Junkbusters

Technical standards and privacy



P3P (Platform for Privacy Preferences)


Open Letter 9/13 to P3P Developers

Open Letter to:

Lorrie Faith Cranor, AT&T Labs
www-p3p-public-comments@w3.org

September 13, 1999

Dear Lorrie and P3P developers,

This letter explains why I believe that P3P is unlikely to ever serve the privacy interests of online consumers in the US or elsewhere. On the contrary, it has come to be used by some as an excuse to delay the progress of genuine enforceable privacy rights in the US. I ask you to consider abandoning the project.

My intent in this letter is not to disparage the enormous effort that you and many others have put into the development of the P3P specification. Nor do I wish to impugn your motives in doing so, nor to say that the effort was wasted or unfruitful. I believe technology has an important role to play in protecting privacy, and much remains to be learned on how to best achieve this. (See for example the attached letter to RosettaNet on one opportunity.)

The P3P project has raised some interesting and useful questions, such as how to exchange summaries of information practices in "a decentralized and global medium," as you explain in your paper at http://www.w3.org/TR/NOTE-P3P-CACM/ and also http://www.w3.org/People/Reagle/papers/tprc97/tprc-f2m3.html. But there is currently a widespread expectation that P3P will before long solve the privacy problem that makes Jane Doe of Main St hesitate to buy online from a major US cataloger. I don't believe it will; on the contrary, I believe that the solution to that problem lies elsewhere and is being delayed by the unrealistic expectations that have accreted around the P3P project. Unjustly, it has been marketers and lobbyists, not the P3P researchers, who have portrayed P3P as the golden pot of consumer privacy just waiting at the end of the technology rainbow. For example, the DMA's comments of July 6, 1998 before the Department of Commerce claimed that technology was playing a leading role in self-regulatory efforts, citing P3P as bringing on a future where "it will be the individual user, rather than industry or government, who will determine the uses of information." The DMA also claimed at that time that P3P "will be soon available." By contrast, the academic papers on P3P have clearly stated its limitations.

But the sad reality is that more than two years -- a decade in "Internet time" -- has passed since a P3P prototype was demonstrated before the Federal Trade Commission as the great white hope of Internet privacy. The FTC recently sent to Congress a contorted report in which the Commissioners recommended (with dissent) against passing any privacy laws, while encouraging the further development of P3P. Lobbyists continue to describe P3P as the privacy technology of the future, and perhaps they secretly hope that it always will be. Before the P3P developers put even more effort into a project that has little chance of helping privacy, I ask you to review the purpose that P3P is actually serving.

This letter explains why I consider the P3P concept (as promoted by proponents of self-regulation) fundamentally flawed due to the mistaken premises on which it is based. These issues are not terribly new or difficult to understand, but they continue to be ignored. (See for example the EU's opinion at http://europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/wp11en.htm or other opinions at http://www.ntia.doc.gov/reports/privacy/selfreg5.htm and http://cyber.law.harvard.edu/people/reagle/privacy-selfreg.html.)

To see the absurdity of the current state of American privacy and P3P's part in it, imagine switching the interest concerned from privacy to copyright, a very similar right concerning the restriction of dataflows. Suppose that in response to the music industry's alarm about unauthorized distribution of songs over the Internet, a consumer group proposed a technology called the "Platform for Piracy Promises". Each consumer would configure his own "piracy policy" in his browser, stating the circumstances under which he promises to copy, modify, transmit or broadcast certain different kinds of recordings, such as poetry, country music, and heavy metal containing profane lyrics. A rich language would be developed to express information about the various uses, owners and types of content. When the consumer visits the site of a recording company to download MP3 tracks, his browser would automatically "negotiate" with the company's server to determine whether the consumer's piracy policy "matches" the recording company's "preferences" for use of its property. In reality, any sober recording executive presented with this scheme would halt the presentation at the word "preferences" and dismiss the proposal as preposterous. He might point to issues such as enforcement, redress, third parties, complexity, and lack of uniformity. The executive probably wouldn't even bother to point out that the scheme would take years to become prevalent. Clearly what is needed first is a law, and the industry obtained one last year: the Digital Millennium Copyright Act. If asked whether this scheme might help "in a decentralized global medium," the executive would reply that he would want laws and treaties and a lot more protection than the say-so of a random foreigner before he releases his precious data. (And indeed this is happening: look at the World Intellectual Property Organization Treaty and the Secure Digital Music Initiative.) He is unlikely to be convinced to wait a few years to see if the Platform for Piracy Promises might somehow work out, and even less likely to hand over his assets in the meantime.

