A Response to "P3P and Privacy: An Update for the Privacy Community" by the Center for Democracy and Technology

Karen Coyle, May, 2000

The Center for Democracy and Technology's April 2000 statement on P3P acknowledges some facts about P3P that we can all agree on:

There are still a number of areas where we disagree, many of which are covered in my original paper on P3P and the FAQ on data privacy that I authored for CPSR. Among these are: What it comes down to, however, is that I have fundamental, philosophical differences with CDT and the other developers of P3P. They aren't about the details of what P3P does or doesn't do, they are about whether P3P should exist at all. This is why we will never be in agreement, and I will never do as they call for at the end of their document, ... So I want to take a look at some of those basic differences and make them explicit as part of my criticism of P3P.

Personal Data and the Web

CDT states that personal data collection is a necessary part of the web experience: "... with anonymity or pseudonymity a person would be hard pressed to be involved in the full diversity of interactions occurring on the Internet."

Is this really the case? What activities on the WWW require you to give out information about yourself? We aren't talking here about communicating with friends over e-mail, or even participating in chats or newsgroups. We are talking only about visiting web sites, which is what the P3P protocol pertains to. (This in itself is artificially limiting as we have seen with incidents involved RealAudio and Comet cursors, where programs downloaded off of the Internet contained tracking devices but were not covered by the privacy policy of the web site.) Here are the situations that I can imagine where the collection of your personal data is required for participation in the WWW:

  1. Purchasing a product online. In this case, you must give your name, your credit card number, the address that is associated with that credit card number, and the delivery address. Under some circumstances, it may be necessary to contact you about the purchase, and most vendors will prefer to telephone or e-mail you rather than write a letter, so you will probably need to supply one or both of those contact methods.
Right, that's it. There are many other situations where you have to establish an identity of some kind, such as in online support forums sponsored by vendors. In some cases you interact using an e-mail address, which although it may be pseudonymous it is likely that your identity could be established from that information. But if we are talking about giving out your personal data, that is the information that identifies, describes and locates you in the real world, then there are very few interactions on the Web that depend on your real life identity and coordinates.

The fact is, however, that the purchase situation above is not the main interaction that is being addressed by P3P. Nor is it the primary way that data about is being gathered on the Web by sites that you visit. "Visit" is the key phrase here: most data is being gathered about you when you visit web sites, not when you make purchases or engage in any activity other than merely looking at the site. The current revenue model on the Net is the same advertising model that applies to commercial television, commercial radio, and magazine publishing: these products exist to deliver advertising to what in e-commerce is chillingly referred to as "eyeballs."

This reference to Web users as disembodied orbs, millions of virtual Santa Lucias, stands in contrast to the warm invitations to "join" a site's inner group of members or to personalize a site as your own online home. Users are not explicitly asked to give up their data for the purposes of marketing, they are offered "services" that were often devised purely as a way to get users to reveal information about themselves. Those personal services exist not because online users asked for them nor are they the only possible options for providing shortcuts to frequently visited sites; they exist solely as a way to gather data for marketing.

The personalization that a typical portal site allows is really a disguised selection between sponsors. The site allows you to choose among its shopping services or its news categories (e.g. stocks, sports); this establishes a basic profile of interests. Then you type in your zip code so that your local weather will appear on the page; now they have your geographical location. You can also type in your date of birth so that your daily horoscope will be included on the page; now they have your age as well as a data element that, combined with other information, can at times be used to identify you in other databases. You may also be able to add your own links the page but it is possible that the randomness of these links makes them virtually useless for the marketing function. All that matters is the selection that you make from within the advertising profile that the site supports.

That some users may find these personalized sites convenient or appealing does not make them necessary, nor does it justify the invasion of privacy that this personalization makes possible. Is the gathering of personal information necessary to the function? Not at all. Any Web user with a certain amount of technical skill can create a page for herself that links to news, local weather, and other information resources of interest. And any site on the Net could provide personalized pages but not use the information for anything other than delivering those sites to users. The use of the profiles of these pages for commercial purposes has nothing to do with the technology of the Internet and everything to do with economic models.

