Response to Jason Catlett's open letter on P3P from Ann Cavoukian on 1999-09-29 (www-p3p-public-comments@w3.org from September 1999)

From: Ann Cavoukian <Acavouk@ipc.on.ca>
Date: Wed, 29 Sep 1999 16:43:37 -0400
To: www-p3p-public-comments@w3.org
Message-Id: <s7f241df.037@ipc.on.ca>

Mr. Jason Catlett
Founder and CEO
Junkbusters Corporation

September 29, 1999

Dear Jason:

Thank you for copying me on your open letter to Lorrie Faith Cranor, head of the development team regarding the Platform for Privacy Preferences (P3P). Given your prominence and history of advocating for the protection of consumer privacy in the electronic world, I reviewed your letter and its arguments closely.

As you know, my office has been a supporter in the development of P3P as a machine-to-machine protocol to allow consumers to respond in an informed way to the stated data use practices of Web sites. We participated in a sub-committee of the P3P project as well as having publicly supported the work of the P3P team in a speech given to the Data Protection Commissioners' Conference in Spain last year. Our involvement was, and continues to be, as a party with no vested interest or business ties. Our goal, like yours, is to advance informational privacy. P3P, once implemented, should, in my view, bring a greater measure of control to the consumer regarding what information he or she decides to share with a Web site and how the information can be used. This will result in more control than consumers currently have, which, at present, is very limited.

Our support of P3P in this context remains unchanged. However, you have raised a number of key points that need to be addressed by the P3P team, especially in the area of communications and marketing. P3P has likely been oversold as the 'privacy technology of the future' by lobbyists and third parties outside the P3P team. I agree that the development of privacy standards and regulatory frameworks (whether as legislation, or as an industry developed and policed regulation) have been delayed. However, this cannot be wholly attributed to the expectation, held by some, that P3P will resolve the current privacy issues faced internationally or in the United States. There are social, political and economic forces at work that make this far more complex than laying all the blame on P3P. But that should not stop us from "moving the yard sticks" regarding informational privacy.

We, like you, have not stopped our efforts to promote the importance of privacy in other areas beyond P3P. My office has been deeply involved in:

* strongly supporting the development and passage of Canadian privacy legislation aimed at the private sector, due out later this year,
* advancing the use of privacy enhancing technologies that give individuals greater control over their personal data.

I agree with you that P3P should not be construed as a promotional tool for self-regulation. P3P is viewed as neutral to the regulatory/standards/legislative environment under which it will operate. As I mentioned, you have identified a number of challenges that the P3P project needs to address. At the top of my list I would put better communication and marketing regarding what P3P will and will not do. This a job for the P3P team and I have committed my office to assist in this area.

Second, I agree with you on the need to explore standards as well as privacy-friendly defaults that could be used by P3P. My understanding is that P3P has already made some headway in that area. P3P has the ability to include third party APPELs (a P3P Preference Exchange Language) that would act as defaults which a consumer could choose from to identify the actions to take depending on the type of disclosures made by a Web site. You are right to suggest that standards and defaults are a major challenge, but they are also a necessary step.

Finally, I agree that the jury is still out as to the level of adoption that P3P will have. Only time will tell. Consumers, as many surveys have shown, place privacy in the on-line world as one of their top concerns.

The arguments you bring forward suggest to me that, rather than simply abandoning P3P, we need to redouble our efforts to address the issues you have raised.

Sincerely yours,

Ann Cavoukian, Ph.D.
Commissioner

c.c. Ulf Brüühann, DG XV, European Commission
Lorrie Faith Cranor, AT&T Labs
Peter Hustinx, Netherlands Data Protection Commission
David Medine, Federal Trade Commission
Larry Irving, U.S. Dept of Commerce
Peter Swire, Office of Management and Budget
Tara Lemay, Executive Director (President), Electronic Frontier Foundation

Received on Wednesday, 29 September 1999 16:46:44 UTC