Agencies on the path to P3P

One piece of the E-Government Act of 2002 aims to make Web site policies easier for users to understand.

Developing privacy policies that can be understood by Web browsers would be another step in the right direction, but most federal agencies are lagging behind the commercial world, privacy officials said today.

"It's very difficult as a consumer to know what's going to happen with your information today," said Ari Schwartz, associate director for the Center for Democracy and Technology, speaking today at a workshop hosted by CDT and the American Council for Technology.

Section 208 of the E-Gov Act requires agency Web sites to include privacy policies in a machine-readable format. This is intended to allow users to easily understand how their personal information is used, stored and shared. The format allows users to set their privacy preferences into the browser and receive notice if sites match the preferences, Schwartz said. Today, users have to comb through an often long and esoteric privacy statement available on the site, he said.

The only way for agencies to adopt these policies is by using the Platform for Privacy Preferences Project (P3P) developed by the World Wide Web Consortium. The P3P policy directs the browser to notify the user, block certain cookies and provide a summary of the policy.

"It's a computer-readable language for coding all the common elements of the privacy policies," said Lorrie Faith Cranor, the P3P Specification Working Group chairwoman at Carnegie Mellon University, also speaking at the workshop. "Once [the browsers] read the policies, we would like them to do something useful for us."

Despite the legal mandate, most federal Web sites do not have machine-readable policies, Schwartz said.

"Government sites were not becoming compliant at the same rate as commercial sites," he said. "In fact, government sites are far behind the commercial sector today."

But Schwartz said there are two major incentives for adopting the policy: adherence to the law and the Congressional wrath expected in the spring. Congress is expected to ask the General Accounting Office to study federal compliance with the machine-readable format mandate after March 1, when the Office of Management and Budget will be reporting to Congress on agencies' compliance with the E-Gov Act.

According to Brian Tretick of Ernst and Young LLP, 23 percent of the top 500 Web domains were P3P compliant. Of those, one out of 19 government sites, including state sites, was compliant.

Tretick, presenting at the workshop, outlined five basic steps for agencies to follow to implement a P3P policy:

Baseline: Understand the various domains and Web sites within one agency, the types of users accessing the site and the information gathered. Agencies should also review the privacy statements and practices.

Diagnose: Review the practices against the policy, including services and elements provided to the site by a third-party, such as images or a survey.

Improve: Remedy the privacy policy and determine whether the site needs several P3P policies or a single policy. Agencies should then develop the P3P policy, using assistive software.

Verify: Test the site to make sure it is indeed P3P compliant.

Deploy and maintain: Review the policy and compliance periodically and establish processes for changing the P3P policy.
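The matching that Schwartz and Cranor describe (the browser reads the site's P3P policy, compares it with preferences the user has set, and then notifies, blocks cookies or accepts) and Tretick's "Verify" step can both be exercised with a small checker. The following Python script is an added example written for this article; it is not code from the workshop, CDT, W3C or Ernst and Young. The policy XML, the site name and the user's preference set are constructed for the example; the element and token names (STATEMENT, PURPOSE, RECIPIENT, RETENTION, and the compact-policy tokens such as OUR, IND and OTR) are the P3P 1.0 vocabulary.

```python
"""Evaluate a P3P policy against a user's preferences (added example, not from the article)."""
import re
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"

# Constructed sample policy for a hypothetical agency site (not any real agency's policy).
# Statement 1 covers clickstream logs kept for the stated purpose; statement 2 describes
# cookie data shared with another recipient and kept indefinitely.
SAMPLE_POLICY = """<?xml version="1.0"?>
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="site-policy" discuri="https://example.gov/privacy.html">
    <ENTITY>
      <DATA-GROUP><DATA ref="#business.name">Example Agency (constructed)</DATA></DATA-GROUP>
    </ENTITY>
    <ACCESS><nonident/></ACCESS>
    <STATEMENT>
      <PURPOSE><current/><admin/><develop/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP><DATA ref="#dynamic.clickstream"/><DATA ref="#dynamic.http"/></DATA-GROUP>
    </STATEMENT>
    <STATEMENT>
      <PURPOSE><tailoring/><pseudo-analysis/></PURPOSE>
      <RECIPIENT><ours/><other-recipient/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP><DATA ref="#dynamic.cookies"/></DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>
"""

# Assumed user preferences: P3P vocabulary tokens the browser should object to.
USER_PREFS = {
    "recipient": {"other-recipient", "unrelated", "public"},
    "retention": {"indefinitely"},
    "purpose": {"telemarketing", "individual-analysis", "individual-decision"},
}

# Compact-policy tokens (the P3P: CP="..." response header) for the same three elements.
COMPACT = {
    "recipient": {"OUR": "ours", "DEL": "delivery", "SAM": "same", "UNR": "unrelated",
                  "PUB": "public", "OTR": "other-recipient"},
    "retention": {"NOR": "no-retention", "STP": "stated-purpose", "LEG": "legal-requirement",
                  "BUS": "business-practices", "IND": "indefinitely"},
    "purpose": {"CUR": "current", "ADM": "admin", "DEV": "develop", "TAI": "tailoring",
                "PSA": "pseudo-analysis", "PSD": "pseudo-decision", "IVA": "individual-analysis",
                "IVD": "individual-decision", "CON": "contact", "HIS": "historical",
                "TEL": "telemarketing", "OTP": "other-purpose"},
}


def parse_statements(policy_xml):
    """Return one dict per <STATEMENT>: purpose, recipient and retention tokens plus data refs."""
    # Input is trusted here; parse policies fetched from arbitrary sites with defusedxml instead.
    root = ET.fromstring(policy_xml)
    ns = {"p": P3P_NS}
    statements = []
    for stmt in root.findall(".//p:STATEMENT", ns):
        def tokens(parent):
            el = stmt.find(f"p:{parent}", ns)
            # Child tags arrive as "{namespace}token"; keep only the vocabulary token.
            return set() if el is None else {child.tag.split("}")[1] for child in el}
        statements.append({
            "purpose": tokens("PURPOSE"),
            "recipient": tokens("RECIPIENT"),
            "retention": tokens("RETENTION"),
            "data": {d.get("ref") for d in stmt.findall("p:DATA-GROUP/p:DATA", ns)},
        })
    return statements


def evaluate(policy_xml, prefs=USER_PREFS):
    """Return (data_ref, element, token) conflicts; an empty list means the policy matches."""
    conflicts = []
    for stmt in parse_statements(policy_xml):
        for element, disliked in prefs.items():
            for token in sorted(stmt[element] & disliked):
                for ref in sorted(stmt["data"]):
                    conflicts.append((ref, element, token))
    return conflicts


def evaluate_compact(header_value, prefs=USER_PREFS):
    """Check a compact policy such as 'CP="NOI CUR ADM OUR IND"' against the preferences.

    Returns None for a missing or malformed compact policy (a cookie-blocking browser treats
    that as unsatisfactory); otherwise a list of (element, token, qualifier) conflicts, where the
    qualifier is the optional a/i/o suffix meaning always, opt-in or opt-out.
    """
    m = re.match(r'\s*CP\s*=\s*"([^"]*)"\s*$', header_value)
    if m is None:
        return None
    conflicts = []
    for tok in m.group(1).split():
        base, qualifier = tok[:3].upper(), tok[3:]  # "TELo" -> ("TEL", "o")
        for element, mapping in COMPACT.items():
            full = mapping.get(base)
            if full is not None and full in prefs[element]:
                conflicts.append((element, full, qualifier))
    return conflicts


if __name__ == "__main__":
    for ref, element, token in evaluate(SAMPLE_POLICY):
        print(f"notify user: {ref} {element}={token} conflicts with preferences")
    print(evaluate_compact('CP="NOI DSP COR CUR ADM DEV TAIa OUR IND"'))
```

Run as written, the full-policy check flags only the cookie statement (shared with another recipient, kept indefinitely), which is the case where a browser would warn or block the cookie, while the clickstream statement passes silently. The compact-policy path is the one Internet Explorer-style cookie filtering actually relied on, and a header that fails to parse is returned as None rather than treated as acceptable, which is the outcome an agency wants its "Verify" step to catch before deployment.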