Microsoft's Cookie Monster
By Jane Black
Whatever you think of Microsoft, there's no escaping the company's sheer power. For years, the Internet and high-tech industries have been haggling over the best solution to protect the privacy of Web visitors. Now the Colossus of Redmond has forced the issue, simply by releasing the latest version of its Web browser, Internet Explorer 6.0. IE 6, which comes bundled in Microsoft's new Windows XP operating system, includes a privacy-enabling technology called P3P, or Platform for Privacy Preferences.
Already, according to PricewaterhouseCoopers, 12% of U.S. Internet surfers are using IE 6, which has been available for downloading only since the end of August. That reality has sent Web companies across the globe scrambling to review privacy policies and make their sites P3P-compliant.
Whether P3P is the best way to safeguard Web privacy is still a matter of debate. But with Gates & Co. backing the standard, it's clearly one approach that is moving forward quickly. P3P is a specification that enables a user's Web browser to automatically understand a Web site's privacy practices -- because it requires companies to embed their policies into the code of a Web site. The IE 6 browser then reads the policy -- and automatically approves or flags sites (with an on-screen warning to the Web surfer) based on the preferences set by users.
For Web companies, this creates a big challenge. So far, only about 25% of the top 100 Web sites are P3P-compliant, according to PricewaterhouseCoopers. By contrast, nearly 100% of third-party advertisers have codified their privacy policies so that IE 6 can understand them. They've moved so fast because Microsoft's version of a privacy standard takes aim at the very foundation of their business -- cookies that track users' behavior and help create sophisticated reports that inform advertisers of how often ads are being viewed. The default, or "medium," setting in IE 6 blocks all cookies of this type if they are not codified for P3P.
DoubleClick, the largest Internet advertising technology company, found itself implementing P3P in a hurry. Chief Privacy Office Jules Polonetsky says he and his team of engineers began preparing for IE 6 early in 2001. That effort, which required the company to inventory and codify all the ways its cookies can be used, took "hundreds" of hours. Adopting P3P also forced DoubleClick to delineate its policies for data storage and sharing.
"Many Web companies hadn't really thought some of these issues through. Implementing P3P has been the opportunity to put privacy policies and procedures in place, and to make sure that the Web site is in alignment with company policy," says Michael Beresik, national director of Pricewaterhouse Cooper's privacy practice.
JOINING THE CONVERSATION.
The Privacy Council, along with DoubleClick, has begun holding P3P education conferences. The three-hour sessions explain what it takes to comply with Microsoft's P3P settings and how to minimize the risk of a privacy violation. "We're seeing an incredible mix of people becoming part of the conversation -- CTOs, general counsels, and engineers," says Polonetsky. "Before they all worked separately. The right hand didn't always know what the left hand was doing."
SMALL STEPS COME FIRST.
Outspoken privacy advocates have also come out against the standard. The Electronic Privacy Information Center says cookie management is just one small part of protecting privacy. In a report issued last year, "P3P: Pretty Poor Privacy," EPIC warned that P3P "is a complex and confusing protocol that will make it more difficult for Internet users to protect their privacy." Instead, EPIC would prefer privacy tools that minimize and/or eliminate the collection of personal data.
That would seriously stunt the growth of online businesses. Instead of mandating what should be collected, P3P should act like a nutrition label -- tell consumers what's "inside" a Web site and let them choose whether or not to use it, says Microsoft Chief Privacy Officer Richard Purcell. "Despite all the challenges and bellyaching, I think P3P is great. It's not the be all-end all, but it's a starting point," says the Privacy Council's Ponemon. Anything that improves privacy is a step in the right direction.
Black covers privacy in her twice-monthly Privacy Matters column only at BW Online