Comment on the potential role of PETs in internet privacy Although the technical means mostly exist, and many are mature, PETs do not seem to have achieved either the adoption or the impact which one might have expected or hoped for by now. I believe this is because the adoption and dissipation of new technologies is affected by a complex set of related factors - described at a high level by so-called "s-curve" models of maturity. I have applied this analysis to the adoption of PETs, and published the results in the Information Security Technical Report (Vol 14, Issue 3), which is available online here: http://dx.doi.org/10.1016/j.istr.2009.10.010 A pre-print version of the same article is also included as an attachment. A couple of points are worth drawing out in summary of the paper's over-all message: First, PETs will need to overcome a common 'security technology obstacle': to deliver complex functionality reliably, while shielding the user from some or all of the complexity involved (think of browser SSL, for instance). However, the more the user is isolated from underlying compelxity, the more they have to rely on other factors to reassure them that the mechanism is working as intended... and of course, those other factors can be attacked, spoofed, subverted and so on. Second, if only some online services are made available in a privacy-enhancing form, the effect may be to limit the choice available to users concerned about their privacy - effectively "herding" them into a smaller subset of online services. Paradoxically, this may actually make it easier to correlate and/or track the activities of those users, potentially damaging rather than enhancing their privacy. The paper goes on to consider other challenges facing the designers, implementers and adopters of potential PETs, and proposes a model for analysing the "eco-system" of related factors which successful implementations will have to address.