Platform for Privacy Preferences (P3P): Lessons Learnt for Privacy Standards Workshop on technical standards and privacy by design A. Michael Froomkin.

1 Platform for Privacy Preferences (P3P): Lessons Learnt for Privacy Standards Workshop on technical standards and privacy by design A. Michael Froomkin Laurie Silvers & Mitchell Rubenstein Distinguished Professor of Law University of Miami August 21, 2012

2 The Problem P3P Was Designed to Solve
- Privacy principle: Users should control use of personal information about them held by others – or at least negotiate rules about it
- But in fact:
  - Your browser says a lot about you
  - Users share data with web sites
  - Web privacy policies are
    - Under-specified
    - Unclear, complex, non-standard
    - Unread

3 The Platform for Privacy Preferences (P3P)
- A standards-based approach
- Server offers machine-readable policy
- Web client retrieves privacy policy
  - Can be set to take action based on preset user preferences
  - User can import preferences from third parties
- P3P-enabled search engines could search for content with privacy settings
  - Exclude or downgrade or flag privacy-unfriendly sites
  - Similar triage could happen at browser level

4 How P3P Works
- Standard definitions of data practices
  - Expressed in standardized vocabulary
- User agent requests P3P policy reference file
  - May be on-site or in other location
- User agent compares policy to user’s preferences, acts accordingly
  - E.g. ‘privacy bird’ displays happy or angry
  - Sites are hidden, or popup warnings display
  - User can query differences from preferences

5 P3P Policy Contents
Source: Lorrie F. Cranor, Praveen Guduru, and Manjula Arjula, "User Interfaces for Privacy Agents," ACM Transactions on Computer-Human Interaction (TOCHI) 13, no. 2 (June 2006): 135.

6 Advantages of P3P
- User empowerment
- No centralized content control
- Some centralized semantic definitions
- Extensible (XML)
- No censorship (except by user choice)
- P3P spec developed by W3C consensus process
- Relies on voluntary implementation
- User demand for privacy could drive adoption
- US FTC liked the idea (“PICS for privacy”)

7 Al Gore Liked It
"I welcome this important new tool for privacy protection … It will empower individuals to maintain control over their personal information while using the World Wide Web."
-- US Vice President Al Gore (1998)
(Larry Lessig liked it too.)

8 OECD Guidelines Checklist
√ P3P did address
- Issue of data collection directly from the user (web surfer)
- Limitations on data use by web site can be specified, e.g.
  - Original purpose
  - Authority of Law
  - Consent
  - Emergency
- Disclosure / openness of data usage

9 OECD Guidelines Checklist
X P3P didn’t address
- Practices relating to data collection from third parties
- Data storage and retention
- Data quality
- Anything beyond honor or external legal control for data mis-use or disclosure
- User’s ability to access data about her

10 Critiques (1)
- Formless – doesn’t set any minimum privacy protection
- Sets no default
- Policy must be set by user somehow
- Doesn’t require Fair Information Practices (see checklist)
- Too complex
- Will exclude good sites that don’t use P3P
- Procrustean policies – what about outliers?

11 Critiques (2)
- Original spec allowed for negotiation between site and user, but this was removed from final, which became a take-it-or-leave-it proposition
- Generalizes existing cookie problems – invisible stuff happens, user is lost or must make endless exhausting individual decisions
- No internal enforcement mechanism, but…
  - Markets
  - External laws & regulations against fraud, lies, unfair competitive practices

12 Critiques (3)
- P3P analysis happens after the browser connection
  - Hence massive data is already sent
    - IP#
    - MAC# (IPv6)
    - Browser fingerprint
    - Referrer source
- Even if P3P were widely adopted, it fails
  - Providers likely to set protections low, making high-privacy browsing as difficult as no-cookie browsing
  - Privacy-loving users would self-exclude from much of the web

13 Was P3P the Best Tool?
- Other purely client-side tools such as cookie-blockers and anonymizers might be surer, but what was on offer then were only more narrow solutions
- Top-down regulation was not likely, and certainly not likely across jurisdictions
- Prospect of 3rd party rulesets would make life easy for users
- XML was cool

14 Take-Up Was Low
- Less than 12 percent of the more than 3,000 websites TRUSTe certifies had an IE-compliant P3P compact policy in 2011.
- 2010 Carnegie Mellon study of 33,139 websites with P3P compact policies (CPs) found “errors in 11,176 of them, including 134 TRUSTe-certified websites and 21 of the top 100 most-visited sites”
- errors at Microsoft’s and!

15 Why P3P Failed
“The trouble with P3P was that consumers, lacking education or intuition about the risks of disseminating their personal data, had no incentive to spend this time on bargaining and even more importantly, the market had little or no incentive to pay or negotiate for data that they had previously collected for free. The model though, simply did not succeed. Although P3P was incorporated into Internet Explorer [6.0+] and other browsers, it has been largely ignored by the public and the market. No meaningful marketplace of choices among more or less privacy friendly websites evolved for the consumer.”
-- Lilian Edwards, Coding Privacy, 84 Chi.-Kent L. Rev. 861, 864 (2010)

16 In Other Words
- P3P failed due to lack of incentives
  - Consumer behavior
    - Time involved
    - Privacy myopia
  - Web site operators
    - Do not want overhead
    - Do not want to pay to collect info
  - Info-brokers
    - Don’t want the grief or the costs
- Plus, it felt complicated
  - (And, blockages inexplicable to some users)

17 What We Learn from P3P’s Elegant Failure
- Economics matter enormously
  - Parties need an incentive to install tools/use standards
  - End-users have privacy myopia
    - Privacy Bird wasn’t cute enough – or too beta
  - Site operators believe they can monetize info
    - Incentive cuts against adoption in many cases
- Defaults matter
  - E.g. ‘Do not track’ by default is more effective
- Ease-of-use matters
"The act of designing a social technology is not an easy one"
-- Joseph Reagle, P3P project manager

18 Abandoned Specs Considered Dangerous
- No one swatting the bugs
- Spec allows sites to use a trick to put a cookie despite IE user’s policy
  - Taken advantage of by 21/100 most visited sites including Facebook, several of Microsoft’s own sites, Amazon, IMDB, AOL, Mapquest, GoDaddy and Hulu.
  - E.g. “underspecified” policy in headers with no proposed uses listed; IE 6-8 interprets that as a policy to make no use.
  - Spec looks only at proposed uses – so if there seem to be none due to malice or typos…

19 User-Unfriendliness At Work?
- Proper P3P Compact Policy (CP) statement:
  P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
  - ‘SAMo’ == ‘We [the site] share information with Legal entities following our practices,’
  - ‘TAI’ == ‘Information may be used to tailor or modify content or design of the site where the information is used only for a single visit to the site and not used for any kind of future customization.’
- What Google sent:
  P3P: CP="This is not a P3P policy! See ?hl=en&answer=151657 for more info."
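An added example, not part of the original slides: a small audit that checks the two P3P headers quoted on slide 19 for the condition slide 18 describes, a compact policy that lists no proposed uses. The purpose-token list is taken from the P3P 1.0 compact-policy vocabulary as an assumption of this example (the slides define only TAI), and the function names are hypothetical.

```python
import re

# Purpose ("proposed use") tokens of the P3P 1.0 compact vocabulary.
# Assumption of this example: the slides themselves define only TAI.
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD",
            "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}

# A compact token is three capitals plus an optional consent suffix
# (a = always, i = opt-in, o = opt-out), e.g. "CONo".
TOKEN_RE = re.compile(r"^([A-Z]{3})([aio]?)$")
CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"')

def declared_purposes(header_value):
    """Return the purpose tokens in a P3P header, or None if it has no CP."""
    match = CP_RE.search(header_value)
    if match is None:
        return None
    found = []
    for raw in match.group(1).split():
        token = TOKEN_RE.match(raw)
        if token and token.group(1) in PURPOSES:
            found.append(raw)
    return found

def audit(header_value):
    """Classify a P3P header by whether it declares any proposed use."""
    purposes = declared_purposes(header_value)
    if purposes is None:
        return "no compact policy"
    if not purposes:
        # The case from slide 18: nothing a user agent can compare
        # against the user's preferences.
        return "underspecified: no purposes declared"
    return "declares purposes"

# The two header values quoted on slide 19 (URL elided as on the slide).
SLIDE_PROPER = ('CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD '
                'TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"')
SLIDE_GOOGLE = ('CP="This is not a P3P policy! '
                'See ?hl=en&answer=151657 for more info."')
# Constructed sample: a header carrying only a policy reference.
SAMPLE_REF_ONLY = 'policyref="/w3c/p3p.xml"'

if __name__ == "__main__":
    for value in (SLIDE_PROPER, SLIDE_GOOGLE, SAMPLE_REF_ONLY):
        print(audit(value), "<-", value[:40])
```

Run over a crawl of response headers, the "underspecified" result is the one a site owner or auditor should review, since it marks a header that is syntactically present but states no use at all.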

20 But Don’t Forget the Attractive Aspects of P3P
- Worth emulating
  - User-empowering
  - No censorship
    - Nor could it easily become a censorship tool
  - Extensible
  - Not centralized
  - Invited third parties to draft and disseminate policies
- Worth debating
  - Regulatory / voluntary
  - Ties to legal regimes
    - Not really clear if this was tested by P3P
    - Failed to address transnational issues (what law?)

