P3P Won't Allay Privacy Concerns Over Microsoft's Passport

Microsoft's requirement that merchants using Passport subscribe to the Platform for Privacy Preferences (P3P) standard is a stop-gap measure and will do little to benefit consumers. Here's why.

Event
Microsoft recently said it will require merchants that use Passport, which allows customers to access many Web sites by using a single password, to support the P3P standard.

First Take
Microsoft's planned shift from selling software licenses to bringing in revenue through services and transactions has made Passport a core part of the vendor's strategy. Microsoft has repositioned Passport from a server "wallet" service to the core authentication service for Hailstorm and .NET. With Passport's integration into Windows XP, concern that Microsoft will build a huge repository of consumer data has attracted public attention. Passport shares customer registration information (although not user ID and passwords) with Web sites signed up to the Passport service while allowing customers to opt out of sharing information. (Microsoft says it will change to an opt-in system soon.) To date, Microsoft has not required its partners to have specific privacy practices except for some form of privacy policy (see Research Note COM-13-5873 "Beyond the Headlines: Privacy Issues and the Enterprise").

Gartner believes that requiring merchants to adopt P3P v.1 on their Web sites is a short-term solution with no real benefit for consumers. Web server vendors and consumer Web site operations have largely driven the inclusion of the P3P specification in Internet Explorer 6 to stave off privacy regulations and assuage consumer concerns. Gartner has argued that P3P does not obviate the need for further regulation (see Research Note T-13-3436 "P3P Will Be the V-Chip of the Internet").

For P3P to benefit consumers, third parties must develop tools so that consumers can create their own privacy settings and understand the privacy policies of servers. Until this happens, the complexity of setting P3P preferences in their browsers will mean only a fraction of consumers will likely do so. Even then, if merchant privacy policies don't accord with the consumer preferences, the consumer can only accept the lower privacy standards or go elsewhere. Here is a wasted opportunity. Machine-readable privacy policies and preference setting would be more effective than today's legalistic privacy policies, with their hard-to-find opt-out clauses.

Gartner believes that Microsoft's ambitious plans for Passport will require more sophisticated security and privacy techniques than the company has used to date or required of Web sites and operators. Hailstorm will facilitate information exchanges between Hailstorm customers and consumers. Consumers specify what information they would like shared with each Hailstorm customer, rather than electing what information can be used or shared with any Passport Web site. The granular, opt-in privacy model required for Hailstorm is a far cry from what P3P v.1 has to offer today. Furthermore, Microsoft must also make sure Hailstorm customers adhere to the consumer's privacy preferences and have implemented proper security measures. Web sites should not assume that P3P will form the basis for Hailstorm's privacy requirements.

Gartner recommends that Web site operators and services vendors focus on how to provide more meaningful choices to consumers concerning how their information is used, e.g., by providing consumers with different privacy policies and information-use options according to the type of service, transaction or business unit involved.

Analytical Source: Arabella Hallawell, Information Security Strategies

Resource Id: 338993