February 20, 2003
P3P
I went to a lecture today by Dr. Lorrie Cranor, where she spoke about her work in providing P3P authorization and protection services. A very interesting talk to say the least.
Minor quips about the talk first, and then everything else. Dr. Cranor rushed through the talk; it seemed rather obvious to me. Her speech just felt like it was going too fast and without emphasis (and pause) on the important parts. It's obvious there is a lot more to discuss than just the 1.15 hours she was allotted. I'd love to hear her talk more about this at some point in a casual manner. We all have words that we prefer to use a lot; hers is "whirlwind."
Now onto the rest of it.
The progression of her work towards implementing a series of privacy 'catches' for web browsers is fascinating. One of the points she makes is that people REALLY don't have a clue about what data is being collected and distributed about themselves online. Even more important is that users don't even realize it when they are giving out this information!
One of the other things I took away from this: privacy experts are so far removed from the audience they are protecting that they cannot communicate with each other.
Her initial project started out as a large matrix of checkboxes denoting good and bad options for a website to collect. The matrix size began to jump dramatically as more legalese was added, eventually becoming just unusable. Her group realized this and began to find new ways around this: clumping multiple options into the same group, and limiting the extra fine granularity of user control.
What I took away: P3P isn't hard. The suggestions are in place, and the framework is ready. It's just a matter of running through those steps to make it useful. The hard part is, believe it or not, getting users to become knowledgeable. Not only do they not realize when data is being collected about them, but they don't realize what data they do want collected. Dr. Cranor used an example of not distributing a social security number ever to a website, but in cases of a health care provider the blanket option didn't work. It was later shown that it is easier for users to decide what they DON'T want a website to collect rather than what they should offer to be collected.
More importantly, they learned a massive amount about human-computer interaction and GUI design. The end result of all of this work, Privacy Bird, is truly an amazing thing. Unfortunately it only works on Windows platforms, and worse yet for Internet Explorer only.
Now the semi-good news. The good folks at Mozilla have implemented a series of P3P restrictions EXTREMELY similar to all of her work. The only big downfall is the lack of a nice big means of notification that Privacy Bird uses. Hopefully there will be a correction to this in the near future.
Posted by Dan at February 20, 2003 01:46 PM