Yet this is the equivalent of what is currently being asked of the American consumer. P3P has little more hope of protecting privacy than the Platform for Piracy Promises has of protecting copyright. As a technologist I'm fascinated by the ideas raised by P3P, but as a privacy advocate I have to take the same hard-nosed attitude as an executive with a responsibility to shareholders. P3P is not going to protect privacy, and the public shouldn't continue to be told it will.

Here are some of the principal flaws in the concept of P3P.

  1. The concept presumes that privacy is a preference that some technologically advanced minority might be granted an opportunity to avoid having violated on occasions where those people have taken a specific action designated by the companies who wish to exploit personal information. Rather, privacy is a fundamental human right that should be universally expected.
  2. The concept presumes consumers have an extremely diverse range of "privacy preferences" that should be catered to with a correspondingly wide range of options, like flavors of soft drinks. Rather, the core of consumers' desires for privacy is simple and easily stated, but unpalatable for marketers: consumers don't want their personal information sold, shared, or reused for secondary purposes. The fact that some are willing to grant specific consent for certain uses doesn't mean that they wish to make an open offer of their privacy. A bewildering range of options tends to distract consumers and policymakers from the sad fact that what should be standard equipment is hard to find or entirely absent.
  3. The concept's premise promotes the view that personal information is a secondary currency or commodity to be bartered rather than a necessary detail for performing some part of the transaction, such as delivering the ordered goods by mail. Rather than the fake-privacy doctrine of "notice and choice," which in practice means burdening the consumer with understanding complex details and attempting to opt-out of some of them, real privacy consists of limiting the use of information to what is needed, always with the explicit consent and understanding of the consumer.
  4. There is a presumption that access should be focused on a company's policy instead of access by individual consumers to information held by the company about them. Rather, a consumer should be able to assume that the company's policy is to treat her data fairly; what she then needs is to be given access to all her specific data so that she can check that it is being correctly handled in practice. She should be able to check that her understanding of what information the company should have about her corresponds with what is actually held, and amend it if not. Granted, P3P does offer a way for a site to say whether it grants access, but stops there. Standards such as the now-moribund Open Profiling Standard can be quickly recognized as marketing mechanisms rather than privacy standards by the fact that the flow of personal information is unidirectional: from the consumer to the company.
  5. The political environment surrounding the development of P3P promotes the erroneous belief that Internet privacy is something terribly complex and remote from "offline" privacy, and that technology will eventually solve the problem if given time, making legal rights and enforcement mechanisms unnecessary. Rather, the core privacy issues are identical online and offline; online consumers are more aware of the risks, so companies have been forced to give it more attention. Further, no amount of technology can ever make up for the lack of enforceable privacy rights held by the American citizen.
  6. Perhaps the most implausible premise is the view that a high level of privacy will eventually be achieved if software makers and ecommerce sites agree on a standard that (after an even longer time, as software is upgraded) might be adopted by a sufficiently large percentage of consumers, thus expressing through the market and technology an economic demand for privacy. Believing this process will succeed in protecting privacy is as naive as hoping that environmental protection would be well served by having Exxon and GM draw up standards for emission control, and by the auto industry providing consumers the opportunity to vote on these standards by checking boxes on postcards made available to them at gas stations and automobile showrooms. Rather, technologists should take as their point of departure the strong privacy rights that are being mandated by an increasing number of legislatures, and develop technology that will efficiently and effectively serve people exercising those rights.
  7. There is an unspoken assumption that as soon as a highly technical language is provided for codifying privacy policies, then marketers will offer good policies in this language. Rather, a simple argument will prove that P3P will never provide the majority with any real privacy protection or even useful guidance. Under the banner of "policy-neutral language," P3P is simply deferring the difficult decision of what the minimum acceptable standard should be. As a thought-experiment, suppose that some time in the 21st century, the P3P language is finalized and the software ready. A decision will have to be made on the defaults, designating the minimum expectation that surfers should have before the browser raises alerts on visiting a substandard site. (For P3P to have any widespread effect, it would have to be pre-installed in both major browsers, and there would have to be some such default below which an alarm is raised.) This entails a large number of questions to which no consensus answer is ever likely to be found. Should the consumer be alerted if a site's policy:
    1. says it might sell names if the consumer doesn't separately opt out?
    2. doesn't provide access to the data held by the company about the person?
    3. applies its web site privacy policy only to information gathered on the web?
  and a hundred other questions like these. It will take at least until the 22nd century for marketers to agree to defaults that are anywhere near the levels that consumers or privacy experts would want. And who would be making the decision on whether this technology and its defaults go into browsers? Microsoft and AOL/Netscape control more than 90% of the market. Do these companies have a history of choosing privacy-friendly defaults, such as those for cookies? No. Do these companies have a history of placing the privacy of consumers above the commercial interest of themselves and their marketing partners? No. Would they install defaults that alarm prospective purchasers unless stated privacy standards are higher than what they currently offer? Very unlikely. If you disagree, why not issue a public challenge to AOL, Microsoft and other sponsors of P3P and the Direct Marketing Association to propose default settings that they consider would be acceptable. If you receive no satisfactory response, take this as an admission that your project has been used as a pawn in a cynical campaign against privacy. If you receive a sensible response, present it to consumers and consumer advocates and ask whether they consider it acceptable. This exercise is unlikely to succeed in gaining a consensus, and you might as well find out whether it can before going to the mighty effort of finalizing the specification and implementing it.

