Privacy Law and Policy Reporter
This paper is a revised version of notes prepared to accompany a panel presentation at WWW7 in Brisbane in April 1998. A copy is available at http://www.anu.edu.au/people/Roger.Clarke/DV/P3PCrit.html — General Editor.
The World Wide Web’s Platform for Privacy Preferences (W3C P3P) initiative is an important contribution to the protection of privacy on the Internet. This critique is accompanied by an Overview of P3P. Unless you are already familiar with P3P, you need to read that overview first ((1998) 5 PLPR 35).
I’m an enthusiast about privacy-enhancing technologies and privacy-sensitive protocols and services, but a sceptic about them as a complete solution to privacy needs. Despite the way in which the supra-jurisdictional nature of the Internet will undermine national sovereignty over the next, say, 50 years, I still see an important role for statute law and privacy watchdog agencies as part of a complete framework for privacy protection.
I am very positive about a number of aspects of P3P. Briefly:
This paper addresses aspects that I’m concerned about: the coverage of privacy needs; the coverage of legal and cultural diversity; the drivers for implementation; and the mechanisms for ensuring compliance.
These concerns will come as no surprise to the team that developed P3P. My impression is that they have done whatever they could to address them. The P3P documents address them at various points.
Privacy is a complex beast, and P3P addresses only a small proportion of the complete set of needs. Working from the framework provided by the OECD Guidelines, P3P is primarily concerned with practices relating to:
The other OECD Principles, which are largely unaddressed by P3P, relate to: data collection from third parties; data storage and retention; data quality; controls over actual use and disclosure, measured against the purpose for which the data was collected; subject access to data held by the web-site operator; and accountability and sanctions for non-compliance.
The OECD Guidelines are a 1980s codification of the 1970s ‘data protection’ or ‘fair information practices’ notion, which derives from Alan Westin’s 1967 work. The fair information practices approach has been demonstrably inadequate as a means of protecting personal privacy. It has had the effect of legitimising existing privacy-invasive practices, it has failed to prevent unreasonably invasive new schemes and new features of existing schemes, and it has failed dismally to adapt to the rapid advances in information technology.
Examples of fundamental requirements that the OECD’s 1980 model fails to embody, and which are not in any way addressed by P3P, include:
In short, the fair information practices paradigm is in urgent need of replacement or at least substantial augmentation.
It can be very reasonably argued that a web-protocol could not extend much further than P3P already goes. Indeed, P3P is part of a family of protocols which addresses some of these ‘beyond OECD’ issues in constructive ways. For example, communications security, pseudonymity and even anonymity can be supported.
Nonetheless, the effectiveness of P3P will be undermined where the legal and institutional contexts within which P3P is applied fall short of the public’s needs.
The team that developed P3P was dominated by Americans, because they were the most active contributors, and the most used to virtual committee work of the kind that is the norm within W3C.
On the other hand, strenuous attempts were made to gain participation from other countries. The attempts were partially successful, with contributions from Continental Europe and East Asia. The reason that I could produce this critique and the accompanying overview in parallel with the public release was that I was invited to be a member of the team, and (limited by the constraints of time-zone differences and time-availability) provided a small amount of input to the development process.
In addition, the team that produced the P3P specification sought to take into account privacy-protective instruments, such as European privacy laws, and the EU Directive (which comes into force in October 1998, and has been a focus of international discussion in recent months).
Because of the efforts made, the vocabulary that provides the ability for web-site providers to construct their practices statements appears to be rich enough to cater for mainstream assertions related to use and disclosure, subject access and openness.
That may, however, fall far short of the full set of needs. One reason is the partial manner in which P3P addresses the OECD framework. Another is the serious inadequacy of the OECD framework itself. But legal, institutional and cultural diversity cut far deeper than such sets of principles. The Francophone world is often philosophically and linguistically at odds with the rest of Europe, and translations of EU undertakings are often constructively vague. The concept of privacy translates very oddly into East Asian languages, into the large Slavic world, and into Muslim cultures, let alone into the myriad African settings.
The jury will be out for some time on whether P3P can support the expression of statements by web-site providers, and preferences of web-users, within cultures that do not share mainstream ‘western’ values.
For P3P to have its intended impact, developers need to achieve compliance in new versions of their web-browsers, and to retro-fit the feature into existing versions. Pioneer and early adopter web-site managers, and web-users, need to acquire and apply P3P-compliant software, and to express their practices and their preferences.
For this to occur, there need to be political motivations, and economic incentives and disincentives, sufficient to energise Internet technology providers, web-site providers and web-users. In short, P3P has been invented; but for it to become an innovation, an adoption process has to occur.
P3P creates the possibility for users to bring pressure to bear on web-site providers to express acceptable practices. Whether they will actually do it depends heavily on the credibility of the complete architecture and process. The concerns expressed above about P3P’s coverage are one cause for scepticism. Doubts about whether web-site providers will actually deliver against their practice statements are another reason why the initiative might be stillborn.
What if the privacy practices statements placed on web-site providers’ pages are over-statements, fibs, or downright lies?
User empowerment is not by itself sufficient, because there is an enormous power imbalance between corporations and individuals. That may be changing, as the Internet supports electronic communities, and facilitates consumer action in ways never before available; but there is no guarantee that any dramatic change in the balance of power is imminent.
A further concern is that P3P may be limited to a request-response model controlled by the marketer. It is unclear, for example, whether a consumer is in a position to offer their data for sale to goods and services providers. It is also unclear whether it will be practicable for intermediating user-agents to select and prioritise alternative suppliers based in part on their privacy practices statements.
Much is made of the ability of industry association codes to create frameworks within which compliance can be assured. But industry association activities are undermined by mavericks, who are non-members of the associations, who flout the code, and who thereby render the codes unenforceable on the associations’ members. Pure self-regulation has been demonstrated time and time again not to work. Industry-sponsored, corporation-style protectors like TRUSTe are going to excite only limited confidence amongst consumers, unless there’s something more behind them.
Instances of non-performance may be actionable through contract law, or through trade practices laws. But these are slow and expensive, and in some cases are not directly accessible by consumers but must be actioned by government agencies. Moreover, the sanctions available are in many cases quite trivial, and hence the legal controls are ineffectual.
A further concern is that P3P may fail to bring about a sufficient linkage between web-site providers’ statements and the legal framework within which they are made. The ‘assurance statement’ (see Appendix 5 below) enables, but does not (and, in practice, could not) force the expression of highly desirable clauses such as ‘our undertaking is subject to the X-law within the Y-jurisdiction’ and ‘our undertaking is subject to our contract with Z-guarantor whose audit reports are available at <URL>’.
There is an urgent need for self-regulatory codes to be given legislative stiffening, such that associations’ initiatives have teeth, mavericks are subject to sanctions, and good corporate citizens feel justified in participating in the relevant code, because their costs in doing so are balanced by the mavericks’ costs in trying to escape their responsibilities.
Note that this is not a denial of the importance of user empowerment, nor of industry association codes, nor of initiatives like TRUSTe, nor of protocols like P3P. It is an assertion that effective protection is dependent on a multi-partite, tiered framework, in which layers of technology, organisational practices and law combine to ensure reasonable behaviour.
P3P is one important element among many. Unless other elements of the framework come into existence, the credibility and effectiveness of P3P will be undermined.
The success or failure of P3P will be partly determined by the effectiveness of its design, and its ease of implementation and integration within mainstream web-browser and web-site management products. Key questions are:
Environmental factors are, however, even more important determinants of its success or failure. Key questions are:
Media coverage includes:
Roger Clarke, Principal, XamaX Consultancy Pty Ltd.