P3P - Criticisms

Criticisms

The Electronic Privacy Information Center (EPIC) has been critical of P3P and believes P3P makes it too difficult for users to protect their privacy. In 2002 it assessed P3P, and referred to the technology as a “Pretty Poor Policy”. According to the EPIC, some P3P software is too complex and difficult for the average person to understand, and many Internet users are unfamiliar with how to use the default P3P software on their computers or how to install additional P3P software. Another concern is that websites are not obligated to use P3P, and neither are Internet users. P3P has been known to undermine public confidence by collecting enormous amounts of information that can be used against its user. Moreover, the EPIC website claims that P3Ps protocol would become burdensome for the browser and not as beneficial or efficient as it was intended to be.

The basic idea of privacy protection can be misleading to the visitors on the site. For example, people think that their privacy is actually being protected, but it is not. P3P facilitates data collection from websites. If the actual intention of P3P was to protect visitors to web sites then the information gathering would not be so easy to pass along personal information. Also, people who visit websites where P3P is present are uninformed and misunderstand the level of privacy that P3P provides. There needs to be more effective ways of educating people on the level of privacy and what P3P actually does to protect people.

Another main concern is that the data that is collected does not have an expiration date. People who buy something on the internet will have that information saved for an infinite amount of time, whether it will be recorded for a year or ten. This problem has led people to question where their information is being distributed to and for how long third parties will have access to their information. The idea that people’s personal information can be distributed to other people for an indeterminate amount of time makes people very uncomfortable.

A key problem that occurs with the use of P3P is that there is a lack of enforcement. Thus, promises made to users of P3P can go unfulfilled. Though by using P3P a company/website makes a promise of privacy and of the use of gathered data to the site’s users, there are no real legal ramifications if the company decides to use the information for other functions. Currently, there are no actual laws that have been passed by the United States about data protection. Though it would be nice to be able to trust every company that states its use for our information, there is no binding reason that the company must actually adhere to the rules it says it will comply by. Though using P3P technically qualifies as a contract, the lack of federal regulation downplays the need for companies to abide.

The agreement to use P3P not only puts in place unenforceable promises, but it also prolongs the adoption of federal laws that would actually inhibit the access and ability to use private information. If the government were to step in and attempt to protect Internet users with federal laws on what information can be accessed, and specific regulations on how user information can be used, companies wouldn’t maintain the leeway they do now to use information as they please, despite what they may actually tell users. In 2002, then EPIC employee Chris Hoofnagle argued that P3P was displacing chances for government regulation of privacy.

Critics of P3P also argue that non-compliant sites are excluded. According to a study done by CyLab Privacy Interest Group at Carnegie Mellon University only 15% of the top 5,000 websites incorporate P3P. Therefore many sites that don’t include the code but do practice high privacy standards will not be accessible to users who use P3P as their only online privacy guide.

EPIC, the technology's obviously largest critic, also talks about how the development and implementation of P3P can cause a monopoly of private information. Since it tends to be only major companies who implement P3P on their websites, only these major companies are tending to then gather this information seeing as only their privacy policies can compare to privacy preferences of users. The EPIC website says, "The incredible complexity of P3P, combined with the way that popular browsers are likely to implement the protocol would seem to preclude it as a privacy-protective technology," EPIC continues on to state, "Rather, P3P may actually strengthen the monopoly position over personal information that U.S. data marketers now enjoy."

The failure for its immediate adoption can be related to the idea of it being a notice and choice approach that doesn’t comply with the Fair Information Practices. According to the Chairman of the FTC, privacy laws are key in today’s society in order to protect the consumer from providing too much personal information for other’s benefit. Some believe that there should be a limit to the collection and use of the consumer’s personal data online. Currently sites are not required under any United States laws to comply with the privacy policies they publish, therefore P3P causes some controversy with consumers who are concerned about the release of their personal information and are only able to rely on P3P’S protocol to protect their privacy.

As people become comfortable with P3P, the technology may be limiting the perceived need of related privacy legislation.

Michael Kaply from IBM is reported saying the following when the Mozilla Foundation was considering the removal of P3P support from their browser-line:

Ah the memories. We (IBM) wrote the original P3P implementation and then Netscape proceeded to write their own. So both our companies wasted immense amounts of time that everyone thought was a crappy proposal to begin with. Remove it.

Live Leer, a PR manager for Opera Software, explains the deliberate lack of P3P support in their browser:

At the moment, we aren't sure whether P3P is the best solution. P3P is among the specifications we are considering for support in the future. There have been some issues with how well P3P will protect privacy, and for that reason we have decided to wait until these are resolved.