Concerns about online data collection have prompted legislators and regulators to take a critical look at online data privacy [1] and motivated technical solutions to online privacy problems. Over the past two years, several organizations have launched efforts to develop "user empowerment" approaches to online privacy [2]. These efforts include TRUSTe [3], and W3C's Platform for Privacy Preferences Project (P3P) [4]. P3P is intended to allow Web sites to express their privacy practices and users to exercise preferences over those practices. If a relationship is developed, subsequent interactions and any resulting data exchanges are governed by an agreement between the site and the user. After configuring privacy preferences, individuals should be able to seamlessly browse the Internet; their browsing software negotiates with Web sites and provides access to sites only when a mutually acceptable agreement can be reached. P3P efforts focus on how to exchange privacy statements in a flexible and seamless manner. However, the platform may be used in conjunction with other systems, such as TRUSTe, that provide assurances that privacy statements are accurate [5].
The P3P working groups have tried to develop a platform that will address the needs of both Web sites and users. The P3P Harmonized Vocabulary Working Group has worked to develop a vocabulary that incorporates notions about privacy from a variety of legal frameworks and cultural norms. The vocabulary allows Web sites to describe the type of data they collect, the purposes for which they will use data, and other aspects of their information practices. The P3P Protocols and Data Transport Working group has tried to develop a specification that is flexible enough to accommodate a wide range of present and future online applications. The first version of the P3P specification is expected within the next few months, and several companies have announced that they will incorporate P3P into their products.
The success of P3P will depend in part on the willingness of Web sites to adopt P3P and the eagerness of individuals to use it. It will also depend on its ability to support both government-regulatory and self-regulatory privacy regimes. This panel session will begin with brief presentations on data privacy issues and an overview of the P3P design. Panelists will present their perspectives on P3P through a lively discussion among themselves and with the audience.
What does P3P mean for Web sites, software developers, and end users? What will it take for P3P to become widely adopted? Is P3P too complicated to be usable? To what extent will P3P address online privacy problems? How does P3P support various legal requirements and self-regulatory guidelines? Join us for a lively discussion on these and other questions.
Position statement: For the web to become privacy-friendly, a number of conditions have to be fulfilled. Standards must be established and publicized. Those standards must be sufficiently simple that they can be readily understood and efficiently implemented. They must be sophisticated enough to address complex needs. They must be flexible enough to be applied in different legal, lingual and cultural contexts. There must be a combination of political motive and economic incentive to impel developers to develop compliant products, and pioneers and early adopters to apply them. The P3P team scores highly for effort and intent, but as the standard reaches the harsh light of day, there is a risk it will melt away.
Josef Dietl is the World Wide Web Consortium's electronic commerce specialist and part-time policy contact in Europe. He holds a Master in Physics from the Technical University of Munich and has spent his time since then working to integrate the new media with the global society. After having co-founded a group to that effect in Munich, he moved on to CompuServe Central Europe. There he gathered live experience in electronic commerce and its legal obstacles. His work there with PICS laid the foundation for his transition to the World Wide Web Consortium. E-mail: jdietl@w3.org; http://www.w3.org/People/JDietl/
Position statement: On the one hand, advertising and other forms of third-party-payments, are predicted to be one of the most important sources of revenue for web publishing. Personalization is a key success factor for Web objects, and the capability to build a strong, bi-directional relationship with the reader is the big competitive advantage of Web publishing over print and broadcast. On the other hand, the use and potential abuse of this information rightly raises red flags in people's minds. The mechanisms provided by P3P allow services to display their privacy practices, effectively making P3P statements a selection criterion in the competition for users' attention. In other words: P3P provides services with a carrot for responsible handling of users data. The size of this carrot is determined by the users.
