Can User Agents Accurately Represent Privacy Policies?
Joel R. Reidenberg
Fordham University School of Law
Lorrie Faith Cranor
Carnegie Mellon University - School of Computer Science and Carnegie Institute of Technology
August 30, 2002
The Platform for Privacy Preferences (P3P) is a W3C specification that provides a standard computer-readable language for web sites to encode their privacy policies. This standardization allows for the creation of web browsers and other user agents that can display privacy warnings and signals that are meaningful to users or that automate actions in accordance with user instructions. This paper shows that P3P user agents will necessarily include judgmental design decisions and that the accuracy of the P3P user agent interactions becomes a critical matter. The accuracy of P3P user agents raises significant legal concerns about privacy agreements, inadvertent deception, and liability. The technological mediation designed to make it easier for users to understand the privacy practices of web sites risks adding ambiguity, confusion and legal uncertainty. This paper argues that one way to avoid having privacy practices represented inaccurately by P3P user agents is to certify P3P user agents for the accuracy of their representations of web site P3P policies. While there are some things that P3P user agents might do that would be readily identified as inaccurate or misleading, there is a large gray area in which user agents might present factual information side-by-side with subjective judgments. These judgments may be deemed misleading by some people but not others. Many of the issues raised here are new, but this is not likely to be the last time that these issues arise. As work progresses on computer-mediated search and negotiation technologies with a wide variety of applications, these issues are likely to surface repeatedly. In this paper we explore these issues and suggest some possible solutions, as well as a number of open questions.
Number of Pages in PDF File: 22
Keywords: Internet, privacy, P3P, user agent, web site, code, standardization, contract, misrepresentation, deception, negligence
JEL Classification: K10, K12, K13, K20, K30
Date posted: October 28, 2002; Last revised: May 15, 2014