It would be comforting to believe that technology will solve the social problems that technology itself engenders. But when it comes to the erosion of privacy on the Net, even the most optimistic techies admit that there are no silver bullets. Many people are now pinning their hopes on a set of technical specifications known as the Platform for Privacy Preferences Project, or P3P, which has been in development for several years at the World Wide Web Consortium (W3C) headquartered at the Massachusetts Institute of Technology in Cambridge, Mass. (http://www.w3.org/P3P/).
Lorrie Cranor, a researcher at AT&T Labs in Florham Park, N.J., who chairs the P3P working group at the W3C, says there is no easy way to guarantee privacy without also potentially jeopardizing it more (see BW 3/20/00, Cover Story, "Privacy on the Net"). To learn more about P3P's promise -- and limitations -- Business Week Senior Writer Neil Gross spoke recently with Cranor. Here are edited excerpts of their conversation:
Q: What is P3P?
A: It is a set of standards under development at the World Wide Web Consortium that will allow Web sites to take privacy statements and translate them into a machine-readable format. The idea is that Web browsers and other software tools could fetch the privacy policies, read them on behalf of the user, and provide the user with good information about the policies.
Q: What kinds of information would one expect to see?
A: [When I arrive at a site] my browser might display certain symbols that provide a snapshot of the policies there. Or it could store my privacy preferences and know, for example, that I do not want to be profiled. The P3P software would compare the policies with my preferences and tell me if there is a match. I don't necessarily want to stop at every Web site and pore over the privacy statement. So my P3P tool would let me know if there is anything strange in the policy that I should take a closer look at.
Q: How soon is all this going to be ready?
A: We have [a] draft out now, and we are soliciting comments on it. We hope to move it through the W3C recommendation process this summer. I have heard that some companies are already starting to implement it.
Q: How far will the software go in ensuring privacy? It won't try to do everything, will it?
A: The software will provide people with easy notice about what privacy practices different Web sites have. It does not ensure that they actually do what they say. The software can't address that directly, but it can work with privacy seal programs. As part of my preferences, I could say that I trust sites more if they display seals from BBBOnLine. And my browser would check for that.
Q: What do you think about the insistence of many privacy advocates that Web sites provide surfers access to the online profiles they construct?
A: There are good things and bad things. If the profiles only exist in code, or in a set of weightings, then that would have to be translated into plain English, which may not be easy. The information you seek may also be scattered among multiple databases, which is a challenge.
On the one hand, if you have data in a database, it's there so that you can access it. At the same time, if personal data is separated among 20 different databases and you force the company to make them accessible at a central point [so that surfers can see their profiles], that could require tying the databases together, which might be more privacy-invasive [than leaving them separate and inaccessible].
Q: Web businesses make all of this seem very difficult and costly. It can be hard to sort fact from fiction when it comes to this question of letting visitors at a site view individual profiles...
A: Yes, it's hard. The profiles aren't always explicit. The Web site may not have my name, so I can't call them up and say "I'm Lorrie. What do you know about me?" But if they have placed a "cookie" [a small file that Web sites often leave on a Web surfer's computer to be able to track that person's use of the site] and always recognize me as #123, then in theory I should be able to identify myself as #123. There could be a mechanism, something that says "click here to see what's in your profile." It would be pegged to your cookie file or to your computer's Internet protocol address, or whatever they happen to use. I think that's feasible. But is it free of costs? No.
Q: Does your organization take a particular position in the privacy debates?
A: The W3C as a whole avoids taking policy positions. But I am also on the [Federal Trade Commission] advisory committee on online access and security [which does take some positions]. We are preparing a report on some of these subjects, which will be published in May and will be available on the FTC site. But it's difficult. There won't be one unified recommendation.
Edited by THANE PETERSON