Open Letter to:
Lorrie Faith Cranor, AT&T Labs
www-p3p-public-comments@w3.org
September 13, 1999
Dear Lorrie and P3P developers
This letter explains why I believe that P3P is unlikely to ever serve the privacy interests of online consumers in the US or elsewhere. On the contrary, it has come to be used by some as an excuse to delay the progress of genuine enforceable privacy rights in the US. I ask you to consider abandoning the project.
My intent in this letter is not to disparage the enormous effort that you and many others have put into the development of the P3P specification. Nor do I wish to impugn your motives in doing so, nor to say that the effort was wasted or unfruitful. I believe technology has an important role to play in protecting privacy, and much remains to be learned on how to best achieve this. (See for example the attached letter to RosettaNet on one opportunity.)
The P3P project has raised some interesting and useful questions, such as how to exchange summaries of information practices in "a decentralized and global medium," as you explain in your paper at http://www.w3.org/TR/NOTE-P3P-CACM/ and also http://www.w3.org/People/Reagle/papers/tprc97/tprc-f2m3.html. But there is currently a widespread expectation that P3P will before long solve the privacy problem that makes Jane Doe of Main St hesitate to buy online from a major US cataloger. I don't believe it will; on the contrary I believe that the solution to that problem lies elsewhere and is being delayed by the unrealistic expectations that have accreted around the P3P project. Unjustly, it has been marketers and lobbyists, not the P3P researchers, who have portrayed P3P as the golden pot of consumer privacy just waiting at the end of the technology rainbow. For example, the DMA's comments of July 6, 1998 before the Department of Commerce claimed that technology was playing a leading role in self-regulatory efforts, citing P3P as bringing on a future where "it will be the individual user, rather than industry or government, who will determine the uses of information." The DMA also claimed at that time that P3P "will be soon available." By contrast, the academic papers on P3P have clearly stated its limitations.
But the sad reality is that more than two years -- a decade in "Internet time" -- has passed since a P3P prototype was demonstrated before the Federal Trade Commission as the great white hope of Internet privacy. The FTC recently sent to Congress a contorted report in which the Commissioners recommended (with dissent) against passing any privacy laws, while encouraging the further development of P3P. Lobbyists continue to describe P3P as the privacy technology of the future, and perhaps they secretly hope that it always will be. Before the P3P developers put even more effort into a project that has little chance of helping privacy, I ask you to review the purpose that P3P is actually serving.
This letter explains why I consider the P3P concept (as promoted by proponents of self-regulation) fundamentally flawed due to the mistaken premises on which it is based. These issues are not terribly new or difficult to understand, but they continue to be ignored. (See for example the EU's opinion at http://europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/wp11en.htm, or other opinions at http://www.ntia.doc.gov/reports/privacy/selfreg5.htm and http://cyber.law.harvard.edu/people/reagle/privacy-selfreg.html.)
To see the absurdity of the current state of American privacy and P3P's part in it, imagine switching the interest concerned from privacy to copyright, a very similar right concerning the restriction of dataflows. Suppose that in response to the music industry's alarm about unauthorized distribution of songs over the Internet, a consumer group proposed a technology called the "Platform for Piracy Promises". Each consumer would configure his own "piracy policy" in his browser, stating the circumstances under which he promises to copy, modify, transmit or broadcast certain different kinds of recordings, such as poetry, country music, and heavy metal containing profane lyrics. A rich language would be developed to express information about the various uses, owners and types of content. When the consumer visits the site of a recording company to download MP3 tracks, his browser would automatically "negotiate" with the company's server to determine whether the consumer's piracy policy "matches" the recording company's "preferences" for use of its property. In reality, any sober recording executive presented with this scheme would halt the presentation at the word "preferences" and dismiss the proposal as preposterous. He might point to issues such as enforcement, redress, third parties, complexity, and lack of uniformity. The executive probably wouldn't even bother to point out that the scheme would take years to become prevalent. Clearly what is needed first is a law, and the industry obtained one last year: the Digital Millennium Copyright Act. If asked whether this scheme might help "in a decentralized global medium," the executive would reply that he would want laws and treaties and a lot more protection than the say-so of a random foreigner before he releases his precious data. (And indeed this is happening: look at the World Intellectual Property Organization Treaty and the Secure Digital Music Initiative.)
He is unlikely to be convinced to wait a few years to see if the Platform for Piracy Promises might somehow work out, and even less likely to hand over his assets in the meantime.
Yet this is the equivalent of what is currently being asked of the American consumer. P3P has little more hope of protecting privacy than the Platform for Piracy Promises has of protecting copyright. As a technologist I'm fascinated by the ideas raised by P3P, but as a privacy advocate I have to take the same hard-nosed attitude as an executive with a responsibility to shareholders. P3P is not going to protect privacy, and the public shouldn't continue to be told it will.
Here are some of the principal flaws in the concept of P3P.
I have not considered the extrinsic hurdles faced by P3P, such as the questions of patent infringement and the technical difficulty of implementing the specification. These could probably be overcome given time. But the intrinsic problems above appear impossible to overcome.
The history of P3P is saddening, and so are the lost opportunities where similar technology similarly deployed might have helped with many other problems, such as international issues in consumer protection other than privacy. But here, unlike privacy, business groups are calling for consistent global regulations.
To summarize, I believe that P3P is unlikely ever to be adopted to an effective degree, and will not improve the privacy that Americans have in their own country.
If your goal is to protect privacy, please consider devoting your resources to technologies that enhance anonymity or that support access by consumers to the data held about them by organizations.
The only reason remaining for companies to keep P3P alive is as an excuse to use in their lobbying against enforceable privacy rights for the American consumer: a Pretext for Privacy Procrastination.
Sincerely
Jason Catlett
Junkbusters Corp.
Copy to:
Ulf Brühann, DG XV, European Commission
Ann Cavoukian, Information and Privacy Commission, Ontario
Lorrie Faith Cranor, AT&T Labs
Peter Hustinx, Netherlands Data Protection Commission
David Medine, Federal Trade Commission
Larry Irving, U.S. Dept of Commerce
Peter Swire, Office of Management and Budget
In response to a request for a response by P3P developers, Netscape and Microsoft posted the following statements. Catlett called them vague and non-committal.
Microsoft has been actively involved in the P3P process, has contributed substantially to the P3P syntax, and continues to consider the P3P specification for incorporation in Microsoft products. Microsoft has released enabling technologies for P3P in the past (notably the Profile Assistant in IE4.0), and continues to look for a whole solution that benefits a broad base of consumers before it implements yet another technology. (1999/10/6) [AP on Microsoft's announcement April 2000]
Netscape has always regarded consumer privacy protection to be of utmost importance to the long-term success of the Internet, and welcomes and supports open, industry-wide, standards-based efforts such as P3P to address the issue. Netscape helped pioneer P3P and continues to contribute to its development. Through Mozilla.org, we have made our source code available to web developers, and this allows anyone to add a P3P implementation to our codebase. (1999/10/8)
For more on P3P, see our page on the CFP 2000 conference.
In response to coverage by Wired News on the open letter below, RosettaNet's CEO denied that the standard includes personal information. RosettaNet later issued a statement that these reports were untrue: "There is no individual consumer or corporate buyer name and information mandated at any place or any time by RosettaNet standards." Junkbusters has asked for clarification.
Wired News earlier claimed confirmation that the standard required names, addresses and telephone numbers, which Junkbusters considers personally identifying information. RosettaNet claims that this was misinformation. RosettaNet had earlier clarified that the standard is intended for business purchases rather than consumers, but this would not remove the core privacy concern. People at work are still people; people at work buy and use consumer products; and workplace privacy is very important. If the actions of people at work are tracked by other companies, that can compromise both privacy and corporate confidentiality. Also, standards have a habit of being appropriated for other standards, so it is important to address the wider consumer issue here.
For more news coverage, see our news page.
Mr Fadi Chehadé
Chief Executive Officer
RosettaNet
September 10, 1999
Dear Sir
I write to ask you to design into RosettaNet specific support for the protection of personal data.
While RosettaNet has aimed at providing substantial cost-savings to companies, little or no effort appears to have been expended on individual privacy. In particular, I am concerned that the proposed standard would mandate the provision of the names and addresses of an end-purchaser to all companies in the supply chain of the product. A consumer who buys a product from a retailer should not automatically be added to the marketing databases of every distributor and manufacturer involved in assembling the product. As more consumer products contain unique identifiers, and more homes become Internet-enabled, it is essential for the privacy of consumers that the manufacturer not associate a name and address with the identifier, because this would enable the tracking of an individual's behavior.
Recently the Computing Technology Industry Association (CompTIA) expressed its disappointment with the standard, in part because of the personal data it would require businesses to exchange about their consumers (reported by the Associated Press on 9/3: http://www.techserver.com/noframes/story/0,2294,89190-140947-982075-0,00.html).
The CompTIA has a strong general point here: if the barter of marketing information about consumers were standardized and automated without regard to privacy, the Internet could be used by businesses as a gigantic real-time commercial gossip machine, creating a corporate-sponsored surveillance society beyond the nightmares of George Orwell.
Privacy advocates regard the transmission of personal information as acceptable if and only if its handling follows the internationally-recognized standards for fair information practices issued by the Organization for Economic Cooperation and Development in 1980. These guidelines stipulate eight principles; two key examples of these are that the consent of the person concerned should be obtained beforehand, and that the person should be given access on demand to the information concerning him or her.
Industry standards provide an opportunity to greatly facilitate compliance with these principles and with the data protection laws of various countries based upon them. Unfortunately RosettaNet does not yet appear to have considered this opportunity. Membership appears to be almost entirely corporate, with a few government members who appear to be in the role of standards institutes rather than data protection. Most privacy organizations would not be able to pay the $10,000 fee required for membership.
You may be familiar with two other XML-related technical standards proposals ostensibly concerned with privacy: the Platform for Privacy Preferences (P3P) and the now moribund Open Profiling Standard (OPS). In case you might have been assuming that privacy could be left out of RosettaNet on the grounds that it is already being taken care of, please allow us the opportunity of explaining why these standards are not adequate, and where RosettaNet might succeed where these have failed.
I consider the P3P and OPS proposals fundamentally flawed because of the mistaken premises on which they are based. Details of those flaws are set out in a separate letter (to follow).
I believe that technologists should take as their point of departure the strong privacy rights that are being mandated by an increasing number of legislatures, and develop technology that will efficiently and effectively serve people exercising those rights.
This is where the RosettaNet standard may be able to help privacy. Although conceived as facilitating data flows from business to business, it could be adapted for data flow from a business to the consumer concerned. It could help consumers access the demographic and psychographic profiles that businesses maintain about them, and to answer questions such as: "What is this variable saying about me?" "How is this specific information used?" "Who has it been given to?" It could help tag data elements with specific information about the purpose for which it was collected, and the extent of the consent granted by the individual. It could help consumers see whether and when personal data is scheduled for destruction after its specified use has passed. The standard could include an email address for an individual who wishes to be informed each time any company makes a disclosure of his or her personal information to another entity. The notification email might include details on how to review the contents of the disclosure, how to amend it, the reasons for it, and details of the permission under which the disclosure was made. These are just a few initial thoughts on the possibilities; there are surely many opportunities for standards such as RosettaNet to improve the fairness of businesses' information practices, if only the time were taken to consider them.
We thank you for your consideration and look forward to your response.
Sincerely
Jason Catlett
Junkbusters Corp.
Copy to:
Aleli Alcala, Computing Technology Industry Association
Ulf Brühann, DG XV, European Commission
Ann Cavoukian, Information and Privacy Commission, Ontario
Lorrie Faith Cranor, AT&T Labs
Peter Hustinx, Netherlands Data Protection Commission
David Medine, Federal Trade Commission
Larry Irving, U.S. Dept of Commerce
Nicole Shelley, Computing Technology Industry Association
Peter Swire, Office of Management and Budget
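The letter above sketches what a standard adapted for the consumer's benefit would have to carry: each data element tagged with the purpose it was collected for and the consent granted, a scheduled destruction date, and a notification to the individual on every onward disclosure. The following is an added example, not code from RosettaNet, P3P or Junkbusters, showing one way to implement those tags and the checks they enable. Every class name, the sample buyer, the dates and the recipient names are hypothetical, constructed only for this illustration.

```python
"""Purpose-tagged personal data with consent-checked, logged disclosure.
Added example; not RosettaNet, P3P or Junkbusters code. All names,
dates and sample data below are hypothetical."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Consent:
    purposes: FrozenSet[str]      # purposes the individual agreed to
    recipients: FrozenSet[str]    # parties allowed to receive the element
    granted_on: date


@dataclass
class DataElement:
    name: str                     # e.g. "postal-address"
    value: str
    collected_for: str            # purpose stated when the data was collected
    consent: Consent
    retain_until: date            # scheduled destruction date
    notify: Optional[str] = None  # address informed of every disclosure


@dataclass(frozen=True)
class DisclosureRecord:
    element: str
    recipient: str
    purpose: str
    permission: str               # which consent authorised the disclosure
    notified: Optional[str]       # who was informed, if anyone


class ConsentError(Exception):
    """Raised when a disclosure falls outside the consent on record."""


class Registry:
    def __init__(self, today: date) -> None:
        self.today = today
        self.elements: Dict[str, DataElement] = {}
        self.log: List[DisclosureRecord] = []

    def add(self, element: DataElement) -> None:
        self.elements[element.name] = element

    def purge_expired(self) -> List[str]:
        """Destroy elements whose retention date has passed; return their names."""
        expired = [n for n, e in self.elements.items() if e.retain_until <= self.today]
        for name in expired:
            del self.elements[name]
        return expired

    def disclose(self, name: str, recipient: str, purpose: str) -> DisclosureRecord:
        """Release one element only if the consent covers both the purpose and
        the recipient and the element is still inside its retention period."""
        element = self.elements[name]
        if element.retain_until <= self.today:
            raise ConsentError(f"{name}: retention period has ended")
        if purpose not in element.consent.purposes:
            raise ConsentError(f"{name}: no consent for purpose {purpose!r}")
        if recipient not in element.consent.recipients:
            raise ConsentError(f"{name}: no consent for recipient {recipient!r}")
        record = DisclosureRecord(
            element=name, recipient=recipient, purpose=purpose,
            permission=f"consent granted {element.consent.granted_on.isoformat()}",
            notified=element.notify)
        self.log.append(record)
        return record

    def report(self, name: str) -> dict:
        """Answer the letter's questions: what is held, why, and who has it."""
        element = self.elements[name]
        return {
            "value": element.value,
            "collected_for": element.collected_for,
            "consented_purposes": sorted(element.consent.purposes),
            "disclosed_to": sorted({r.recipient for r in self.log if r.element == name}),
            "retain_until": element.retain_until.isoformat(),
        }


def demo() -> dict:
    """Constructed scenario: a retailer holds a buyer's address for order
    fulfilment only; the carrier may receive it, the manufacturer may not."""
    reg = Registry(today=date(1999, 9, 10))
    reg.add(DataElement(
        name="postal-address", value="1 Main St, Anytown",
        collected_for="order-fulfilment",
        consent=Consent(purposes=frozenset({"order-fulfilment"}),
                        recipients=frozenset({"retailer", "carrier"}),
                        granted_on=date(1999, 9, 1)),
        retain_until=date(1999, 12, 1), notify="buyer@example.com"))
    outcome = {}
    outcome["to_carrier"] = reg.disclose("postal-address", "carrier", "order-fulfilment").notified
    for recipient, purpose in (("manufacturer", "order-fulfilment"), ("carrier", "marketing")):
        try:
            reg.disclose("postal-address", recipient, purpose)
            outcome[recipient + "/" + purpose] = "disclosed"
        except ConsentError as exc:
            outcome[recipient + "/" + purpose] = str(exc)
    outcome["report"] = reg.report("postal-address")
    reg.today = date(1999, 12, 1)   # retention date reached: element is destroyed
    outcome["purged"] = reg.purge_expired()
    return outcome


if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

The point of the example is that the consent and retention tags travel with the data element and are checked at the moment of disclosure, so a manufacturer in the supply chain is refused the address even for the consented purpose, and the disclosure log gives the individual the "who has it been given to" answer the letter asks for.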
ECML "provides a simple set of guidelines for web merchants that will enable digital wallets from multiple vendors to automate the exchange of information between users and merchants. The end-result is that more consumers will find shopping on the web to be easy and compelling."
Copyright © 1996-2000 Junkbusters ® Corporation. Copying and distribution permitted under the GNU General Public License. 2000/09/13 http://www.junkbusters.com/ht/en/standards.html
webmaster@junkbusters.com