AMSTERDAM (05/17/2000) - With a key proof-of-concept event looming in June, the leaders of a World Wide Web Consortium (W3C) working group yesterday outlined changes that have been made to an Internet privacy proposal they expect to finalize later this year.
The newly released working draft of the W3C's Platform for Privacy Preferences Project (P3P) - which offers Web sites a way to communicate their privacy policies in a standard machine-readable format - calls for online users to receive a snapshot of a site's privacy policy before they send any data to the site. They also would receive a warning if any health care information will be requested.
The prior P3P specification made it difficult for users to receive a site's privacy policy before they transmitted data and it failed to separate out health care information, which is a sensitive issue for many people, said Lorrie Cranor, chair of the P3P working group and a senior technical staff member at AT&T Labs in Florham Park, New Jersey.
The new P3P working draft, which was made available last Wednesday, also chronicles changes that should help speed the exchange of data between client and server, Cranor added. She and other W3C project leaders issued a status report on the privacy specification at this week's Ninth International World Wide Web Conference here.
But despite the W3C working group's three-and-a-half-year effort to appease businesses, privacy advocates, technologists and governmental officials, the P3P proposal continued to draw some skeptical comments from interested parties who question whether the proposal can adequately address the privacy concerns.
One conference attendee described P3P as a "highly formalized expression of a very informal agreement," similar to a handshake, and questioned whether an agreement would hold up in a court of law.
"This sure looks to me like you're going to be working on this 10 years from now, too, with those legal issues in particular," said another attendee, David Brownell of Palo Alto, California. Brownell said there "do need to be teeth in these policies" for the privacy specification to work.
P3P Activity Lead Rigo Wenning, who is a lawyer, said digital signatures could serve as evidence that Web users had read and agreed to the privacy policy before transmitting any personal data. Legislation that would give digital signatures equal legal weight to written ones is expected to be approved by the U.S. Congress this year (see story).
Web sites that adopt the P3P specification also could face governmental action or be sued for engaging in deceptive practices, Wenning added.
"We're sort of viewing this (specification) as a step better than what we currently have," Cranor said, noting that the W3C brought in many lawyers to help craft the latest version of the P3P proposal.
The first proof-of-concept P3P Interoperability Event, which is scheduled to be held June 21 in New York, is expected to draw 20 to 25 companies. Cranor said plans call for Microsoft Corp. and one other vendor to unveil tools that can help Web sites implement P3P.
A "handful" of companies are slated to show off client-side applications that use the specification, she said, and several more will demonstrate their online privacy policies in the P3P format. A second interoperability event is planned for the fall.
Cranor predicted that P3P will reach W3C recommendation status, the final step in the approval process, this fall and that increasing numbers of Web sites will adopt the specification due to heightened pressure from the U.S. government for companies to self-regulate themselves on the issue of online privacy.
But privacy advocate Jason Catlett, president of Junkbusters Corp. in Green Brook, New Jersey, countered that if the P3P specification "is used as an excuse not to require legally guaranteed privacy rights, it (will have) done everybody a disservice."
"What we need is a requirement that companies treat personal information fairly, (plus) an enforcement mechanism against companies that violate those standards," Catlett said yesterday in a phone interview from New York.
Catlett also questioned the implementation of the standard. In order for P3P to work, code must be added to a Web browser, a proxy server, a plug-in, a Java applet or some other piece of software that will let users indicate their privacy preferences.
Both Microsoft and Netscape Communications Corp. have committed to implementing P3P in their browsers, but Catlett said he's worried that their default settings may not offer enough protection. "If the average user's privacy is left up to Microsoft's and Netscape's choice of defaults, then God help them all," he said.
To get P3P out and deployed, the W3C working group had to scale back several features in the new working draft, Cranor said. But she added that project members are hoping to include more features in future versions of P3P, including the following:
Letting Web sites offer a choice of privacy policies. For instance, a user who wants a customized experience on a particular site could opt to provide the necessary data.
Permitting users to suggest alternative privacy policies if they don't like the one they find on a particular Web site.