1 / 21

Platform for Privacy Preferences (P3P) : Lessons Learnt for Privacy Standards

Platform for Privacy Preferences (P3P) : Lessons Learnt for Privacy Standards. Workshop on technical standards and privacy by design A. Michael Froomkin Laurie Silvers & Mitchell Rubenstein Distinguished Professor of Law University of Miami August 21, 2012.

macey-wise
Download Presentation

Platform for Privacy Preferences (P3P) : Lessons Learnt for Privacy Standards

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Platform for Privacy Preferences (P3P): Lessons Learnt for Privacy Standards Workshop on technical standards and privacy by design A. Michael Froomkin Laurie Silvers & Mitchell Rubenstein Distinguished Professor of Law University of Miami August 21, 2012

  2. The Problem P3P Was Designed to Solve • Privacy principle: • Users should control use of personal information about them held by others – or at least negotiate rules about it • But in fact: • Your browser says a lot about you • Users share data with web sites • Web privacy policies are • Under-specified • Unclear, complex, non-standard • Unread

  3. The Platform for Privacy Preferences (P3P) • A standards-based approach • Server offers machine-readable policy • Web client retrieves privacy policy • Can be set to take action based on preset user preferences • User can import preferences from third parties • P3P enabled search engines could search for content with privacy settings • Exclude or downgrade or flag privacy-unfriendly sites • Similar triage could happen at browser level

  4. How P3P Works • Standard definitions of data practices • Expressed in standardized vocabulary • User agent requests P3P policy reference file • May be on-site or in other location • User agent compares policy to user’s preferences, acts accordingly • E.g. ‘privacy bird’ displays happy or angry • Sites are hidden, or popup warnings display • User can query differences from preferences

  5. P3P Policy Contents • Source: Lorrie F. Cranor, Praveen Guduru, and ManjulaArjula, "User Interfaces for Privacy Agents," ACM Transactions on Computer-Human Interaction (TOCHI) 13, no. 2 (June 2006): 135.

  6. Advantages of P3P • User empowerment • No centralized content control • Some centralized semantic definitions • Extensible (XML) • No censorship (except by user choice) • P3P spec developed by W3C consensus process • Relies on voluntary implementation • User demand for privacy could drive adoption • US FTC liked the idea (“PICTS for privacy”)

  7. Al Gore Liked It "I welcome this important new tool for privacy protection … It will empower individuals to maintain control over their personal information while using the World Wide Web." -- US Vice President Al Gore (1998) (Larry Lessig liked it too.)

  8. OECD Guidelines Checklist √ • P3P did address • Issue of data collection directly from the user (web surfer) • Limitations on data use by web site can be specified, e.g. • Original purpose • Authority of Law • Consent • Emergency • Disclosure / openness of data usage

  9. OECD Guidelines Checklist X • P3P didn’t address • Practices relating to data collection from third parties • Data storage and retention • Data quality • Anything beyond honor or external legal control for data mis-use or disclosure • User’s ability to access data about her

  10. Critiques (1) • Formless – doesn’t set any minimum privacy protection • Sets no default • Policy must be set by user somehow • Doesn’t require Fair Information Practices (see checklist) • Too complex • Will exclude good sites that don’t use P3P • Procrustean policies – what about outliers?

  11. Critiques (2) • Original spec allowed for negotiation between site and user, but this was removed from final, which became a take-it-or-leave-it proposition • Generalizes existing cookie problems – invisible stuff happens, user is lost or must make endless exhausting individual decisions • No internal enforcement mechanism, but… • Markets • External laws & regulations against fraud, lies, unfair competitive practices

  12. Critiques (3) • P3P analysis happens after the browser connection • Hence massive data is already sent • IP# • MAC# (IPv6) • Browser fingerprint • Referrer source • Even if P3P were widely adopted, it fails • Providers likely to set protections low, making high-privacy browsing as difficult as no-cookie browsing Privacy-loving users would self-exclude from much of the web

  13. Was P3P the Best Tool? • Other purely client-side tools such as cookie-blockers, and anonymizers might be surer, but what was on offer then were only more narrow solutions • Top-down regulation was not likely, and certainly not likely across jurisdictions • Prospect of 3rd party rulesets would make life easy for users • XML was cool

  14. Take-Up Was Low • Less than 12 percent of the more than 3,000 websites TRUSTe certifies had an IE-compliant P3P compact policy in 2011. • 2010 Carnegie Mellon study of 33,139 websites with P3P compact policies (CPs) found • “errors in 11,176 of them, including 134 TRUSTe-certified websites and 21 of the top 100 most-visited sites” • errors at Microsoft’s live.com and msn.com!

  15. Why P3P Failed “The trouble with P3P was that consumers, lacking education or intuition about the risks of disseminating their personal data, had no incentive to spend this time on bargaining and even more importantly, the market had little or no incentive to pay or negotiate for data that they had previously collected for free. The model though, simply did not succeed. Although P3P was incorporated into Internet Explorer [6.0+] and other browsers, it has been largely ignored by the public and the market. No meaningful marketplace of choices among more or less privacy friendly websites evolved for the consumer.” -- Lilian Edwards, Coding Privacy, 84 Chi.-Kent L. Rev. 861, 864 (2010)

  16. In Other Words • P3P failed due to lack of incentives • Consumer behavior • Time involved • Privacy myopia • Web site operators • Do not want overhead • Do not want to pay to collect info • Info-brokers • Don’t want the grief or the costs • Plus, it felt complicated • (And, blockages inexplicable to some users)

  17. What We Learn from P3P’s Elegant Failure • Economics matter enormously • Parties need an incentive to install tools/use standards • End-users have privacy myopia • Privacy Bird wasn’t cute enough – or too beta • Site operators believe they can monetize info • Incentive cuts against adoption in many cases • Defaults matter • E.g. ‘Do not track’ by default is more effective • Ease-of-use matters • "The act of designing a social technology is not an easy one" -- Joseph Reagle, P3P project manager

  18. Abandoned Specs Considered Dangerous • No one swatting the bugs • Spec allows sites to use a trick to put a cookie despite IE user’s policy • Taken advantage of by 21/100 most visited sites including Facebook, several of Microsoft’s own sites, Amazon, IMDB, AOL, Mapquest, GoDaddy and Hulu. • E.g. “underspecified” policy in headers with no proposed uses listed; IE 6-8 interprets that as a policy to make no use. • Spec looks only at proposed uses – so if there seem to be none due to malice or typos…

  19. User-Unfriendliness At Work? • Proper P3P Compact Policy (CP) statement: • P3P: CP="ALL IND DSP COR ADM CONo CUR CUSoIVAoIVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI“ • ‘SAMo’ == ‘We [the site] share information with Legal entities following our practices,’ • ‘TAI’ == ‘Information may be used to tailor or modify content or design of the site where the information is used only for a single visit to the site and not used for any kind of future customization.’ • What Google sent: • P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

  20. But Don’t Forget the Attractive Aspects of P3P • Worth emulating • User-empowering • No censorship • Nor could it easily become a censorship tool • Extensible • Not centralized • Invited third parties to draft and disseminate policies • Worth debating • Regulatory / voluntary • Ties to legal regimes • Not really clear if this was tested by P3P • Failed to address transnational issues (what law?)

  21. THANK YOU

More Related