White Paper:
Platform for Privacy Preferences Project (P3P)
& Citibank
Kenneth Lee
Gabriel Speyer
Citibank Advanced Development Group
10/22/98
Disclaimer: The original purpose of this email was for internal circulation. It is being volunteered to the members of the P3P Implementation and Deployment Working Group of the W3C, and all other interested parties. The opinions expressed below are simply a statement of position or opinion of two Citibank employees, and do not necessarily reflect the positions or opinions of Citibank (or Citigroup) as a whole, nor any of its subsidiaries or agents.
Executive Summary
The purpose of this White Paper is to briefly explain what P3P is, and more importantly to examine its benefits and drawbacks as they relate to Citibank. In conclusion:
- P3P is both a way for users to specify under which conditions they are willing to divulge personal information to web sites, and a method of delivery of that information.
- Although it has some advantages, the concerns or issues from Citibank’s point-of-view include (but are not limited to) the following:
  - From a consumer standpoint, using P3P may be quite confusing, as the user may feel inundated with "legalese" and too many choices.
  - Implementing P3P might limit the amount of marketing information, commerce and cross-selling a company can conduct online.
  - P3P is just one component of what should be a full framework for online privacy. For P3P to be widely deployed and properly used, other (perhaps costly) measures must be bundled with P3P implementation to reconcile consumers’ and companies’ preferences. Such measures would include: self-auditing, a process of recourse for users, education/enforcement and authentication.
Note:
All information in this white paper is based on the Working Draft of P3P (Platform for Privacy Preferences), dated July 2, 1998. This working draft is merely a guide, or standard, that vendors should follow when implementing P3P into browsers, etc. The final implementation may vary.
Summary of P3P:
P3P (Platform for Privacy Preferences) is a way for users to specify the conditions under which they are willing to divulge personal information to web sites. It is also a way for users to know what the web site’s privacy policies are (how it will use the personal information it collects from users) and to reconcile the preferences of the users with the policies of the web site.
Note: Users always have the option to not use P3P at all on their browsers. So, in the worst case, the release of P3P would have no effect.
Note: Any changes that a user makes to his/her privacy conditions are valid from that point in time onward; future web sites the user visits will deal with the new settings, but old ones will have to be re-visited in order for the changes to be realized.
Note: There has been no concrete consumer research or study done on how users might react to the concept or usage of P3P.
Scenario:
- The user enters personal information (name, email address, etc.) into the user’s browser.
- The user enters the conditions under which the user is willing to give out this information, e.g. the user will give out her information only if the web site does not sell the information to a mailing list, etc.
- The user surfs the Web, and nothing happens until the user hits a specific web page of a web site that needs information (for example, when the user needs to fill out information for ordering a product).
- If the user is at a web site that announces it collects information and will obey the conditions specified by the user, then the user’s browser would automatically send over the user’s personal information to the web site. The user may choose to be notified when such a transmittal occurs.
- If the user were at a web site that will use the collected information under different conditions than those specified by the user, then the browser would alert the user to the different conditions and ask for permission to give out the personal information.
- The user always has the option to not give out any personal information to a web site that does not use that information under his/her conditions.
Some Advantages:
The user can set up one-to-one relationships with different web sites, varying the amount of data divulged according to his/her comfort level with the web site/company.
The user can seamlessly transfer personal information to web sites/companies without typing information repeatedly.
The user will know how the web site is going to use the personal information being collected.
The user can make/decide on exceptions. A user can vary which information can be disclosed depending upon the usefulness of the data or the service provided by the web site.
Some Issues:
Complexity of P3P for Users.
The P3P specification seemingly was designed for maximum flexibility -- it allows the user to set up preferences for almost any piece of personal information. However, there is concern that the user may feel inundated with too many choices about too many pieces of information when configuring P3P. If the user does not choose to fill in the information beforehand, there will be a point when the user is transacting with a web site operator that he/she would need to fill in that information. The user would then have to decide under what sort of conditions he/she would like to have personal information given out.
It is probably wise to wait until prototypes from either Netscape or Microsoft are available before we can judge how the user might react. The final implementations will determine how complex P3P will be. Implementations will undoubtedly allow users to select from a short list of privacy conditions (e.g. low, medium, and high) and will allow users to provide their conditions for individual items of information. Nevertheless, there is a possibility that P3P will discourage neophytes from transacting or interacting online altogether.
Potential Conflict Between Cross-Selling and Privacy Protection.
As a bank that has just entered a merger with the intent to cross-sell a full line of financial services, Citibank is wary that P3P may precipitate a decrease in the flow of marketing information, even where the intended use is benign.
P3P allows a user to dictate under what sort of conditions she is willing to give out personal information. If Citibank does not agree to whatever conditions the user puts forth, the user may opt to not transact with the bank at all – thus putting the onus on the bank to tighten the privacy protection until users are willing to transact i.e., to the lowest common denominator.
There is a concern that P3P would let ordinary users see, in full gory detail, how their personal information might be misused by less trusted or responsible web site operators. Such knowledge may cause users to resist giving out information altogether. Some individual business groups have done focus studies on users, and, though the results deserve further study, some concluded that most users would prefer to give out only information needed for the transaction and that they do not like the idea of someone monitoring their browsing behavior.
Additional Costs incurred to "fulfill the promise."
For all of P3P’s complexity, it cannot stand alone, either in reality or in user perception. All users know that a protocol like P3P is a promise that may not be kept. Therefore internal processes are required at a fulfillment level. These measures (which come at a cost) could include, but are not limited to:
- Self-Auditing
- Process of recourse for a user who thinks that his/her privacy preferences may have been violated
- Training of company personnel and internal enforcement
- Authentication of the web site operator
Web sites can misrepresent their policies.
Web sites can make false promises of how they will use the personal information collected from users. A potential solution to this is privacy auditing, education and enforcement (see below).
Web sites can misrepresent themselves.
Companies with less integrity may claim erroneously to be another company altogether, or a subsidiary of a different company.
Data is not secure in P3P.
P3P does not provide for secure means to store information. Data stored on the user’s computer (either by the web site or by the user) can be accessed by almost any other web site.
Web sites can request additional pieces of information.
Web sites may request new items of information that they want from the user (e.g., household income) that are not included in the standard P3P profile. It is possible that many web sites will request additional items, and thus inundate the user with many prompts to fill in such information. There is no regulation as to this process, but again, it is in the best interest of web sites not to needlessly trouble the user, because the user ultimately may choose not to use P3P at all.
It is possible that multiple web sites may request the same information, but call it by different names (e.g. foot size or shoe size). The user might be faced with filling out identical bits of information for different web sites. However, there are ways around this, namely improving the logic in the browser to check for similar bits of information, or making it easier for web site authors to re-use names that are commonplace.
Deploying P3P Globally.
Since Citigroup is a global organization, deploying P3P would mean deploying it around the world. However, countries have different laws regarding privacy over the Internet. Fortunately, P3P is flexible enough that Citigroup could vary the privacy conditions it adheres to depending on the country. The local Citigroup web sites that are viewed by such users may modify their P3P conditions as well, to comply with local laws.
Record of the Transactions or Agreements.
The current specification does not call for any recording of the transactions that take place between the user and the web site operator. In a scenario we envision, if the user changes his/her privacy preferences at least once after conducting a transaction, there would be no record of the previous agreement that was in effect during the transaction.
This is a valid point because should the user decide to take any sort of action against the web site operator, there needs to be a record of the transaction and the agreement that was in effect when the transaction took place.
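As an added illustration (not code from this white paper or from the P3P working draft), the following toy evaluator models the browser-side comparison described in the Scenario section and keeps the per-transaction record of the agreement in effect that this section calls for; the element names, purposes and recipients are constructed vocabulary, not the draft's.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Added illustration, not code from the white paper or the P3P draft: a toy
# browser-side evaluator for the Scenario, plus the per-transaction agreement
# record the paper notes the draft does not require. Element names, purposes
# and recipients are constructed vocabulary, not the draft's.

@dataclass(frozen=True)
class Term:
    element: str          # e.g. "email"
    purposes: frozenset   # uses allowed (user side) or intended (site side)
    recipients: frozenset # who may receive it

    def covers(self, requested):
        # The site's use is acceptable only if it asks for nothing beyond
        # what the user's preference for this element allows.
        return (requested.purposes <= self.purposes
                and requested.recipients <= self.recipients)

def evaluate(preferences, proposal):
    """Return ("release", []) when every requested element is covered by a
    user preference, else ("prompt", conflicting elements) so the user is
    asked, as in the Scenario. Elements the user never configured (e.g. a
    site asking for household income) also count as conflicts."""
    by_element = {p.element: p for p in preferences}
    conflicts = [r.element for r in proposal
                 if r.element not in by_element
                 or not by_element[r.element].covers(r)]
    return ("release" if not conflicts else "prompt"), conflicts

def record_agreement(ledger, site, proposal, released, when=None):
    """Append a snapshot of the site's terms in effect for this transaction.
    Later changes to the user's preferences leave the record untouched."""
    when = when or datetime.now(timezone.utc)
    entry = {"site": site, "when": when.isoformat(),
             "terms": tuple(proposal), "released": tuple(released)}
    ledger.append(entry)
    return entry

# Constructed sample: the user gives name and email for order fulfillment only;
# the site also wants email for marketing and would pass it to partners.
USER_PREFS = [Term("name", frozenset({"fulfillment"}), frozenset({"ours"})),
              Term("email", frozenset({"fulfillment"}), frozenset({"ours"}))]
SITE_PROPOSAL = [Term("name", frozenset({"fulfillment"}), frozenset({"ours"})),
                 Term("email", frozenset({"fulfillment", "marketing"}),
                      frozenset({"ours", "partners"}))]
```

Running `evaluate(USER_PREFS, SITE_PROPOSAL)` yields a prompt for "email" only, and a later change to `USER_PREFS` does not alter an entry already appended by `record_agreement`.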
P3P is Not a Cure-All.
It is important to keep in mind that P3P is not a privacy cure-all. It only deals with the issue of respecting a user’s privacy preferences after collecting personal information from him/her on the Web. There are numerous other channels where Citibank deals with customers, and there must be thought given to whether those other channels deserve the same privacy protection as the one on the Web.