Do-Not-Track and P3P: a matter of regulation


[Continued from part I]

Regulatory frameworks are critical to the success of any privacy standard relying on statements made by websites. There is a fundamental information asymmetry between consumers and the sites they visit. Only the site has authoritative knowledge of its own data practices; consumers cannot peek behind the curtain. They are forced to accept statements at face value, usually without any independent verification. This holds true for both P3P and DNT. But differences in the design and implementation of the two protocols translate into varying degrees of dependence on regulation. P3P makes only modest demands for keeping websites honest in their policy statements. DNT, in contrast, requires heavy-handed market intervention for deployment.

For a website eyeing P3P, the options are:

  1. Do not implement it, and face the music. That could mean some functionality breaks.
  2. Implement P3P but deliberately publish an incorrect policy. This bogus policy will be crafted to meet the minimum bar for the majority of users, preventing any interference with tracking cookies.
  3. Implement P3P with a policy accurately describing data practices. Again this may have consequences, if the policy leads to cookies getting dropped.
  4. Until recently: look for a loophole in P3P enforcement. The original Internet Explorer implementation was lenient about unrecognized syntax, making it possible to declare an invalid P3P policy which still satisfied the browser.

Along this spectrum P3P has just one dependence on regulation: create disincentives against option #2. The temptation to go down that route can be born of ignorance as often as malice. After IE6 launched, it was common for clueless developers to ask on help forums: “What header do I send to make Internet Explorer accept my cookies?” In a world where privacy statements are not imbued with meaning, that would be a legitimate question. Along those lines the P3P header is just an arbitrary sequence of symbols, a magic incantation to make web browsers behave correctly. It is the threat of legal repercussions that keeps reputable companies from testing that theory. This is all the more astonishing considering that not a single court case has tested the theory of whether P3P statements are legally binding.**

Once outright deception is ruled out, market forces can decide between the remaining options. The last one is primarily an implementation choice. After evidence emerged that it was being actively used to side-step P3P, MSFT fixed it by offering strict P3P validation in IE10. #1 and #3 are decisions about the business model of the website, ideally one that can be modeled as a negotiation with users. Firefox and Chrome do not implement P3P; users are free to use either browser. Even for die-hard IE fans, the browser only provides default settings: users are free to override them if the reasons are compelling. This is no different from websites pleading with users to enable ActiveX controls after security improvements to IE prevented them from running such dangerous code without explicit user action.
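To make the difference between the lenient and strict behaviour concrete, here is an added example (not code from this blog or from Microsoft) that parses the compact-policy form of a P3P header and evaluates it two ways: a lenient mode that silently drops tokens it does not recognise, and a strict mode that rejects the whole header when any token is outside the P3P compact-policy vocabulary. The token vocabulary follows the P3P 1.0 compact-policy syntax; the "unsatisfactory" rule is a deliberately simplified stand-in for the Internet Explorer medium privacy setting (an assumption, not a reproduction of it), and the three sample headers are constructed for the example.

```python
"""Lenient versus strict evaluation of P3P compact policies (added example)."""
import re
from dataclasses import dataclass

# Compact-policy vocabulary from P3P 1.0. Purposes and recipients may carry a
# qualifier suffix: a = always, i = opt-in, o = opt-out (bare means "always").
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
DISPUTES = {"DSP", "COR", "MON", "LAW"}
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORIES = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM", "CNT",
              "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
MISC = {"NID", "TST"}
PLAIN_TOKENS = ACCESS | DISPUTES | RETENTION | CATEGORIES | MISC

# Simplified rule (assumption, not the real IE logic): a policy is unsatisfactory
# when it declares personally identifying categories and uses them for a
# non-operational purpose or recipient without an opt-in/opt-out qualifier.
IDENTIFYING = {"PHY", "ONL", "GOV", "FIN"}
NON_OPERATIONAL = (PURPOSES - {"CUR", "ADM", "DEV"}) | (RECIPIENTS - {"OUR"})

_CP_RE = re.compile(r'\bCP\s*=\s*"([^"]*)"', re.IGNORECASE)


@dataclass(frozen=True)
class Verdict:
    cookie_allowed: bool
    reason: str
    unknown_tokens: tuple


def parse_compact_policy(header_value):
    """Return the whitespace-separated tokens inside CP="...", or None if absent."""
    if header_value is None:
        return None
    m = _CP_RE.search(header_value)
    return m.group(1).split() if m else None


def classify(token):
    """Map one token to (base, qualifier); None when it is not in the vocabulary."""
    t = token.upper()
    if t in PLAIN_TOKENS:
        return (t, None)
    if t in PURPOSES or t in RECIPIENTS:          # bare purpose/recipient = "always"
        return (t, "a")
    if len(t) == 4 and t[:3] in PURPOSES | RECIPIENTS and t[3] in "AIO":
        return (t[:3], t[3].lower())
    return None


def evaluate(header_value, strict):
    """Decide whether a third-party cookie carrying this P3P header is accepted."""
    tokens = parse_compact_policy(header_value)
    if tokens is None:
        return Verdict(False, "no compact policy", ())
    parsed = [(tok, classify(tok)) for tok in tokens]
    unknown = tuple(tok for tok, c in parsed if c is None)
    known = [c for _, c in parsed if c is not None]
    if strict and (unknown or not known):
        # IE10-style validation: malformed policy, cookie is not accepted.
        return Verdict(False, "invalid compact policy", unknown)
    # Lenient path: unrecognised tokens are dropped, so a header with no valid
    # tokens declares nothing and can never be judged unsatisfactory.
    uses_pii = any(base in IDENTIFYING for base, _ in known)
    unqualified = [base for base, q in known if base in NON_OPERATIONAL and q == "a"]
    if uses_pii and unqualified:
        return Verdict(False, "unsatisfactory: " + " ".join(unqualified), unknown)
    return Verdict(True, "satisfactory", unknown)


def compare(header_value):
    """Lenient and strict verdicts side by side for one header value."""
    return {"lenient": evaluate(header_value, strict=False).cookie_allowed,
            "strict": evaluate(header_value, strict=True).cookie_allowed}


# Constructed sample headers (not taken from any real site).
HONEST_TRACKER = ('CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONa HISa '
                  'TELa OTPa OUR DELa SAMa OTRa UNRa PUBa IND PHY ONL UNI PUR FIN COM '
                  'NAV INT DEM CNT STA POL HEA PRE GOV"')
BOGUS_POLICY = 'CP="This is not a P3P policy"'
NO_PII_POLICY = 'CP="NOI DSP COR NID CURa OUR NOR"'

if __name__ == "__main__":
    for name, hdr in [("honest tracker", HONEST_TRACKER), ("bogus", BOGUS_POLICY),
                      ("no PII", NO_PII_POLICY), ("missing header", None)]:
        print(f"{name:15s} {compare(hdr)}")
```

The bogus header is the loophole in miniature: under lenient parsing every token is dropped, nothing objectionable is declared, and the cookie sails through; under strict validation the same header is simply invalid. An honest policy that admits to using identifying data for tracking is rejected either way, which is exactly the incentive problem the post describes.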

At first blush, DNT poses a similar set of choices:

  1. Do not implement the standard.
  2. Implement with false/misleading description of policies.
  3. Implement with correct description of tracking behavior. That includes the possibility that the website will not in fact change its tracking practices in response to user requests, as permitted by the standard.
  4. Look for a loophole in enforcement: recently one Adobe engineer had the creative idea of creating a loophole for ignoring DNT statements from IE, on the technicality that the web browser made the decision for users. Sanity prevailed and that patch was reverted.

The kicker: the way IE10 implements Do-Not-Track, there is no difference in user experience between these. Option #2 may run afoul of the same prohibitions against deceptive statements alluded to above. But there is no reason for anyone to incur that risk when option #1 works just as well, with the added benefit of being less work.

P3P makes a minimal assumption: that regulation exists to prevent actors from making deliberately false statements. This blogger is not an attorney, but will posit the existence of laws already on the books covering that ground.

DNT as currently implemented requires much more. Because there are no incentives for deployment, heavy-handed intervention compelling websites is called for. That is a highly intrusive approach to technology regulation, without precedent. After all, no one is legally required to implement SSL, the most basic security protocol that can help protect user data in transit. For that matter, websites are not required by law to comply with any RFC, support strong authentication, encrypt user data or conduct security reviews.

The debate around how far regulators should intervene in markets to correct privacy problems will continue. Making the success of a contentious privacy standard contingent on that question being resolved in a particular direction is guaranteed to further weaken the already long odds that standard faces.

CP

** P3P detractors soon hinged their hopes on that possibility, after realizing that deployment was inevitable.
