Getting wired: Are we deprived of privacy?

We should be concerned that so little work is being done in the area of online privacy.

Christmas time means e-commerce - at least in the online world - and so it is natural if e-tailers' thoughts are of shopping baskets, checkouts and secure transactions. But there is something missing from this festive picture of virtual tills ringing merrily. And it is not only now that this is the case: for much of 2002, the issue of privacy has been the great absence in the Internet world.

It is not hard to see why. At a time when surviving dotcoms have firmly battened down the hatches in a desperate attempt to reach that magic break-even point, niceties such as privacy policies are often cast aside. Nor is the e-commerce world wholly to blame: it is also down to the users to clamour for better privacy protection, but they too seem to have lost their earlier zeal - call it Net fatigue.

The recent case of identity theft, involving some 30,000 victims, should act as a wake-up call for anyone who doubts that the implications of privacy abuse can be serious - and very expensive.

Against this background, it is worth reading the summary of the state of privacy in the online world today called Privacy Online: a report on the information practices and policies of commercial Web sites. The overall conclusions are moderately upbeat - Web sites are tending to ask for fewer private details about people and to be more sensitive to privacy issues.

But one slightly disturbing fact to emerge from the report is that there is so little technical work going on in this area to address the problems. In fact, practically the only attempt to come up with a framework for privacy is the World Wide Web Consortium's Platform for Privacy Preferences Project (P3P).

From the P3P home page, there is the current specification and a FAQ. Probably the best general introduction to the initiative is the first chapter of an O'Reilly book on the subject, freely available online, which also has a very useful list of links in this area.

If you want to see what P3P looks like in practice, a good place to go is a P3P policy translator. To use it, choose one of the popular sites in the drop-down box, then press the interpret button. This converts P3P-speak into something vaguely English-like.

The semi-official list of sites using P3P is a little disappointing. Even those bigger names that are listed only comply with the older drafts of the standard. Perhaps the list is simply out of date: the report referred to above claims that about 25% of the most popular domains and 5% of random sites have implemented P3P technology.

In terms of P3P tools, the W3C offers a validator and there is a good list of P3P software available. The list includes policy generators and implementation tools such as IBM's P3P Policy Editor and the Web-based wizard P3P Edit.

On the client side, all of the top three browsers now support P3P. There is more information for Microsoft, Netscape and Mozilla. Also worth noting is the free browser plug-in from AT&T called Privacy Bird and IBM's Tivoli Wizard.

All of this activity may sound impressive but P3P is not a perfect solution. There is a document called Pretty Poor Privacy that outlines some of the issues, though this is a little out of date now.
