The Tech Scene: P3P, a Privacy Tool in the Works: Killer App or Web Banking Killer?

The concept sounds good, at least on paper: A forthcoming version of Microsoft Corp.'s Internet Explorer browser will come equipped with a technology that lets people adjust online privacy to the level they prefer, using simple tools to control the information Web sites can collect about them.

The engine behind this functionality is called P3P, the Platform for Privacy Preferences, a standard under development by the World Wide Web Consortium, which itself is also known by a cute acronym, W3C. To some people, P3P could be the cure-all for our collective Internet privacy concerns. To others, P3P is a flawed experiment that will bring no benefits and could prove especially troublesome for financial services companies, which could find that it disables online banking programs and other services offered through the Web.

P3P, which has been in the works for three years, is essentially a computer language for talking about privacy. It offers a standard set of multiple-choice questions covering the major aspects of a Web site's privacy policies. Once a consumer answers the questions, which may one day be embedded in browser software, the browser can then "read" the privacy policy of a P3P-enabled Web site, compare its practices to the consumer's preferences, and let the consumer know whether the site conforms to his or her privacy standards.

"The browser will be able to say right away, either 'this is a site that conforms to your privacy preferences, go right ahead and proceed,' or 'this site is at odds with your privacy preferences in the following ways, proceed at your own caution,' " said Daniel Weitzner, a top cheerleader for P3P, whose title at the World Wide Web Consortium is technology and society domain leader.

He said that P3P is a step away from being a final Web standard - it is a "candidate recommendation" that awaits a final ruling from W3C members. "The working group responsible for its design considers it more or less finished," Mr. Weitzner said. "It's a call for tech vendors to start using and implementing this technology. Based on what happens in implementation, we may make some changes, but it's stable enough" to use today.

But critics of P3P - and there are many, including such influential groups as the Electronic Privacy Information Center - call the technology too complex, too expensive to install, too potentially disruptive to customary ways of doing business, and, at its core, unhelpful. "It is a complex and confusing protocol that will make it more difficult for Internet users to protect their privacy," according to a paper called "Pretty Poor Privacy" published last June by the center and another privacy group, Junkbusters. "There is little evidence to support the industry claim that P3P will improve user privacy."

The way P3P is designed could be particularly disastrous for banks, according to some people who have studied the technology. Internet Explorer 6.0, which is in beta testing now and scheduled for release this year, includes a dial that people can use to adjust for various privacy settings, and experts say the default setting - the one that the browser comes with - would block many Web banking services as they are set up today by disabling the "cookies" collected by third-party companies.

A lot of basic services that rely on content coming from different places could be hamstrung by P3P, experts say. These include account aggregation, electronic bill presentment and payment, co-branded products, and insurance and mutual funds that banks sell as agents for other companies.

A technology expert who has studied P3P in detail said it was conceived as a negotiating tool. A user would set preferences; the Web site would display its privacy policy in machine-readable format; and negotiations would ensue between the site and the user to see whether they could agree on a privacy contract. But for various reasons the designers of P3P could not accomplish this, and what emerged instead was an immense vocabulary for describing privacy-related matters.

This expert said that the vocabulary is both too complex and at the same time too rigid - it does not include the term "may," he said, which some financial services companies rely on in their privacy policies to hedge their bets against practices they could consider taking up in the future.

"In my judgment, a full implementation of P3P in the financial services industry would not be a good development," the expert said. "There need to be limits in terms of choices that are still relevant for consumers but that don't require the kind of complexity on the back end which P3P will generate."

Because P3P is viewed by some as a panacea, and because the financial services industry continues to sit on the hot seat where privacy is concerned, the expert did not want to attach his name to a detailed critique of P3P. Similarly, other executives are treating the matter gingerly.

"Anything that is of assistance to consumers makes sense," said Cheryl Charles, senior director of BITS, the technology arm of the Financial Services Roundtable. But "part of the historic difficulty with P3P has been its complexity. There can be unintended consequences." Some BITS members have been testing the technology, and "they're getting inconsistent results with it," she said.

Citigroup Inc. and American Express Co. have been putting P3P through its paces, as have BITS and the Financial Services Technology Consortium, which is a member of W3C. According to W3C's Mr. Weitzner, P3P enjoys tremendous momentum: Not only is Microsoft disseminating it, but also America Online (which owns Netscape) is planning to support it in the Mozilla browser, and International Business Machines Corp. and other companies in the server business are "working a lot on back-end customer relationship management that incorporates P3P."

The next step will be for merchants and other companies to support P3P on their Web sites, Mr. Weitzner said. A few of them are already doing so, he said, including AOL, Hewlett-Packard Co., Procter & Gamble, and Microsoft. "No question, this really does require the active participation of all service providers on the Web," he said. He added that the technology cannot police whether a Web site truly adheres to the privacy standards it espouses.

Whether or not P3P is good or helpful, its goals enjoy wide support, and it is getting attention in high places. Mozelle Thompson, a commissioner at the Federal Trade Commission, recently pointed to it during a Webcast teleconference on privacy sponsored by Ernst & Young. "Business needs to know that through this new technology called P3P that's embedded in the next generation of Internet Explorer, people are going to have a lot more to choose from - more privacy protections," he said.

Mr. Weitzner said P3P can help banks give the "conspicuous notice" of privacy rules that Gramm-Leach-Bliley requires. With the technology, "we're trying to get beyond the direct marketing opt-in or opt-out debate," he said. "That debate is based on a cynical effort to game out where you put the burden for understanding privacy. Do you want to make the users figure out what post office box they have to send a notice to? We can use the power of Web technology to help streamline this."
