Platform for Privacy Preferences (P3P): Lessons Learnt for Privacy Standards

Workshop on technical standards and privacy by design

A. Michael Froomkin, Laurie Silvers & Mitchell Rubenstein Distinguished Professor of Law, University of Miami

August 21, 2012

Slide 2: The Problem P3P Was Designed to Solve
• Privacy principle:
  • Users should control use of personal information about them held by others – or at least negotiate rules about it
• But in fact:
  • Your browser says a lot about you
  • Users share data with web sites
  • Web privacy policies are
    • Under-specified
    • Unclear, complex, non-standard
    • Unread

Slide 3: The Platform for Privacy Preferences (P3P)
• A standards-based approach
  • Server offers machine-readable policy
  • Web client retrieves privacy policy
    • Can be set to take action based on preset user preferences
    • User can import preferences from third parties
  • P3P-enabled search engines could search for content with privacy settings
    • Exclude or downgrade or flag privacy-unfriendly sites
  • Similar triage could happen at browser level

Slide 4: How P3P Works
• Standard definitions of data practices
  • Expressed in standardized vocabulary
• User agent requests P3P policy reference file
  • May be on-site or in other location
• User agent compares policy to user's preferences, acts accordingly
  • E.g. 'Privacy Bird' displays happy or angry
  • Sites are hidden, or popup warnings display
  • User can query differences from preferences

Slide 5: P3P Policy Contents
[Figure: P3P policy contents]
• Source: Lorrie F. Cranor, Praveen Guduru, and Manjula Arjula, "User Interfaces for Privacy Agents," ACM Transactions on Computer-Human Interaction (TOCHI) 13, no. 2 (June 2006): 135.

Slide 6: Advantages of P3P
• User empowerment
• No centralized content control
  • Some centralized semantic definitions
• Extensible (XML)
• No censorship (except by user choice)
• P3P spec developed by W3C consensus process
• Relies on voluntary implementation
  • User demand for privacy could drive adoption
• US FTC liked the idea ("PICS for privacy")

Slide 7: Al Gore Liked It
"I welcome this important new tool for privacy protection … It will empower individuals to maintain control over their personal information while using the World Wide Web."
-- US Vice President Al Gore (1998)

(Larry Lessig liked it too.)

Slide 8: OECD Guidelines Checklist √
• P3P did address
  • Issue of data collection directly from the user (web surfer)
  • Limitations on data use by web site can be specified, e.g.
    • Original purpose
    • Authority of law
    • Consent
    • Emergency
  • Disclosure / openness of data usage

Slide 9: OECD Guidelines Checklist X
• P3P didn't address
  • Practices relating to data collection from third parties
  • Data storage and retention
  • Data quality
  • Anything beyond honor or external legal control for data mis-use or disclosure
  • User's ability to access data about her

Slide 10: Critiques (1)
• Formless – doesn't set any minimum privacy protection
• Sets no default
  • Policy must be set by user somehow
• Doesn't require Fair Information Practices (see checklist)
• Too complex
• Will exclude good sites that don't use P3P
• Procrustean policies – what about outliers?

Slide 11: Critiques (2)
• Original spec allowed for negotiation between site and user, but this was removed from the final version, which became a take-it-or-leave-it proposition
• Generalizes existing cookie problems – invisible stuff happens, user is lost or must make endless exhausting individual decisions
• No internal enforcement mechanism, but…
  • Markets
  • External laws & regulations against fraud, lies, unfair competitive practices

Slide 12: Critiques (3)
• P3P analysis happens after the browser connection
  • Hence massive data is already sent
    • IP address
    • MAC address (IPv6)
    • Browser fingerprint
    • Referrer source
• Even if P3P were widely adopted, it fails
  • Providers likely to set protections low, making high-privacy browsing as difficult as no-cookie browsing
  • Privacy-loving users would self-exclude from much of the web

Slide 13: Was P3P the Best Tool?
• Other purely client-side tools, such as cookie blockers and anonymizers, might be surer, but what was on offer then were only narrower solutions
• Top-down regulation was not likely, and certainly not likely across jurisdictions
• Prospect of 3rd-party rulesets would make life easy for users
• XML was cool

Slide 14: Take-Up Was Low
• Less than 12 percent of the more than 3,000 websites TRUSTe certifies had an IE-compliant P3P compact policy in 2011.
• 2010 Carnegie Mellon study of 33,139 websites with P3P compact policies (CPs) found
  • "errors in 11,176 of them, including 134 TRUSTe-certified websites and 21 of the top 100 most-visited sites"
  • errors at Microsoft's live.com and msn.com!

Slide 15: Why P3P Failed
"The trouble with P3P was that consumers, lacking education or intuition about the risks of disseminating their personal data, had no incentive to spend this time on bargaining and even more importantly, the market had little or no incentive to pay or negotiate for data that they had previously collected for free. The model though, simply did not succeed. Although P3P was incorporated into Internet Explorer [6.0+] and other browsers, it has been largely ignored by the public and the market. No meaningful marketplace of choices among more or less privacy friendly websites evolved for the consumer."
-- Lilian Edwards, Coding Privacy, 84 Chi.-Kent L. Rev. 861, 864 (2010)

Slide 16: In Other Words
• P3P failed due to lack of incentives
  • Consumer behavior
    • Time involved
    • Privacy myopia
  • Web site operators
    • Do not want overhead
    • Do not want to pay to collect info
  • Info-brokers
    • Don't want the grief or the costs
• Plus, it felt complicated
  • (And, blockages inexplicable to some users)

Slide 17: What We Learn from P3P's Elegant Failure
• Economics matter enormously
  • Parties need an incentive to install tools/use standards
  • End-users have privacy myopia
    • Privacy Bird wasn't cute enough – or too beta
  • Site operators believe they can monetize info
    • Incentive cuts against adoption in many cases
• Defaults matter
  • E.g. 'Do not track' by default is more effective
• Ease-of-use matters
  • "The act of designing a social technology is not an easy one"
    -- Joseph Reagle, P3P project manager

Slide 18: Abandoned Specs Considered Dangerous
• No one swatting the bugs
• Spec allows sites to use a trick to put a cookie despite IE user's policy
  • Taken advantage of by 21/100 most visited sites including Facebook, several of Microsoft's own sites, Amazon, IMDB, AOL, Mapquest, GoDaddy and Hulu.
  • E.g. "underspecified" policy in headers with no proposed uses listed; IE 6-8 interprets that as a policy to make no use.
  • Spec looks only at proposed uses – so if there seem to be none due to malice or typos…

Slide 19: User-Unfriendliness At Work?
• Proper P3P Compact Policy (CP) statement:
  P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
  • 'SAMo' == 'We [the site] share information with legal entities following our practices'
  • 'TAI' == 'Information may be used to tailor or modify content or design of the site where the information is used only for a single visit to the site and not used for any kind of future customization.'
• What Google sent:
  P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
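As an added illustration (not from the slides, and not the logic of IE or any real P3P user agent), the Python below sketches the user-agent step from slide 4, comparing a compact policy against the purposes a user refuses, and shows the failure mode of slides 18 and 19: an evaluator that only counts the uses actually listed accepts Google's "not a P3P policy" string and an underspecified policy just the same, while a conservative one rejects anything it cannot parse. The token grammar, the NO_USES policy and the refused-token rule are assumptions made for this example.

```python
import re

# Sample P3P headers, constructed for this example. PROPER_CP is the compact
# policy quoted on the slide; NOT_A_POLICY is the string the slide says Google
# sent; NO_USES is an assumed 'underspecified' policy that lists no purposes.
PROPER_CP = ('CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo '
             'OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"')
NOT_A_POLICY = ('CP="This is not a P3P policy! See http://www.google.com/support/'
                'accounts/bin/answer.py?hl=en&answer=151657 for more info."')
NO_USES = 'CP="CAO DSP COR"'

# Compact-policy tokens are three upper-case letters; purpose and recipient
# tokens may carry an opt suffix: a = always, i = opt-in, o = opt-out.
TOKEN = re.compile(r"[A-Z]{3}[aio]?")

def parse_cp(header_value):
    """Return the token list of a well-formed CP="..." value, else None."""
    m = re.fullmatch(r'\s*CP\s*=\s*"([^"]*)"\s*', header_value or "")
    if not m:
        return None
    tokens = m.group(1).split()
    # One free-text word or typo (e.g. a digit in a token) spoils the whole policy.
    if not tokens or not all(TOKEN.fullmatch(t) for t in tokens):
        return None
    return tokens

def conflicts(tokens, refused):
    """Tokens whose base (e.g. SAM in SAMo) the user refuses. An opt-in
    suffix is not a conflict: that use needs the user's consent first."""
    return [t for t in tokens if t[:3] in refused and t[3:] != "i"]

def decide(header_value, refused, lenient=False):
    """'accept' or 'reject' a site's policy against the user's refused tokens.
    lenient=True only counts the uses actually listed, so a missing, empty or
    unparseable policy can never conflict and is waved through; that is the
    failure mode the slides describe. lenient=False treats 'no usable policy'
    as a reason to reject, the safer default for a user agent."""
    tokens = parse_cp(header_value)
    if tokens is None:
        return "accept" if lenient else "reject"
    return "reject" if conflicts(tokens, refused) else "accept"

if __name__ == "__main__":
    refused = {"SAM", "TAI"}  # user will not accept sharing or tailoring
    samples = [("proper", PROPER_CP), ("google", NOT_A_POLICY),
               ("no uses", NO_USES), ("absent", None)]
    for name, hdr in samples:
        print(f"{name:8s} lenient={decide(hdr, refused, True):6s} "
              f"strict={decide(hdr, refused)}")
```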

Slide 20: But Don't Forget the Attractive Aspects of P3P
• Worth emulating
  • User-empowering
  • No censorship
    • Nor could it easily become a censorship tool
  • Extensible
  • Not centralized
  • Invited third parties to draft and disseminate policies
• Worth debating
  • Regulatory / voluntary
  • Ties to legal regimes
    • Not really clear if this was tested by P3P
  • Failed to address transnational issues (what law?)

THANK YOU