As a product to protect the privacy of the average American shopper, P3P is doomed to fail, because such an outcome is not in the commercial interests of the organizations who decide whether and how it will be deployed. P3P has become a mirage in the desert of Internet privacy.

I have not considered the extrinsic hurdles faced by P3P, such as the questions of patent infringement and the technical difficulty of implementing the specification. These could probably be overcome given time. But the intrinsic problems above appear impossible to overcome.

The history of P3P is saddening, and so are the lost opportunities where similar technology similarly deployed might have helped with many other problems, such as international issues in consumer protection other than privacy. But here, unlike privacy, business groups are calling for consistent global regulations.

To summarize, I believe that P3P is unlikely ever to be adopted to an effective degree, and will not improve the privacy that Americans have in their own country. If your goal is to protect privacy, please consider devoting your resources to technologies that enhance anonymity or that support access by consumers to the data held about them by organizations. The only reason remaining for companies to keep P3P alive is as an excuse to use in their lobbying against enforceable privacy rights for the American consumer: a Pretext for Privacy Procrastination.

Sincerely,

Jason Catlett
Junkbusters Corp.

Copy to:
Ulf Brühann, DG XV, European Commission
Ann Cavoukian, Information and Privacy Commission, Ontario
Lorrie Faith Cranor, AT&T Labs
Peter Hustinx, Netherlands Data Protection Commission
David Medine, Federal Trade Commission
Larry Irving, U.S. Dept of Commerce
Peter Swire, Office of Management and Budget

Statements from Microsoft and Netscape

In response to a request for a response by P3P developers, Netscape and Microsoft posted the following statements. Catlett called them vague and non-committal.

Microsoft has been actively involved in the P3P process, has contributed substantially to the P3P syntax, and continues to consider the P3P specification for incorporation in Microsoft products. Microsoft has released enabling technologies for P3P in the past (notably the Profile Assistant in IE4.0), and continues to look for a whole solution that benefits a broad base of consumers before it implements yet another technology. (1999/10/6) [AP on Microsoft's announcement April 2000]
Netscape has always regarded consumer privacy protection to be of utmost importance to the long-term success of the Internet, and welcomes and supports open, industry-wide, standards-based efforts such as P3P to address the issue. Netscape helped pioneer P3P and continues to contribute to its development. Through Mozilla.org, we have made our source code available to web developers, and this allows anyone to add a P3P implementation to our codebase. (1999/10/8)

More on P3P

For more on P3P, see our page on the CFP 2000 conference.



RosettaNet


Background and postscript on RosettaNet

In response to coverage by Wired News on the open letter below, RosettaNet's CEO denied that the standard includes personal information. RosettaNet later issued a statement that these reports were untrue: "There is no individual consumer or corporate buyer name and information mandated at any place or any time by RosettaNet standards." Junkbusters has asked for clarification.

Wired News earlier claimed confirmation that the standard required names, addresses and telephone numbers, which Junkbusters considers personally identifying information. RosettaNet claims that this was misinformation. RosettaNet had earlier clarified that the standard is intended for business purchases rather than consumers, but this would not remove the core privacy concern. People at work are still people; people at work buy and use consumer products; and workplace privacy is very important. If the actions of people at work are tracked by other companies, that can compromise both privacy and corporate confidentiality. Also, standards have a habit of being appropriated for other standards, so it's important to address the wider consumer issue here.

For more news coverage, see our news page.

Open Letter 9/10 to RosettaNet

Mr Fadi Chehadé
Chief Executive Officer
RosettaNet

September 10, 1999

Dear Sir,

I write to ask you to design into RosettaNet specific support for the protection of personal data.

While RosettaNet has aimed at providing substantial cost-savings to companies, little or no effort appears to have been expended on individual privacy. In particular, I am concerned that the proposed standard would mandate the provision of the names and addresses of an end-purchaser to all companies in the supply chain of the product. A consumer who buys a product from a retailer should not automatically be added to the marketing databases of every distributor and manufacturer involved in assembling the product. As more consumer products contain unique identifiers, and more homes become Internet-enabled, it is essential for the privacy of consumers that the manufacturer not associate a name and address with the identifier, because this would enable the tracking of an individual's behavior.