Note that should P3P come into use the sites will have to reveal that the information about profiled members is used "to customize the site" and for "research and development." Yes, the gathering of data about customers for the full range of marketing and product development is called "research and development."

Having a Choice

"As privacy advocates, we believe that -- armed with more information -- individuals will seek out companies that afford better privacy protection."

This statement in the CDT document is hopeful but entirely unfounded. It makes the assumption that there are equivalent services on the Web that differ only in their privacy policies. There are two reasons why this is unlikely to be true. The first is that if the revenue model of the sites is that of being supported by advertisers, no site will be able to afford a significant amount of privacy compared to another. Even for sites that are mainly used for purchases, the sites that gather data for advertisers will be able to offer the lower prices. In the P3P model, choosing to give up more personal data for a lower price on goods is the definition of an "informed choice," and this is the kind of choice that we can expect people to be given. None of the choices will be to maintain ones privacy. As a matter of fact, if there is no great variation in the choices offered by sites, the impact of a protocol like P3P will be nil.

The other reason that choices are and will be limited on the Web is that information services tend to be unique. Because of the nature of intellectual property and copyright, there is generally only one outlet for an information resource. This is something that is often missed even by economists when they discuss the market model in an information environment. If I want to read the New York Times online but don't like their privacy practices, it doesn't do me any good to read another newspaper instead. My choice is simply to give up my personal data or to not get the product. In the case of the Times it is fortunately available off-line through newsstands where I can purchase it and read the articles anonymously. In the case of information resources that are only available electronically, I have no alternative format.

CDT is right that reaction of consumers about the most egregious of privacy invasions does have an impact on industry. But the day-to-day trickle of our data into the banks of direct marketers is the basis for the economy of the Net. If we rebel against that we have to develop some other model for supporting the Net infrastructure. Companies are pouring millions of dollars each year into their web sites, most of which are bringing in no revenue other than that provided by advertising. We can perhaps haggle about some of the details but it has been well-established that the connection between our virtual selves and our potential as consumers is the economic basis of the current version of the Internet. The question for us, therefore, is whether this is the Net we want and if we can create other options.

While it may seem overly idealistic to suggest that we could reinvent the Web with a different revenue model, there are good reasons to do so. There are reasons why the advertising revenue model is not the best one for our communications and information systems. Advertising works well for some products and for entertainment because these are promulgated appropriately through popularity, and advertising is entirely about making things popular. Information does not lend itself to the popularity contest model. Because it is hard to judge what information will be useful in the future we don't want only today's best-selling information to survive. Ideas don't kill each other off the way that "winning" products eliminate their rivals. A successful idea needs the unsuccessful ones to explain itself and continue its existence. And in our liberal world we expect the unpopular ideas to remain in circulation at least in libraries and academic environments where they can be constantly reassessed for validity.

If you need a popular product, information and ideas are not what you should be pushing. It's easy to see why the Web has become more of an entertainment center over the years since the privatization of the Internet, as compared to the information intense resources that were available when the Internet was non-profit and publicly funded. We can't expect the current model to support non-entertaining information services yet our information resources are increasingly digital and therefore need the Internet (or something very similar) as their delivery vehicle. We are in a bit of a pickle, no question about that, but the privatized Internet does not seem to be the answer to these particular needs. Since my field and my interest is in information services not entertainment, I am not content with this aspect of today's Web.

Is Any of This Really Necessary?

P3P is not a technical standard like XML or HTML 4.0. It is not about how the Net works. It addresses the current economics of the Net which are separate from the technology. As a matter of fact, the basic technology of the Web hasn't changed since 1990, yet the addition of P3P to the web protocols would have seemed nonsensical in 1992 or even 1994. It is appropriate that P3P is under the W3C category "Technology and Society," because it really is about a technological approach to a social issue. Although it would be implemented in the Web technology it is more about that economic model than it is about the structure of the Web and how it functions.

