Sagi Leizerov, Ph.D., a privacy expert with Ernst & Young LLP, cites a May 2002 survey by the Progress and Freedom Foundation (PFF) that indicates that 35 percent of the most popular Web sites have implemented P3P to some extent. However, an Ernst & Young survey of a larger sample of sites found that just five percent had implemented P3P as of early 2002. "The major force for implementation is Microsoft Internet Explorer 6.0, which, in a nutshell, applies more pressure on Web sites using multiple domain names, rather than smaller sites with only one domain name," said Leizerov. He predicts that several trends will prompt increasing adoption. New browsers will read full P3P policies (IE 6.0 reads only cookie headers), putting pressure on smaller Web sites to adopt the protocol, he added.

Privacy advocates want better guarantees
Although P3P makes privacy policies easier for consumers to understand, some critics believe the standard is a distraction from more serious aspects of the privacy debate. Chris Hoofnagle, legislative counsel with the privacy-advocate group EPIC, said one unstated goal of P3P is to placate calls for government regulation of Internet privacy. "We know as a fact that Microsoft is using P3P as a tool to stop federal privacy legislation. They'll deny it, but I've been to meetings where I've seen it happen," he said. (In response to TechRepublic's request for information on Microsoft's policy toward privacy legislation, spokesman Rick Miller said that the company added P3P capability in IE 6.0 because customers had said they were concerned about privacy, and Microsoft believes that P3P is a good technological solution. "Though not a panacea, P3P is a good step which the industry can support and which Web sites should continue to get behind. Potential legislation was simply not a factor in our decision to implement P3P," Miller wrote.)

A second goal, according to Hoofnagle, is to limit the concept of the right to privacy to only two elements: notice and choice. European privacy law goes further by requiring that the purpose for data collection be specified. The idea in Europe is that you shouldn't collect data where it's unnecessary, but Hoofnagle said P3P actually facilitates data sharing. "You can say, 'Well, you can always set your settings,' but it comes from the perspective that data sharing is okay." EPIC argues that data sharing should only take place when necessary, and then should fulfill the framework of fair information practices.

Another criticism is that simply stating a policy does nothing to guarantee actual practices. Unscrupulous Web sites could present falsified compact headers that provide high promises of privacy, but then actually collect more information than stated, said Hoofnagle. "People are already falsifying keywords and other aspects of their Web sites, so I think that's a logical extension."

It's up to consumers
Despite the debate over the larger privacy issues, it seems clear that the companies who favor P3P want to get it into the consumer's hands. For example, Microsoft will require merchants accepting its .NET Passport -- which allows users to access participating sites with a single password -- to support P3P. AT&T, another big P3P supporter, offers Privacy Bird as a user-friendly way to help consumers understand the level of privacy offered by sites. The software gets its name from a bird icon that appears green, yellow, or red (see Figure A) to indicate how well a site's privacy policy matches the level selected by the user. A beta version of the software, which is free for download, works with Internet Explorer versions 5.01, 5.5, and 6.0.
Figure A: AT&T's Privacy Bird alerts Web surfers to potential threats.

Figure B: Internet Explorer 6.0 displays the privacy policy for Microsoft.com.