Agencies on the path to P3P

One piece of the E-Government Act of 2002 aims to make Web site policies easier for users to understand.

Developing privacy policies that can be understood by Web browsers would be another step in the right direction, but most federal agencies are lagging behind the commercial world, privacy officials said today.

"It's very difficult as a consumer to know what's going to happen with your information today," said Ari Schwartz, associate director for the Center for Democracy and Technology, speaking today at a workshop hosted by CDT and the American Council for Technology.

Section 208 of the E-Gov Act requires agency Web sites to include privacy policies in a machine-readable format. This is intended to allow users to easily understand how their personal information is used, stored and shared. The format allows users to set their privacy preferences into the browser and receive notice if sites match the preferences, Schwartz said. Today, users have to comb through an often long and esoteric privacy statement available on the site, he said.

The only way for agencies to adopt these policies is by using the Platform for Privacy Preferences Project (P3P) developed by the World Wide Web Consortium. The P3P policy directs the browser to notify the user, block certain cookies and provide a summary of the policy.

"It's a computer-readable language for coding all the common elements of the privacy policies," said Lorrie Faith Cranor, the P3P Specification Working Group chairwoman at Carnegie Mellon University, also speaking at the workshop. "Once [the browsers] read the policies, we would like them to do something useful for us."

Despite the legal mandate, most federal Web sites do not have machine-readable policies, Schwartz said.

"Government sites were not becoming compliant at the same rate as commercial sites," he said. "In fact, government sites are far behind the commercial sector today."

But Schwartz said there are two major incentives for adopting the policy: adherence to the law and Congressional wrath expected in the spring. Congress is expected to ask the General Accounting Office to study federal compliance to the machine-readable format mandate after March 1, when the Office of Management and Budget will be reporting to Congress on agency's compliance with the E-Gov Act.

According to Brian Tretick of Ernst and Young LLP, 23 percent of the top 500 Web domains were P3P compliant. Of those, one out of 19 government sites, including state sites, were complaint.

Tretick, presenting at the workshop, outlined five basic steps for agencies to follow to implement a P3P policy:

Baseline: Understand the various domains and Web sites with one agency site, the types of users accessing the site and the information gathered. Agencies should also review the privacy statements and practices.

Diagnose: Review the practices against the policy, including services and elements provided to the site by a third-party, such as images or a survey.

Improve: Remedy the privacy policy and determine whether the site needs several P3P policies or a single policy. Agencies should then develop the P3P policy, using assistive software.

Verify: Test the site to make sure it is indeed P3P compliant.

Deploy and maintain: Review the policy and compliance periodically and establish processes for changing the P3P policy.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.