
The Platform for Privacy Preferences P3P Implementation and Deployment Update



    1. The Platform for Privacy Preferences (P3P) Implementation and Deployment Update
        Lorrie Faith Cranor, AT&T Labs-Research
        http://lorrie.cranor.org/
        May 2003

    2. Platform for Privacy Preferences Project (P3P)
        - Developed by the World Wide Web Consortium (W3C) http://www.w3.org/p3p/
        - Final P3P1.0 Recommendation issued 16 April 2002
        - Offers an easy way for web sites to communicate about their privacy policies in a standard machine-readable format
        - Can be deployed using existing web servers
        - Enables the development of tools (built into browsers or separate applications) that
            - Summarize privacy policies
            - Compare policies with user preferences
            - Alert and advise users

    3. Basic components
        - P3P provides a standard XML format that web sites use to encode their privacy policies
        - Sites also provide XML “policy reference files” to indicate which policy applies to which part of the site
        - Sites can optionally provide a “compact policy” by configuring their servers to issue a special P3P header when cookies are set
        - A separate specification called APPEL provides a language for encoding user privacy preferences (optional)

    4. What’s in a P3P policy?
        - Name and contact information for site
        - The kind of access provided [6 choices]
        - Mechanisms for resolving privacy disputes
        - The kinds of data collected [17 categories + dozens of specific elements]
        - How collected data is used [12 purposes], and whether individuals can opt-in or opt-out of any of these uses
        - Whether/when data may be shared [6 choices] and whether there is opt-in or opt-out
        - Data retention policy [5 choices]

    5. P3P user agents
        - P3P User Agents: Software that reads P3P policies for users
        - P3P user agents built into Microsoft Internet Explorer 6 and Netscape Navigator 7 web browsers
            - Browsers take P3P compact policies into account when making cookie-blocking decisions
            - IE6 default setting causes third-party cookies without P3P compact policies to be blocked
            - Browsers include feature that displays English translation of P3P policy
        - AT&T Privacy Bird is a P3P user agent add-on for IE5/6
            - Available as free download from http://privacybird.com/
            - Uses colored bird icon and sounds to indicate whether site’s policy matches a user’s privacy preferences
            - Also includes English translation of P3P policy
        - P3P user agents do not provide identical English translations
            - Web sites have expressed concern about this
            - W3C P3P working group developing guidelines to improve consistency

    6. Chirping bird is privacy indicator

    7. Click on the bird for more info

    8. Privacy policy summary - mismatch

    9. Privacy Bird user study
        - August 2002 email survey to Privacy Bird users who opted-in to participating in surveys (331 responses)*
        - Overall positive feedback, but concern that not enough sites are P3P-enabled
        - 88% of respondents indicated some change in online behavior as a result of using Privacy Bird
            - Fill out fewer online forms: 37%
            - Take advantage of opt-outs: 37%
            - Stopped visiting some web sites: 29%
            - Comparing privacy policies at similar sites and frequenting sites with better policies: 18%
        - Respondents expressed desire to be able to compare privacy policies at web sites offering similar products before making purchases

        * See L. Cranor, M. Arjula, and P. Guduru. Use of a P3P User Agent by Early Adopters. Proceedings of the ACM Workshop on Privacy in the Electronic Society, November 21, 2002, Washington, DC. http://lorrie.cranor.org/pubs/wpes02/

    10. P3P user agent study
        - Preliminary results of AT&T Labs-Research study in which experienced IE users used IE6 and Privacy Bird to answer questions about web site privacy policies
        - Same users also answered questions by reading site privacy policies without using P3P user agents
        - Users reported that it was easier to find information using P3P user agents than by reading privacy policies
        - Users found information faster and more accurately with Privacy Bird than by reading privacy policies or using IE6
        - Some problems users experienced with IE6 are due to fields that user agent omits from P3P translation* - for example, does not indicate whether opt-in or opt-out are available
        - Identified areas for improvement in both P3P user agents
        - Our results will help inform P3P working group’s efforts to develop guidelines for P3P user agents

        * See L. Cranor and J. Reidenberg. Can user agents accurately represent privacy notices? TPRC 2002 (September 2002). http://papers.ssrn.com/sol3/papers.cfm?abstract_id=328860

    11. What are users looking for?
        - Many studies have shown that users don’t want to read long privacy policies, yet they are interested in some of the information contained in privacy policies
        - Different users are looking for different things, but many common elements
            - What information will be collected about me?
            - How will it be used?
            - Will it be shared with other companies?
            - Will it be used to send me unsolicited marketing?
            - How can I opt-out? (but many users not aware this is possible)
        - P3P user agents are making it easier for users to find this information, but there is room for improvement
        - P3P-enabled search engines and comparison shopping services could make it easier for users to compare sites based on how they answer these questions

    12. Web site adoption of P3P
        - AT&T Labs study surveyed 5,856 Web sites on May 6 2003 and found 538 with P3P policies*
        - Adoption rates highest among most popular web sites
            - ~30% of top 100 sites have adopted P3P
        - Web site adoption increasing slowly, but steadily
        - Adoption rates for government web sites very low - but we expect that to change when new regulations take effect
        - Adoption rates for children’s web sites low, but show some interesting trends worth further investigation
        - Large number of P3P policies contain technical errors
            - Most errors due to use of old versions of P3P specification or minor technical issues
            - 7% of P3P-enabled sites have severe errors such as missing required components
            - Not uncommon for web standards to be implemented incorrectly, but errors may be more problematic with P3P
            - Software, W3C P3P validation service, online resources, and books available to help sites get it right (many resources available for free)

        * See http://www.research.att.com/projects/p3p/

    13. Web site data practices*
        - Most sites collect PII, but few collect most sensitive information such as SSN and health info
        - Most sites use data for email and/or postal mail marketing and pseudonymous profiling
            - Telemarketing and identified profiling is less common
        - 72% of sites offer choices about marketing
        - 49% of sites share data with parties other than agents using data for purpose it was provided, but 46% of these offer choice
            - We suspect percentage offering choice is actually higher but sites using old version of P3P spec can’t disclose this
        - 92% sites that collect identified data provide some access provisions
        - 34% of sites offer privacy-related dispute resolution options involving an independent organization (such as a privacy seal)
        - 63% of sites do not have data retention policy for all data

        * Based on findings of P3P-enabled web site study, see http://www.research.att.com/projects/p3p/

    14. Summary and conclusions
        - In first year since P3P 1.0 released adoption has been steady, but wider adoption still needed and sites need to do a better job of implementing P3P correctly
            - Is there a need for auditing P3P policies? If so, who should do it?
        - A variety of P3P software tools are readily available for end users
            - Improvements needed in making P3P user agents behave more consistently and making it easier for users to find the information they are looking for
            - P3P WG drafting UA guidelines. Is certification of UAs needed?
        - Users are already finding P3P user agents useful
        - P3P makes automated “web sweeps” possible
        - Tools to make it easier for users to compare privacy policies across sites would be helpful (for example, P3P-enabled search engines)
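
The compact policy sent in the P3P header (slide 3), its use in cookie-blocking decisions (slide 5) and the technical errors found in deployed policies (slide 12) can be illustrated with a small header auditor. This is an added example, not code from the presentation or from any P3P tool: the token vocabulary follows the P3P 1.0 compact-policy syntax, while the function names, the `REQUIRED` baseline, the sample headers and the one-rule blocking model are assumptions made for illustration.

```python
import re

# Compact-policy token vocabulary from the P3P 1.0 specification, grouped by element.
TOKENS = {
    "access": "NOI ALL CAO IDC OTI NON".split(),
    "disputes": ["DSP"],
    "remedies": "COR MON LAW".split(),
    "non-identifiable": ["NID"],
    "purpose": "CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP".split(),
    "recipient": "OUR DEL SAM UNR PUB OTR".split(),
    "retention": "NOR STP LEG BUS IND".split(),
    "categories": "PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC".split(),
    "test": ["TST"],
}
GROUP_OF = {tok: grp for grp, toks in TOKENS.items() for tok in toks}
CONSENT_SUFFIX = {"purpose", "recipient"}  # may carry a (always), i (opt-in), o (opt-out)
REQUIRED = ("access", "purpose", "recipient", "retention")  # assumption: audit baseline

def parse_p3p_header(value):
    """Split a P3P header value into its policyref URI and compact-policy tokens."""
    fields = {k.lower(): v for k, v in re.findall(r'(\w+)\s*=\s*"([^"]*)"', value)}
    return fields.get("policyref"), fields.get("cp", "").split()

def audit_compact_policy(tokens):
    """Group tokens by element; report unknown tokens and missing baseline groups."""
    groups, unknown = {}, []
    for tok in tokens:
        base, suffix = tok, ""
        if len(tok) == 4 and tok[3] in "aio":
            base, suffix = tok[:3], tok[3]
        grp = GROUP_OF.get(base)
        if grp is None or (suffix and grp not in CONSENT_SUFFIX):
            unknown.append(tok)
        else:
            groups.setdefault(grp, []).append(tok)
    missing = [g for g in REQUIRED if g not in groups]
    return groups, unknown, missing

def third_party_cookie_blocked(header_value):
    """Simplified model of the slide-5 default: no compact policy, cookie is blocked."""
    if not header_value:
        return True
    _, tokens = parse_p3p_header(header_value)
    return not tokens

# Constructed sample header values (example.com is a placeholder host).
GOOD = 'policyref="http://example.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa OUR BUS NAV COM"'
BAD = 'CP="CUR OUR XYZ"'
```

Running `audit_compact_policy` over the tokens of `BAD` reports `XYZ` as unknown and the access and retention groups as missing, the kind of error a site audit or validation pass would surface.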
