Electronic Commerce Research andApplications
abstract: We studied the deployment of computer-readable privacy policies encodedusing the standard W3C plat-form for privacy preferences (P3P) format to informquestions about P3P’s usefulness to end users andresearchers. We found that P3Padoption is increasing overall and that P3P adoption rates greatly varyacrossindustries. We found that P3P had been deployed on 10% of the sites returned inthe top-20 resultsof typical searches, and on 21% of the sites returned in thetop-20 results of e-commerce searches. Weexamined a set of over 5000 websitesin both 2003 and 2006 and found that P3P deployment amongthese sites increasedover that time period, although we observed decreases in some sectors. In theFallof 2007 we observed 470 new P3P policies created over a 2-month period. Wefound high rates of syntaxerrors among P3P policies, but much lower rates ofcritical errors that prevent a P3P user agent frominterpreting them. We alsofound that most P3P policies have discrepancies with their naturallanguagecounterparts. Some of these discrepancies can be attributed toambiguities, while others cause the twopolicies to have completely differentmeanings. Finally, we show that the privacy policies of P3P-enabledpopularwebsites are similar to the privacy policies of popular websites that do notuse P3P.
1. Introduction
According to a 2005 poll conducted by CBS News andthe NewYork Times, 82% of Americans believe that the right to privacy inthe USis either under serious threat or is already lost. This samepoll also found that83% of Americans are concerned about compa-nies collecting their personalinformation because of the risk thatcompanies might share their personalinformation inappropriately[8]. These responses are similar to a 2000 surveyconducted by ThePew Internet & American Life Project, in which 86% ofrespondentssaid that they wanted companies to require permission beforeusingpersonal information for purposes other than those for whichit was provided[24]. To address concerns about their handling ofpersonal data, many websitesare posting their privacy policies.
However, most users do not read these policies[36]. Furthermore,a majority of individuals surveyed held the mistaken beliefthat themere presence of a privacy policy means that a corporation will notsharetheir data [38]. Even those who do bother to read privacypolicies often cannotunderstand what the policies mean [18].
Additionally, websites with poor privacy practiceshave littleincentive to disclose these practices, while websites withgoodpractices may view the posting of their policies as a burden [39].
Thus, privacy policies do not seem to be servingwebsite visitorswell.
The platform for privacy preferences (P3P) wascreated by theWorld Wide Web Consortium (W3C) to make it easier for websitevisitorsto obtain information about sites’ privacy policies [11]. P3Pspecifies astandard XML format for machine-readable privacy pol-icies that can be parsedby a user agent program. This allows usersto specify their privacy preferencesto their web browser or otherapplication. When a user encounters a website thatdoes not con-form to the user’s preferences, the agent can alert the user ortakeother actions such as blocking cookies.
Both end users and researchers may benefit fromincreasing P3Padoption. P3P best serves end users when a large numberofwebsites with which users share data make their privacy policiesavailable inthe P3P format. Even if only a fraction of websitesare P3P-enabled, user agentscan help users identify the websitesthat do use P3P, as well as those that haveprivacy policies thatusers deem acceptable. Automated tools can also be used tocollectand analyze P3P policies for research purposes. This makes it easyforresearchers to collect large numbers of policies and comparethem across legaljurisdictions or industry sectors, and to track pol-icy changes over time.
This study aims to assess the state of P3P adoptionto informquestions about P3P’s usefulness to end users and researchers.InSection 2, we provide background on P3P and existing P3P .Electronic CommerceResearch and Applications 7 (2008) 274–293Contents lists available atScienceDirect
Electronic Commerce Research and Applicationsjournalhomepage: http://www.elsevier.com/locate/ecraagents. In Section 3, we present ourstudy methodology. In Section4, we measure P3P deployment among a number ofdifferent setsof
abstract: We studied the deployment of computer-readable privacy policies encodedusing the standard W3C plat-form for privacy preferences (P3P) format to informquestions about P3P’s usefulness to end users andresearchers. We found that P3Padoption is increasing overall and that P3P adoption rates greatly varyacrossindustries. We found that P3P had been deployed on 10% of the sites returned inthe top-20 resultsof typical searches, and on 21% of the sites returned in thetop-20 results of e-commerce searches. Weexamined a set of over 5000 websitesin both 2003 and 2006 and found that P3P deployment amongthese sites increasedover that time period, although we observed decreases in some sectors. In theFallof 2007 we observed 470 new P3P policies created over a 2-month period. Wefound high rates of syntaxerrors among P3P policies, but much lower rates ofcritical errors that prevent a P3P user agent frominterpreting them. We alsofound that most P3P policies have discrepancies with their naturallanguagecounterparts. Some of these discrepancies can be attributed toambiguities, while others cause the twopolicies to have completely differentmeanings. Finally, we show that the privacy policies of P3P-enabledpopularwebsites are similar to the privacy policies of popular websites that do notuse P3P.
1. Introduction
According to a 2005 poll conducted by CBS News andthe NewYork Times, 82% of Americans believe that the right to privacy inthe USis either under serious threat or is already lost. This samepoll also found that83% of Americans are concerned about compa-nies collecting their personalinformation because of the risk thatcompanies might share their personalinformation inappropriately[8]. These responses are similar to a 2000 surveyconducted by ThePew Internet & American Life Project, in which 86% ofrespondentssaid that they wanted companies to require permission beforeusingpersonal information for purposes other than those for whichit was provided[24]. To address concerns about their handling ofpersonal data, many websitesare posting their privacy policies.
However, most users do not read these policies[36]. Furthermore,a majority of individuals surveyed held the mistaken beliefthat themere presence of a privacy policy means that a corporation will notsharetheir data [38]. Even those who do bother to read privacypolicies often cannotunderstand what the policies mean [18].
Additionally, websites with poor privacy practiceshave littleincentive to disclose these practices, while websites withgoodpractices may view the posting of their policies as a burden [39].
Thus, privacy policies do not seem to be servingwebsite visitorswell.
The platform for privacy preferences (P3P) wascreated by theWorld Wide Web Consortium (W3C) to make it easier for websitevisitorsto obtain information about sites’ privacy policies [11]. P3Pspecifies astandard XML format for machine-readable privacy pol-icies that can be parsedby a user agent program. This allows usersto specify their privacy preferencesto their web browser or otherapplication. When a user encounters a website thatdoes not con-form to the user’s preferences, the agent can alert the user ortakeother actions such as blocking cookies.
Both end users and researchers may benefit fromincreasing P3Padoption. P3P best serves end users when a large numberofwebsites with which users share data make their privacy policiesavailable inthe P3P format. Even if only a fraction of websitesare P3P-enabled, user agentscan help users identify the websitesthat do use P3P, as well as those that haveprivacy policies thatusers deem acceptable. Automated tools can also be used tocollectand analyze P3P policies for research purposes. This makes it easyforresearchers to collect large numbers of policies and comparethem across legaljurisdictions or industry sectors, and to track pol-icy changes over time.
This study aims to assess the state of P3P adoptionto informquestions about P3P’s usefulness to end users and researchers.InSection 2, we provide background on P3P and existing P3P .Electronic CommerceResearch and Applications 7 (2008) 274–293Contents lists available atScienceDirect
Electronic Commerce Research and Applicationsjournalhomepage: http://www.elsevier.com/locate/ecraagents. In Section 3, we present ourstudy methodology. In Section4, we measure P3P deployment among a number ofdifferent setsof
