Cranor, a principal technical staff member at AT&T Labs-Research, has become virtually synonymous with P3P. She is the chair of the World Wide Web Consortium's (W3C) P3P working group. She designed AT&T's "privacy bird," a software download that turns different colors based on a Web site's P3P settings.
This year, Cranor wrote the book on P3P. Published by O'Reilly & Associates, Cranor's Web Privacy with P3P is currently the only title devoted to the subject, though John Wiley & Sons will publish a similar manual in March.
Cranor and her working group last week brought corporate, educational, standardization and government representatives to America Online's Dulles, Va., campus for a two-day workshop on the future of P3P. In an interview with CNET News.com, Cranor described the workshop and speculated on the future of the W3C's controversial privacy platform.
Q: Critics of P3P say it's just too complex and costly for the average Web site to implement and maintain. Is that a fair criticism? Is the complexity something that future versions of P3P will worsen or alleviate?
A: No, I don't think that's fair. The average Web site is a small Web site with a single Web server. There are now a variety of tools available for creating P3P policies and documentation that tell you how to do it. Someone who doesn't know anything about P3P will need to do some reading first to get up to speed--a lot of the problems Web site developers are having with P3P are because they are trying to just do some hacks to prevent IE 6 from blocking their cookies without understanding what P3P is or how to use it properly.
Why do we need P3P at all? What's a concrete privacy scenario that could convince the average Web surfer that this technology is important?
A few years ago, hardly any Web sites had privacy policies. Now they have policies, but they are very long and full of legal jargon, so hardly anybody reads them. P3P enables a Web browser--or other software--to read these policies automatically and let the user know if there's something that might conflict with their preferences. The browser might also display an English language summary of the site's policy that is a lot shorter and easier to understand than the full policy. And the browser might make cookie-blocking decisions based on the P3P policy. Instead of choosing between accepting all cookies or blocking all cookies, users can instruct their browser to block only the cookies that are going to be used in ways they find objectionable.
In order to create a P3P policy, sites have to answer a series of multiple-choice questions. Many sites have privacy policies that don't actually answer all these questions, so sites are having to make disclosures about some aspects of their privacy policies that they never talked about before. So P3P is increasing the transparency around Web site privacy policies. As a result, some sites are actually improving their privacy practices--rather than tell the world about a policy that might make them look bad, some are actually cleaning up their acts. As more sites become P3P-enabled, I think consumers will also be able to use P3P to comparison shop. Not only will you be able to compare the products and prices offered on various sites, but you will be able to compare their privacy policies as well. This in turn is also likely to lead to better privacy practices.
The initial discussions that led to P3P began in 1995, but the work of actually drafting the specification began in 1997. Initially there was a vision of a tool that would allow users to actually negotiate with Web sites over their privacy policies. Later we decided to focus on the less ambitious goal of simply informing users about each site's policy.
Who showed up to last week's conference?
We had about 50 participants from industry, government, academia and nonprofits. From industry, we had representatives from AT&T, AOL, IBM, Microsoft, DoubleClick, Coremetrics, Citigroup, Ericsson, Fidelity and others. We also had representatives from the Center for Democracy and Technology, the Electronic Privacy Information Center, Liberty Alliance, the European Commission, the Federal Trade Commission and the New York Attorney General's office. The Ontario Privacy Commissioner also participated.
The conference asked where P3P was going in the future. What's the answer?
We had a lot of great discussions and many ideas were put forward. Some of the ideas we talked about were long-term goals and some were short-term issues that might be addressed over the next year. We did not make any definite decisions, but we got a sense of everybody's priorities and got volunteers to write up short proposals for work in a number of areas. These will be discussed on our workshop mailing list, and then we will put together a proposed charter for a working group to start doing the work.
What were some of the more out-there suggestions for changing P3P? What were some of the most likely to succeed?
We didn't get too much in the way of "out-there" suggestions, as we deferred most of the discussion about longer-term goals to our next workshop, which will take place in Germany some time next summer.
I think in the short term, the emphasis will be on relatively minor changes to the P3P specification that will make it easier for more sites to P3P-enable quickly and be backwards-compatible with P3P 1.0. We will be looking for ways to improve P3P compact policies, adding a few new terms to the "P3P vocabulary" that is used to create P3P policies, making some recommendations on ways that P3P software can display P3P policies in user friendly language, and coordinating with other groups to find ways to leverage P3P in other efforts such as Web services and identity management. A longer-term effort will probably look at ways that we might add a mechanism to P3P that would allow users to consent to a set of data practices described in a P3P policy.
Well first of all, while I did say that adoption was slower than I would have liked, I also said that I was pleased that so many sites have already adopted P3P. You can look at it as the glass being half full or half empty. You can say "six months have passed and only a quarter of the most popular sites have adopted P3P" or you can say "in only six months we are already seeing P3P policies on over a quarter of the most popular sites." Yes, I would like to see the adoption rate pick up even more, but I would not characterize P3P as having "stalled" as your article last month suggested.
In a position paper you co-authored and submitted to the conference last week, you wrote, "the technological mediation by software agents that is designed to ease the ability of users to understand the privacy practices of Web sites risks adding ambiguity, confusion and legal uncertainty." Can you briefly summarize the solutions you envision for these difficulties?
In the case of P3P, the problem stems from the fact that the P3P specification places few requirements on user agent implementers. We don't want to restrict implementers in ways that will make it difficult or impossible to implement P3P in new situations--for example, on mobile phones. However, I think it makes sense to provide some guidance to implementers about how to translate the complicated privacy concepts in the P3P vocabulary into user friendly language.