For months, the Internet industry has been insisting that the answer to protecting privacy on the Net lies in new technology. In other words, while technology has gotten us into a situation where way too many people can find out intimate personal details about the innocent Web surfer, it may also help deliver us from the threat.
It's time to put that claim to the test. After four years in development by a committee of privacy advocates and companies, P3P--Platform for Privacy Preferences Project--is set to arrive on June 21. The long-awaited software will allow users to define just which bits of personal information they are willing to divulge to a Web site. In turn, the software will alert users if a site is asking for additional data--and what the site plans to do with that information if it is provided.
At demonstrations in New York, no less than Microsoft, IBM, and AT&T will show companies and developers how the software works and try to get them to adopt it. Two other show-and-tells will take place in Europe and the West Coast. If all goes well, P3P software could go on sale this fall.
Problem solved? Not really. Simply notifying people about the information a Web site is ferreting out doesn't get at the real issue: Should sites be allowed to demand such personal data as the price of entry? While the new software will help users avoid sites that are too prying, it does little to set standards that discourage these invasions.
That's because P3P represents a compromise, pushed out the door quickly as the privacy debate heated up and stocks of Net companies began to get punished for the lack of controls. Originally, the Net standards committee wanted to allow people to negotiate with sites so they could refuse overly intrusive requests without having to boycott a site. Not only were consumers going to be given a choice, they were going to gain some power. In the end, the group could only agree on the automatic notification process. While that's undoubtedly progress over the current obligation to read detailed online privacy policies, it still gives the consumer only a simple yes or no. For that reason, P3P's biggest drawback may be its failure to make more people comfortable with doing business on the Web.
And even P3P is not a fait accompli. The arduous task of persuading the Net world to adopt it as a standard remains. Software has to be easily available for consumers to use. Even Microsoft Corp., which worked on the project and is optimistic of broad adoption, is unsure whether P3P will be included in the updated version of its own browser. Just as important, Web sites must be willing to insert code that tells visitors what data will be requested--and into whose hands that data will ultimately land.
DIRTY SECRETS. These could prove major obstacles, simply because many sites make sizable revenues from the sale of this information. Would credit-card companies and magazines be willing to stop selling their customer lists? The situation is not that dissimilar. And even though most everyone on the Web is aware that privacy concerns are likely to hamper e-commerce's growth, resistance to exposing such dirty little secrets to customers is predictable.
What all this shows is that P3P and technology alone cannot ensure real privacy. Only strict industry rules or laws on acceptable Net behavior can do that. On June 14, the Privacy Leadership Initiative--a high-level industry group including IBM, DoubleClick, and the Direct Marketing Assn.--announced plans to launch a consumer education campaign and create baseline privacy principles. While the group supports P3P, clearly it thinks more is required. Even the Federal Trade Commission, a longtime defender of industry self-regulation, recently reversed itself on the need for legislation after its May survey revealed that only 20% of sites had voluntarily implemented adequate standards for protecting privacy. After all, technology isn't responsible for the assault on individual privacy. People using that technology and basing business models on the need for that data, are.