Roger Clarke's Web-Site

 

© Xamax Consultancy Pty Ltd,  1995-2017


Roger Clarke's 'P3P Critique'

Platform for Privacy Preferences: A Critique

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Revision of 2 July 1998

© Xamax Consultancy Pty Ltd, 1998

These notes were originally prepared to accompany a panel presentation at WWW7 in Brisbane in April 1998. The were re-published in Privacy Law & Policyt Reporter 5, 3 (August 1998) at 46-48

Available under an AEShareNet Free for Education licence

This is the second of a family of three papers. The first is an Overview (1998), and the third is a Re-visit (2001)

This document is at http://www.rogerclarke.com/DV/P3PCrit.html


Abstract

P3P is a brave attempt to establish a technological basis whereby trust can be developed between pairs of consumers and marketers. A number of causes for concern exist, whose resolution depends in part on the web-community, but in part on law-makers.


Contents

Introduction

Positives

Negatives

The Coverage of Privacy Needs

The Coverage of Legal and Cultural Diversity

The Drivers for Implementation

The Mechanisms for Ensuring Compliance

Conclusions

Resources


Introduction

The World Wide Web's Platform for Privacy Preferences (W3C P3P) initiative is an important contribution to the protection of privacy on the Internet.

This critique is accompanied by an overview of P3P. Unless you are already familiar with P3P, you need to read that overview before reading this document.

This critique is written by a long-term (25-year) privacy advocate and information technology industry professional, consultant and academic, who has been Internet-active since 1989 and web-active since 1993.

I'm an enthusiast about privacy-enhancing technologies and privacy-sensitive protocols and services, but a sceptic about them as a complete solution to privacy needs. Despite the way in which the supra-jurisdictional nature of the Internet will undermine national sovereignty over the next, say, 50 years, I still see an important role for statute law and privacy watchdog agencies as part of a complete framework for privacy protection.


Positives

Briefly, I am very positive about a number of aspects of P3P. I list them, rather than discussing them:


Negatives

The body of this document addresses aspects that I'm concerned about. They are:

I stress that these concerns will come as no surprise to the team that developed P3P. My impression is that they have done whatever they could to address them. The P3P documents address them at various points.


The Coverage of Privacy Needs

Privacy is a complex beast, and P3P addresses only a small proportion of the complete set of needs.

Working from the framework provided by the OECD Guidelines, P3P is primarily concerned with practices relating to:

The other OECD Principles, which are largely unaddressed by P3P, relate to:

The OECD Guidelines are a 1980s codification of the 1970s 'data protection' or 'fair information practices' notion, which derives from Alan Westin's 1967 work.

The fair information practices approach has been demonstrably inadequate as a means of protecting personal privacy. It has had the effect of legitimising existing privacy-invasive practices, it has failed to prevent unreasonably invasive new schemes and new features of existing schemes, and it has failed dismally to adapt to the rapid advances in information technology.

Examples of fundamental requirements that the OECD's 1980 model fails to embody, and which are not in any way addressed by P3P, include:

In short, the fair information practices paradigm is in urgent need of replacement or at least substantial augmentation.

It can be very reasonably argued that a web-protocol could not extend much further than P3P already goes. Indeed, P3P is part of a family of protocols which addresses some of these 'beyond OECD' issues in constructive ways. For example, communications security, pseudonymity and even anonymity can be supported.

Nonetheless, the effectiveness of P3P will be undermined where the legal and institutional contexts within which P3P is applied falls short of the public's needs.


The Coverage of Legal and Cultural Diversity

The team that developed P3P was dominated by Americans (because they were the most active contributers, and the most used to virtual committee work of the kind that is the norm within W3C).

On the other hand, strenuous attempts were made to gain participation from other countries. The attempts were partially successful, with contributions from Continental Europe and East Asia. The reason that I could produce this critique and the accompanying overview in parallel with the public release was that I was invited to be a member of the team, and (limited by the constraints of time-zone differences and time-availability) provided a small amount of input to the development process.

In addition, the team that produced the P3P specification sought to take into account privacy-protective instruments, such as European privacy laws, and the EU Directive (which comes into force in October 1998, and has been a focus of international discussion in recent months).

Because of the efforts made, the vocabulary that provides the ability for web-site providers to construct their practices statements appears to be rich enough to cater for mainstream assertions related to use and disclosure, subject access and openness.

