Privacy as Computer Language

We'd like to track your path through our site. We'll use the data for our own product promotion but that's it. OK with you? With P3P, your browser will do the talking. But can a universal privacy protocol really work? By Chris Oakes.

From text standards to modem speeds to encryption methods, protocols form the common ground for communications over the Net. But a newly released protocol from the World Wide Web Consortium seeks to establish terms for a decidedly less technical -- and much more social -- communications agreement: the use of personal information.

This week the Web standards body released the first public draft of the Platform for Privacy Preferences, or P3P -- a protocol meant to provide an automatic, common Web language for the acceptable use of personal information.

"The concepts are fairly stable," said Joseph Reagle, the Consortium's P3P project manager. "It's time to put it out before the public, and ask people to start implementing it."

When (and if) that happens, a P3P-compatible browser would automatically detect a Web site's privacy policy and release or not release the user's personal information accordingly. If the business's practices do not satisfy preferences in the user's browser software, the P3P protocol tries to negotiate alternative terms or, as a last resort, notifies the user, who then decides how to proceed.

"P3P is a tool that can help promote privacy goals," said Deidre Mulligan, staff counsel for the Center for Democracy and Technology. "You need to have good practices and this will enable the consumer to make decisions based on practices that are available to them."

To do its work, the protocol contains a kind of privacy vocabulary. This vocabulary is the heart of P3P, determining -- as directed by the user -- what information to release or withhold. To do this, the protocol defines various categories of information. A Physical Contact Information category, for example, contains phone number and address data, while another handles payment information, such as credit card or bank account data. The Navigation and Click-stream Data category is the conduit for tracing one's surfing habits, the trail a user leaves while browsing the Web site.

For businesses, P3P's categories organize a company's information gathering purposes: whether the data is to be used for user customization of the site or the site's own research, or whether it's for distribution to other organizations, such as direct marketers.
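The decision flow described above, sketched as an added illustration that is not taken from the article or from the P3P draft: a user agent checks each set of terms a site proposes, expressed as (data category, purpose) pairs, against the user's preferences, falls back to the site's alternative terms, and prompts the user only as a last resort. The labels paraphrase the categories and purposes the article names; they, the `Proposal` class and the `decide` function are assumptions, not the draft's vocabulary or syntax.

```python
from dataclasses import dataclass

# Labels paraphrase the categories and purposes named in the article;
# they are illustrative, not the P3P draft's actual vocabulary.
CATEGORIES = {"physical_contact", "payment", "clickstream", "demographic"}
PURPOSES = {"customization", "site_research", "third_party_distribution"}

@dataclass(frozen=True)
class Proposal:
    """One set of terms a site offers: which data it wants, and why."""
    name: str
    practices: frozenset  # of (category, purpose) pairs

def unacceptable(proposal, prefs):
    """Return the (category, purpose) pairs the user has not allowed.

    prefs maps category -> set of purposes the user accepts for it.
    A category missing from prefs is denied (default deny).
    """
    bad = set()
    for category, purpose in proposal.practices:
        if category not in CATEGORIES or purpose not in PURPOSES:
            bad.add((category, purpose))  # unknown term: never auto-release
        elif purpose not in prefs.get(category, set()):
            bad.add((category, purpose))
    return bad

def decide(proposals, prefs):
    """Try the site's proposals in order; prompt the user as a last resort.

    Returns ("release", proposal_name, categories) when some proposal is
    fully acceptable, else ("prompt", None, conflicts_of_first_proposal).
    """
    first_conflicts = None
    for proposal in proposals:
        conflicts = unacceptable(proposal, prefs)
        if not conflicts:
            return ("release", proposal.name,
                    sorted({c for c, _ in proposal.practices}))
        if first_conflicts is None:
            first_conflicts = conflicts
    return ("prompt", None, sorted(first_conflicts or []))

# Constructed sample: the site would like to pass click-stream data on to
# other organizations, but also offers research-only terms as a fallback.
SITE = [
    Proposal("full", frozenset({("clickstream", "third_party_distribution"),
                                ("clickstream", "site_research")})),
    Proposal("research-only", frozenset({("clickstream", "site_research")})),
]
USER_PREFS = {"clickstream": {"customization", "site_research"}}
```

With these sample values the agent skips the first proposal and releases click-stream data under the research-only terms; a user with no stored preferences is prompted instead.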

But this mechanized language for such a sensitive issue has taken some early criticism. For starters, some are concerned about the classification scheme and its ability to add new categories in the future.

"[The draft] provides a set vocabulary, with no description of how new terms to the vocabulary might be introduced," said a Web expert familiar with P3P, who declined to identify himself.

"Given the group's desire to get this thing out the door in a very short time frame ... I can understand the desire to limit themselves to a set of terms over which they could get agreement. But this set doesn't cut it, and there is no clear way to get other things into a later set."

The same critic also feels some of the vocabulary's categorizations are too general. "Category 7, for example, includes all demographic and socioeconomic data, which is ridiculously broad."

The P3P draft answers these concerns with a call for changes down the road: "Much of the work done on this schema was conducted under significant time pressure," it reads. "Accordingly, there is interest from members of the working group to have some of these issues revisited in the future by the W3C or other entities as appropriate."

Sticky Issue of Adoption

Beyond technical criticism of the protocol's design, many observers focus on whether P3P will even be deployed in the majority of Web browsers and server software, a factor crucial to its success.

Roger Clarke, an Australian information technology consultant who served as a panelist on P3P at the recent WWW7 conference in Australia, said one of the key issues to successful adoption is whether or not developers -- most notably the browser vendors -- will see a profitable market for P3P-compliant products.

For the moment, he sees some early signs suggesting they will. "Hopeful, even positive" signs, he said via email.

"I think the jury's still out as to how many software companies are going to program this in and how easy it's going to be for consumers to program their preferences," said Susan Scott, executive director of TRUSTe, the nonprofit organizer of an existing online privacy program.

Scott's organization has been campaigning for a year to put its branded "trustmark" on the homepages of participating commerce sites, a seal of approval indicating that the site has disclosed its privacy practices in a TRUSTe-defined policy statement.

But "that is the key question," she said, "how universally adopted P3P will become." For Scott, the answer will depend in part on online retailers perceiving privacy disclosure as a means of helping their businesses by getting more and better information from consumers.

TRUSTe's own membership list may tell part of that story. So far, only 75 sites have become TRUSTe-labeled sites, suggesting that privacy assurances are a low priority right now for online business.

"I don't think it's a burning platform for corporate America," said Stacey Bressler, vice president of business development for CommerceNet, an industry consortium for businesses involved in electronic commerce. "They've told us that it's not."

Asked about the privacy practices of the online bookstore Amazon.com (not a TRUSTe participant), an Amazon representative simply referred the question to the privacy section of the site's customer "bill of rights." It consisted of a simple statement that Amazon would not sell its customers' information.

Still, Scott counters that TRUSTe is actually making important headway. Half of the Web's top 20 sites have signed on to the TRUSTe program, she said, from America Online's site to Yahoo to IBM -- bringing high-profile credibility to the TRUSTe mark. "With these sites joining, it's going to have a snowball effect."

Even if P3P can be adopted where TRUSTe has lagged, Clarke raises the question of whether most users will believe sites' privacy policies anyway. "That one worries me," he said, "because a lot of Web newbies aren't netizens. And there's plenty of reasons for netizens to be pretty cynical about US-style, unsupervised, and sanctionless self-regulation."

Nobody but Americans, he told WWW7 attendees back in March, are naive enough to believe that any industry can self-regulate. In the absence of "a combination of incentives and disincentives," Clarke said, Web sites are unlikely to comply with their privacy statements.

"In short, I see more difficulties in the economics and politics than in the design of the standard."

Nonetheless, for what it can accomplish, Clarke considers P3P a "well-conceived, well-executed, and above all balanced" initiative.

Those are some of the reasons the Consortium's Reagle hopes P3P gets a fair shot. "The task of designing a social technology is not an easy one," he said. "The priority is, let's not be stupid. Let's not shoot ourselves in the foot. It's not a perfect solution, it's a best effort. Let's not preclude options unnecessarily."