Mozilla is throwing their hat into the ‘privacy commons‘ ring. Inspired by Aza Rankin’s ‘Making Privacy Policies Not Suck‘, Mozilla is trying to think through a series of icons intended to educate users about websites’ privacy policies. This is inspirational, insofar as a large corporation is actually taking up the challenge of the privacy commons, but at the same time we’ve heard that a uniform privacy analysis system is coming before….in 1998. A working draft for the Platform for Privacy Preferences (P3P) was released May 19, 1998 during the still heady-times of people thinking that Privacy Enhancing Technologies (PETs) could secure people’s online privacy or, at least, make them aware of privacy dangers. The P3P initiative failed.

Part of the reason behind P3P’s failure was the length of its documentation (it was over 150% the length of Alice in Wonderland) and the general challenge of ‘properly’ checking for privacy compliance. Perhaps most importantly, when the P3P working group disbanded in 2007 they noted that a key reason behind their failure was “insufficient support for curent Browser implementors”. Perhaps with Mozilla behind the project, privacy increasingly being seen as space of product competition and differentiation, and a fresh set of eyes that can learn from the successes of the creative commons and other privacy initiatives, something progressive will emerge from Mozilla’s effort.

As is noted by CNET, a core problem behind the P3P movement was the massive explosion of privacy categories: they grew from three to seventeen (!). One can imagine that, were the creative commons much more complicated than their current instantiation, we’d still be focusing almost exclusively on GPL and similar licensing regimes. (Note: this isn’t a elbow jab at non-creative commons models, but a gentle suggestion/reminder that creative commons has generally been more successful than other licensing models in getting the attention of non-technical end-users than other licenses. User interface and marketing matters!)

To be sure, it helps that Lessig marshalled interest in the creative commons, leading to the support for the project in the form of academic articles, public books, and major celebrity endorsements. The RIAA’s carpet-lawsuit campaigns presumably also had a major effect on spreading public awareness of the creative commons. I imagine that without the RIAA going to war with consumers that the creative commons would have been far less likely to have succeeded – there wouldn’t have been the same drive to learn about copyright, and copyright alternatives – and I don’t know that a similar visceral reaction towards the management of privacy currently driving a move towards a privacy commons.

Privacy commons models have been trialled in Canada, with the notable case where Canadian researchers launched a Firefox extension called ‘PIPWatch‘ to try to raise surfers’ awareness of how compliant websites were with Canadian privacy laws. The extension is described as,

the first privacy technology designed specifically for Canadian Internet users. Built as a toolbar extension for the Firefox web browser, PIPWatch gives real-time feedback on the privacy practices websites visited by Canadian users, in particular whether a site’s owners respect Canadian privacy laws.

Something that was unique about their approach was that when the extension’s users got to a site that was (1) described non-compliant with Canadian privacy law; (2) was not part of the PIPWatch database, the users could send a message to the identified privacy officer of the website. Unfortunately, this entailed some ‘heavy lifting’ by the first visitor of a website not in the database: first vistors had to track down the information needed to send that first message so that subsequent visitors could send their own messages with a click of button. This model was inefficient, terribly time-consuming (especially where it was unclear who was responsible for corporate/web privacy issues), and without a large number of users using the extension it failed to generate the adoption-rates required for it to truly be effective (effective in the sense that corporations and websites themselves would self-contribute to the database) on a wide-scale. It is notable that Facebook was proactive, years before their roundabout with the Office of the Privacy Commissioner of Canada, in working with PIPWatch so that it displayed the correct ‘privacy warning’ for visitors to that site.

PIPWatch, admittedly, didn’t have the support of a large and (comparatively) well-resourced group like Mozilla. The researchers behind the project adopted a ‘community-centric’ model to privacy policies, in variance with P3P. I’ve previously suggested a set of icon-categories for the privacy commons and noted the difficulties in building them out. Specifically, in relation to this latter point I wrote that:

… the benefits of a machine-readable privacy commons are high….but only if substantial market penetration can be achieved. Ideas of a commons aren’t new – they’ve been swimming through academic literature in various iterations for the past decade and a half or so – and whenever there has been an effort to impose a machine-readable privacy system uptake is the key issue. Copyright doesn’t face the same issue, insofar as most people would (probably) be happy with a ‘regular’ copyright. Further, copyright has been around long enough that most people at last can imagine what their permissions might include where they don’t see a creative commons licensing icon. Privacy, however, isn’t as well defined in legal statutes, has deep variations around the world, and (perhaps most importantly) lacks an international advocacy group that is composed of businesses who see advancing privacy as essential to their business interests. Google fought to add the very term ‘privacy’ on their homepage, and they’re a web-savvy company. Facebook suffered through an extended investigation to have their privacy policy changed. How reasonable is it to expect large fortune 500 companies to adopt any kind of privacy commons position?

Thinking about implementation, perhaps what is required is a middle-ground between PIPWatch and P3P. Such a model could support an API so that companies and individuals can leave generic information about how data is/isn’t collected and used, but also enable visitors of websites to either contact Mozilla when a website not participating in the privacy commons is discovered (so that Mozilla can notify the site owner about the privacy commons) or offer a direct ‘click here to send a generic message to site owner’ option.

Whereas the creative commons has the “advantage” of copyright being a high-profile issue in light of punishing lawsuits in the US, I think that any Privacy Commons effort needs to assist individuals in contacting companies about the individuals’ concerns about privacy, as well as building out an API for classifying sites’ policies. Ideally, messages to site owners would include not just a question about joining the privacy commons but also basic information about how to integrate the API into the web environment, as well as a resource to contact at Mozilla for more information. As we’ve seen to date, relying exclusively on either an API or notification has been unsuccessful; let’s start investigating the value of ‘hybrid’ approaches, backed with institutional resources and end-user feedback, and see if a privacy commons movement can genuinely be started and sustained.