ProfessorMiller: Hi. This is Arthur Miller for our weekly chat. We are joined by a special guest, Joseph Reagle.
  Joseph is a former fellow at the Berkman Center but has gone on to bigger and better things.
  He is now at the World-Wide Web Consortium, at MIT's Laboratory for Computer Science.
  What we will do this evening is have a chat with Joe, and you are all free to join in by question or comment as we go along.
  In addition, maybe we will be able to get some reactions to our weekly hypothetical.
reagle: aha! I think I'm here, hello everyone :)
ProfessorMiller: Joseph, let's start off by letting you tell the group what it is you are doing "downriver" at MIT.
reagle: Sure
  I've been at the Consortium since 1996, my interests have been interdiscplinary and one of the recent projects I was involved with was PICS and P3P
ProfessorMiller: Translate that for the uninitiated.
reagle: both of the projects tried to address a social issue by providing computer tools that help computer users
  PICS wa sthe platform for internet content selection, it allowed sites to be labelled, in a way that might warn users or parents of harmful material
  we took that idea, and tried to extend it to privacy. to enable sites to label their privacy practices, such that users could more easily discriminate
  {over} :)
ProfessorMiller: so what choices does a user have with regard to privacy self-protection?
reagle: not much right now
ProfessorMiller: what are you hoping for then?
reagle: to protect your privacy in the present regulatory involvement, it takes a lot of work on behalf of the user
  the goal of the technology is to make it easier, but even then, some will say that isn't sufficient
  i am hoping to make it easier, and not all legal approaches are equal
  for instance, some of the research i've been interested in show that people have a wide range of views on privacy, consequently one size doesn't fit everyone perfectly so law may not be as agile as necessary
  also, when you look at a lot of present legal approaches to these problems, they aren't terribly senstive to the user, they are more concerned with exercising legal formalities to bind users to agreements they can't understand
ProfessorMiller: well let's suppose a user who wants maximum privacy--what possibilities will P3P offer?
reagle: once sites use P3P (and the theory is that it will be adopted because of regulatory pressure and sites want high-quality consistent user data) users will hopefully be able to voice their concern and say no to many of the practices you have to accept now
  if anyone with a cable modem has read the terms, you'll know they are completely abusive and ambigous, you have little choice today
ProfessorMiller: give me a few examples of the types of choices you would enable a user to have.
reagle: simply, users will be able to say, "i will not give any information to sites that give identifiable information to third parties"
  users can say, "i will only release this information in anonymous form, and for completing /this/ transaction"
ProfessorMiller: Would P3P enable a user to protect himself/herself against cookies?
reagle: yes, cookies are listed as a thing that sites must disclose
ProfessorMiller: so how would the websurfer in our hypo have been able to make different choices with P3P?
reagle: for one, you could perhaps load a different persona during your lunch break
ProfessorMiller: sneaky sneaky
reagle: and second, when your just cruising the web for fun, you'd set that persona to say i don't want to be tracked at all
ProfessorMiller: are you advocating that we all fly under false colors?
  taht the only protection to privacy is lying? In any event, here is a comment from one of our folks:
Dennis asks: Joe, do you believe that cyberspace will someday share a common set of privacy standards with real space? Are are the 2 worlds divided?
reagle: it isn't necessarily lying :)
  coceptually, they can be easily bridged, realisticly they are quite far apart
  the hardest thing to address in P3P is what happens when the relatively clean/explicit computer world touched upon the ambiguities of real life
ProfessorMiller: That's very deep.
reagle: for instance, you go to the LLBean website and buy something, who do they say the information with?
ProfessorMiller: -I'd love to hear more
reagle: UPS got your shipping address, they consider it theirs
  the credit card company got your info, they consider your purchasing behaviour their data too
  did you as the user know this? not likely? and how does the simple web site deal with all of this?
  and this has nothing to do with cookies! i suspect a lot of people woudl be frightened about what happens in the real world too, if they knew
  the real question is can we use the technology to correct the real world, or will the technology merely perpetuate real world practices further/faster/better
ProfessorMiller: are you saying that under P3P, the user of UPS or the credit card will be "forced" to understand the information/privacy consequences of a transaction with companies of that character?
reagle: let me find the text where the P3P spec addresses this ...
  Comment: Creating a set of values which are simple, informative to the user, and accurate for service provider representations is very challenging and the WG is not completely satisfied with the results.
