Computerworld

MS, Others Unveil Online Privacy Tools

FRAMINGHAM (06/21/2000) - At a conference in New York today, Microsoft Corp. and other companies unveiled software tools - based on an Internet privacy specification proposed by a World Wide Web Consortium (W3C) working group - that they said should help protect the privacy rights of online consumers.

Microsoft said support for the Platform for Privacy Preferences (P3P) specification - which offers Web sites a way to communicate their privacy policies in a standard, machine-readable format - will be included with the next major version of its Windows operating system, code-named Whistler, which is due out next year.

A number of smaller software vendors made similar announcements at today's event, and companies such as America Online Inc., AT&T Corp., Hewlett-Packard Co., IBM and Procter & Gamble Co. said all or parts of their corporate Web sites are being made P3P-compliant.

In addition, the White House said in a statement released today that it supports the W3C's privacy initiative. The statement also said that the White House's Web site, as well as the Department of Commerce's and 35 other public and private Web sites, plan to demonstrate the P3P specification.

But the W3C's efforts to protect online privacy - which come as Congress is considering whether to enact privacy legislation or allow companies to self-regulate - have drawn criticism from others who aren't sure the P3P specification can adequately protect consumers.

In testimony before the Senate Commerce Committee last week, Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC) in Washington, said the privacy research group doesn't think P3P will do enough to promote online privacy.

The W3C's proposed standard "builds on the very weak 'notice and choice' approach that is increasingly asking consumers to trade in their privacy for the benefits of electronic commerce," Rotenberg said. EPIC contends that P3P technology requires Internet users to decide how much privacy information they want to divulge before they access information - which it says is tantamount to asking them how much privacy they want to give up.

In addition, privacy groups such as EPIC and Junkbusters Corp. in Green Brook, New Jersey, are concerned that the P3P specification lacks an enforcement mechanism. Jason Catlett, president of Junkbusters, said P3P is a "complex and confusing protocol that will make it more difficult for Internet users to protect their privacy."

Horst Joepen, CEO of Webwasher.com AG, a German developer of privacy software that's backed by electronics giant Siemens AG, also criticized the P3P proposal in a telephone interview. Consumers still would run the risk of giving out sensitive personal information such as their names, telephone numbers, birth dates and addresses, Joepen said.

And even if a Web site states that it has a P3P-compliant privacy policy, there's no way for individual consumers to verify its existence, Joepen claimed. No one, he added, ever verifies that Web sites actually conform to their stated privacy policies.

But Lorrie Cranor, chairwoman of the P3P working group and a senior technical staff member at AT&T Labs in Florham Park, New Jersey, said P3P is only meant to be one part of the online privacy puzzle. "Other pieces, like legislation (that would address enforcement issues), are also needed to complete this puzzle," she said.

And Richard Purcell, director of corporate privacy at Microsoft, said the Federal Trade Commission does hold Web sites to the policies that they list on their Web sites. He added that consumers should look for Web sites that have been certified by BBBonline, TRUSTe or other Web certification organizations.

"Consumer privacy is a complicated issue," Purcell said. "And P3P helps simplify the understanding that consumers have of this issue."

The W3C, an international industry group with more than 420 members, said it expects to finalize the P3P specification later this year.