False Statements

 

Junkbusters and EPIC, et al. Claim

The FACTS

“There is no user base and no user demand.”

Not True. Studies have shown that Web users do want the functionality that P3P could provide.  We have seen no evidence to contradict these studies.

 

A November 1998 survey asked Web users about the importance of having a Web browser that they could configure to read privacy policies and let them know when Web sites were collecting data for purposes that did not match their privacy preferences -- 97% said this was important and 74% said it was very important.[1]  Obviously software companies believe that there is user demand or they would not be implementing the specification.

 

 

 

Junkbusters and EPIC, et al. Claim

The FACTS

The EU Commission “has rejected” P3P.

Not true. Since the drafting of an EU report[2] on an early version of P3P, the specification has changed significantly and the P3P working groups have held encouraging meetings with the EU and many European privacy commissioners. In fact, some privacy commission staff members have even joined the P3P Working Groups.

 

The EU’s report on P3P was written on the specification before it underwent substantial revisions. The EU has not officially looked into P3P since these changes. Several European privacy commissions have worked on P3P and several commissioners have made positive remarks about the new protocol as recently as August, 2000. A press release from the Independent Centre for Privacy Protection Schleswig-Holstein illustrates an understanding of how P3P can help protect privacy along with public policy standards:

 

Among European Privacy Protection Commissioners the consent grows: P3P technology is useful for online privacy, but not sufficient on its own because P3P only offers a basic standard for privacy protection. Under any circumstances, additional, effective privacy monitoring and precise laws in order to protect Internet users are required. P3P allows to transfer a great part of the model European privacy protection acts into "bits and bytes". It is more difficult for privacy protection in the USA where citizens have to get by without the backing of laws and Privacy Protection Commissioners.[3]

 

Since that report, the P3P process has benefited from the participation of a number of Data Protection commissioners from around the world, including France, Germany and Canada. At the urging of members of the European Commission, there are now many EU-supported P3P development activities, including the development of P3P products tuned to the needs of European users.

 

 

Junkbusters and EPIC, et al. Claim

The FACTS

“P3P proposes the development of an elaborate range of privacy ‘choices’ that require individual Internet users to make selections about the collection and use of personal data, even for online activities that would not normally require the disclosure of personal information, such as visiting a Web site.”

Not True. P3P standardizes notice from which choices can be made.  It does not “require” compliant technologies to have users input preferences.  The P3P Guiding Principles make it clear that practices that would invade privacy such as the automatic disclosure of personal information without a user’s consent cannot be a part of any P3P implementation.

 

P3P is designed to be an extensible framework, but the current version of P3P does not specify preference input.  The fact that the authors miss this basic point about P3P indicates that they have not closely reviewed the specification.

 

 

Junkbusters, EPIC, et al. Claim

The FACTS

“[E]arlier versions of P3P were withdrawn because the developers recognized that the proposed negotiation process was too burdensome for users and that the automatic transfer of information would be widely opposed.”

Not true. Data transfer was removed for many reasons, mostly because it is already happening through competitive protocols; specifying it in P3P was unnecessary and would only serve to slow down the specification of the more important aspects of P3P.

 

While some members of the P3P Working Groups would still like to see negotiation move forward in later versions of P3P, there is agreement in the group that the technologies to accomplish this goal need to be standardized and become more commonplace before they can be considered for future versions of the protocol.  The Working Group has had a description of the reasons for removing the data transfer mechanism on the W3C Web site since September 1999. [4]  The authors of the Junkbusters/EPIC report conveniently chose to ignore the main reason that the Group gave for not moving forward.

 

 

Junkbusters, EPIC, et al. Claim

The FACTS

“It is anticipated that this version of P3P will also be significantly overhauled once it is reviewed.”

Not True. The P3P Specification Group, which warned of major changes during earlier phases of the process, expects only minor changes during this “last call” period.

 

The P3P Working Groups have held an unusually open process for the creation of the standard, because we realize the impact that the protocol could have. This has led to meetings with many interested parties from around the world and longer than usual drafting periods. As one would expect, this led to substantial changes early on, but now the specification has stabilized. In fact, the specification has changed very little in over a year.

