- From: Serge M. Egelman <egelman@cs.cmu.edu>
- Date: Thu, 07 Sep 2006 10:54:57 -0700
- To: Brian Erdelyi <brian@clearware.org>
- CC: "STRUAN.ROBERTSON@OUT-LAW.COM" <struan.robertson@out-law.com>, www-p3p-policy@w3.org
From my limited experience, pushing P3P adoption is quite difficult. Comparing it to web seals isn't a very good comparison. Studies have shown that with web seals, most users don't understand what they mean, and assume that they mean the site has a good privacy policy (note: this isn't the case; the seal only means that the site *has* a privacy policy and tries to follow it, it says nothing about the content of the policy). Thus, by using a web seal, a company spends a little money and gets a huge benefit since it convinces many users that the company has good privacy practices, even though that might not be the case (and frequently isn't). P3P is quite different. By posting a P3P policy, a web site makes it much easier for the user to understand exactly what the site's policy is (again, this is quite the opposite with web seals). Thus, sites that don't have good policies have no incentive to adopt P3P, whereas a site with a bad policy has a huge incentive to post a seal. Looking at sites with good privacy policies, they also have little incentive to adopt P3P, and more of an incentive to use a web seal. Many companies have expressed reluctance to adopt P3P because they claim their policy changes frequently, and thus they would need to regularly update their P3P policy as well (it's not clear that this is really the case). Additionally, the natural language policies are written by lawyers, so they want lawyers to update the P3P policy as well, but in many cases they don't have the technical skills and are unaware of the tools out there. Another excuse that I've commonly heard is that they have specific clauses in their natural language policies that cannot be expressed in P3P (this is often not the case as well). 
Thus, by putting up a seal, the company gets a similar benefit (the company appears to be privacy conscientious in the eyes of the user), and they don't need to worry about updating it or making sure the seal is consistent with the natural language policy. This is the standard dichotomy of "doing the right thing" and "appeasing the shareholders." It's too bad that many companies are myopic in this regard and do not realize that the two are not mutually exclusive.

So, how to fix this? I think this is just a standard adoption/critical mass problem. Once enough tools are created to help users understand P3P policies, a bigger demand is created. Eventually a segment of the user base grows accustomed to being able to disseminate P3P information (whether it be through browser plugins or another means), and thus more sites begin adopting it. When enough sites have adopted it, other sites will start adopting it.

I recently presented a paper on P3P adoption, which you might be interested in: http://lorrie.cranor.org/pubs/icec06.html

Thanks,
serge

Brian Erdelyi wrote:
> I think it can work voluntarily, however, that's why I posted to the P3P
> list. How easy is it to get websites to voluntarily publish P3P policies?
>
> Many vendors spend a lot of money to get TRUSTe certified. This is
> essentially an assurance for marketing purposes. A Clearware label
> could be freely used to help improve consumer awareness and show their
> commitment to the end-user while differentiating themselves from
> competitors.
>
> I have been discussing with some vendors who are interested in using the
> idea, but it's slow to get moving. Getting vendor participation is the
> biggest issue so far.
>
> Brian
>
>
> I like that idea, Brian. I'm guessing you've already thought of this,
> but can it work without labelling being mandatory? Presumably the
> purveyors of deceptive software are the least likely people to comply.
> I'd be interested to know your thoughts.
>
Received on Thursday, 7 September 2006 17:55:38 UTC