Introduction to P3P
Why Web Sites Adopt P3P
Since Microsoft released their P3P-enabled IE6 web browser in 2001, an increasing number of web sites have adopted P3P. A December 2001 survey by the Progress and Freedom Foundation found that 23% of the most popular web sites and 5% of a random sample of the top 5,625 domains that collect personally identifiable data were P3P-enabled.4 The authors of the report concluded: "This seems to be a fairly rapid rate of adoption, given the newness of the product and the fact that relatively few consumers have installed IE6."
By April 2002, about a third of the top 100 web sites had adopted P3P. Early adopters of P3P come from a variety of sectors and include:
- News and information sites, such as CNET and About.com
- Search engines, such as Yahoo!and Lycos
- Advertising networks, such as DoubleClick and Avenue A
- Telecommunications companies, such as AT&T
- Financial institutions, such as Fidelity
- Computer hardware and software vendors, such as IBM, Dell, Microsoft, and McAfee
- Retail stores, such as Fortunoff and Ritz Camera
- Government agencies, such as the U.S. Federal Trade Commission, the U.S. Department of Commerce, and the U.S.Postal Service
- Nonprofit organizations, such as the Center for Democracy and Technology
- Academic institutions, such as Vanderbilt University eLab
Many early adopters P3P-enabled their web sites to show their support for the P3P effort and demonstrate their corporate leadership on privacy issues. They were motivated both by a desire to show customers that they respect their privacy and by a desire to demonstrate to regulators that the industry is taking voluntary steps to address consumer privacy concerns. While P3P addresses only a narrow set of privacy issues, it complements other efforts to improve privacy protections, including laws, technology tools, and privacy seal programs.
Some companies have started using privacy as a way of distinguishing their brand—they include privacy messages in their advertising and feature privacy-related aspects of their products. By adopting P3P, they further strengthen the message that they respect consumer privacy. In addition, by adopting P3P, they enable consumers to quickly locate and get a brief summary of their privacy policies, and to take advantage of any opportunities to remove themselves from marketing and mailing lists.
Some companies have adopted P3P in anticipation that it may soon become a standard that consumers look for at the web sites they visit. If consumers become accustomed to being able to request a privacy report from their web browser or to seeing a happy privacy-bird icon, they may grow suspicious of sites that are not P3P-enabled. In the future, P3P-enabled search engines may make it easy for consumers to identify P3P-enabled web sites.
Some companies have already found that their web sites do not function correctly when viewed using the latest web browsers if their sites are not P3P-enabled. By default, IE6 looks for P3P compact policies associated with third-party cookies (discussed in Chapter 2) on web sites. Third-party cookies are automatically blocked when they don't have compact policies. Thus, targeted advertising, page counters, and other features that rely on third-party cookies may not work unless companies P3P-enable their sites.
Finally, many web sites have adopted P3P because the individuals who run them value their personal privacy and want the companies they work for to take steps to give individuals more control over their personal information.
1 Privacy Leadership Initiative, "Privacy Notices Research Final Results" (conducted by Harris Interactive, December 2001), http://www.ftc.gov/bcp/workshops/glb/supporting/harris%20results.pdf.
2 Cookies are bits of text that web sites can send in their HTTP headers and ask web browsers to send back to them on subsequent visits to the same web site. They help enable features such as electronic shopping carts and logging into a web site without a password.Cookies are discussed in more detail in Chapter 2.
3 HTTP is short for HyperText Transfer Protocol (http://www.ietf.org/rfc/rfc2616.txt). For in-depth information on how HTTP and related protocols work, see Balachander Krishnamurthy and Jenifer Rexford, Web Protocols and Practice:HTTP/1.1, Networking Protocols, Caching, and Traffic Measurement (Boston: Addison Wesley, 2001).
4 William F. Adkinson, Jr., Jeffrey A. Eisenach, and Thomas M. Lenard, "Privacy Online: A Report on the Information Practices and Policies of Commercial Websites" (Progress & Freedom Foundation, March 2002), http://www.pff.org/publications/privacyonlinefinalael.pdf. The web sites surveyed for this report were determined based on October 2001 Nielson/NetRatings data.
About the Author
Dr. Lorrie Faith Cranor is a principal technical staff member in the Secure Systems Research Department at AT&T Labs-Research Shannon Laboratory in Florham Park, New Jersey. She is chair of the Platform for Privacy Preferences Project (P3P) Specification Working Group at the World Wide Web Consortium. Her research has focused on a variety of areas where technology and policy issues interact, including online privacy, electronic voting, and spam.
Source of this material
|This is Chapter 1: Introduction to P3P from the book Web Privacy with P3P (ISBN: 0-596-00371-4) written by Lorrie Cranor, published by O'Reilly & Associates. |
To access the full Table of Contents for the book
Page 3 of 3