Whatever happened to P3P?

OUT-LAW Radio, 08/10/2009

We find out why the P3P system which allowed computers and websites to automatically negotiate the use of private information failed and look at what might replace it.

• Download OUT-LAW Radio 08/10/2009 (10MB, 11 minutes)
• Low quality recording for 08/10/2009 (2MB, 11 minutes)
• Instructions for listening and subscribing to OUT-LAW Radio

A text transcription follows.

This transcript is for anyone with a hearing impairment or who for any other reason cannot listen to the MP3 audio file.

The following is the text spoken by OUT-LAW journalist Matthew Magee.

Hello and welcome to OUT-LAW Radio, where we hope to keep you up to date with the latest news and the most fascinating features from the world of technology law.

My name is Matthew Magee, and this week we investigate the failure of an innovative technology called the Platform for Privacy Preferences which could have rendered redundant those massive website privacy policies.

But first, here are some of the top stories from OUT-LAW.COM, where you can read breaking technology law news throughout the week.

OUT-LAW reveals Spotify's income

and

Phishing attacks on the rise

Music streaming pioneer Spotify earns more than £1 million a month from its premium subscribers, OUT-LAW.COM can reveal. Earnings could be as high as £72m a year. Spotify has been reluctant to reveal how many of its users have upgraded to its premium version, which costs £9.99 a month and allows users to hear music without adverts being played every few songs.

OUT-LAW can reveal that the number of those subscribers who have upgraded is between 100,000 and 600,000 people in the six countries in which the service has launched. That translates into monthly earnings of £1m to £6m and annual earnings of up to £72m.

Spotify's director of content Niklas Ivarsson revealed last night that the number of users who have upgraded is ‘in six figures’.  Company Chief Executive, Daniel Eck told an event for entrepreneurs in London two weeks ago that the number of subscribers was fewer than 10% of the total which is six million. That means that the number of paying users is between 100,000 and 600,000.

The number of phishing attacks on online banking systems has risen by 26% in the first half of the year, according to a banking industry trade body.

Phishing is the practice of creating fake versions of websites and asking users to enter their login details. Those details are then stored so that they can be used on the real sites.

Banking trade body the UK Payments Administration has now said that UK users' bank accounts are facing a steep rise in phishing attacks. In figures just published it said that phishing attacks had risen by 26% in the first six months of this year and that overall online banking fraud rose by 55% to £39m.

Those were some of the top stories from this week's OUT-LAW News.

Have you ever read a privacy policy? I mean really read it, followed all the links, pored over all the small print, worked out exactly what it means? Me neither.

They used to be a couple of sentences at the bottom of forms about whether a company would share your details for marketing or not but privacy policies have grown into many headed monsters which few can be expected to fully understand.

Of course they have had to get more complicated because the opportunities for gathering, storing and exploiting our personal data have grown exponentially in recent years.

So our personal information is in more danger of being misused than ever, but the policies governing the use are becoming necessarily more sprawling and complex; so what is to be done?

Well a few years ago a fantastic solution emerged. Why not turn privacy policies into instructions that computers can read. A user can say what is acceptable and what isn't and every time they visit a website the computers can compare privacy needs and usage between the user and the website and reveal whether or not the site does things with data that the user doesn't like.

This is called the Platform for Privacy Preferences, or P3P, and it was a great idea but the body behind it, web standards organisation The Worldwide Web Consortium, gave up work on it in 2007.

Rigo Wenning is The Worldwide Web Consortium's legal counsel and spokesman on privacy. He told us about how parts of P3P still inform work being done on how to help users and sites negotiate on privacy. But first he told us what happened to P3P.

Rigo Wenning: The transparency was really key to it and this has, on the other hand not resulted in browser makers using this to show the user anything. So we had all this privacy information from the service side, we had all this information out there and the browsers did not do anything with it, i.e. six contained some very basic P3P implementation that was only looking at cookies and could display policy a bit. So this transparency was not really achieved because of the client side, not because of the weakness of the protocol or the weakness of the vocabulary, it is more or less the client side. We did not manage to convince the browsers, that is the big failure.

On one thing Wenning is absolutely clear: people need to be better informed about the way websites and services use their personal information. It is, he says, a fundamental issue facing every web user and every company that gathers data.

Rigo Wenning: Personal information is the fuel of the internet industry and the battle is about usability of those fuel, how much you get, how much you can sell, under which conditions; and for the moment users are overwhelmed.

The P3P project made it abundantly clear what was actually happening behind the scenes, said Wenning.

Rigo Wenning: P3P had only one goal, to make the data collection for it’s parent, to show it to the user because what you can do in internet protocol stays a lot chatter, there is a lot of ambient information in the network, browser manufacturer operating systems, time, date, location, sometimes derived from your IP address.  There are lots of cookies where you can have stayed, this state can be remembered.  You can have cookies to watch the movement of the user inside your shop, inside your websites.

P3P had immediate and practical effect: it actually caused some companies to behave better, he said.

Rigo Wenning: On the service side we were pretty successful because people, large website providers but also smaller ones, were forced to think about their data use, their use of personal data, their collection of personal data, sometimes they removed large chunks of collection of personal date just because they realise we don’t need that whatsoever. So let’s get rid of it; and sometimes they ran into deep trouble when it was in the core of their business model and they had to reveal finally that they are doing this collection and they make a living out of it.

What it also did, was make users much more aware of privacy. Web users have now returned said Wenning, to a pre-P3P attitude where they don't care what happens to their information until there is a catastrophe.

Rigo Wenning: As long as their personal information, you know, does not come back into their life, so it is spread out, it is traded, it is something, and they don’t realise it.  Now if it comes back to their life, then they get really scared.  We see that people disregard privacy policies when they are written in 22 pages of legalese and businesses hide behind those privacy policies, and consumers do not care as long as there is no incident.

Wenning is a firm believer that our privacy needs to be protected by more than just a legal framework. Companies need to actually implement policies and use technologies that actively protect all of our privacy in a way that we control. The law, he says, is really only for the big guys or for the major incidents.

Rigo Wenning: Privacy enhancing technologies are still weak, too, far too weak and many people in the market believe only in legal remedies. I haven’t seen them happening. That the legal remedies, legal remedies are triggered, you know, to massive misbehaviour and abuse but so the daily ambient data collection is addressed by legal means but I don’t know whether it is really a remedy and so you get more and more complex human readable privacy policies that are written by lawyers that nobody, not even the lawyers, understand any more and that mask a massive data collection on the backside.

So what is happening now? Wenning says that the European Union funded Prime Life Project is carrying on research into privacy enhancing technologies, or PETs, and that it is largely based on the work that was done for P3P.

Rigo Wenning: If you really care about privacy in your backhand, it just takes a whole lot of engineering. All research in this area, in the policy area is based on P3Ps, it is all based on the assumption that you label data. Now how do you get a data warehouse that is a bit more intelligent than that, is that you have to transport the semantics attached to personal data. What have you promised, what was the initial attention to collect this data. If you stored the semantics in the data warehouse or in your backhand database, whatever, it makes life easier and it allows easy compliance or easy care for privacy by companies. It’s coming but it takes time, it takes time because it’s really very complex.

That's all we have time for this week, thanks for listening. Why not get in touch with OUT-LAW Radio? Do you know of a technology law story that you think we should cover? We would love to hear from you on radio@out-law.com. Make sure you tune in next week; but for now, goodbye.

OUT-LAW Radio was produced and presented by Matthew Magee for international law firm Pinsent Masons.