  For instance, the issue of transaction facilitators, such as shipping or payment processors, who are necessary for the completion and support of the activity but may follow different practices was problematic
wseltzer: (working group, right?)
reagle: As it stands, such organizations should be represented in whichever category most accurately reflects their practices with respect to the original service provider.
  so, the site would have to disclose such people as seperate organizations with differnt practices
  yes, this is a comment in the specification that the working group that came up with the privacy practice disclosures
  http://www.w3.org/TR/WD-P3P/vocab.html
ProfessorMiller: Joe, let me put you in touch with some of the people who have been throwing questions your way:
conan_lib asks: How would P3P enforce/encourage compliance with a data agreement?
reagle: P3P is not a silver bullet; it is complemented by other technologies as well as regulatory and self-regulatory approaches to privacy.
  this type of solution must be cast in a context cognizant of its primary assumption: decentralized, agent-assisted decision-making tools allow users to make meaningful decisions.
  P3P's success will be determined by how well users' believe their privacy expectations are being met when using P3P.
  . This is dependent on the quality of the implementations, the abilities of users, and the presence of a framework that promotes the use and integrity of disclosures.
ProfessorMiller: is P3P supposed to function - just a rough analogy - like the securities laws? Namely, by forcing stock issuer and companies to disclose any info that might affect stock owners?
reagle: So, it will be user pressure, market pressure, and regulatory pressure
ProfessorMiller: The assumption is that the companies will maintain a high level of honesty and integrity.
  In short, it's stockholder pressure reinforced or reinforcing regulatory pressure.
reagle: Also, there are various "seal" programs out there, they state that the site has a high level of integrity. Like TRUSTe, and BBB-online
  Right, and I'm not saying it is enough. In fact I've argued that self-regulation in the US is enough
ProfessorMiller: That's like the SEC / Good Housekeeping seal of approval
reagle: (isn't enough)
ProfessorMiller: so how do we reinforce self-regulation?
  do we need governmental intervention, or some type of unit inside the Internet that polices and enforces?
reagle: Frankly, I think we need a partly regulatory approach that makes being a good privacy player a benefit to a commpany, not a liability -- which it presently is.
  Right now, by disclosing your practices, you are only increasing your liability since there is no legal requirement to do it anyway
  Boxed In: Why US Privacy Self Regulation Has Not Worked http://cyber.law.harvard.edu/people/reagle/privacy-selfreg.html
ProfessorMiller: That seems to be what Donna says:
Donna asks: How well are the seal programs working? Seems very laissez-faire, very much in the ethos of the space.
reagle: I think they are a good idea, but they aren't solving the problem. In our privacy/user survey we had some interesting results
ProfessorMiller: What were those results?
reagle: We found that A joint program of privacy policies and privacy seals seemingly provides a comparable level of user confidence as that provided by privacy laws.
  On the other hand, when we asked respondents about online privacy seal programs without mentioning any specific brand names, their responses suggest that they do not yet understand how Internet seal programs work.
  So in my mind, saying privacy seems to offer a comparable level as law presently, is not necessarily an endorsement. Both are doing poorly
ProfessorMiller: So part of the work of Internet privacy advocates is getting wider understanding of these issues.
  and getting people to consider the consequences of their actions.
reagle: (The survey paper can be found at: http://www.research.att.com/library/trs/TRs/99/99.4/99.4.3/report.htm) Beyond Concern: Understanding Net Users' Attitudes
ProfessorMiller: anabhan sets us off in another direction with the following question:
anabhan asks: How is the consumer confronted with the privacy consequences if their browser software always handles the interaction?
reagle: Very good question
  We found that users never want information to be sent automatically, even if they like the privacy practices, so that leads us to believe that user agents should always give the user the opportunity to explicitly consent on the final send of the info
ProfessorMiller: here's a great ethical issue:
conan_lib asks: How do you respond to the comment that P3P might encourage "redlining" of users, i.e., providers would simply not serve users that set high privacy settings?
reagle: Part of the whole problem is that privacy is a one way mirror. You never know what happens on the other side. Your P3P agent -- to be useful -- will abstract some of the problem making it easier, but shouldn't hide it. d
  Two concerns regarding P3P are frequently expressed:
  users will sell or barter away their privacy to get access to a site.
  sites' traditional practices (such as collecting HTTP log activity -- the W3C does it itself) will be challenged/threatened.
  P3P is predicated on the assumption that IF sites and users wish to exchange information it should happen in the context of an explicit agreement. The technology should not preclude a mutually satisfactory balance from being achieved.
  Otherwise, this issue is an important policy debate for society at large. P3P is designed such that it is the individuals, markets, and regulatory frameworks that ultimately determine the balance -- as it should be.
