vast resource of privacy information that spans different industries.

The HTTP Trust Mechanism for State Management is an expired Internet Draft (ID) that was submitted to the Internet Engineering Task Force (IETF) back in March 1998. The ID outlines a method for letting sites create a privacy rating reference in the HTTP header. Such a method is implemented using the PICS specification (Platform for Internet Content Selection), which makes it a little different from P3P.

The Trust Mechanism would let third parties (such as TRUSTe) create a site ratings system. Sites could then include the ratings for their pages as part of the HTTP header returned to browsers.

The browsers would then implement security features to warn, or even prevent, users from accessing data that doesn't conform to their settings.

This is a huge benefit for the world of ad serving, whereas a site might have one rating and an ad network serving ads on it (such as DoubleClick) might have another.

The Trust Mechanism could prevent you from coming off as the bad guy and place the focus on ad technologies that don't profile users anonymously. Although the ID is an expired draft, it wouldn't surprise me if it surfaced again.

In fact, even the preview release of Netscape 6, the latest browser from Netscape, has functionality when it comes to cookies and security, so clients are already considering the support for those kinds of systems.

Privacy concerns are here to stay, and it's in our best interests to understand what is happening, from a political and technical side.

I highly recommend that you do some reading because if it hasn't already, the day will soon come when you'll have to prove that your users' data is safe in your hands.