PRIVACY IN CYBERSPACE


Privacy Enhancing Technologies

P3P and Other Self Regulatory Approaches

P3P stands for “Platform for Privacy Preferences Project.” It is a standard developed by the World Wide Web Consortium (“W3C”), an organization created in October 1994 to develop common protocols to promote the evolution of the World Wide Web. The W3C describes P3P as follows:

The Platform for Privacy Preferences Project (P3P), developed by the World Wide Web Consortium, is emerging as an industry standard providing a simple, automated way for users to gain more control over the use of personal information on Web sites they visit. At its most basic level, P3P is a standardized set of multiple-choice questions, covering all the major aspects of a Web site’s privacy policies. Taken together, they present a clear snapshot of how a site handles personal information about its users. P3P-enabled Web sites make this information available in a standard, machine-readable format. P3P-enabled browsers can “read” this snapshot automatically and compare it to the consumer’s own set of privacy preferences. P3P enhances user control by putting privacy policies where users can find them, in a form users can understand, and, most importantly, enables users to act on what they see.

Whether P3P effectively protects online privacy is disputed. Several questions run through these debates: Can privacy policies effectively be expressed in a standardized, “multiple-choice” fashion? Can--and should--decisions concerning individual privacy be reduced to automated machine transactions? Is P3P, as an inherently self-regulatory regime, bound to fail? Will self-regulation be used to delay important legislative protections?

EPIC has been one of the most vocal critics of P3P, and has released several reports, including “Why is P3P not a PET?” and “Pretty Poor Privacy” (a pun on Pretty Good Privacy, or PGP, a commonly used encryption system). Marc Rotenberg, the Executive Director of EPIC, also wrote an influential article entitled “What Larry Doesn’t Get: Fair Information Practices and the Architecture of Privacy” in response to Larry Lessig’s favorable treatment of P3P in Code and Other Laws of Cyberspace (which itself concluded with a chapter entitled “What Declan Doesn’t Get”).

The Center for Democracy and Technology, on the other hand, released a report favorable to P3P, “P3P and Privacy: An Update for the Privacy Community.” CDT believes that P3P “is not a panacea for privacy,” but “does represent an important opportunity to make progress in building greater privacy protections in the Web experience of the average user.” Digital librarian Karen Coyle’s original article criticizing P3P claims that:

P3P is the software equivalent of Mr. Potato Head. It is an engineer’s vision of how humans decide who to trust and what to tell about themselves. It has a set of data elements and neatly interlocking parts, and it has nothing at all to do with how people establish trust.

Coyle has also written a reply to the CDT article, mentioned above.

Related self-regulatory approaches to privacy protection include TRUSTe, an industry consortium that sets certain minimum standards of data collection and privacy practices for its members to follow. See “The TRUSTe Program: How It Protects Your Privacy” for more information. See also the Network Advertising Initiative and read the basic principles promulgated by this consortium of five major online advertising companies.



Please send inquiries to bold@cyber.law.harvard.edu

The Berkman Center for Internet & Society