Privacy safeguard proves elusive

World Wide Web Consortium

On its face, the idea seems simple: Rather than allow automated functions to erode the privacy of Web users, why not automate the processes to protect privacy?

In fact, Web browsers do allow users to set their privacy preferences. Users are then alerted if a Web site does not match their predetermined preferences.

That process, however, has proven to be far from simple for Web developers. Privacy advocates say that even though agencies are required by law to have so-called machine-readable privacy policies, most do not.

Before creating automatic alerts, agencies first have to grasp the intricacies of complicated written privacy policies.

"The main thing you've got to be able to do is understand your privacy policy," said Zoe Strickland, chief privacy officer for the U.S. Postal Service, one of several agencies complying with the mandate. "You need to get with every other player. You need to have the right people there to fully understand your privacy policies."

The technical process for adopting machine-readable policies isn't necessarily cumbersome, officials say, but it requires the same time and attention other aspects of the privacy provisions have recently garnered.

The machine-readable policies are mandated in Section 208 of the

E-Government Act of 2002.

Officials from Congress and the Office of Management and Budget may soon turn their attention to this mandate, privacy advocates say, which is expected to prompt a rise in the number of compliant agencies.

To guide agencies' implementation of the privacy provisions, OMB officials last fall required that they come up with plans for translating their policies into a machine-readable format and provided reasonable milestones for this goal.

Agencies submitted their plans

in December 2003 as part of the

E-Government Act status report, which OMB will present to Congress March 1. Officials expect Congress to ask the General Accounting Office to study federal compliance with this part of the mandate after they have received the report.

The format is intended to allow Web site visitors to easily understand how their personal information is used, stored and shared. Users can set their privacy preferences in the browser and receive notice if sites match the preferences, according to Ari Schwartz, associate director of the Center for Democracy and Technology. Today, users have to comb through often long and esoteric privacy statements posted on the sites, he said.

"It's very difficult as a consumer to know what's going to happen with your information today," Schwartz said at a forum last month.

Currently, the only way for agencies to adopt machine-readable policies is by using the Platform for Privacy Preferences Project (P3P) developed by the World Wide Web Consortium (W3C). The P3P policy directs Web browsers to notify the user, block certain cookies and provide a summary of the site's policy. It details how data is collected, what is gathered, when data is shared and how long it is retained. It also includes information about the site and how to resolve privacy disputes, such as a help-desk contact.

"It's a computer-readable language for coding all the common elements of the privacy policies," said Lorrie Faith Cranor, chairwoman of the P3P Specification Working Group at Carnegie Mellon University. "Once [the browsers] read the policies, we would like them to do something useful for us."

Despite the mandate, most federal Web sites do not have machine-readable policies, Schwartz said.

"Government sites were not becoming compliant at the same rate as commercial sites," he said. "In fact, government sites are far behind the commercial sector today."

Strickland said agencies have been dedicating their time to creating privacy impact assessments that detail how personal information is used and shared, which is required under the law for new or changing systems. This may explain why some agencies haven't addressed machine-readable policies. "There's a lot of work in that," she said. "Other agencies are starting to tackle that so it's taking up a lot of energy."

According to Brian Tretick, a principal with Ernst & Young LLP, out of 137 federal Web sites recently surveyed, only nine (or about 6 percent) comply with P3P standards for machine-readable policies. In comparison, the company found that

23 percent of the 500 most popular Web domains were P3P-compliant. Of the 19 government sites on that list, only one was compliant.

Tretick said they plan to update the status each quarter, and he expects to see a steady increase in compliant sites.

"I would [expect to] see more activity late spring into summer," he said. "They just have to do it."

Developers of commercial Web sites that use cookies to track and identify users were motivated to become compliant because without the P3P policy, users would not have full functionality on the site, Tretick said. Government Web sites don't use cookies, making the benefits of adopting the policy less apparent.

"P3P doesn't help them get over some browser functionality. They don't get that benefit, so the benefit today is not going to be tangible," he said. "It's not going to be anything so blatant. People will never notice it."

Compliance with the law may be the short-term benefit, but in the long run, the goal is to make the policies easier for users to understand, Strickland said. The larger goal here is to better serve customers. "Machine-readable [policies] really go to that," she said.

Officials from the Federal Trade Commission embarked on the process last fall when upgrading the agency's privacy policies for the Do Not Call registry, said Stephen Warren, the FTC's chief information officer. During the revision, officials decided to format the machine-readable policy, he said, and they have had it in place since at least Oct. 15, 2003. Although part of the motivation was the law, they also have an obligation to their customers, he said.

"Privacy is something we as an agency are very interested in, especially on the Internet," Warren said. "We're always aware and interested in making sure we are doing what we recommend folks do."

Warren said most agencies will likely address the machine-readable policies as part of their normal cycle for reviewing and updating their Web sites. Officials at the Social Security Administration were alerted to the requirement by the Office of Disclosure Policy, part of their general counsel's office, which was working on a privacy impact assessment.

"Frankly, I didn't know a lot about it," said Bruce Carter, SSA's Webmaster and policy analyst. He said he was vaguely aware of the P3P protocol, and he and Tim Evans, an SSA program analyst, set out to research the process.

Using an IBM Corp. tool linked to the W3C Web site, Carter and Evans simply entered their policy. This process was made easier by the agency's coherent written policy, which OMB used a few years ago as an example for other agencies.

"Once I figured out how it worked, it was a matter of filling in the blanks," Evans said. "We were able to essentially cut and paste from our text policy."

However, figuring out how it worked caused a speed bump for SSA officials as they looked to compliant Web sites for guidance. For example, they discovered that in addition to having the machine-readable Extensible Markup Language file with the extended policy, there must also be an XML file pointing to the policy, known as a compact policy.

SSA's process took three or four weeks, and they tested the site on an internal browser for a few weeks more before posting the machine-readable policy.

"Tim and I both found there was a dearth of instructions on how to work on this," Carter said. "There really needs to be better instructions on how to implement this piece of the E-Gov Act. It would have been nice to have instructions."

***

Machine-readable privacy policies

Five basic steps to adopting a Platform for Privacy Preferences Project (P3P) machine-readable policy:

* Create a baseline: Understand the various domains and pages within your Web site, the types of users and the information gathered. You should also review your written privacy statement.

* Diagnose: Review the site's practices, including the use of third-party content such as images or surveys.

* Improve: Determine if the site needs several P3P policies or a single one. Then use software to help develop the P3P policy.

* Verify: Test the site on an internal server to make sure it's P3P-compliant.

* Deploy: Launch the site and periodically review its compliance.

Source: Ernst & Young LLP