The Platform for Privacy Preferences (P3P) was created in 2002 as a tool to protect users’ privacy as they navigate the Internet. The voluntary platform was adopted by Internet Explorer, the only browser to make meaningful use of it, but since its inception, has faced a number of challenges to its intended success.
Its failures were recently highlighted in the published research of Lorrie Faith Cranor, director of Carnegie Mellon University’s CyLab Usable Privacy and Security Laboratory. Cranor, who was on the steering group to determine the specs for P3P before its release, says her study found that a large number of Web sites were using a common loophole to evade Internet Explorer’s ability to block cookies, despite users’ privacy settings otherwise.
Many of the Web sites Cranor studied contained errors in codes called compact policies (CPs), allowing the cookies to go through. CPs are three- to four-digit codes written for the P3P standard that communicate easily to a browser each Web site’s privacy policy on cookies. Browsers other than Internet Explorer (IE), including Safari, Chrome and Firefox, never adopted the standard; therefore, they do not communicate with individual cookies via CPs but rather offer broader choices to users such as to allow all cookies, only third-party cookies or none.
For all of its good intentions, the P3P platform hasn’t lived up to its potential, according to Cranor’s study; one-third of the 33,000 sites studied were evading IE cookie blocking by using CPs that did not accurately represent their practices. Some of those cases were due to common mistakes in code scripts. But, some were using prototypical CPs that have been recommended as “workarounds” for IE cookie blocking, suggesting that the privacy policy a user is essentially promised when the browser and the site communicate may be misleading. Cranor says some of these instances are simply due to the fact that the Web site owner or operator doesn’t fully understand how CPs work. But some, she says, were found to be intentionally misleading.
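As an added illustration (not part of the original article or of Cranor's study), the sketch below shows how a site owner could audit the compact policy a server sends in its `P3P` response header. It checks each token against the P3P 1.0 compact-policy vocabulary and reports which descriptive element groups are absent. The function name, the `DESCRIPTIVE` heuristic for spotting near-empty policies and the sample header values are assumptions constructed for this example.

```python
import re

# P3P 1.0 compact-policy vocabulary, grouped by the policy element each token abbreviates.
GROUPS = {
    "access": "NOI ALL CAO IDC OTI NON",
    "disputes": "DSP",
    "remedies": "COR MON LAW",
    "non-identifiable": "NID",
    "purpose": "CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP",
    "recipient": "OUR DEL SAM UNR PUB OTR",
    "retention": "NOR STP LEG BUS IND",
    "categories": "PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC",
    "test": "TST",
}
TOKEN_GROUP = {tok: grp for grp, toks in GROUPS.items() for tok in toks.split()}
# Purpose and recipient tokens other than CUR and OUR may carry an a/i/o suffix
# (always / opt-in / opt-out).
SUFFIXABLE = (set(GROUPS["purpose"].split()) | set(GROUPS["recipient"].split())) - {"CUR", "OUR"}
# Assumption for this example: groups whose absence suggests a near-empty policy.
DESCRIPTIVE = {"access", "purpose", "recipient", "retention", "categories"}
CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"', re.IGNORECASE)


def audit_cp(header_value):
    """Audit the value of a P3P response header.

    Returns None when no compact policy is present, otherwise a dict with the
    tokens that are not in the vocabulary and the descriptive groups not covered.
    """
    match = CP_RE.search(header_value)
    if match is None:
        return None
    unknown, present = [], set()
    for tok in match.group(1).split():
        base = tok[:3] if len(tok) == 4 and tok[3] in "aio" and tok[:3] in SUFFIXABLE else tok
        if base in TOKEN_GROUP:
            present.add(TOKEN_GROUP[base])
        else:
            unknown.append(tok)
    return {"unknown": unknown, "missing": sorted(DESCRIPTIVE - present)}


if __name__ == "__main__":
    # Constructed sample header values, not taken from any real site.
    for sample in ('policyref="/w3c/p3p.xml", CP="NOI DSP COR ADMa DEVo OUR NOR NAV"',
                   'CP="This is not a P3P policy"',
                   'CP="CUR"'):
        print(sample, "->", audit_cp(sample))
```

A non-empty `unknown` list means the header carries text that is not a P3P token at all, and a long `missing` list points to a policy that says almost nothing about the site's practices.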
Those involved in the P3P planning stages say that despite its shortcomings, the platform is still relevant. It could still function as a useful tool if the problems that have plagued its early success are resolved. Some say the solution is industry regulation, while others maintain the platform should remain voluntary. Cranor’s report says that “Unless regulators use their authority to take action against companies that provide erroneous machine-readable policies, users will be unable to rely on these policies.”
Ari Schwartz of the National Institute of Science and Technology chaired the outreach subcommittee that formed in 1998 to work on P3P’s specs. He says the group’s focus was to get a policy built into Web browsers that would make automated decisions, knowing that privacy policies would be complex.
Jules Polonetsky, CIPP, of the Future of Privacy Forum says P3P faced major problems from the beginning. One such problem was that not all of the P3P standard was adopted but only the part that dealt with how cookies would be handled. That meant that the only professionals paying attention to the P3P platform from its inception were those who realized their cookies were no longer being sent online. When that happened, a Web master generally stepped in and looked at the problem as a technical one: the written code wasn’t working, so an alternative code was used to allow the cookie to go through. This was done without a full appreciation that in fixing only the code, the Web master had essentially just written a new privacy policy for the company.
“In reality, that code is a dramatically important privacy statement that legal departments should be writing,” Polonetsky says.
Second, privacy policies are so detailed with disclaimers and disclosures that they are very difficult to fit to a specification such as P3P, making it nearly impossible to write a highly accurate statement, he says. Cranor agrees that policies are lacking because of the existing difficulty in trying to write a CP that is both completely transparent and also adheres to this coding system.
“One of the ways companies are getting around this is that they have a policy that is basically empty, because if you don’t say anything, then you don’t say something unsatisfactory,” Cranor says, adding that this results in incomplete policies that allow the cookie through but ignore user preferences.
Schwartz says companies have been noncompliant with P3P since its beginnings. Many of those companies were consulted quickly and made subsequent changes to their policies. But, the study proved that there is much more work to be done.
“I think you still have a lot of people who don’t understand it, which is different than it not being used,” Schwartz said. “But if you say you are doing something in a P3P policy, and you are not doing that, especially if you say you are protecting consumers, and you’re not doing that, that can raise some considerable consumer protection issues.”
Cranor says the nature of a CP is to oversimplify everything a privacy policy would state, making it difficult even for companies who are using data correctly to accurately express their practices without the cookie being blocked.
“If you have a company that collects PII and non-PII and uses the non-PII for profiling and not the PII, there’s basically no way to say that, because it all gets lumped into the same bucket,” Cranor says.
Polonetsky agrees that it can be very difficult to accurately express a privacy policy in a CP.
“It’s difficult to do anything less than rolling up the sum of all your practices and making the most extensive statement,” he says. “That gets some companies nervous about saying, ‘I do all these things, except in my privacy policy, I have more reservations about what I really think I do.’”
In fact, there aren’t many privacy professionals who could write a P3P statement today if you asked them to, according to Polonetsky.
“Today, the skill set isn’t even there for many who do privacy work to drill through a somewhat technical spec to understand cookie structures at their company and describe it in an unfamiliar terminology.”
But, it would serve them well to learn how to do so, he said, adding that in the meantime, the pitter patter of class-action lawyers’ feet can be heard as they scramble to determine whether causes of action for deceptive policies would be justifiable.
“If cases like that are brought, I think it’s going to be a big driver of reaction,” he says.
Cranor says that the Federal Trade Commission would be justified to take action, though there has been no such enforcement to date.
Both Cranor and Polonetsky say that for P3P to be successful, browsers need to play a stronger role in its effectiveness, and other browsers should join IE in implementing P3P, using it as a competitive marketing tool.
“We need all browser vendors and search engine vendors to take advantage of this privacy code and build users useful tools as consumers,” Cranor says. “And we need Web sites to adopt it. But, Web sites don’t have the incentive to adopt it because there aren’t good tools to make use of it, so it’s sort of a chicken and an egg problem. Everyone is pointing fingers and saying, ‘I’m not going to do it because they’re not doing it.’”
In the meantime, small steps would go a long way, Polonetsky says.
“If cookies were actually blocked when policies were wrong, people would work harder to get it right,” he says, adding that each new advancement needs to be balanced “to move the ball forward without breaking users’ experience.”
“If the industry is serious about self-regulation and clear communication with consumers, we have to all agree we’re going to do this,” Cranor says.