More on The Problem with P3P

By Fran Maier

Yesterday I wrote a blog post responding to a new study by researchers at Carnegie Mellon University that found errors in websites’ implementation of P3P compact policy tokens, resulting in cookies remaining unblocked by the Internet Explorer (IE) web browser under its default cookie settings. Below is a more detailed analysis of the shortcomings of the P3P framework and a reflection on the challenges it has encountered that have prevented its widespread adoption over the last decade. I think it’s telling that the Carnegie Mellon study lacks statistics on what percentage of web visitors today actually use and/or rely on P3P compact privacy policies to make their web-surfing decisions. If the lifespan of P3P’s own working group is any indication, then it would seem an irrelevant standard for consumers, since they suspended work on P3P in 2007.

Consumers today rely on a website’s standard privacy policy and its built-in privacy settings when making online privacy decisions – this is why TRUSTe focuses its privacy certification efforts on these domains. Moreover, this is one of the reasons we see such a low adoption rate of P3P in the wild: consumers simply don’t value the framework.

In the previous blog post on P3P I alluded to issues of ‘prohibitive complexity’ and a ‘misguided implementation strategy’ – let’s take a closer look at these problems:

Prohibitive Complexity

Ari Schwartz of the Center for Democracy and Technology notes in a 2009 paper that P3P’s early development was akin to an “out-of-control construction on a kitchen that at first only needs a small new appliance (a toaster) but ends up with a plan for new cabinets, floors and lighting”.

Even when the P3P working group stripped these superfluous additions the remaining framework was still prohibitively complex. A 2010 CNET article pointedly observes that the final P3P specification “tops out at a novel-length weight of 49,000 words, while the complete text of Lewis Carroll’s Alice in Wonderland is only 29,000.” If you think your standard web privacy policy is excessively long feel free to read the full P3P specification here. By comparison, TRUSTe’s Web Privacy Seal Program requirements (which we are in the process of revising) come in at under 4,300 words.

A Misguided Implementation Strategy

This compliance burden resulted in entities selectively adopting P3P specifications, if at all. When a lack of mainstream P3P adoption resulted, some developers created a way to remove a perceived consumer annoyance in IE browsers. While we do not condone this behavior, we believe that consumer-facing privacy controls should be implemented only where they will be used – their privacy protection is only as strong as their relevance. P3P irrelevance resulting from barriers to implementation and disregard by consumers encouraged non-compliance.

Looking Toward the Future

As I mentioned earlier, TRUSTe is in the process of updating our program requirements and we will continue to require consistency across a website’s privacy notices. Our core focus continues to be on a website’s standard text privacy policies and the data practices on the site, which we verify through a combination of manual inspection by our privacy experts and automated scanning. For further comment on our certification processes you can read a comment I left in response to a post on PogoWasRight.org.

Where P3P has come up short we are eager to innovate and participate in discussions and collaborative efforts to improve the consumer privacy interface in browsers as we feel this is critical to the future success of the Internet and the protection of consumer privacy. Toward that end we look forward to working with groups like the CUPS lab at Carnegie Mellon and the Mozilla community (who have embarked on a promising project to develop standard icons to alert web users to website privacy practices, a project TRUSTe has directly supported). When it comes to the mobile web TRUSTe has been hard at work developing a product that translates the essence of privacy notice and choice to the mobile platform, optimizing privacy notices for mobile screens through short notice, icons and intuitive consumer interfaces.

At TRUSTe we’ve debated what privacy enhancing technology we should support to achieve a more automated system ensuring website privacy transparency and simplified user choice. We’ve reached an informal consensus that machine-readable XML policies are a relevant standard to support in the future, a position that I anticipate discussing further in a future blog post, so stay tuned.