Daniel Jaye is the Chief Technology Officer of Engage Technologies, where he is responsible for delivering interactive database marketing products and information. Dan has focused on delivering relationship marketing solutions using VLDB parallel database technologies for the past 9 years. Prior to co-founding Engage Technologies in 1995, Dan was Director of High-Performance Computing at Fidelity Investments, where he managed Fidelity's retail marketing data warehouse and applications and led projects responsible for enterprise-wide retail customer management and re-engineering the sales process. Dan has also managed the delivery of customer database-driven applications and products at Epsilon and Andersen Consulting. Dan holds a B.A in astronomy, astrophysics and physics from Harvard College. E-mail: DJaye@engagetech.com; http://www.engagetech.com/frames/aboutus.htm
Position statement: If content is going to be subsidized by marketing, then it must be effective for the advertiser, hence the need for targeting technologies. Creating a privacy infrastructure that provides consumers with far greater protection and control than in the "physical world" while at the same time meeting the needs of web marketers is critical. Engage is in the business of balancing these two needs and feels that technology can help reconcile them and that, in fact, they are not contradictory. P3P is the best attempt so far at creating that privacy infrastructure.
Steven Lucas brings over 15 years of experience in the information technology industry to MatchLogic, Inc. As Chief Scientist, Dr. Lucas is responsible for leading MatchLogic’s efforts in legislative and standards development. Dr. Lucas has taken a number of leadership roles within the industry's leading organizations. This includes being the Editor of the P3P Protocols and Data Transport Working Group and the Chair of the Syntax and Encoding Group of P3P within the W3C. Dr. Lucas was also selected as a member of the Board of Directors for TRUSTe, a leading organization to establish trust and confidence on the Internet. Before joining MatchLogic, Dr. Lucas was the Chief Technologist and Senior Principal Consultant for dbINTELLECT Technologies. Previous to working with dbINTELLECT, Dr. Lucas held positions with Neodata Services as the Chief Technology Officer, EDS as a Consultant Systems Engineer, and Bell Labs as a Member of Technical Staff. Dr. Lucas received his Ph.D. from Stanford University. E-mail: slucas@matchlogic.com; http://www.matchlogic.com/
Position statement: The U.S. and European governments have been very vocal about the need for the industry to support the capability of the consumer to control the privacy and use of their personal data. If the private-sector efforts don't show results soon regarding privacy self-regulation, then the government will have little choice but to impose regulation. Government agencies are approaching a July 1 deadline for reporting to the White House on the progress of industry efforts for self-regulation on a variety of Internet issues. In October of this year the European Union will be in effect requiring that certain privacy guarantees are in place. This initiative could have a major impact on Ecommerce. If the Europeans aren't convinced that online privacy protections in the United States are adequate, European companies will impose restrictions on exchanging certain kinds of personal data from U.S. firms. It is clear that we must show that we have technology enablers to support privacy policies. P3P is the one of the most promising of the tools that will empower consumers and address the U.S. and European governments' concerns about privacy protection. Privacy protection, which is a key element of trust, is essential for the Web and especially Ecommerce, to flourish.
Greg Taylor is an IT Manager with biotechnology company AGEN Biomedical Ltd in Brisbane, Australia. He holds degrees in Science and Economics from the University of Queensland. He is on the board of the online civil liberties group Electronic Frontiers Australia (EFA) where he chairs its cryptography and privacy committees. Within EFA he has worked on a number of projects and campaigns aimed at influencing Australian government policies on censorship, privacy and cryptography as politicians and bureaucrats attempt to come to grips with the the many legal and social issues arising from the rapid proliferation of the global communications network. E-mail: gtaylor@gil.com.au; http://www.gil.com.au/~gtaylor/
Position Statement: We are confronted almost daily by new examples of privacy intrusion by government and commercial interests. Issues such as spam, caller identification and telemarketing have made people far more aware of privacy issues, especially the extent to which personal information is used for commercial purposes. A technical solution such as P3P certainly has noble objectives in dealing with online privacy issues. However, even if widely accepted as a standard, it runs a number of risks that may result in failure to deliver the benefits it promises.