Next month, AOL Time Warner will host a meeting of the W3C -- a major Web standards group with authority over the privacy technology -- to debate what sorts of revisions may be required. The protocol, which establishes how Web sites and Web browsers can use pre-established parameters to negotiate the use of cookies, privacy policies and other information-gathering techniques, came under the W3C's auspices in 1997. The W3C released its P3P recommendation six months ago, and since then both Microsoft and AOL Time Warner have introduced some P3P features into their browsers, Internet Explorer and Netscape. But discussions on 12 and 13 November in Dulles, Virginia, might well turn to wider issues than new bells and whistles for P3P. The more crucial question facing working group members attending the W3C's Workshop on the Future of P3P may be when or whether P3P will ever see widespread demand and adoption. According to an ongoing survey being conducted by Ernst & Young, the percentage of top 500 Web domains -- as determined by Comscore/Media Metrix -- that use P3P has stagnated in recent months. (By counting domains rather than individual sites, the researchers are looking at all sites within yahoo.com, for example, as opposed to treating mail.yahoo.com and news.yahoo.com separately.) In September, 25 percent of the top 100 Web sites had some sort of P3P functionality, defined either as having a P3P reference file in an accessible location, or including a link to a P3P policy within the site's HTTP header. For the top 500 sites, that percentage dropped to 17 percent. Those results are virtually unchanged from August, with only four Web domains within the top 500 becoming P3P-enabled, according to Ernst & Young. Only one of those was in the top 100. Broken down by industry, the "shopping" category did best with a 28 percent adoption rate. At the other end of the spectrum, not a single government site in the top 500 used P3P, the study showed. Financial services sites, under increasing regulatory pressure to protect the data of their clients, turned in a below-average adoption rate of 11 percent. That indicates the degree of confusion over how P3P and the growing canon of privacy law intersect, study authors said. "The financial services sector is still in a low adoption rate," said Brian Tretick, principal with Ernst & Young. "That's because there's a lot of concern over how it applies in a regulatory environment." Effective privacy disclosure
Some companies working on Web privacy are looking to the financial services industry for examples of how not to attack the problem. Last year, the Gramm-Leach-Bliley Financial Services Modernization Act in the US required that financial institutions disclose to customers how they use private information. The result was a flurry of dense, legally phrased documents that many doubt reached their audience. "The banks spent millions to tell people what they do with all personal information and give people the opportunity to opt out," said David Steer, representative of Truste, a San Francisco online privacy not-for-profit organisation. "And in the end, people just threw them away." Partly as a result of the Gramm-Leach-Bliley Act, banks and financial services companies are among those that have organised with Truste, and with law firm Hunton & Williams' Center for Information Policy Leadership, to devise a new method of privacy disclosure. The new scheme is a nontechnological effort to post the highlights of a privacy statement in a format modelled on the "Nutrition Facts" label the US Food and Drug Administration requires on most food packaging. "The symbols and labels initiative started because privacy policies were becoming way too long for consumers to read," Steer said. "Web sites need a policy that does two things: it has to be a contract and it has to explain in clear English (the) policies that become only more complex over time. So this 'nutrition label' of privacy is a way of calling out the bits of information that consumers really care about." Another scheme to help Web surfers come to quick conclusions about a site's privacy policy is AT&T's privacy bird, a P3P-based indicator that rates a site's privacy policies as red or green depending on the surfer's preferences. Inspiring changes
While the Gramm-Leach-Bliley mailings may have been the catalyst for one new method for publicising a privacy policy, another federal law that is months away from going into effect may inspire a new flock of P3P adherents. The Health Insurance Portability and Accountability Act of 1996 (HIPPA) was written to ensure that workers don't lose their health insurance when they lose or change jobs, but also to protect the privacy of health records. HIPPA could spur significant growth in P3P adoption, Steer said. "You're seeing laws that really put a lot of the burden on companies to beef up their privacy practices," Steer said. "Health care companies are now scrambling to find a solution (to HIPPA) and they're saying if we're going to spend millions of dollars on privacy, then let's do it right. We will see more P3P adoption but it won't be a rush, it will be a trickle of sites that become P3P compliant. But then, at the end of the day, we're going to have to go out there and teach people how to use it." And that, according to lawyers familiar with the technology, will be no small task. "You can't change your Web site without going through and changing your P3P," said Eric Goldman, assistant professor at Marquette University Law School in Milwaukee and former chief counsel for Epinions. "It's really time consuming and costly to re-architect your site...to maintain your site as P3P-complaint regardless of changes you make. And so I think the underlying assumption of P3P was companies will be happy to do this because so many users will demand it, but until users demand it companies will not go through and make all the changes required to be in compliance." Ultimately, neither education nor the law may wind up having as much effect on P3P as the march of technology. P3P saw a significant boost in adoption after Microsoft installed basic P3P functionality in Internet Explorer 6. AOL Time Warner soon followed with P3P features in Netscape 7. The IE 6 implementation "had a pretty big impact on Web site adoption," said the W3C's Cranor. "That sent signals to Web developers that P3P is real, because it was built into a widely deployed product." Microsoft's implementation, which blocked some third-party Web site cookies if they were not P3P-compliant, sent a signal with some teeth in it. "By default, some of these cookies were now going to be blocked," Cranor said. "And that was a wake-up call to Web sites who discovered that their cookies were being blocked and they had no idea why. That was their first introduction to P3P."
For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.
Have your say instantly, and see what others have said. Go to the Security forum.
Let the editors know what you think in the Mailroom.
