Rupert Neethling In cyberspace privacy equals security. If websites publicly refrain from peeking secretly into their visitors’ computers – or playing hard and fast with their visitors’ personal data – then surfers are more likely to be reassured and thus more willing to supply their data (including their credit-card details) without feeling that they are taking an undue risk. The importance of this basic concept still seems to be overlooked on some websites where trust is crucial, such as e-commerce sites. By not offering some kind of seal of approval from services like TRUSTe (www.truste.org) or Verisign (www.verisign.com), as well as a strictly enforced privacy policy, they are ill- equipped to win a visitor’s trust. And if they become a little too invasive with cookies (small bits of code sent by sites to individual computers, used commonly to identify them on return visits to those sites), then the growing number of cookie-savvy surfers must start wondering about the information they’re giving away – sometimes without even being aware of doing so.
These are some of the reasons why the developer of technical specifications for the Web, the World Wide Web Consortium or W3C (www.w3.org), decided in 1997 to launch an open-standard project called P3P (Platform for Privacy Preferences). The goal of this project, in the words of the consortium, is to develop a system whereby sites can “express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents” such as browsers. In other words, P3P will enable surfers to check a site’s privacy policy on the fly without having to read through the whole document first. In a sense this is like cookies in reverse, because users will be extracting “personal data” from websites rather than the other way around. (Cookies are small sections of code websites place on your hard drive as you surf, sometimes perhaps to save you logging into a site all the time, sometimes to track you.) P3P is a landmark development because it paves the way for the standardisation of privacy policies. This will help to correct the current imbalance between what the more invasive websites can currently get away with and the options open to surfers. Thanks to P3P, users can not only see what a site aims to do with their information upfront, but they can automate their browsers’ responses selectively. They will be able to decide beforehand what and how much information they are willing to supply, depending on the kind of privacy policy a particular website pursues. This is a major improvement over the comparatively primitive preset responses offered by browsers. Even with previously configured “trusted” sites and sites offering digital certificates, such preset responses essentially amount to “security on” or “security off”. Inflexible browsers that can only address privacy by way of blanket responses are also receiving attention from software developers. The emergence of new browser add-ons that help to adjust one’s privacy settings (such as whether to accept cookies depending on the site being visited) is a clear sign of the demand for a more sophisticated browsing environment in which the surfer isn’t treated as someone who must either put up or shut up. In line with this trend, Microsoft recently announced that it is working on a new browser (post-Internet Explorer 5.5) that will enable users to deal with cookies and other security concerns with greater personal control. Similarly, the preview release of Netscape 6 already allows enhanced control in the same area. Combined with P3P, such enhancements are set to boost the level of trust that surfers will feel in compliant websites. But while P3P seems to be a step in the right direction, it’s not the ultimate solution. The W3C readily admits that P3P doesn’t ensure that sites are going to abide by their own privacy policies. They nevertheless go on to say that their new standard could be used hand in hand with other mechanisms for confirming that sites are enforcing their own policies, as well as tools for transferring personal data securely.
The upshot is that no one standard or software package is going to make the Web risk-free by itself. Automated systems by their very nature are open to abuse. But just as it’s possible to revoke digital certificates and TRUSTe seals, so too can sites that implement P3P be monitored for infringements. Which means that at any one time we can reasonably expect the great majority of P3P-enabled sites to tell the truth when they say exactly how much respect they have for our privacy. After being in development for almost three years, P3P was subjected to its first round of public tests in New York in June. Companies such as Microsoft, IBM, AT&T, Hewlett-Packard, America Online and Proctor and Gamble have announced that their sites or portions of their sites are already P3P compliant.