FYI: Agencies on the path to P3P

http://www.fcw.com/fcw/articles/2004/0119/web-machine-01-21-04.asp


Agencies on the path to P3P 
BY Sara Michael 
Jan. 21, 2004  

One piece of the E-Government Act of 2002 aims to make Web site policies
easier for users to understand. 

Developing privacy policies that can be understood by Web browsers would
be another step in the right direction, but most federal agencies are
lagging behind the commercial world, privacy officials said today. 

"It's very difficult as a consumer to know what's going to happen with
your information today," said Ari Schwartz, associate director for the
Center for Democracy and Technology, speaking today at a workshop hosted
by CDT and the American Council for Technology. 

Section 208 of the E-Gov Act requires agency Web sites to include
privacy policies in a machine-readable format. This is intended to allow
users to easily understand how their personal information is used,
stored and shared.  The format allows users to set their privacy
preferences into the browser and receive notice if sites match the
preferences, Schwartz said. Today, users have to comb through an often
long and esoteric privacy statement available on the site, he said. 

The only way for agencies to adopt these policies is by using the
Platform for Privacy Preferences Project (P3P) developed by the World
Wide Web Consortium.  The P3P policy directs the browser to notify the
user, block certain cookies and provide a summary of the policy. 

"It's a computer-readable language for coding all the common elements of
the privacy policies," said Lorrie Faith Cranor, the P3P Specification
Working Group chairwoman at Carnegie Mellon University, also speaking at
the workshop.  "Once [the browsers] read the policies, we would like
them to do something useful for us." 

Despite the legal mandate, most federal Web sites do not have
machine-readable policies, Schwartz said. 

"Government sites were not becoming compliant at the same rate as
commercial sites," he said. "In fact, government sites are far behind
the commercial sector today." 

But Schwartz said there are two major incentives for adopting the
policy: adherence to the law and the Congressional wrath expected in the
spring.  Congress is expected to ask the General Accounting Office to
study federal compliance with the machine-readable format mandate after
March 1, when the Office of Management and Budget will be reporting to
Congress on agencies' compliance with the E-Gov Act. 

According to Brian Tretick of Ernst and Young LLP, 23 percent of the top
500 Web domains were P3P compliant. Of those, one out of 19 government
sites, including state sites, was compliant. 

Tretick, presenting at the workshop, outlined five basic steps for
agencies to follow to implement a P3P policy: 

Baseline: Understand the various domains and Web sites within one agency,
the types of users accessing the site and the information gathered.
Agencies should also review the privacy statements and practices. 

Diagnose: Review the practices against the policy, including services
and elements provided to the site by a third party, such as images or a
survey. 

Improve: Remedy the privacy policy and determine whether the site needs
several P3P policies or a single policy. Agencies should then develop
the P3P policy, using assistive software. 

Verify: Test the site to make sure it is indeed P3P compliant. 

Deploy and maintain: Review the policy and compliance periodically and
establish processes for changing the P3P policy.  

Received on Monday, 2 February 2004 04:10:20 UTC