Let’s take a good look at privacy policies

To the readers who e-mailed me saying I have not answered their questions about privacy issues on the Internet, I shall endeavor to answer those questions now.

To Dr. Simon Richardson of Cambridge, Massachusetts, whose e-mail contained a quote from a book he read, let me include the quote because of its relevance to this article: "Technology hits us like a storm whirling in our heads in all directions – these same heads must provide the answers, otherwise, chaos will hit us like a bigger storm."

Four e-mails, being foreign, asked about which international organization they could seek advice from. Specifically, their questions had to do with the best information a website user can give away to protect his or her privacy. I know that the OECD (Organization for Economic Cooperation and Development), which was established by a group of at least 30 countries to provide governments with a venue for economic and social policy formulation, is one such organization.

The OECD members regularly meet to frame, develop and perfect economic and social policies. It is this organization that offers what is now called a "privacy statement generator" that allows users to respond to a questionnaire to create a privacy policy. My advice, however, is to be cautious in using any automatically formulated policies or stereotyped policies available on the Web, because there is an interesting dichotomy and variance in these form policies and, of course, the fact that users’ needs are all different.

Personal privacy statements are not yet in vogue in our country and not yet extensively used in the United States and Europe, but developing fast as a necessary (not only convenient) online tool in business and commerce.

The E-Commerce law of the Philippines or R.A 8792 mandated the Department of Trade and Industry (DTI) to come out with guidelines for many areas of the law. I was still handling telecommunications in the government when we helped craft this law. From the legislative sector, Senator Ramon Magsaysay and then Congressman Leandro Verceles Jr. were the most meaningful participants in the crafting of this law in collaboration with the technical and legal teams of the Department of Transportation and Communications then.

One e-mail informed me that my good friend, Senator Mar Roxas, who headed the first IT-enabled service mission to the US in 2001, paid tribute recently to the current DTI leadership for "finally" coming out with a comprehensive set of guidelines that "will ensure the protection of personal data in information and communications systems in the private sector."

The guidelines contained in Administrative Order No. 08 were issued, however, only last July 21. The E-Commerce law was passed on June 14, 2000. More than six years have elapsed since the enactment of the law. That is one reason why P3Ps, as an online safeguard, are hardly known in our country. Implementing guidelines to a law should be issued in collaboration with the agency’s private sector, within the first year from the law’s passage. But to let six years go by without the so-called "Implementing Guidelines" being issued is a lot of time wasted, and has negative consequences as far as the country’s relevance in the global ICT investment sector is concerned, and contributes to the already delayed responsiveness we have in the international community of nations.

The guidelines prescribe the rules for personal data protection, define the role of data protection certifiers, and encourage private entities and, for that matter, individuals, to adopt their own privacy policies on the Internet in accordance with P3P, known globally now as the Platform for Privacy Preference. I would like to echo Mar’s statement that "the private sector will now be more encouraged to venture into e-commerce in the country and we have one more tool to promote the country’s ICT sector as an investment area."

I certainly agree with his e-mail that having rules and regulations on data privacy use and protection is an important criterion for companies to decide where to outsource highly data-sensitive projects, and that the guidelines will provide Filipinos with knowledge on how to protect the privacy of their personal information, and how to fight those who abuse them using information and communications technology as a tool.

In order to comprehend what a typical privacy policy should incorporate, it is best to make even just a cursory review of the policies on the websites you frequently visit, because a number of them may already have them. Most likely you will discover that the policies have many things in common, but you will also find that there are subtle differences. At first glance, policies appear to be very protective but ultimately allow the business to do just about anything with its visitor’s personal information.

Since some of my readers are foreigners with home countries already utilizing privacy policies as a rule, let me inform them that the most important information to be considered in the formulation of one’s privacy policy pursuant to a P3P is, of course, with whom you intend to share your visitor’s personal information. Crafting a good privacy policy statement is not easy, meaning, one that treasures your customers but gives you sufficient space, as they say, to make money. This is tricky and many times the advice of your lawyer may be necessary.

Because websites have only recently begun to pioneer their privacy policies, issues and confusion have arisen. People complain that these privacy policies are difficult to understand, that at times they are really ambiguous and vague, and of course, many times that they are peppered with legalese. To resolve this, the W3C (World Wide Web Commission) developed the Platform Privacy Preference or P3P, which is the technological approach to interpreting and applying privacy policies, and is intended to limit – if not eradicate – the confusion, and this has been quite successful. It is therefore best that the Philippines take a good look at this and proceed to some degree of formal and standard adoption.

As globally discussed and recognized now, and in its simplest form, P3P is nothing but a standardized set of multiple-choice questions covering all the major dimensions of a website’s privacy policies. Taken together, P3P shows a clear snapshot of how a website manages its users’ personal information. P3P-enabled websites ensure that this information is visible and available in a standard machine-readable format, so that P3P-enabled browsers will be able to "read" this snapshot automatically and speedily and thus compare it with the consumer’s own set of privacy preferences.

P3P, therefore, as some conference speakers have already expressed, enhances user control by placing privacy policies where users can find them, in a form users can understand, and hence enables the users to act expeditiously on what they see – which is necessary. As of now, within the international context, no law, to my knowledge, requires any site to do so.

However, in the meantime, and until the acceptability and benefits of P3P become more generally and widely known, consumers and businesses should not ignore it. In the Philippines, with the issuance of DTI’s Administrative Order 08, it would benefit consumers to understand how their web browsers interpret P3P.

Jake Crawford, a Ph.D. from Baguio City, sent an e-mail where he asked when the International Telecommunications Union (ITU) would look at P3P seriously, "privacy issues being fundamental in the Internet community." He told me that he was in the audience when I delivered the keynote speech at a telecom conference in Baguio in 1996, when the "previously unfamiliar word ‘Internet’ seemed all too suddenly to be on everyone’s lips." For his and your information, P3P is already being discussed within the ITU study groups toward draft resolutions being developed.

But again, making certain that future problems emanating from any mandatory resolutions are taken into consideration and analyzed thoroughly, a phrase that has lingered in my memory after I read the book Human Involution comes to mind: "…the near-sightedness of the present…"

Because the paragraph is an excellent one, I’d like to quote it in full: "He should forego the near-sightedness of the present, the short-term nature of his thinking, and the immediate needs of today. He must shift his sights to the unknown, anticipate the problems of the future, and dream of the answers. He must address the questions and issues of the long term and realize that it is better to resolve them at the point of choice rather than at the point of consequence."

* * *

Thanks for your e-mails sent to jtl@pldtdsl.net