  Plus, if those sites simply won't do business, well then, 20/20 might do a show on them! :)
  My fear is that users won't be able to say no, even if they have the tool
ProfessorMiller: your reference to 20/20 makes me ask: are you satisfied that public pressure will force people to deal with high privacy users, or do you believe there must be some legal compulsion for them to do so?
reagle: I think we need law to force disclosures
  I think we need law to force disclosures, because the current system, even with 20/20 is Self Regulation by Sustaining User Ignorance
  I think we need law to force disclosures, because the current system, even with 20/20 is Self Regulation by Sustaining User Ignorance
  I think we need law to force disclosures, because the current system, even with 20/20 is Self Regulation by Sustaining User Ignorance
  I think we need law to force disclosures, because the current system, even with 20/20 is Self Regulation by Sustaining User Ignorance
  This regulatory approach operates when market players suppress business practices (or reports thereof) that alarm a majority of the citizenry. Problems which are pointed out by the FTC, advocacy groups
  or the media can sometimes result in improvements by the targeted company
  . Occasionally, a coalition of companies may find the scrutiny to be loathsome enough to exceed their legal obligations and uniformly reform the industry's practices. Given the number and diversity of services on the Web, such efforts are doubly difficult.
ProfessorMiller: again, a change in direction:
Trevor asks: Don't we still struggle with the international issues? Any regulatory solution will, presumably, only apply in one jurisdiction. How do we develop a universal regulatory reinforcement?
reagle: The approach to P3P, is to be as descriptive as possible; this is an alternative to saying "this is legal in the US" or "legal in Europe" which has little value outside of its context
  So, this will be continued to be duked out at the international level, but we're speaking pure politics there
anabhan asks: What if a country wanted to grant more extensive protection for privacy than the P3P's default settings? Could those countries write law forcing people to set their P3P a certain way?
reagle: Yes they could. They could write their own "rules" files, or they might even come up with their own disclosure language. This is the strength of P3P, people can write additional disclosure vocabularies.
Dennis asks: Has P3P received any interesting comments from the European Commission's Data Protection group?
reagle: So the political/consensus problem with P3P, was to fit as much in while both the American Marketers and the Europeans stayed at the table
  Neither got their way, so i consider it a qualified success. :)
  My fear is that users won't be able to say no, even if they have the tool
  (my browser just hickuped)
ProfessorMiller: now burp it
reagle: the EU WG Party responsible for implementing the directive issue an opinion on P3P
  there were 4 points, but my brief characterization was that they wanted to make it clear that technology would not supercede or negate their regulatory requirements
Dennis asks: Do you have any prognostications on the Safe Harbour negotiations?
reagle: Could I ask the questioner to be more specific?
ProfessorMiller: Dennis, what's on your mind about Safe Harbour?
reagle: Does this relate the "contract" approach for determining "adequacy?"
Dennis asks: I suspect that the American point of view is overly optimistic. Europeans don't see a happy ending.
reagle: Well, actually, I'm not terribly optimistic right now. :) The thing is, I think the US is too loose, the EU is to restrictive, so we have an opportunity to craft the happy middle ground on the Web, but it's a long path ...
  Well, like any technology, the Directive still needs to be interpreted and applied in many contexts, before it is mature
Dennis asks: Personally I feel the Europeans are exerting a healthy impact on Americans in this issue. Would you disagree?
reagle: To the degree that they push us towards a middle ground yes. But I wouldn't want a graft of the European approach to the US, as a US citizen
  To the degree that they push us towards a middle ground yes. But I wouldn't want a graft of the European approach to the US, as a US citizen
ProfessorMiller: and how about this for a closing question:
anabhan asks: What do you think the next direction will be for the technology? What's beyond P3P?
reagle: You will get a little more control over your cookies in the newer browsers, but I suspect the technology of collecting info will advance faster than teh approaches to protect it
  Just think of people watching WebTV! They will know to run commercials for pizza because they will know when and who you buy pizza from when you are weatching Seinfeld
ProfessorMiller: Well that's it for tonight. I want to thank Joe Reagle for joining us. You can find more of his work online at www.w3.org, or cyber.law.harvard.edu/reagle.html
reagle: In this instance, technology is only a tool to help users, if users aren't willing to help themselves, then there's trouble in that solution
ProfessorMiller: oops!
reagle: Ok, thanks for allowing me to participate!
ProfessorMiller: sorry Joe
  I was thinking of that pizza you just mentioned :)
  and some cookies to go along with it
  Good night!
reagle: Ciao!