Re: Proposal to help fight deceptive software

 From my limited experience, pushing P3P adoption is quite difficult. 
Comparing it to web seals isn't a very good comparison.  Studies have 
shown that with web seals, most users don't understand what they mean, 
and assume that they mean the site has a good privacy policy (note: this 
isn't the case; the seal only means that the site *has* a privacy policy 
and tries to follow it, it says nothing about the content of the 
policy).  Thus, by using a web seal, a company spends a little money and 
gets a huge benefit since it convinces many users that the company has 
good privacy practices, even though that might not be the case (and 
frequently isn't).

P3P is quite different.  By posting a P3P policy, a web site makes it 
much easier for the user to understand exactly what the site's policy is 
(again, this is quite the opposite with web seals).  Thus, sites that 
don't have good policies have no incentive to adopt P3P, whereas a site 
with a bad policy has a huge incentive to post a seal.

Looking at sites with good privacy policies, they also have little 
incentive to adopt P3P, and more of an incentive to use a web seal. 
Many companies have expressed reluctance to adopt P3P because they claim 
their policy changes frequently, and thus they would need to regularly 
update their P3P policy as well (it's not clear that this is really the 
case).  Additionally, the natural language policies are written by 
lawyers, so they want lawyers to update the P3P policy as well, but in 
many cases they don't have the technical skills and are unaware of the 
tools out there.  Another excuse that I've commonly heard is that they 
have specific clauses in their natural language policies that cannot be 
expressed in P3P (this is often not the case as well).  Thus, by putting 
up a seal, the company gets a similar benefit (the company appears to be 
privacy conscientious in the eyes of the user), and they don't need to 
worry about updating it or making sure the seal is consistent with the 
natural language policy.  This is the standard dichotomy of "doing the 
right thing" and "appeasing the shareholders."  It's too bad that many 
companies are myopic in this regard and do not realize that the two are 
not mutually exclusive.

So, how to fix this?  I think this is just a standard adoption/critical 
mass problem.  Once enough tools are created to help users understand 
P3P policies, a bigger demand is created.  Eventually a segment of the 
user base grows accustomed to being able to disseminate P3P information 
(whether it be through browser plugins or another means), and thus more 
sites begin adopting it.  When enough sites have adopted it, other sites 
will start adopting it.  I recently presented a paper on P3P adoption, 
which you might be interested in:

http://lorrie.cranor.org/pubs/icec06.html

Thanks,

serge

Brian Erdelyi wrote:
> I think it can work voluntarily, however, that's why I posted to the P3P 
> list.  How easy is it to get websites to voluntarily publish P3P policies?
> 
> Many vendors spend a lot of money to get TRUSTe certified.  This is 
> essentially an assurance for marketing purposes.  A Clearware label 
> could be freely used to help improve consumer awareness and show their 
> commitment to the end-user while differentiating themselves from 
> competitors.
> 
> I have been discussing with some vendors who are interested in using the 
> idea, but it's slow to get moving.  Getting vendor participation is the 
> biggest issue so far.
> 
> Brian
> 
> 
> I like that idea, Brian. I'm guessing you've already thought of this, 
> but can it work without labelling being mandatory? Presumably the 
> purveyors of deceptive software are the least likely people to comply. 
> I'd be interested to know your thoughts.
> 

Received on Thursday, 7 September 2006 17:55:38 UTC