I want my P3P?

Microsoft's new way of packaging privacy leaves some Net observers skeptical.

MICROSOFT WANTS to take care of you—they want to let you know that they are out there protecting your privacy. They’d like us all to start thinking of them like, well . . . a big brother.

Bill Gates has seen the future and decided that it is in selling software as a service. To make that work, Microsoft needs people to feel OK about keeping almost all of their files and personal information “in the cloud,” stored on Microsoft’s centralized servers—a leap of faith people may not be ready to make. As a first step, Microsoft is adding automatic controls for dealing with cookies deposited by Web sites in the upcoming version of Internet Explorer, proof of just how much our privacy really means to them.

Cookies (in case you’d forgotten) are the trail of electronic breadcrumbs that Web sites leave behind on your hard drive. They allow the sites to remember you like a friendly store clerk. Then there are others, often hidden in banner ads, that allow third parties such as the infamous DoubleClick to track your movements from one site to another, collecting detailed information on what you look at and for how long. Cookies have been the bane of privacy advocates for years, since they allow companies to extract sizable amounts of personal information without anyone noticing. And, while most browsers can be reset to reject cookies, most people using them either don’t know how or discover that the resulting parade of permission notices at virtually every stop along the Web convinces them to just give up the data and be done with it.

Deborah Pierce, a staff attorney with the Electronic Frontier Foundation, says the practical effect is that consumers are forced to give away their personal information as the cost of accessing the Web. “Sites that want to track you are making you choose between not giving up your personal information [and not getting onto their sites]. They’re saying ‘It’s our stuff, it’s our contract. If you don’t give us this personal information, we’re not going to let you on our site,’” she says. “I think that’s not a fair trade.”

Microsoft’s new system relies on XML (for eXtensible Markup Language), a software language for building Web sites. Webmasters use standard codes, called the Platform for Privacy Preferences (P3P for short), to describe their privacy policies. If the policies don’t match preset levels for what is acceptable, the browser automatically rejects the cookies for you.
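
How a match between a site's declared policy and a preset level can work, as an added example that is not from this article or from Microsoft: it parses a P3P compact policy (the short token form a site sends in a `P3P` response header) and applies two hypothetical preference levels, one that accepts opt-out consent and one that requires opt-in. The token vocabulary is P3P 1.0's; the levels, the "sensitive" grouping and the sample headers are assumptions constructed for illustration.

```javascript
// Added example, not code from Microsoft or the P3P specification.
// Token names follow the P3P 1.0 compact-policy vocabulary; the "permissive"
// and "strict" levels are hypothetical, not Internet Explorer's actual rules.
const KNOWN = new Set(("NOI ALL CAO IDC OTI NON DSP COR MON LAW NID TST " +
  "CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP " +
  "OUR DEL SAM UNR PUB OTR NOR STP LEG BUS IND " +
  "PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC").split(" "));
// Assumed grouping: purposes that profile or contact the user, and
// recipients outside the site and its agents.
const SENSITIVE = new Set("PSA PSD IVA IVD CON TEL OTP SAM UNR PUB OTR".split(" "));

// Parse the value of a P3P response header, e.g. CP="NOI CURa PSAo OUR".
// Returns an array of {code, consent}, or null if no usable policy is present.
function parseCompactPolicy(headerValue) {
  const m = /CP\s*=\s*"([^"]*)"/i.exec(headerValue || "");
  if (!m) return null;
  const tokens = [];
  for (const raw of m[1].trim().split(/\s+/)) {
    // A trailing a / i / o means always / opt-in / opt-out; absent means always.
    const t = /^([A-Z]{3})([aio])?$/.exec(raw);
    if (!t || !KNOWN.has(t[1])) return null; // unrecognised token: treat as no policy
    tokens.push({ code: t[1], consent: t[2] || "a" });
  }
  return tokens.length ? tokens : null;
}

// Decide whether a cookie sent with this policy is kept at the given level.
function decideCookie(headerValue, level) {
  const tokens = parseCompactPolicy(headerValue);
  if (tokens === null) return "reject"; // missing or malformed policy
  const allowed = level === "strict" ? ["i"] : ["i", "o"];
  const ok = tokens.every((t) => !SENSITIVE.has(t.code) || allowed.includes(t.consent));
  return ok ? "accept" : "reject";
}

// Constructed sample headers (not taken from any real site).
const SAMPLES = {
  firstPartyOnly: 'CP="NOI DSP COR CURa ADMa OUR NOR NAV"',
  optOutProfiling: 'CP="NOI DSP COR CURa PSAo PSDo OUR UNRo STP NAV UNI"',
  alwaysProfiling: 'CP="NOI CUR PSA UNR IND ONL UNI"',
  bogus: 'CP="This is not a P3P policy"',
};

for (const [name, header] of Object.entries(SAMPLES)) {
  console.log(name, decideCookie(header, "permissive"), decideCookie(header, "strict"));
}
```

The same opt-out policy passes the permissive level and fails the strict one, so whichever level ships as the default decides the outcome for anyone who never opens the settings.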

“The advantages of adopting P3P in the browser,” says Richard Purcell, Microsoft’s director of corporate privacy, “are fundamentally that it enables a machine-level talk between the Web site and the person surfing the Web in order to provide better notice of what data’s being collected [and] how that data is intended to be used by that Web site.”

Up to now, browsers have let people “turn off cookies,” prompting you to choose to accept them one by one as they came along, an approach to Internet privacy that Purcell called “a kind of blunt instrument” compared to P3P’s range of privacy options.

“Keep in mind that privacy is about strangers getting your information,” Purcell says. “It’s not necessarily about people that you’re dealing with directly. It’s logical and obvious that we have to set defaults. . . . Part of what we’re trying to do here is to raise consumer awareness. We are encouraging all consumers—through the interface, through our news releases, through public presentations, through Web site postings—to begin to take advantage of the [privacy preference settings in IE 6] that enable them to control their personal information.”

The problem, according to most privacy advocates, is not with the concept in itself, but with the way it is being implemented. Since the majority of people never even look at the preference settings in their Web browsers, Microsoft is left setting the basic standards for how much private information flows out through the Web.

INTERNET PRIVACY ADVOCATES like Marc Rotenberg, director of the Electronic Privacy Information Center, don’t have a problem with XML in particular, but Rotenberg says he does see Microsoft’s use of P3P as “biased against the interests of consumers.” Like many other critics of the software and e-commerce industry’s voluntary standards, he sees legislation as the best way to keep a lid on data collection. “From the consumer viewpoint, [P3P] is a very complicated technique. We don’t see it promoting the type of uniformity that would boost consumer confidence in Net activities. In the political world, it seems [like] an effort to hold off legislation. I think it’s a detour.”

Given that people who are intimidated by their VCRs are unlikely to start experimenting with the preference settings on their Internet software, EFF’s Pierce thinks the preset standards give away far too much. “I’ve always wanted to know why they set up the defaults the way that they did. The settings are set very low, so most things are going to come through. When you combine that with the fact that most of the businesses are doing ‘opt-out’ rather than ‘opt-in,’ I just don’t see that that’s going to protect people’s privacy.”

Ultimately, the real issue is trust. For Microsoft’s grand dot-Net strategy to succeed, they need to have people trust them, and all the other companies that will be collecting and trading data on the Net, to an unprecedented degree. At the same time, Purcell says, Microsoft sees “very little agreement on the definitions of privacy, of personal information” and is “being very cautious around legislation . . . that sets a privacy threshold for individuals.”

For their part, privacy advocates say the only way to ensure that companies actually live up to the privacy policies they advertise—and don’t change them without giving users a way to back out first—is to have regulations with real teeth in them.

“This is where people who favor self-regulation and those of us who are privacy advocates part ways,” says Pierce. “We believe we need strong enforcement, which generally means something based in law. P3P doesn’t do anything with regard to that.”