What P3P does represent is a tacit acceptance of the great increase in the tracking and monitoring of our minor activities that takes place over the Web. I say that it is an acceptance of this monitoring because it is designed to allow Web users interact within that environment, rather than trying to change the environment into one where the monitoring would not take place.

P3P and the assumptions behind the protocol tell us a lot about the Web and the kind of activities that take place there. P3P is clearly designed for an interaction between strangers, one of whom may decide not to continue the relationship based on the privacy policy or privacy desires of the other. An interaction that will be broken over the issue of privacy policy is probably a very thin interaction to begin with, with limited goals. The idea that a privacy policy will make or break a web site is a statement about the contentlessness of the web. If the site has something that people need, really need, many will visit it regardless of the site's privacy policy. We already make this decision in our offline interactions: we give up our privacy in order to obtain a driver's license, to purchase a home, to enroll in an educational program. We also give up some amount of privacy to speak out in public, to sign petitions for or against causes, to run for office.

There is concern about the privacy implications of these offline interactions but we perceive something different about the privacy invasions that take place over the Web. Part of the difference is that the requests for our personal data are not part of essential services, so there is very little justification for our loss of privacy on the Web. We might understand that property ownership requires us to identify ourselves to the community, but we are less willing to give up our privacy in order to see a weather report on our screens or listen to music over the Internet. It's not just that we are losing our privacy but that we can see no social justification for the information that is being gathered. It is notable that the same Net community that went wild over the idea that Lotus would market a CD ROM with personal data for marketing purposes did not take up the rallying cry against the giving their information to the 2000 U.S. Census. For all that the Net has a reputation of being a haven for privacy absolutists, there does seem to be some discernment that takes place.

Solutions for Privacy

How hard is it to protect the privacy of Internet users? It doesn't require complicated protocols. The first solution for maintaining privacy on the Web is to avoid giving out information about ones self. This means not signing up for personalized pages, not becoming a member of any site. For those who wish to participate in online forums or sign up for some services they can create a pseudonym and use an account created on a free e-mail service as their return address. For an even more secure identity, the company Zero-Knowledge will provide five untraceable identities that can be used for all kinds of Net interactions.

Because much of the tracking of site visitors is done through cookies, control of cookies is a vital part of maintaining privacy. The main Web browser programs, Netscape and Internet Explorer, have limited cookie controls built into them: they allow users to accept all cookies, reject all cookies, or be asked to make a decision for each cookie. None of these options works well, however. If you reject all cookies there are some sites that you will not be allowed to access; if you examine each cookie before accepting it you will be so bombarded with pop-up windows that it will be nearly impossible to surf the Web at all (some sites will attempt to send as many as thirty cookies before giving up). The best solution is to install one of the many "cookie cutter" programs that allows you to profile what cookies you do and don't accept and to easily delete any cookies that you have received in the past. This allows you to accept cookies from site you do trust and where you wish to maintain a relationship, such as a technical support site that keeps track of open problem reports through a cookie identity, and to automatically reject cookies from marketing companies like DoubleClick.

It is interesting to note that these more privacy-oriented cookie controls, although not at all complex as a technology, are not available in the browsers themselves. Had they been included in the primary Web browsers and been in wide use over the last five years, the Net would be different to what it is today in terms of personal privacy. We have to conclude that the developers of browsers made a conscious decision not to include privacy-oriented cookie controls because it might interfere with the economic model of many Web sites, including their own. It is also significant that the P3P privacy policy interaction relates solely to the immediate Web page that is visited. This means that P3P does not include the gathering of data through banner ad cookies and thus ignores the vast majority of privacy invasions on the Web.

Educating Web users to these two very simple methods of maintaining their privacy would not only mean privacy gains for users but it might even begin to change the nature of the Web by giving users some real choices.

©Karen Coyle, 2000
Creative Commons License
This work is licensed under a Creative Commons License.