Computer Professionals for Social Responsibility
Some Frequently Asked Questions About Data Privacy and P3P
by Karen Coyle
Version 1.2 - 11/21/99
Why is personal data collected on the Net, and how is it used?
What is data privacy?
How do people get data about me?
Why should I worry about what's collected about me?
Isn't privacy the default?
Don't I have a Right to Privacy?
What is P3P?
What are "privacy preferences"? Is this the same as "privacy protection"?
What is the problem P3P is designed to solve?
Will P3P give me more privacy when I use the Net?
Are privacy practices really the problem?
How will P3P work?
What will I see on my screen?
Will I know when my data is passed to a Web site? How will I know what of my personal data the Web site is getting?
What data can be revealed about me through P3P?
What data do I get in return about the Web site?
How are "privacy practices" defined in P3P?
What problems doesn't P3P solve?
What if I give false data?
How long can Web sites keep my data?
What if I change my mind after I give personal data to a Web site?
What can I do if a Web site lies about their privacy practices or misuses my data?
How does P3P relate to non-commercial communication on the Net?
What other models are being used on the Net to encourage consumer trust?
What is "personally identifiable" data?
Who is W3C?
Why is personal data collected on the Net, and how is it used?
There are times when you must give out some personal data over the Internet. If you are engaging in a transaction such as purchasing an item from a web-based retailer, you have to give your address, so that the item can be delivered, and your name and a credit card number, so that the online company can receive payment. If you are signing up to receive an electronic journal or online newsletter by e-mail, then your e-mail address has to be given.
But there are many other times when you are asked for personal data over the Net. If that data isn't essential for the delivery of a product, then it is most likely being used for the purposes of marketing. For example, sites will offer some features only for "members" who sign up for a free account on their system. This allows them to track return visits and to link page views to a single user. Over time they may also gather some information on demographics and preferences. Some of this marketing may relate to you personally (e.g., you may receive targeted mailings from the company behind the Web site), and some of it may not. Web sites that carry advertisements almost always need some demographic information to inform advertisers about their audience. This can be produced in aggregate form in a way that does not reveal information about individuals. Whether it could be linked back to you, however, is hard to predict, as we discuss in "What is personally identifiable data?", below.
What is data privacy?
Data privacy is used to mean those areas of privacy relating to information about you. It distinguishes this from other privacy concerns such as spying, wiretapping, eavesdropping, etc. Data privacy relates to the use of your name, address, phone number, bank records, medical records, etc.
How do people get data about me?
Your personal data can be gathered from a wide variety of transactions and activities. Each use of your credit card becomes a recorded transaction for the company or store you are shopping with. Phone calls to 800 numbers reveal the phone number you are calling from (even if you have caller ID blocked). Forms and warranty cards that you return to companies often ask for additional information about your buying habits and demographics. Grocery store customer cards link your identity to your grocery purchases. If you are a registered voter, own a home or a business, your name and address are in public records. Unless you lead a nearly hermit-like existence, your name and address are in a large number of customer lists and other databases.
The sum of these individual bits of data, some of which you have revealed consciously and others that are inherent in transactions, can create a fairly detailed profile of you. Computer techniques called "data mining" make it possible to put together data from different sources. In this way, data about you that was gathered by different people at different times can be combined, creating a whole that is much more revealing than any of the individual parts. When you give a small piece of data about yourself during a transaction, you are unaware of the other personal data that company may have access to. This makes it very hard for you to know the effect of any one piece of data on your privacy.
Why should I worry about what's collected about me?
Many uses of our personal data are merely annoying, not dangerous: they lead to an increase in junk mail and telemarketing calls. Sometimes it can even be amusing, like the six-foot tall man named Jean who receives mail-order catalogs for the "plus woman." Other times it can be heart-wrenching, as in the case of parents who have tragically lost a newborn child but find themselves on mailing lists for new parents.
The increase in data gathering, however, increases the risk of data-related crimes like credit card fraud and identity theft. The reliance on data banks of personal information for credit ratings means that data errors have the potential to greatly disrupt the lives of innocent persons. It also provides opportunities for scam artists who base their "cons" on detailed information about their victims. The more data that there is about us in databanks over which we have no control, the more opportunity there is for this data to be used in ways that cause us problems.
Isn't privacy the default?
Only in some situations. The privacy preference model is commonly used to describe the options that consumers have in the commercial marketplace. With most consumer actions in the United States, giving your information, like name and address, to a company is an implicit agreement that they can use that data unless you specifically "opt out" by stating that you do not want to receive mailings, phone calls, etc.
In other situations, such as our interactions with medical and legal professionals, privacy is assumed to be the default and our personal information can only be revealed to others under specific circumstances.
Don't I have a Right to Privacy?
The U.S. Constitution does not name a right to privacy the way it names the right to free speech (privacy may not have been an issue at the time the founders were considering basic rights). There have been some important court decisions that maintain a basic right to privacy (e.g., Roe v. Wade), but other court decisions come to the opposite conclusion, as in the ruling that customers have no protected privacy interest in the records their bank holds about their accounts (U.S. v. Miller). U.S. citizens should inquire about data privacy legislation in their state, since privacy legislation is often enacted at the state rather than the federal level.
Some countries do specify a privacy right in their constitutions and laws -- see the GILC paper Privacy and Human Rights 1998 for a country-by-country survey of privacy rights.
What is P3P?
P3P is the "Platform for Privacy Preferences," a new Internet protocol being developed by the World Wide Web Consortium (W3C). Protocols are the agreed rules that Internet software follows when it exchanges data. This means that the P3P functions will be implemented as part of the functioning of the World Wide Web, and most likely it will be integrated into Web browsers like Netscape and Internet Explorer. P3P defines a standard way for the privacy practices of Web sites to be stated and for a consumer's personal data to be requested.
What are "privacy preferences"? Is this the same as "privacy protection"?
No, privacy and privacy preferences are very different concepts. Most people consider privacy to mean that others, especially strangers, do not have access to information about you. In the privacy preferences model, your personal data is not inherently private, since modern transactions often consist of an exchange of personal information for goods and services. Engaging in that exchange is an exercise of one's privacy preferences. So if you sign up for an online information service, such as a daily newspaper, you might be exchanging information about who you are (your email address and some demographic information) and your reading habits for access to those newspaper articles.
What is the problem P3P is designed to solve?
An article by the main developers of P3P states: "Many online privacy concerns arise because it is difficult for users to obtain information about actual Web site information practices.... Thus, there is often a one-way mirror effect: Web sites ask users to provide personal information, but users have little knowledge about how their information will be used." P3P is not designed to eliminate or reduce the exchange of personal data, but to give the Internet user a way to exercise some discretion over the exchange of that data based on the stated data gathering and use policies of that Web site.
Are privacy practices really the problem?
It is known that consumer concerns about the safety of using the Internet are a barrier to the development of electronic commerce. When polled, many Internet users indicate that they do not purchase items over the Internet because of privacy and security fears. If successful, P3P would help users overcome these fears and therefore increase the number of consumers who use the Internet for purchases.
Privacy practices are only one factor in the consumer/retailer relationship, however. Consumers develop trust relationships with companies, whether they are home-town stores, national chains, or catalog retailers, based on the company's reputation and the customer's previous experience, not on their privacy practices. Many people do mail-order shopping even though they know that the companies they are dealing with sell their address to other mail-order companies. P3P seems to be designed for situations in which that trust relationship does not yet exist. However, what isn't clear is whether knowing how the data will be used will resolve this conflict.
How will P3P work?
The first implementations of P3P have not yet been released publicly, so we don't have details about how it will look to Net users. We do know that P3P will probably be incorporated into Internet browsers like Netscape and Internet Explorer, and perhaps will be used in other Internet software. The P3P protocol does state that the software must install with the maximum "privacy" as the default. Users will provide their personal information (name, address, etc.), probably in a form, and will indicate their "privacy preferences." When the user surfs to a Web site that uses P3P, the data request of the Web site will be compared to the user's preferences. If they match, the requested data will either be transmitted to the Web site or the user will be asked to fill in a form with the information.
What will I see on my screen when data is requested?
This depends on how P3P is implemented in the browser and by the Web site. There are provisions in P3P for the Web site to provide plain language explanations of its request for data, or to promote the service it is offering in exchange for the data. This may look very similar to the statements of Web site privacy practices that can be seen on the Internet today. Because this part will be written by the Web sites themselves, and P3P isn't in use yet, we don't know what kind of practice will develop.
Will I know when my data is passed to a Web site? How will I know what of my personal data the Web site is getting?
The current version of P3P (November, 1999) does not say anything about how the data is transferred from the user to the requesting Web site once the negotiation regarding privacy practices is completed. It should be technically possible for the data to be exchanged automatically and without specifically informing the user about which data elements were received, but hopefully users will have the option to always be notified before any data is sent.
What data can be revealed about me through P3P?
The required data elements in P3P are:
Bill to address
Ship to address
P3P can also carry any number of optional elements, including (taken from P3P documentation):
- Physical Contact Information - Information that allows an individual to be contacted or located in the physical world such as phone number or address.
- Online Contact Information - Information that allows an individual to be contacted or located on the Internet such as email.
- Unique Identifiers - Non-financial identifiers issued for purposes of consistently identifying the individual such as SSN or Web site IDs.
- Financial Account Identifiers - Identifiers that tie an individual to a financial instrument, account, or payment system such as a credit card or bank account number.
- Demographic and Socio-economic Data - Data about an individual's characteristics such as gender, age, and income.
- Preference Data - Data about an individual's likes and dislikes such as favorite color or musical tastes.
What data do I get in return about the Web site?
The Web site must identify itself (although it appears that this can be as little as its Web address) and specify its privacy practices in relation to the data being requested.
How are "privacy practices" defined in P3P?
Privacy practices are defined using six purpose codes. These are: Completion and Support of Current Activity, Web Site and System Administration, Customization of Site to Individuals, Research and Development, Contacting Visitors for Marketing of Services or Products, and Other Uses.
On their own, these codes leave a lot of questions unanswered. To begin with, how is "support of the current activity" defined? And while many users will understand "contacting visitors for marketing" they probably will not expect that "research and development" includes the gathering of visitor information for marketing purposes (like getting demographic data, etc.). "Customization" can include such features as greeting you by name ("Welcome, John Smith") or showing you a message on your birthday. Each of these codes can cover a wide range of activities. For example, a user might wish to participate in a product review for the purposes of research and development but not for the marketing aspect which is included in that category.
There are two other codes that relate to how the data will be used. The first is whether the data gathered will be used in a personally identifiable way (see What is Personally Identifiable Data?, below). If this is coded "no" it does not mean that the data does not identify you as an individual; this has to do with how the data is being used by the Web site. The other code tells you whether your data will be shared with other companies or institutions. The most restrictive level of this code is "only ourselves and our agents" and the broadest is "public fora." It isn't clear how "ourselves" is defined; in this era of corporate giants, if "ourselves" extends to parent companies and subsidiaries, it could be a broader category than it seems on the surface.
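The matching step described under "How will P3P work?" and the purpose, identifiable-use and recipient codes described above can be put together as a small model. The following is an added example written for this FAQ; it is not code from the FAQ, from the W3C, or from any P3P implementation. The labels are the FAQ's plain-language names rather than the P3P vocabulary, and the data element names, the middle recipient level and the treatment of any mismatch as a refusal are assumptions made for illustration.

```python
"""A toy model of the P3P matching step.

Added example for this FAQ; not code from the FAQ, the W3C, or any P3P
implementation. The six purpose codes, the personally-identifiable flag
and the two ends of the recipient scale are the ones the FAQ describes in
plain language; element names, the middle recipient rung and the three
outcomes ("release", "ask", "refuse") are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# The six purpose codes named in the FAQ, as plain-language labels.
PURPOSES: FrozenSet[str] = frozenset({
    "current_activity", "site_administration", "customization",
    "research_development", "marketing_contact", "other",
})

# Recipient levels ordered from most to least restrictive. The FAQ names
# the two ends; the middle rung ("other_organizations") is assumed.
RECIPIENT_LEVELS: List[str] = ["ourselves_and_agents", "other_organizations", "public_fora"]


@dataclass(frozen=True)
class DataRequest:
    """One data element a site asks for, with the practices it states for it."""
    element: str                 # assumed names, e.g. "online_contact", "demographic"
    purposes: FrozenSet[str]     # subset of PURPOSES
    recipients: str              # one of RECIPIENT_LEVELS
    identifiable: bool           # will the data be used in a personally identifiable way?


@dataclass(frozen=True)
class Rule:
    """What a user is willing to release for one data element."""
    allowed_purposes: FrozenSet[str]
    broadest_recipients: str     # one of RECIPIENT_LEVELS
    allow_identifiable: bool
    ask_first: bool = True       # True: show a form to fill in; False: send automatically


# Maximum privacy, the default the FAQ says P3P requires the software to
# install with: no rules at all, so nothing is released until the user
# adds a rule for an element.
MAXIMUM_PRIVACY: Dict[str, Rule] = {}


def evaluate(request: DataRequest, prefs: Dict[str, Rule]) -> Tuple[str, List[str]]:
    """Compare one site request against the user's preferences.

    Returns (decision, reasons) with decision one of "release", "ask",
    "refuse". Refusing on any mismatch is an assumption; the FAQ only
    describes what happens when the request and preferences match.
    """
    unknown = request.purposes - PURPOSES
    if unknown or request.recipients not in RECIPIENT_LEVELS:
        return "refuse", [f"malformed request: {sorted(unknown) or request.recipients}"]

    rule = prefs.get(request.element)
    if rule is None:
        return "refuse", [f"no preference for {request.element!r} (maximum-privacy default)"]

    reasons: List[str] = []
    extra = request.purposes - rule.allowed_purposes
    if extra:
        reasons.append(f"purposes not permitted: {sorted(extra)}")
    if RECIPIENT_LEVELS.index(request.recipients) > RECIPIENT_LEVELS.index(rule.broadest_recipients):
        reasons.append(f"recipients {request.recipients!r} broader than {rule.broadest_recipients!r}")
    if request.identifiable and not rule.allow_identifiable:
        reasons.append("personally identifiable use not permitted")
    if reasons:
        return "refuse", reasons
    return ("ask" if rule.ask_first else "release"), []


def evaluate_policy(requests, prefs):
    """Evaluate every element a site asks for; each element is decided on its own."""
    return {r.element: evaluate(r, prefs) for r in requests}


# Constructed site policy (no real site): an online newspaper wants an
# e-mail address for the current activity plus marketing, kept in-house,
# and demographic data for research that it will publish in public fora.
NEWSPAPER_REQUESTS = [
    DataRequest("online_contact", frozenset({"current_activity", "marketing_contact"}),
                "ourselves_and_agents", identifiable=True),
    DataRequest("demographic", frozenset({"research_development"}),
                "public_fora", identifiable=False),
]

# Constructed user preferences: e-mail only to complete the current
# activity, kept in-house, ask first; non-identifiable demographics may be
# used for research or administration and go as far as public fora.
CAUTIOUS_USER: Dict[str, Rule] = {
    "online_contact": Rule(frozenset({"current_activity"}), "ourselves_and_agents", True),
    "demographic": Rule(frozenset({"research_development", "site_administration"}),
                        "public_fora", False, ask_first=False),
}

if __name__ == "__main__":
    for element, (decision, why) in evaluate_policy(NEWSPAPER_REQUESTS, CAUTIOUS_USER).items():
        print(f"{element:15} {decision:8} {'; '.join(why)}")
```

Run as written, the e-mail request is refused because the site also wants it for marketing contact, while the demographic request is released automatically; under the maximum-privacy default both are refused. Note what the model cannot express, which is exactly what the FAQ warns about: it has no way to check whether "research and development" quietly includes marketing, or how far "ourselves" extends.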
What problems doesn't P3P solve?
P3P actually covers only a very specific part of the online interaction: the transmittal of privacy practices to a user, and the comparison of these to the user's preferences. P3P does not increase the security of Internet transactions. It does not make it safe to send credit card numbers over the Net. It doesn't protect consumers from Internet eavesdropping that gleans passwords and consumer data as they travel over the network. Security must be provided by other mechanisms, such as the encrypted (SSL) connections that Web browsers already offer. It does not provide any enforcement of the privacy practices that are promised by the Web sites, nor does it give individuals any information about the trustworthiness of the site they are visiting. It does not address whether information gathered on the Net will be combined with information gathered elsewhere to create a more detailed profile of the user. It does not reduce the amount of personal data that is gathered from Internet users, and it is not intended to do so.
What if I give false data?
There is no way for Web sites to know if the data that you provide is false. However, if P3P becomes widely used for online transactions, some data elements (your name, address and credit card number) must be valid for the transaction to take place. Users may also be encouraged to provide accurate information if the P3P-provided data is incorporated into the personalization of sites (e.g., sites providing age-appropriate information).
How long can Web sites keep my data?
P3P does not address how long a site can store and use data. There is an optional data element that indicates whether or not the site discloses how long it intends to store the data, but only the fact of disclosure (yes/no) is addressed, not the actual length of storage.
Lengthy storage of data presents a number of problems. After many years the data may no longer be valid. Also, changes to the company's computer systems over time may separate your personal data from the original agreement for its use. In general, the passage of time can be expected to erode the privacy practices originally agreed to, often long after the consumer's relationship with the company or institution has ended.
What if I change my mind after I give personal data to a Web site?
There is no requirement that sites allow you access to your data once the immediate transaction is completed. Sites that do have this capability can indicate through P3P that they have a change agreement, which may or may not allow you to remove your data from their database.
What can I do if a Web site lies about their privacy practices or misuses my data?
In the U.S. there is no general law that prevents the gathering and exchange of consumer information, and consumer data privacy is largely being left to industry self-regulation. However, the Federal Trade Commission is concerned about business practices and privacy and has stated that it will take action against businesses that do not adhere to their own privacy statements.
In some other countries there are data privacy laws. The European Union has passed a general directive relating to data privacy and consumer protection that is being implemented in all E.U. countries. Residents of those countries may be able to appeal to the agency that regulates and enforces data privacy law for that nation and there would be penalties attached to violations of those regulations.
Some sites will join auditing services such as TRUSTe or BBBOnLine. Sites can display the logo of these services and list the auditing service in their P3P interaction only if they pass and maintain the service's auditing requirements. Users can notify the services if sites misuse personal data gathered over the Web, and the sites risk losing the assurance of these trusted auditors. This auditing mechanism is a key element of self-regulation. Note, however, that these services cover only the gathering of data over the Web and do not assure that the other privacy practices of those companies are in compliance.
How does P3P relate to non-commercial communication on the Net? (e.g., personal research)
The creators of P3P do not address the issue of non-commercial or non-financial online transactions. It is probably assumed that non-commercial sites will not use P3P. Many sites that provide information that Net users come to for personal reasons, however, are commercially based. Because the model of "pay per view" for information has not been successful, these sites are financed through advertising. The advertising model requires that they provide their advertisers with information about the site visitors who are viewing the ads. Although we may not be conscious of it, when we sign up for "free" use of an information resource on the Web (e.g., to be able to access the back files of a newspaper) we are paying for the information resource with some amount of data about ourselves. This is a model in which P3P would fit quite well, and wide-spread use of P3P could mean an increase in the use of our personal data as payment for online information.
What other models are being used on the Net to encourage consumer trust?
Other models for consumer trust exist on the Internet, such as the "peer" reporting model of auction sites like eBay. In those environments the sale takes place between individuals who have no prior knowledge of each other. Buyers and sellers use pseudonymous "handles" and do not exchange any personal data until the actual purchase and exchange of goods must be made. At this point, however, only the data that is essential for the purchase is exchanged. The trust factor is handled through a comment system where anyone can comment on their experience with the seller or the buyer. So although the sellers' real identities are unknown, their reputations are very public. Because personal data is exchanged only when it is absolutely essential (and at a point where the buyer and seller can agree to finish the transaction over traditional media, like the telephone), the e-auction environment gives both buyers and sellers a high degree of privacy.
There are also sites that set themselves up as trusted intermediaries between consumers and companies. These sites claim to pass only non-identifiable data to Web sites, such as demographic information, while they retain the anonymity of the individual user. As of yet this type of service has not gained much ground on the Net.
What is "personally identifiable" data?
This is data that can identify who you are as an individual. While you may feel that your name identifies you, in fact it is highly likely that there are others who share your name. For this reason, Social Security numbers are often requested of people because they are considered a single piece of data that identifies the individual. Driver's license numbers are similarly used.
It is difficult to assure that data will not reveal a person's identity. Seemingly innocuous data elements can identify an individual under some circumstances or when combined with other pieces of information about that person. One study showed that the combination of zip code and date of birth was enough to identify many individuals when compared against the public voter registration record.
Because data can be stored for a long time, individual bits of information about a person that are not in themselves personally identifiable may eventually build up into a personally identifiable profile over time. It's very hard to say with certainty what data is and isn't personally identifiable, which is why the P3P protocol refers only to whether the data gathered is intended to be used in a personally identifying way. However, since data may be stored for an indefinite length of time and combined with other data elements, there is no real assurance that it will not be used in a personally identifiable way some time in the future or under other circumstances.
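The linking described above, in which a released data set with names removed is matched against a public voter roll on ZIP code and date of birth, can be demonstrated on constructed data. This is an added example written for this FAQ; it is not from the FAQ or from the study it mentions. Both tables are invented and describe no real person, and the coarsened key (three-digit ZIP prefix plus birth year) is one assumed way of reducing linkability, shown so the effect of generalizing the fields can be measured.

```python
"""Re-identifying "de-identified" records by linking on quasi-identifiers.

Added example for this FAQ; not code from the FAQ or from the study it
cites. Both data sets below are constructed and describe no real person.
"""
from collections import Counter, defaultdict
from typing import Callable, Dict, List, Tuple

# Constructed public voter roll. Name and address are public record, and
# so are the ZIP code and date of birth that accompany them.
VOTER_ROLL: List[Dict[str, str]] = [
    {"name": "A. Alvarez", "address": "12 Oak St",  "zip": "02139", "dob": "1961-03-04"},
    {"name": "B. Baker",   "address": "9 Elm Ave",  "zip": "02139", "dob": "1974-11-21"},
    {"name": "C. Chen",    "address": "77 Pine Rd", "zip": "02139", "dob": "1974-11-21"},
    {"name": "D. Dubois",  "address": "3 Main St",  "zip": "02140", "dob": "1952-07-30"},
    {"name": "E. Evans",   "address": "41 High St", "zip": "02140", "dob": "1988-01-15"},
    {"name": "F. Farah",   "address": "5 River Ln", "zip": "02141", "dob": "1961-03-04"},
]

# Constructed "de-identified" release: a site shares visitor data with
# names removed but ZIP code and date of birth kept as demographics.
RELEASED: List[Dict[str, str]] = [
    {"zip": "02139", "dob": "1961-03-04", "interest": "diabetes supplies"},
    {"zip": "02139", "dob": "1974-11-21", "interest": "prenatal vitamins"},
    {"zip": "02140", "dob": "1988-01-15", "interest": "political newsletter"},
    {"zip": "02141", "dob": "1961-03-04", "interest": "bankruptcy self-help"},
]

Key = Callable[[Dict[str, str]], Tuple[str, ...]]


def full_key(r: Dict[str, str]) -> Tuple[str, ...]:
    """Quasi-identifier as released: full ZIP code plus full date of birth."""
    return (r["zip"], r["dob"])


def coarse_key(r: Dict[str, str]) -> Tuple[str, ...]:
    """Assumed coarsening: 3-digit ZIP prefix and birth year only."""
    return (r["zip"][:3], r["dob"][:4])


def link(released, roll, key: Key):
    """Join released rows to the voter roll on the quasi-identifier.

    Returns (identified, ambiguous, unmatched): identified maps a voter's
    name to the released row that matched that voter alone; ambiguous
    counts rows matching more than one voter; unmatched counts rows
    matching none.
    """
    by_key = defaultdict(list)
    for voter in roll:
        by_key[key(voter)].append(voter)
    identified: Dict[str, str] = {}
    ambiguous = unmatched = 0
    for row in released:
        candidates = by_key.get(key(row), [])
        if len(candidates) == 1:
            identified[candidates[0]["name"]] = row["interest"]
        elif candidates:
            ambiguous += 1
        else:
            unmatched += 1
    return identified, ambiguous, unmatched


def uniqueness(rows, key: Key) -> float:
    """Fraction of the population whose quasi-identifier value is unique to them.

    A data holder can compute this before release to see how identifying a
    supposedly anonymous combination of fields really is.
    """
    counts = Counter(key(r) for r in rows)
    return sum(1 for r in rows if counts[key(r)] == 1) / len(rows)


if __name__ == "__main__":
    for label, key in (("full ZIP + DOB", full_key), ("ZIP3 + birth year", coarse_key)):
        ident, amb, unm = link(RELEASED, VOTER_ROLL, key)
        print(f"{label}: {len(ident)} re-identified, {amb} ambiguous, {unm} unmatched; "
              f"{uniqueness(VOTER_ROLL, key):.0%} of voters unique")
        for name, interest in ident.items():
            print(f"  {name} -> {interest}")
```

On this constructed data the full ZIP-plus-birthdate key names three of the four "anonymous" visitors outright; coarsening to a three-digit ZIP prefix and birth year still names one, which is the FAQ's point that no field combination can be declared safely non-identifying without checking it against the other data an adversary may hold.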
Who is W3C?
The W3C is the standards body that develops new functions and features for the World Wide Web, called "protocols" (the W3C's own term for its finished specifications is "Recommendations"). It was founded by Tim Berners-Lee, the scientist who created the very first protocols that made the World Wide Web possible. It is based at MIT.
The W3C is made up of over 300 member institutions, including the major companies involved in the computer and Internet industries. New features of the World Wide Web are developed by the members of this consortium. The W3C is funded by its member corporations, which pay a membership fee and provide technical staff to work on the standards. Membership fees vary based on the size of the corporation and can cost as much as $50,000 a year ($5,000 for non-profit organizations). There are no consumer advocacy or public interest groups in the consortium at this time.
Because W3C is a members-only organization, non-members do not have access to the protocols as they are developed except when drafts are posted publicly for comment. This FAQ is based on the latest public draft (November, 1999), and there may be revisions that we have not seen. We will update this FAQ as information is made public.
- CPSR's Privacy Page http://www.cpsr.org/program/privacy/privacy.html
- CPSR's SSN FAQ http://www.cpsr.org/cpsr/privacy/ssn/ssn.faq.html
- The Privacy Rights Clearinghouse http://www.privacyrights.org/
- The Electronic Privacy Information Center (EPIC) http://www.epic.org
- U.S. Federal Trade Commission's privacy page
- The Global Internet Liberty Campaign's Privacy and Human Rights http://www.privacyinternational.org/survey/
This document prepared and maintained by Karen Coyle, with generous help from Andy Oram, Rick Barry, Harry Hochheiser and Marc Rotenberg. Send comments to email@example.com.
Created before October 2004