 

As with all Web and Internet technology, P3P has been in a period of intensive design and development. However, once P3P functionality is available in major browsers, the specification will be stable. After that, we hope that, like most features of the Web, it will continue to evolve to meet new needs. This will not burden the user; rather, it will give vendors the ability to provide important new features in response to user reaction to the first round of P3P-based products.

 

 

Misleading Statements

 

 

Junkbusters, EPIC, et al. Claim

The FACTS

“P3P fails to comply with baseline standards for privacy protection.”

This is misleading.  P3P is not trying to answer every concern of privacy on the Internet.  It is simply a means of giving users better notice and choice.

 

P3P is designed to describe the diversity of privacy practices in place on the global Web. Individuals or enforcement organizations may take action based on these descriptions, but P3P is not intended to be self-enforcing.

 

 

Junkbusters, EPIC, et al. Claim

The FACTS

“[P3P] is a misleading and confusing protocol that will make it more difficult for Internet users to protect their privacy.”

This is also misleading.  The P3P specification is not meant to be read by average users.  P3P is aimed at helping Web sites express their policies and software designers provide tools that help users read these policies.

 

The Web has proven that simple interfaces can be built using languages and protocols that are themselves too complex for the average user to understand. No one criticizes the Web because HTML is not easy enough for the average user. Even the first round of P3P prototype implementations has shown that it is possible to develop simple user interfaces that give users access to the power of the P3P capabilities.

 

 

Junkbusters, EPIC, et al. Claim

The FACTS

Cookies are “the” precursor to P3P

A preposterous and misleading comparison. Cookies by their nature do not give adequate notice or choices. Giving notice and choices is the sole function of P3P. Cookies were designed with no input from privacy advocates, public policy makers, Web site designers, or the general public. P3P has committed to ongoing discussion and open comment periods, which have been largely ignored by the report’s authors.

 

The purpose of cookies is to provide an ongoing relationship, known as “state,” between a Web site and a specific Web browser. P3P does not provide state, and creating a relationship is not the goal of P3P. P3P is designed only to give users more information about the Web site’s privacy practices.

 

Junkbusters and EPIC, et al. Claim

The FACTS

Users will be overburdened with prompts if they set their P3P settings too high.

According to the specification, a product that would overburden users is not an acceptable P3P implementation.

 

While the developer selects the default settings, the specification makes it clear that products that do not protect privacy, or that make using a product a burden on the user, are not P3P implementations. The P3P working groups realize that this will be a difficult balancing act for implementers, which is part of the reason that they are sponsoring so many demonstrations of the technology in order to get public and industry feedback.



[1] Cranor, Lorrie, Joseph Reagle, and Mark S. Ackerman. “Beyond Concern: Understanding Net Users' Attitudes About Online Privacy.” April 14, 1999. http://www.research.att.com/projects/privacystudy/

[2] Directorate General XV of the European Commission. Draft Opinion on the Platform for Privacy Preferences (P3P) and the Open Profiling Standard (OPS). Working Party on the Protection of Individuals with regard to the processing of Personal Data. June, 1998. http://www.epic.org/privacy/internet/ec-p3p.html

[3] http://www.rewi.hu-berlin.de/Datenschutz/DSB/SH/somak/somak00/p3pe_pm.htm

[4] The document <http://www.w3.org/P3P/data-transfer.html> is very clear on this issue. “[R]ecently the working group became aware that very few services which rely on obtaining user data for their business had planned to use the proposed P3P data transfer mechanism. Instead, they generally prefer to use the currently available HTML FORM fill-out or a proprietary mechanism such as ‘electronic wallets.’ The current specification allows P3P policies to cover such external data transfer mechanisms in any case, although more work is needed to specify how such mechanisms would interface with P3P software components on the client and server. Since we must support this interface to external mechanisms, and since there is a lack of demand for a built-in mechanism, the working group felt we should spend our time on other issues.”