That may, however, fall far short of the full set of needs. One reason is because of the partial manner in which P3P addresses the OECD framework. Another is because of the serious inadequacy of the OECD framework itself. But legal, institutional and cultural diversity cut far deeper than such sets of principles. The Francophone world is often philosophically and linguistically at odds with the rest of Europe, and translations of EU undertakings are often constructively vague. The concept of privacy translates very oddly into East Asian languages, into the large Slavic world, and into Muslim cultures, let alone into the myriad African settings.

The jury will be out for some time on whether P3P can support the expression of statements by web-site providers, and preferences of web-users, within cultures that do not share mainstream 'western' values.


The Drivers for Implementation

For P3P to have its intended impact, developers need to achieve compliance in new versions of their web-browsers, and to retro-fit the feature into existing versions. Pioneer and early adopter web-site managers, and web-users, need to acquire and apply P3P-compliant software, and to express their practices and their preferences.

For this to occur, there need to be political motivations, and economic incentives and disincentives, sufficient to energise Internet technology providers, web-site providers and web-users. In short, P3P has been invented; but for it to become an innovation, an adoption process has to occur.

P3P creates the possibility for users to bring pressure to bear on web-site providers to express acceptable practices. Whether they will actually do it depends heavily on the credibility of the complete architecture and process. The concerns expressed above about P3P's coverage are one cause for scepticism. Doubts about whether web-site providers will actually deliver against their practice statements are another reason why the initiative might be still-born.


The Mechanisms for Ensuring Compliance

What if the privacy practices statements placed on web-site providers' pages are over-statements, fibs, or downright lies?

User empowerment is not by itself sufficient, because there is an enormous power imbalance between corporations and individuals. That may be changing, as the Internet supports electronic communities, and facilitates consumer action in ways never before available; but there is no guarantee that any dramatic change in the balance of power is imminent.

A further concern is that P3P may be limited to a request-response model controlled by the marketer. It is unclear, for example, whether a consumer is in a position to offer their data for sale to goods and services providers. It is also unclear whether it will be practicable for intermediating user-agents to select and prioritise alternative suppliers based in part on their privacy practices statements.

Much is made of the ability of industry association codes to create frameworks within which compliance can be assured. But industry association activities are undermined by mavericks, who are non-members of the associations, who flout the code, and who thereby render the codes unenforceable on the associations' members. Pure self-regulation has been demonstrated time and time again not to work. Industry-sponsored, corporation-style protectors like TRUSTe are going to excite only limited confidence amongst consumers, unless there's something more behind them.

Instances of non-performance may be actionable through contract law, or through trade practices laws. But these are slow and expensive, and in some cases are not directly accessible by consumers but must be actioned by government agencies. Moroever, the sanctions available are in many cases quite trivial, and hence the legal controls are ineffectual.

A further concern is that P3P may fail to bring about a sufficient linkage between web-site providers' statements and the legal framework within which they are made. The 'assurance statement' enables, but does not (and, in practice, could not) force the expression of highly desirable clauses such as "our undertaking is subject to the X-law within the Y-jurisdiction" and "our undertaking is subject to our contract with Z-guarantor whose audit reports are available at <URL>".

There is an urgent need for self-regulatory codes to be given legislative stiffening, such that associations' initiatives have teeth, mavericks are subject to sanctions, and good corporate citizens feel justified in participating in the relevant code, because their costs in doing so are balanced by the mavericks' costs in trying to escape their responsibilities.

Note that this is not a denial of the importance of user empowerment, nor of industry assocation codes, nor of initiatives like TRUSTe, nor of protocols like P3P. It is an assertion that effective protection is dependent on a multi-partite, tiered framework, in which layers of technology, organisational practices and law combine to ensure reasonable behaviour. (For more on that matter, see Clarke 1994).

P3P is one important element among many. Unless other elements of the framework come into existence, the credibility and effectiveness of P3P will be undermined.


Conclusions

The success or failure of P3P will be partly determined by the effectiveness of its design, and its ease of implementation and integration within mainstream web-browser and web-site management products. Key questions are:

Environmental factors are, however, even more important determinants of its success or failure. Key questions are:


Resources

W3C's P3P specification and other documents are available at http://www.w3.org/P3P/

This author provides an overview of P3P, entitled 'Platform for Privacy Preferences: An Overview'

Other critiques include:

Media coverage includes:



xamaxsmall.gif missing
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.

Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 16 April 1998 - Last Amended: 2 July 1998; addition of FfE licence 5 March 2004 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/DV/P3PCrit.html
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2017   -    Privacy Policy