Agencies on the path to P3P

One piece of the E-Government Act of 2002 aims to make Web site policies easier for users to understand.

Developing privacy policies that can be understood by Web browsers would be another step in the right direction, but most federal agencies are lagging behind the commercial world, privacy officials said today.

"It's very difficult as a consumer to know what's going to happen with your information today," said Ari Schwartz, associate director for the Center for Democracy and Technology, speaking today at a workshop hosted by CDT and the American Council for Technology.

Section 208 of the E-Gov Act requires agency Web sites to include privacy policies in a machine-readable format. This is intended to allow users to easily understand how their personal information is used, stored and shared. The format allows users to set their privacy preferences in the browser and receive notice if sites match the preferences, Schwartz said. Today, users have to comb through an often long and esoteric privacy statement available on the site, he said.

The only way for agencies to adopt these policies is by using the Platform for Privacy Preferences Project (P3P) developed by the World Wide Web Consortium. The P3P policy directs the browser to notify the user, block certain cookies and provide a summary of the policy.

"It's a computer-readable language for coding all the common elements of the privacy policies," said Lorrie Faith Cranor, the P3P Specification Working Group chairwoman at Carnegie Mellon University, also speaking at the workshop. "Once [the browsers] read the policies, we would like them to do something useful for us."
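To make the mechanism Schwartz and Cranor describe concrete, here is an added example (not code from the workshop, the W3C or any agency) of what a browser-side P3P check does: parse a policy written in the W3C P3P 1.0 XML vocabulary (namespace http://www.w3.org/2002/01/P3Pv1), compare each STATEMENT against the user's preferences, and emit the compact-policy tokens that browsers of the period matched against cookies. The policy text is a constructed sample for a fictional example.gov site; the preference rules are a deliberately simplified stand-in for the spec's APPEL rule language; and the token table covers only the vocabulary values the sample uses (the spec's full table is larger and adds opt-in/opt-out suffixes). One caveat a practitioner should know: P3P 1.0 became a W3C Recommendation in 2002 but was declared obsolete by the W3C in 2018 and current browsers no longer read it, so this shows the design the article discusses rather than something to deploy today.

```python
"""Parse a P3P 1.0 policy and evaluate it against user preferences (added example)."""
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"
NS = {"p3p": P3P_NS}

# Constructed sample policy for a fictional example.gov site: statement 1 covers
# server logs; statement 2 covers a contact form whose data goes to an unrelated
# party and is kept indefinitely.
SAMPLE_POLICY = f"""<?xml version="1.0"?>
<POLICIES xmlns="{P3P_NS}">
  <POLICY name="example" discuri="http://www.example.gov/privacy.html">
    <ENTITY>
      <DATA-GROUP><DATA ref="#business.name">Example Agency</DATA></DATA-GROUP>
    </ENTITY>
    <ACCESS><nonident/></ACCESS>
    <STATEMENT>
      <PURPOSE><current/><admin/><develop/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#dynamic.clickstream"/>
        <DATA ref="#dynamic.http"/>
      </DATA-GROUP>
    </STATEMENT>
    <STATEMENT>
      <PURPOSE><contact required="opt-in"/><telemarketing/></PURPOSE>
      <RECIPIENT><ours/><unrelated/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#user.name"/>
        <DATA ref="#user.home-info.online.email"/>
      </DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>
"""


def _local_names(parent):
    """Child element local names, e.g. '{ns}current' -> 'current'."""
    if parent is None:
        return set()
    return {child.tag.split("}")[-1] for child in parent}


def parse_statements(policy_xml):
    """Return one dict per STATEMENT: purposes, recipients, retention, data refs."""
    root = ET.fromstring(policy_xml)
    statements = []
    for stmt in root.iterfind(".//p3p:STATEMENT", NS):
        statements.append({
            "purposes": _local_names(stmt.find("p3p:PURPOSE", NS)),
            "recipients": _local_names(stmt.find("p3p:RECIPIENT", NS)),
            "retention": _local_names(stmt.find("p3p:RETENTION", NS)),
            "data": {d.get("ref") for d in stmt.iterfind("p3p:DATA-GROUP/p3p:DATA", NS)},
        })
    return statements


# Constructed user preferences (simplified, not APPEL): a statement is rejected if
# any of its purposes, recipients or retention values is in the matching deny set.
DEFAULT_PREFS = {
    "purposes": {"telemarketing", "other-purpose"},
    "recipients": {"unrelated", "public"},
    "retention": {"indefinitely"},
}


def evaluate(policy_xml, prefs=DEFAULT_PREFS):
    """Return (accepted, reasons); reasons name the statement, field and data hit."""
    reasons = []
    for i, s in enumerate(parse_statements(policy_xml), 1):
        for key, denied in prefs.items():
            hit = s[key] & denied
            if hit:
                reasons.append(f"statement {i}: {key} {sorted(hit)} on {sorted(s['data'])}")
    return (not reasons, reasons)


# Subset of the P3P 1.0 compact-policy tokens for the values in the sample
# (opt-in/opt-out suffixes and ACCESS tokens omitted for brevity).
COMPACT_TOKENS = {
    "purposes": {"current": "CUR", "admin": "ADM", "develop": "DEV",
                 "contact": "CON", "telemarketing": "TEL"},
    "recipients": {"ours": "OUR", "unrelated": "UNR"},
    "retention": {"stated-purpose": "STP", "indefinitely": "IND"},
}


def compact_policy(policy_xml):
    """Build the CP="..." value a site would send in its P3P HTTP header."""
    tokens = []
    for s in parse_statements(policy_xml):
        for key, table in COMPACT_TOKENS.items():
            for value in sorted(s[key]):
                tok = table[value]  # KeyError flags a value outside this subset
                if tok not in tokens:
                    tokens.append(tok)
    return 'CP="' + " ".join(tokens) + '"'


if __name__ == "__main__":
    ok, why = evaluate(SAMPLE_POLICY)
    print("accepted" if ok else "rejected:", *why, sep="\n  ")
    print(compact_policy(SAMPLE_POLICY))
```

Run as-is, the sample is rejected on three grounds (telemarketing purpose, unrelated recipient, indefinite retention), all from the second statement, which is exactly the kind of per-statement mismatch a P3P-aware browser would surface instead of making the user read the long-form notice.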

Despite the legal mandate, most federal Web sites do not have machine-readable policies, Schwartz said.

"Government sites were not becoming compliant at the same rate as commercial sites," he said. "In fact, government sites are far behind the commercial sector today."

But Schwartz said there are two major incentives for adopting the policy: adherence to the law and Congressional wrath expected in the spring. Congress is expected to ask the General Accounting Office to study federal compliance with the machine-readable format mandate after March 1, when the Office of Management and Budget will be reporting to Congress on agencies' compliance with the E-Gov Act.

According to Brian Tretick of Ernst and Young LLP, 23 percent of the top 500 Web domains were P3P compliant. Only one of the 19 government sites in that group, including state sites, was compliant.

Tretick, presenting at the workshop, outlined five basic steps for agencies to follow to implement a P3P policy:

Baseline: Understand the various domains and Web sites within one agency, the types of users accessing the site and the information gathered. Agencies should also review the privacy statements and practices.

Diagnose: Review the practices against the policy, including services and elements provided to the site by a third-party, such as images or a survey.

Improve: Remedy the privacy policy and determine whether the site needs several P3P policies or a single policy. Agencies should then develop the P3P policy, using policy-generator software.

Verify: Test the site to make sure it is indeed P3P compliant.

Deploy and maintain: Review the policy and compliance periodically and establish processes for changing the P3P policy.
