CYBERPUNK: Suspicious Minds
Online privacy is becoming a hot issue these days, with people worrying about what information their computers betray about them. So when a heavyweight standards organization develops a way for Web surfers to monitor the information sliding out of their machines, this can only be regarded as a good thing, right? That depends on whom you ask.
The World Wide Web Consortium was founded in 1994 by Tim Berners-Lee, inventor of the Web, to develop common protocols for the use of his brainchild. Although W3C, as it's known, has no regulatory authority, it generally produces the last word on Web standards. Mostly, the consortium deals with dry specifications on how to code pages. But when it decided to create a framework to help Internet users protect their privacy, it stumbled into a heap of controversy.
For the past three years, W3C has been devising a uniform way for Web sites to detail their privacy practices, allowing browsers to compare sites' policies with their own preferences. The Platform for Privacy Preferences Project, or P3P , is being tested now. If the spec version jumps through all the recommendation reviews, P3P could be built into future browsers. (Microsoft has already committed to implementing it.)
This is quite an improvement on the data collection that occurs now, mainly through "cookies," small messages deposited into your computer when you visit a Web site. Cookies, largely a Netscape invention, are used responsibly by most big sites--to, say, identify visitors who have been to the site before or track them as they wander from page to page within a gigantic site. But they can be used more aggressively--to track individuals as they jump from site to site, building a profile of them through the pages they visit, the better to target them with banner ads. ("Like nymph porn? Click here!") All this invisible tracking riles privacy advocates to no end. And with dot-com companies desperate to make money, you can bet commercial sites will continue to gather as much of this information as possible, to compile user profiles and use them to lure advertisers.
So one would figure P3P, which gives the end user a measure of control over this situation, to be a step forward. But on June 21, two of the most prominent online-privacy advocates, the Electronic Privacy Information Center (EPIC) and Junkbusters, jointly issued a stinging critique of P3P ("Pretty Poor Privacy: An Assessment of P3P and Internet Privacy").
I caught up with head Junkbuster Jason Catlett as he was traveling through Colorado by car. Catlett has been following P3P since 1997--"the early days, when it still largely was vapor," he tells me via cell phone. "Though even then, it was being touted as a silver bullet that would solve all online privacy woes."
Many of the P3P researchers fully understand the limitations of their work, Catlett says. But he contends that companies such as W3C member Microsoft tout P3P less out of a concern for user privacy than as a way to stave off congressional legislation that might hinder their ability to collect information about Web surfers.
The EPIC/Junkbusters report cites other shortcomings: Companies whose business is collecting data have no incentive to adhere to P3P. Users who set high privacy-protection standards will be bombarded with the pop-up windows, creating a kind of reverse incentive to set more liberal preferences, thus "maintaining industry's present privacy-invasive status quo." There's no enforcement mechanism to deal with sites that say one thing and do another. "The real choice offered [by P3P]," the privacy groups state, "is not how to protect privacy, but how much privacy to give up."
Joab Jackson can be reached at email@example.com.