HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy

Carnegie Mellon Study Claims Thousands of Web Sites Misrepresent Privacy Settings

The Platform for Privacy Preferences Project (P3P) is a World Wide Web Consortium standard under which a website publishes its privacy policy in machine-readable form and the user's browser compares that policy against the privacy preferences the user has set, for example to decide which of the site's cookies to accept. The scheme only works if websites using P3P state their practices accurately. Although it was heralded as a privacy-enhancing technology when the W3C recommended it in 2002, P3P has never caught on, and the vast majority of consumers do not use it.

Nevertheless, a just-released study by Pedro Giovanni Leon, Lorrie Faith Cranor, Aleecia M. McDonald and Robert McGuire of Carnegie Mellon CyLab has concluded that large numbers of websites are misrepresenting their P3P privacy practices, "thus misleading users and rendering privacy protection tools ineffective."  From the abstract:

"Platform for Privacy Preferences (P3P) compact policies (CPs) are a collection of three-character and four-character tokens that summarize a website’s privacy policy pertaining to cookies. User agents, including Microsoft’s Internet Explorer (IE) web browser, use CPs to evaluate websites’ data collection practices and allow, reject, or modify cookies based on sites’ privacy practices. CPs can provide a technical means to enforce users’ privacy preferences if CPs accurately reflect websites’ practices. Through automated analysis we can identify CPs that are erroneous due to syntax errors or semantic conflicts. We collected CPs from 33,139 websites and detected errors in 11,176 of them, including 134 TRUSTe-certified websites and 21 of the top 100 most-visited sites. Our work identifies potentially misleading practices by web administrators, as well as common accidental mistakes. We found thousands of sites using identical invalid CPs that had been recommended as workarounds for IE cookie blocking. Other sites had CPs with typos in their tokens, or other errors. 98% of invalid CPs resulted in cookies remaining unblocked by IE under its default cookie settings. It appears that large numbers of websites that use CPs are misrepresenting their privacy practices, thus misleading users and rendering privacy protection tools ineffective. Unless regulators use their authority to take action against companies that provide erroneous machine-readable policies, users will be unable to rely on these policies."
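The abstract describes classifying compact policies automatically into well-formed ones, ones with syntax errors (unknown or mistyped tokens, missing token groups) and ones with semantic conflicts. The following checker is an added example written for this page; it is not code from the Carnegie Mellon study or from the blog, and its token tables are transcribed from the W3C P3P 1.0 compact-policy vocabulary and should be checked against the specification before being relied on. The "required groups" rule (a CP needs an access, purpose, recipient, retention and category token unless it declares non-identifiable data) is this example's reading of the full-policy structure, the NOI-plus-identifying-category conflict is this example's own heuristic rather than the study's criterion, and every header in SAMPLE_HEADERS is constructed, not collected from any real site.

```python
"""Syntax and consistency checker for P3P compact policies (CPs)."""
import re

# P3P 1.0 compact policy vocabulary, grouped by the full-policy element each
# token abbreviates. Transcribed from the W3C P3P 1.0 Recommendation, section 4;
# verify against the spec before relying on it.
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
DISPUTES = {"DSP"}
REMEDIES = {"COR", "MON", "LAW"}
NON_IDENTIFIABLE = {"NID"}
# Purposes other than CUR may carry a one-letter "required" attribute:
# a = always, i = opt-in, o = opt-out. Recipients other than OUR likewise.
PURPOSE_BARE = {"CUR"}
PURPOSE_SUFFIXED = {"ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
                    "CON", "HIS", "TEL", "OTP"}
RECIPIENT_BARE = {"OUR"}
RECIPIENT_SUFFIXED = {"DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORY = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
            "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
TEST = {"TST"}
SUFFIXES = {"", "a", "i", "o"}

# Groups a CP must cover to describe a data practice at all. This is the
# example's reading of the full-policy structure (ACCESS, plus PURPOSE,
# RECIPIENT, RETENTION and DATA per statement; a NON-IDENTIFIABLE statement
# may omit the last four), not a rule quoted from the study.
REQUIRED_GROUPS = ("access", "purpose", "recipient", "retention", "category")

# Categories describing data that identifies a person. Claiming "no identified
# data collected" (NOI) while listing them is flagged as a conflict here;
# this heuristic is the example's own, not the study's criterion.
IDENTIFYING = {"PHY", "ONL"}


def classify(token):
    """Return the vocabulary group of a CP token, or None if it is not a token."""
    base, suffix = token[:3], token[3:]
    if token in ACCESS:
        return "access"
    if token in DISPUTES:
        return "disputes"
    if token in REMEDIES:
        return "remedies"
    if token in NON_IDENTIFIABLE:
        return "non-identifiable"
    if token in PURPOSE_BARE or (base in PURPOSE_SUFFIXED and suffix in SUFFIXES):
        return "purpose"
    if token in RECIPIENT_BARE or (base in RECIPIENT_SUFFIXED and suffix in SUFFIXES):
        return "recipient"
    if token in RETENTION:
        return "retention"
    if token in CATEGORY:
        return "category"
    if token in TEST:
        return "test"
    return None  # unknown or mistyped token: a syntax error


def extract_cp(header_or_cp):
    """Pull the quoted policy out of a P3P response header; accept a bare CP too."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_or_cp, re.IGNORECASE)
    return m.group(1) if m else header_or_cp


def validate_cp(header_or_cp):
    """Classify every token and report syntax errors, missing groups and conflicts."""
    tokens = extract_cp(header_or_cp).split()
    groups, invalid = {}, []
    for tok in tokens:
        group = classify(tok)
        if group is None:
            invalid.append(tok)
        else:
            groups.setdefault(group, []).append(tok)
    missing = []
    if "non-identifiable" not in groups:
        missing = [g for g in REQUIRED_GROUPS if g not in groups]
    conflicts = []
    if "NOI" in groups.get("access", []):
        ident = sorted(set(groups.get("category", [])) & IDENTIFYING)
        if ident:
            conflicts.append("NOI with identifying categories " + " ".join(ident))
    return {"tokens": tokens, "invalid": invalid, "missing": missing,
            "conflicts": conflicts,
            "valid": not (invalid or missing or conflicts)}


def scan(headers):
    """Run the checker over a mapping label -> header, as a site survey would."""
    return {label: validate_cp(h) for label, h in headers.items()}


# Constructed sample headers (not collected from any real site).
SAMPLE_HEADERS = {
    "well-formed": 'P3P: CP="NOI DSP COR CUR ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT DEM STA PRE"',
    "not-a-policy": 'P3P: CP="NOT A P3P POLICY"',
    "typo": 'P3P: CP="CAO DSP COR CUR ADMa DEVa OUR BUSS IND UNI COM NAV DEM PRE"',
    "missing-access": 'P3P: CP="DSP COR CUR ADMa OUR BUS NAV DEM"',
    "contradictory": 'P3P: CP="NOI CUR ADMa DEVa OUR IND PHY ONL UNI COM NAV"',
}

if __name__ == "__main__":
    for label, report in scan(SAMPLE_HEADERS).items():
        status = "ok" if report["valid"] else "ERROR"
        print(f"{label:15s} {status:5s} invalid={report['invalid']} "
              f"missing={report['missing']} conflicts={report['conflicts']}")
```

Token matching is case-sensitive and uses the canonical form (upper-case token, lower-case attribute letter), so a mis-cased token is reported as a syntax error rather than silently accepted; a real survey tool would record whether the browser being modelled is equally strict, since the abstract's point is that the browser's leniency is what lets invalid policies pass.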

Just as a recent University of California-Berkeley study of Flash cookies and privacy prompted a series of lawsuits against Quantcast, Clearspring and users of their technology, there is speculation that the Carnegie Mellon study may inspire new lawsuits and investigations.  The websites using P3P compact policies are not without defenses, however, so it remains to be seen whether the study serves as a sturdy "platform for plaintiffs’ preferences."