Via James Governor, Kevin Murphy says that privacy policies should have RSS feeds.
Haig reminds us on James’ blog of the P3P (Personal Privacy Preferences) standard, though James seems to think that there’s no way we’ll ever be able to agree to standards for machine-readable privacy policies.
I don’t know about that - surely something akin to the Creative Commons licenses could be created for privacy policies? A common set of policies could be published in plain text, legalese and P3P, so that all constituencies, human, lawyer and machine, could be served equally. Assuming that these policies were capable of covering the privacy practices of most websites, they might find their way into general use, just as the Creative Commons licenses have.
While forming a common set of P3P privacy policies could be a start, things would get really interesting if, at some point, variations of the privacy policies could be posted for different jurisdictions, depending on local law. Once again, we have the Creative Commons as a reference point; CC licenses are available in a generic form, or for a selected jurisdiction.
The policies would at the very least have to cover elements of data collection (What data is collected? How is it stored? Is it anonymized?) and data disclosure (Who gets to see my data?). I would suppose that they might also be tailored to particular kinds of businesses - the needs of social networking sites and online retailers, for example, might be quite different.
If a site were to draft its own policy, a policy validator could be provided that would check which of the common policies the site’s policy conforms to. Now that would be great, especially if a site’s privacy policy could automatically be checked for conformance to APPEL (the P3P Preference Exchange Language, used to form rules defining P3P user preferences) expressions of privacy law for different jurisdictions. And perhaps we might just be able to catch those nasty information monopolists in the act, so long as their P3P files do indeed declare their true intentions.
As for the current state of P3P, check out this ACM report (served up by ColdFusion, yeah!), which indicates an adoption rate of about 10% amongst e-commerce websites. The report also notes that the E-Government Act, which mandates that government agencies provide machine-readable privacy policies, has resulted in a drastic increase in the number of government websites providing P3P policies.
Interestingly, the team that came up with that report created their own meta search engine which looked for sites supporting P3P policies. To extend that idea, suppose Google were to have Froogle provide an option like “find only retailers who will not store my credit card information”, or even, for power users, “find only retailers who conform to my APPEL policies”. That would certainly provide a new and interesting spin on product searches.
There are already browser extensions such as Privacy Fox and Privacy Bird which are capable of providing a human-readable form of a P3P file, and even, in the case of Privacy Bird, checking which portions of a P3P-enabled website may violate a user’s APPEL privacy preferences. Now, if we had those common P3P policies, APPEL expressions of those policies and APPEL expressions of privacy law for different jurisdictions, we could have browser plugins automagically determine a site’s conformance level. How cool would that be?
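The policy validator imagined above and the “will not store my credit card information” filter both boil down to the same check: read a site’s P3P policy and test its statements against a user preference. The following is an added example, not code from the post or from Privacy Bird, that does this with the standard library. The policy is constructed for illustration, and the rule dictionaries are a simplified stand-in for APPEL rules rather than real APPEL syntax.

```python
import xml.etree.ElementTree as ET
P3P_NS = "http://www.w3.org/2002/01/P3Pv1"
# Constructed sample policy (not from any real site). The second STATEMENT collects
# payment data (the P3P "purchase" category) and says it is retained indefinitely.
SAMPLE_POLICY = f"""<POLICIES xmlns="{P3P_NS}">
  <POLICY name="shop" discuri="http://example.invalid/privacy">
    <ACCESS><nonident/></ACCESS>
    <STATEMENT>
      <PURPOSE><current/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><no-retention/></RETENTION>
      <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
    </STATEMENT>
    <STATEMENT>
      <PURPOSE><current/><admin/></PURPOSE>
      <RECIPIENT><ours/><delivery/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP><DATA ref="#dynamic.miscdata"><CATEGORIES><purchase/></CATEGORIES></DATA></DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>"""
# Simplified stand-ins for APPEL rules (not real APPEL syntax). A rule applies to
# statements that collect data in "category" (all statements if unset) and is breached
# by retention outside "allowed_retention" or by any recipient in "forbidden_recipients".
NO_STORED_PAYMENT = {"category": "purchase",
                     "allowed_retention": {"no-retention", "stated-purpose"}}
NO_THIRD_PARTY_SHARING = {"forbidden_recipients": {"unrelated", "public"}}

def statements(policy_xml):
    """Summarise each STATEMENT as the sets a preference rule needs to inspect."""
    root = ET.fromstring(policy_xml)
    for st in root.iter(f"{{{P3P_NS}}}STATEMENT"):
        def leaves(name):  # local names of the child elements under every <name>
            return {e.tag.rsplit("}", 1)[-1]
                    for p in st.iter(f"{{{P3P_NS}}}{name}") for e in p}
        yield {"data": {d.get("ref") for d in st.iter(f"{{{P3P_NS}}}DATA")},
               "categories": leaves("CATEGORIES"), "recipients": leaves("RECIPIENT"),
               "retention": leaves("RETENTION")}

def violations(policy_xml, rule):
    """Return the statements that breach the rule, as the post's validator would."""
    bad = []
    for st in statements(policy_xml):
        if rule.get("category") and rule["category"] not in st["categories"]:
            continue
        over_retained = not st["retention"] <= rule.get("allowed_retention", st["retention"])
        leaks = bool(st["recipients"] & rule.get("forbidden_recipients", set()))
        if over_retained or leaks:
            bad.append(st)
    return bad
```

Run against the sample, the payment rule flags the second statement while the sharing rule passes, which is exactly the per-statement verdict a browser plugin or search filter would need.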
P3P is definitely on the up-and-up - if you’re running a website and haven’t put a P3P policy in place yet, you might want to think about doing it now. The syntax is fairly straightforward. The only thing that might take you some time to get through might be your lawyers barfing on the XML. Now that would be a sight to see! ;-)

James Governor | 12-Sep-06 at 11:13 am
I am a huge fan of the CC, but even there, complexity can cause problems for people. It’s not one license, it’s a few licenses; there are those that argue the CC is therefore too hard to use. I need to check out Privacy Bird.
ashwin | 12-Sep-06 at 12:45 pm
I would have to disagree with you re: complexity of CC. It’s a few very simple licenses, and the basic license selection page on the CC site which helps with license selection is really easy to use. The other kinds of licenses - public domain, sampling, whatever - are also fairly straightforward and easy to understand, at least in my opinion.
Stake Five :: Privacy and Identity - IGF workshop outcomes | 06-Nov-06 at 1:25 pm
[…] Looks like there are folks getting things done in the privacy space, especially with regards to standardizing privacy policies, something that I think would be a great enabler for business on the Net. My 2c: better, and more easily, informed consumers are happier consumers. […]