Recently the Computing Technology Industry Association (CompTIA) expressed its disappointment with the standard, in part because of the personal data it would require businesses to exchange about their consumers (reported by the Associated Press on 9/3: http://www.techserver.com/noframes/story/0,2294,89190-140947-982075-0,00.html).

The CompTIA has a strong general point here: if the barter of marketing information about consumers were standardized and automated without regard to privacy, the Internet could be used by businesses as a gigantic real-time commercial gossip machine, creating a corporate-sponsored surveillance society beyond the nightmares of George Orwell.

Privacy advocates regard the transmission of personal information as acceptable if and only if its handling follows the internationally-recognized standards for fair information practices issued by the Organization for Economic Cooperation and Development in 1980. These guidelines stipulate eight principles; two key examples of these are that the consent of the person concerned should be obtained beforehand, and that the person should be given access on demand to the information concerning him or her.

Industry standards provide an opportunity to greatly facilitate compliance with these principles and with the data protection laws of various countries based upon them. Unfortunately RosettaNet does not yet appear to have considered this opportunity. Membership appears to be almost entirely corporate, with a few government members who appear to be in the role of standards institutes rather than data protection. Most privacy organizations would not be able to pay the $10,000 fee required for membership.

You may be familiar with two other XML-related technical standards proposals ostensibly concerned with privacy: the Platform for Privacy Preferences (P3P) and the now moribund Open Profiling Standard (OPS). In case you might have been assuming that privacy could be left out of RosettaNet and assumed to be already taken care of, please allow us the opportunity of explaining why these standards are not adequate, and where RosettaNet might succeed where these have failed.

I consider the P3P and OPS proposals fundamentally flawed because of the mistaken premises on which they are based. Details of those flaws are set out in a separate letter (to follow).

I believe that technologists should take as their point of departure the strong privacy rights that are being mandated by an increasing number of legislatures, and develop technology that will efficiently and effectively serve people exercising those rights.

This is where the RosettaNet standard may be able to help privacy. Although conceived as facilitating data flows from business to business, it could be adapted for data flow from a business to the consumer concerned. It could help consumers access the demographic and psychographic profiles that businesses maintain about them, and to answer questions such as: "What is this variable saying about me?" "How is this specific information used?" "Who has it been given to?" It could help tag data elements with specific information about the purpose for which it was collected, and the extent of the consent granted by the individual. It could help consumers see whether and when personal data is scheduled for destruction after its specified use will have passed. The standard could include an email address for an individual who wishes to be informed each time any company makes a disclosure of his or her personal information to another entity. The notification email might include details on how to review the contents of the disclosure, how to amend it, the reasons for it, and details of the permission under which the disclosure was made. These are just a few initial thoughts on the possibilities; there are surely many opportunities for standards such as RosettaNet to improve the fairness of businesses' information practice, if only the time were taken to consider them.

I call on you to:

  1. remove the sales reporting requirement mentioned above;
  2. invite to participate in RosettaNet, without a fee, government departments and Non Governmental Organizations concerned with privacy;
  3. state your commitment to striving to include in RosettaNet the best possible technical infrastructure to promote fair information practices as defined by the 1980 OECD Guidelines, and in particular to provide individuals with easy mechanisms for:
    1. the notification of the transmission of data about them,
    2. access to that information and assistance in understanding it, and
    3. the opportunity to have the information corrected or destroyed.

We thank you for your consideration and look forward to your response.

Sincerely,

Jason Catlett
Junkbusters Corp.


Copy to:
Aleli Alcala, Computing Technology Industry Association
Ulf Brühann, DG XV, European Commission
Ann Cavoukian, Information and Privacy Commission, Ontario
Lorrie Faith Cranor, AT&T Labs
Peter Hustinx, Netherlands Data Protection Commission
David Medine, Federal Trade Commission
Larry Irving, U.S. Dept of Commerce
Nicole Shelley, Computing Technology Industry Association
Peter Swire, Office of Management and Budget



Other standards


ECML (Electronic Commerce Modeling Language)

ECML "provides a simple set of guidelines for web merchants that will enable digital wallets from multiple vendors to automate the exchange of information between users and merchants. The end-result is that more consumers will find shopping on the web to be easy and compelling."


Copyright © 1996-2000 Junkbusters ® Corporation. Copying and distribution permitted under the GNU General Public License. 2000/09/13 http://www.junkbusters.com/ht/en/standards.html
