Microsoft's Cookie Monster

Its IE 6 browser, bundled with Windows XP, forces Web sites to reveal the information they collect. That's a victory for privacy

By Jane Black

Whatever you think of Microsoft, there's no escaping the company's sheer power. For years, the Internet and high-tech industries have been haggling over the best solution to protect the privacy of Web visitors. Now the Colossus of Redmond has forced the issue, simply by releasing the latest version of its Web browser, Internet Explorer 6.0. IE 6, which comes bundled in Microsoft's new Windows XP operating system, includes a privacy-enabling technology called P3P, or Platform for Privacy Preferences.

Already, according to PricewaterhouseCoopers, 12% of U.S. Internet surfers are using IE 6, which has been available for downloading only since the end of August. That reality has sent Web companies across the globe scrambling to review privacy policies and make their sites P3P-compliant.

Whether P3P is the best way to safeguard Web privacy is still a matter of debate. But with Gates & Co. backing the standard, it's clearly one approach that is moving forward quickly. P3P is a specification that lets a user's Web browser automatically understand a Web site's privacy practices, because it requires companies to publish their policies on the site in a machine-readable form that the browser can fetch and parse. The IE 6 browser then reads the policy and automatically approves or flags sites (with an on-screen warning to the Web surfer) based on the preferences set by users.

Microsoft's brand of P3P focuses exclusively on cookies, the small pieces of data a site stores on a user's hard drive to track or save information about Web surfers' habits or preferences. So, if an e-commerce site's policy says that it shares demographic information stored in the cookie, the browser can warn the user what's going on. This saves users the trouble of sifting through individual privacy policies themselves. In short, P3P answers the public's call to make privacy simpler to manage.


  For Web companies, this creates a big challenge. So far, only about 25% of the top 100 Web sites are P3P-compliant, according to PricewaterhouseCoopers. By contrast, nearly 100% of third-party advertisers have codified their privacy policies so that IE 6 can understand them. They've moved so fast because Microsoft's version of a privacy standard takes aim at the very foundation of their business -- cookies that track users' behavior and help create sophisticated reports that inform advertisers of how often ads are being viewed. The default, or "medium," setting in IE 6 blocks all cookies of this type if they are not codified for P3P.
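The mechanism the article describes is concrete: a site that sets a cookie sends a P3P "compact policy" alongside it, a line of three-letter tokens in the HTTP response header, and IE 6 decides what to do with the cookie by reading those tokens. The following is an added illustration, not code from Black's article or from Microsoft; it parses a compact policy and applies a deliberately simplified version of the "medium" rule described above. The header values are constructed samples, the token vocabulary follows P3P 1.0 (PHY/ONL/GOV/FIN for personally identifiable data, a trailing "a", "o" or "i" for always/opt-out/opt-in), and the decision rules, the PII category list, and the "restrict" outcome are assumptions that approximate, rather than reproduce, IE 6's real logic.

```python
"""Toy model of how IE 6 reads a P3P compact policy on a Set-Cookie response.

Added example, not Microsoft's code.  The rule set is a simplification of the
browser's "medium" privacy setting, chosen to show why third-party cookies
without a compact policy are blocked while first-party ones are not.
"""
import re
from typing import Optional

# P3P data categories treated here as personally identifiable information.
# Assumption: this is the subset IE 6's help text calls "personally identifiable"
# (physical contact, online contact, government ID, financial).
PII_CATEGORIES = {"PHY", "ONL", "GOV", "FIN"}

# Purpose and recipient tokens that mean the data is used beyond completing the
# current activity (tailoring, profiling, contacting, sharing with others, ...).
# A trailing "a" means "always", "o" means an opt-out is offered, "i" means the
# user must opt in.  Assumption: this list is illustrative, not the full spec.
SENSITIVE_USES = {"TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP",
                  "SAM", "OTR", "UNR", "PUB"}

CP_RE = re.compile(r'CP="([^"]*)"')


def parse_compact_policy(headers: dict) -> Optional[list]:
    """Return the CP tokens from a P3P response header, or None if there is none."""
    value = headers.get("P3P")
    if value is None:
        return None
    match = CP_RE.search(value)
    if not match:
        return None
    return match.group(1).split()


def policy_is_unsatisfactory(tokens: list) -> bool:
    """True when PII is collected and put to a sensitive use with no opt-out/opt-in."""
    has_pii = any(token in PII_CATEGORIES for token in tokens)
    if not has_pii:
        return False
    for token in tokens:
        base, suffix = token[:3], token[3:]
        if base in SENSITIVE_USES and suffix not in ("o", "i"):
            return True
    return False


def medium_setting_decision(headers: dict, third_party: bool) -> str:
    """Simplified IE 6 'medium' rule for a response that carries Set-Cookie.

    Returns "accept", "block", or "restrict" (our label for a first-party cookie
    the browser keeps but confines to first-party use).
    """
    tokens = parse_compact_policy(headers)
    if third_party:
        if tokens is None:
            return "block"      # third-party cookie with no compact policy at all
        if policy_is_unsatisfactory(tokens):
            return "block"      # third-party cookie using PII without consent
        return "accept"
    if tokens is None:
        return "accept"         # first-party cookies need no CP at "medium"
    if policy_is_unsatisfactory(tokens):
        return "restrict"
    return "accept"


if __name__ == "__main__":
    # Constructed sample responses.  Note the policyref attribute, which points
    # at the full XML policy IE 6 shows in its "Privacy Report" dialog.
    ad_server_no_policy = {"Set-Cookie": "id=abc123; path=/"}
    ad_server_with_policy = {
        "Set-Cookie": "id=abc123; path=/",
        "P3P": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa OUR IND"',
    }
    for name, hdrs in [("no policy", ad_server_no_policy),
                       ("with policy", ad_server_with_policy)]:
        print(f"third-party cookie, {name}: {medium_setting_decision(hdrs, True)}")
```

The first sample is the situation the article describes for an advertiser that has not yet adopted P3P: the response sets a cookie but carries no `P3P` header, so in third-party context the cookie is dropped. The second adds a compact policy whose tokens declare no identifiable data (`NOI`), so the same cookie is accepted. Note that the browser inspects only the compact policy on responses that set cookies; the full XML policy referenced by `policyref` is for the human-readable report, which is why an inaccurate compact policy is a liability rather than a formality.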

DoubleClick, the largest Internet advertising technology company, found itself implementing P3P in a hurry. Chief Privacy Officer Jules Polonetsky says he and his team of engineers began preparing for IE 6 early in 2001. That effort, which required the company to inventory and codify all the ways its cookies can be used, took "hundreds" of hours. Adopting P3P also forced DoubleClick to delineate its policies for data storage and sharing.

"Many Web companies hadn't really thought some of these issues through. Implementing P3P has been the opportunity to put privacy policies and procedures in place, and to make sure that the Web site is in alignment with company policy," says Michael Beresik, national director of PricewaterhouseCoopers' privacy practice.


  P3P has also has forced companies across the board to rationalize the often-significant gaps between what a site's privacy policy says and how the site actually works. "A lot of companies have delegated Web-site management to the IT division and privacy policy to the legal department. P3P means that everyone has to be on the same page," says Larry Ponemon, CEO of the Privacy Council, a consultancy that helps corporations develop and manage customer privacy.

The Privacy Council, along with DoubleClick, has begun holding P3P education conferences. The three-hour sessions explain what it takes to comply with Microsoft's P3P settings and how to minimize the risk of a privacy violation. "We're seeing an incredible mix of people becoming part of the conversation -- CTOs, general counsels, and engineers," says Polonetsky. "Before they all worked separately. The right hand didn't always know what the left hand was doing."

P3P, of course, is still a work in progress. IE 6 doesn't distinguish between sites that adopt the standard but don't meet a user's P3P-based privacy preferences and those that don't use P3P at all, even though they may have their own privacy standards in place. An IE 6 Web surfer gets the same warning notice no matter how rigorous the non-P3P privacy policy might be. That could undermine the standard's utility, because a user doesn't know exactly why IE 6 is flagging the site.


  Outspoken privacy advocates have also come out against the standard. The Electronic Privacy Information Center says cookie management is just one small part of protecting privacy. In a report issued last year, "P3P: Pretty Poor Privacy," EPIC warned that P3P "is a complex and confusing protocol that will make it more difficult for Internet users to protect their privacy." Instead, EPIC would prefer privacy tools that minimize and/or eliminate the collection of personal data.

That would seriously stunt the growth of online businesses. Instead of mandating what should be collected, P3P should act like a nutrition label: tell consumers what's "inside" a Web site and let them choose whether or not to use it, says Microsoft Chief Privacy Officer Richard Purcell. "Despite all the challenges and bellyaching, I think P3P is great. It's not the be-all and end-all, but it's a starting point," says the Privacy Council's Ponemon. Anything that improves privacy is a step in the right direction.

Black covers privacy in her twice-monthly Privacy Matters column only at BW Online