Nilesh's Weblog

P3P Not PET

With reference to my query on Ask Slashdot, a fellow /.er put up a nice link to an article on why P3P is not a Privacy Enhancing Technology. Get the article from here [pdf]. To quote some points -

P3P fails as a privacy-enhancing mechanism because P3P does not aim at protecting personal identity, does not aim at minimizing the collection of personally identifiable information, and is on a completely different trajectory than the one prescribed by the definition of PETs. P3P provides no genuine privacy protection: instead of being used to minimize the collection of personally identifiable information, P3P can easily be used to obtain data from consumers by facilitating the collection of personal information through the guise of notice and choice.
…
Why does P3P not ensure that websites conform to their privacy policies? Suppose a user sets his/her privacy protection preferences and a certain site satisfies the criteria (that is, does not get marked as a restricted site). Currently, P3P does not ensure that the website actually conforms to its privacy policies. How can we minimize the resultant false sense of security created for Internet users?
…
Why is P3P unsuccessful in getting Internet users to play an active role in their privacy protection? Panelists at the Internet Education Foundation sponsored P3P workshop pointed out that while most people acknowledge that their privacy protection is important, most people do not take the time to read privacy policies. Nor do the users pay attention to or tinker with the default settings. Consequently, it is at best uncertain that users will take the time to actively set their privacy preferences or to read the privacy-compliance summaries provided by P3P clients. This challenge of getting users to play an active role in their privacy protection is compounded by the fact that the average person is not technologically savvy.