
W3C Technology and Society Domain

Summary Report - W3C Workshop on the Future of P3P

Lorrie Cranor and Daniel Weitzner, Workshop Co-Chairs

On November 12-13, 2002, W3C held a Workshop on the Future of P3P at the AOL campus in Dulles, VA. Fifty-six participants registered from the following organizations: AOL, AT&T, BITS, CDT, Citigroup, Coremetrics, DoubleClick, European Commission, EPIC, Ericsson, Ernst and Young, Federal Trade Commission, Fidelity, Hogan & Hartson, Hunton and Williams, IBM, Information and Privacy Commission/Ontario, Internet Education Foundation, Microsoft, Netscape Communications, NeuStar, Office of the New York Attorney General, Privacy Regulation Report, PricewaterhouseCoopers, Siemens, Sun Microsystems, Technische Universität München, TRUSTe, University of California Berkeley, Catholic University Leuven, Wilmer Cutler and Pickering, and W3C.

The workshop program included eight panel discussions on specific topics related to the future of P3P, and a closing discussion about next steps. In the sections below we provide a summary of each discussion and recommendations on how to proceed. We also include links to detailed notes that have been provided by workshop participants. The position papers submitted by the workshop participants also provide further details on these issues.

Vocabulary Issues

[Detailed Notes]

Panelists: Brian Zwit (AOL), Andrew Bybee (Microsoft), Matthias Schunter (IBM), Giles Hogben (JRC), Cheryl Charles (BITS); Moderator: Lorrie Cranor (AT&T)

The focus of this panel was on identifying specific issues with the P3P vocabulary that are causing problems in practice.

Primary vs. secondary data use

The PURPOSE elements in P3P vocabulary focus on describing secondary data uses. Primary data uses, for the most part, get covered by the "current" purpose. As a result, web sites cannot explain what their primary data uses are, except in the CONSEQUENCE field. Sites might want to explain, for example, that a cookie is being used to authenticate a user to a web site.

Disclosures necessary for compliance with EU Directive

There are some disclosures required by the EU Directive that are not accommodated by the P3P vocabulary. For example, there is no element to explain what jurisdiction data is going to, no element to explain a company's security practices, and no element to describe maximum data retention period. There may be ways to accommodate some of these disclosures using the human-readable fields in the P3P vocabulary or the extension mechanism. The security disclosure was not included in the P3P vocabulary because of concerns that it was not a meaningful disclosure.

Mismatch between users' and companies' needs

Users want privacy policies to be relatively simple; however, corporations often want to convey very detailed information in their privacy policies in order to comply with laws and explain the motivation behind some of their data practices. The P3P vocabulary probably provides more information than most users really want, but good user agent implementations can hide much of the extra complexity from users. Some people want to see even more detail added to the P3P vocabulary, regardless of whether or not user agents make use of it.

Financial industry concerns

BITS raised concerns that P3P user agents raise warning flags about some financial web sites, even though those sites are in full compliance with GLBA. For example, P3P user agents may draw attention to the fact that users are not offered opt-outs. In the discussion that followed, people said that while GLBA may permit a financial institution to use data in certain ways without offering an opt-out, there was no reason a P3P user agent should not be able to alert users to this practice. There was a general consensus that the concerns raised were more about specific user agent implementations than about the P3P vocabulary. In addition, part of BITS' concerns stem from questions about the legal standing of P3P policies and how regulators would be likely to view differences between a P3P policy and a human-readable privacy policy.

Other issues

Some concerns were raised about the difficulty in describing agent or partner relationships. The need to specify how to use P3P with web services was also raised as an important issue.

User and Implementer Issues

[Detailed Notes]

Panelists: Brian Tretick (Ernst and Young), Brooks Dobbs (DoubleClick), Jack Humphrey (Coremetrics), Lorrie Cranor (AT&T), Steven B. Adler (IBM Tivoli Security and Privacy)

This session included a review of some surveys on the P3P adoption rate and on use of the AT&T Privacy Bird P3P user agent. Current indications are that a significant fraction of web sites have adopted P3P (about 25% of the top 100), but the adoption rate has slowed. The reasons for the slowdown likely have to do with the general state of the economy and privacy officer teams being downsized. Legal uncertainty may also play a role. Feedback on AT&T Privacy Bird has been positive, and users say they would like to be able to take privacy policies into consideration in their buying decisions. More work is needed to improve the policy summary format. Besides web site adoption and P3P user agents, we are also seeing companies building P3P into back-end products, for example the IBM Tivoli Privacy Manager.

Web sites have encountered some problems in describing agent relationships with P3P. Sites would like to be able to explain who they are acting as an agent for, and also to explain when cookies that appear to be third-party by domain name are not really third-party. Sites would also like to set up P3P policies for their agents or for companies they are acting as an agent for; however, besides the technical limitations of P3P, there are concerns about companies declaring policies for other companies.

Going forward there is a need to specify how P3P can be used without binding it to HTTP and/or URIs so that it can be used with web services and other emerging standards and applications.

Compact Policies, Cookies, and Performance Issues

[Detailed Notes]

Panelists: Bill Duserick (Fidelity), Giles Hogben (JRC), Brooks Dobbs (DoubleClick), Andrew Bybee (Microsoft); Moderator: Lorrie Cranor (AT&T)

Many sites are finding P3P compact policies to be problematic. While not required by the specification, sites must implement them to avoid third-party cookie blocking, so they are turning out to be fairly important. The main problems people have with compact policies are: a) there are concerns that the semantics of what a compact policy means are not fully understood; b) because there is no grouping mechanism in the compact policy, there is no way to indicate that a particular purpose applies only to a particular type of data rather than to all types of data referenced in the CP; c) there is no way to convey agent relationships in a CP (as discussed in the previous session). A short-term fix for b may be to add a grouping token to the CP.

Questions were raised about why CPs are needed at all. They were originally introduced as a performance optimization. Some participants felt that user agent performance would not suffer if CPs were eliminated. It was also suggested that user agents should fall back on full policies if CPs are not available, even if there is a performance penalty -- then it could be up to a web site whether it wanted to risk incurring a performance penalty. It would be useful to have actual performance numbers to discuss.

Concerns were also raised about cookie policies (regardless of CPs). There is confusion about exactly where to draw the line about what data is linked to a cookie.
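The cross-product problem in b above can be made concrete by deriving a compact policy from a full P3P 1.0 policy and then reading the compact policy back the only way its flat token list allows. The following Python is an added example, not code from the report or from any P3P implementation: it parses a constructed full policy with two STATEMENTs (clickstream data used for "current" and "admin" purposes; an e-mail address used for "contact" with opt-out), flattens it into the purpose and category tokens of the compact policy, and compares the (category, purpose) pairs the full policy actually asserts with the cross product a user agent must assume from the CP. The mapping from data refs to categories is constructed for the example (the base data schema fixes the real categories); the token names are the ones defined in the P3P 1.0 specification.

```python
import xml.etree.ElementTree as ET
from itertools import product

NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Compact-policy tokens defined in P3P 1.0 for PURPOSE elements and data categories.
PURPOSE_TOKENS = {
    "current": "CUR", "admin": "ADM", "develop": "DEV", "tailoring": "TAI",
    "pseudo-analysis": "PSA", "pseudo-decision": "PSD", "individual-analysis": "IVA",
    "individual-decision": "IVD", "contact": "CON", "historical": "HIS",
    "telemarketing": "TEL", "other-purpose": "OTP",
}
CATEGORY_TOKENS = {
    "physical": "PHY", "online": "ONL", "uniqueid": "UNI", "purchase": "PUR",
    "financial": "FIN", "computer": "COM", "navigation": "NAV", "interactive": "INT",
    "demographic": "DEM", "content": "CNT", "state": "STA", "political": "POL",
    "health": "HEA", "preference": "PRE", "location": "LOC", "government": "GOV",
    "other-category": "OTC",
}
# The "required" attribute on a purpose becomes a one-letter suffix in the CP.
REQUIRED_SUFFIX = {"always": "", "opt-in": "i", "opt-out": "o"}

# Constructed mapping from data-element refs to categories for this example;
# in real deployments the base data schema determines these.
SAMPLE_CATEGORIES = {
    "dynamic.clickstream": ["navigation"],
    "user.home-info.online.email": ["online"],
}

# Constructed sample full policy (not from the report): two statements whose
# purposes apply to different data elements.
SAMPLE_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="sample" discuri="http://example.com/privacy.html">
  <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Inc.</DATA></DATA-GROUP></ENTITY>
  <ACCESS><nonident/></ACCESS>
  <STATEMENT>
   <PURPOSE><current/><admin/></PURPOSE>
   <RECIPIENT><ours/></RECIPIENT>
   <RETENTION><stated-purpose/></RETENTION>
   <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
   <PURPOSE><contact required="opt-out"/></PURPOSE>
   <RECIPIENT><ours/></RECIPIENT>
   <RETENTION><business-practices/></RETENTION>
   <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>"""


def _purpose_tokens(statement):
    """Return the CP purpose tokens (with opt-in/opt-out suffix) of one STATEMENT."""
    tokens = set()
    for p in statement.find(NS + "PURPOSE"):
        name = p.tag.replace(NS, "")
        tokens.add(PURPOSE_TOKENS[name] + REQUIRED_SUFFIX[p.get("required", "always")])
    return tokens


def _category_tokens(statement, categories_of):
    """Return the CP category tokens of every data element referenced in a STATEMENT."""
    tokens = set()
    for d in statement.iter(NS + "DATA"):
        ref = d.get("ref").lstrip("#")
        tokens.update(CATEGORY_TOKENS[c] for c in categories_of[ref])
    return tokens


def asserted_pairs(policy_xml, categories_of):
    """(category, purpose) pairs the full policy actually asserts, statement by statement."""
    root = ET.fromstring(policy_xml)
    pairs = set()
    for st in root.iter(NS + "STATEMENT"):
        pairs.update(product(_category_tokens(st, categories_of), _purpose_tokens(st)))
    return pairs


def compact_policy(policy_xml, categories_of):
    """Flatten the full policy into a sorted CP token list: the grouping is lost here."""
    root = ET.fromstring(policy_xml)
    tokens = set()
    for st in root.iter(NS + "STATEMENT"):
        tokens |= _purpose_tokens(st) | _category_tokens(st, categories_of)
    return sorted(tokens)


def pairs_implied_by_cp(tokens):
    """With no grouping token, a user agent must assume every purpose applies to every category."""
    purposes = {t for t in tokens if t.rstrip("io") in PURPOSE_TOKENS.values()}
    categories = {t for t in tokens if t in CATEGORY_TOKENS.values()}
    return set(product(categories, purposes))


def spurious_pairs(policy_xml, categories_of):
    """Pairs a CP reader infers that the full policy never claimed."""
    implied = pairs_implied_by_cp(compact_policy(policy_xml, categories_of))
    return implied - asserted_pairs(policy_xml, categories_of)


if __name__ == "__main__":
    print("CP:", " ".join(compact_policy(SAMPLE_POLICY, SAMPLE_CATEGORIES)))
    for cat, purpose in sorted(spurious_pairs(SAMPLE_POLICY, SAMPLE_CATEGORIES)):
        print(f"CP implies {purpose} applies to {cat}; the full policy does not say so")
```

For the sample policy the CP reads ADM CONo CUR NAV ONL; a reader of that list has to conclude that the site may contact the user based on navigation data and use the e-mail address for administration, neither of which the full policy states. That gap is what a user agent falling back on the full policy (as suggested below) would avoid, and what a grouping token would have to encode.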

Identity Management and Negotiation

[Detailed Notes]

Panelists: Ari Schwartz (CDT), Conor Cahill (AOL/Liberty Alliance), Bill Duserick (Fidelity), Matthias Schunter (IBM), Wolfgang Woerndl (Technische Universität München), Giles Hogben (JRC), Christine Varney (Hogan & Hartson/Liberty Alliance); Moderator: Lorrie Cranor (AT&T)

Early versions of P3P specifications included some concepts of identity management and negotiation that were eventually removed. Some people have suggested adding some of this back in. Others have suggested focusing on working with other groups that are working on these things and making sure they have hooks to P3P.

We spent a good part of this session discussing the work of the Liberty Alliance and how it might relate to P3P. The next Liberty Alliance specification will include the notion of a "container" for expressing privacy rights. P3P and other languages might be plugged into this container. The spec will allow service providers to make requests for specific data elements that will be used in specific ways. A simple negotiation can then take place. Guidelines are needed for exactly how to plug P3P in. Currently the Liberty draft is not public and W3C working groups cannot work under NDA, so the P3P working group cannot get involved until the Liberty draft is made public, probably in the first quarter of next year. This will not be the final draft, so there is still an opportunity to comment. There is also the possibility that in December or January the Liberty group may make a pre-release of the relevant specs available to experts without an NDA.

While the discussion was focused on single-sign-on systems such as Liberty, there was recognition of the need to accommodate emerging technologies that use multiple identities for a single individual to regain some degree of pseudonymity.

There was also some discussion about adding a basic consent mechanism to P3P that would allow users to signal that they agree to a policy.

Perspectives on P3P Goals

[Detailed Notes]

Panelists: Christine Varney (Hogan & Hartson), Ruchika Agrawal (EPIC), Deirdre Mulligan (University of California, Berkeley), Diana Alonso Blas (European Commission), Michael Waidner (IBM); Moderator: Lorrie Cranor (AT&T)

Christine Varney (former FTC commissioner) expressed her view that the original goal of P3P was to let technology take the lead in addressing online privacy issues and to identify areas for regulation where technology fails. She said she views P3P as a success. In response to questions throughout the day about the legal consequences of P3P policies, she stated that she believes P3P policies have legal consequences and that sites that misrepresent themselves in either their P3P policies or their human-readable policies might be prosecuted for deception.

Ruchika Agrawal presented a detailed definition of Privacy Enhancing Technologies (PETs) and concluded that P3P is not a PET because it does not address all of the Fair Information Principles. She said it needs to be made more clear what P3P does and what it doesn't do. Several people responded that they felt P3P has clearly been presented as a tool for notice and choice / transparency, and that it would be difficult to make progress on every FIP with a single tool. There were some suggestions that future work might explore increasing emphasis on the choice and control aspect of P3P through negotiation, consent, or feedback mechanisms, or new P3P applications that would go beyond simply giving users notice to giving them some actual controls.

Deirdre Mulligan said that P3P had the very modest goal of giving people an automated way of figuring out what web sites were going to do with their information. She suggested that going forward we may want to look at some domain-specific extensions to P3P and also find ways of bundling P3P with other privacy tools. She also stated that while there was room for improvements and further work, she did not feel that privacy policies had gotten any more confusing as a result of P3P.

Diana Alonso-Blas gave an EU perspective on P3P. She said that initially the EU had many concerns about P3P. However, they have fewer concerns now and believe P3P is on the right track, although some concerns still remain. P3P should not be thought of as a classical PET, but as a tool for transparency and consumer awareness. Law in and of itself will not solve all the problems, and P3P can play a role. More work is needed to explore how P3P can be used as a toolbox in various regulatory environments, not just in one country's context. In addition, P3P and PETs need to be integrated into other technologies. She expressed some specific concerns about the ability to express EU Directive Article 10 requirements in P3P. She also said that compliance with P3P policies needs to be addressed, and that auditing tools may play a role.

Michael Waidner discussed the differences between privacy promises and privacy practices. While P3P allows companies to make privacy promises, additional tools are needed to help enforce these promises in practice in the enterprise. More work is needed on bringing P3P into business-to-business relationships and into back-end systems. Questions were raised about how to make sure consumers are represented in future P3P work. There was also some discussion about needing a more holistic approach to privacy, putting P3P in the context of other PETs as well as legislation.

Some time was spent discussing the role of transparency. Several people said that increased transparency tends to motivate companies to improve their practices, and also helps identify irregularities and problems. In addition, transparency has some value to users in and of itself because it gives them more understanding and is the first step towards allowing them to make choices and take control.

Finally, Ruchika Agrawal voiced the concern that by offering users increased technical options for protecting privacy P3P may be hampering arguments to pass new privacy legislation, especially in the US.

Legal Issues

[Detailed Notes]

Panelists: Diana Alonso Blas (European Commission), Jos Dumortier (University of Leuven), Dan Schutzer (Citigroup), Ann Cavoukian (Ontario IPC), David Stampley (Office of the Attorney General, State of New York); Moderator: Daniel Weitzner (W3C)

The legal issues panel brought together business and international regulatory perspectives on a few key issues that are raised by P3P deployment in a commercial context:

Openness and Transparency: P3P is necessary but not sufficient for online privacy protection

P3P occupies a unique role in the overall privacy policy and technology landscape. Ontario Privacy Commissioner Ann Cavoukian stressed the critical role that P3P plays in meeting consumers' notice and choice needs. "Openness and transparency are absolutely essential for privacy," she said. "It is where you begin." While P3P does not itself solve all privacy problems online, it is a critical and even necessary part of addressing privacy needs on the Web. Daniel Weitzner cited a remark by German Data Protection Commissioner Alexander Dix to explain this view. Dix has described P3P as "necessary but not sufficient." It is necessary to have a standard, machine-readable privacy vocabulary for the Web in order to satisfy the basic Fair Information Practice requirements of notice and informed choice. Yet P3P, or any other such technical standard, is not by itself sufficient because it does not address other fundamental privacy needs such as purpose limitation or security, nor does it in and of itself provide for the enforcement of privacy rights when they are breached.

For as much as P3P is necessary, it also introduces a novel third tier in the generally bilateral privacy relationship that has existed between web services and consumers. Whereas notice and consent without P3P have been expressed in bilateral communications between service provider (data collector) and consumer (data subject), P3P adds a third element to the communication in that it depends on a user agent positioned between the user and the service. The user agent has the new role of parsing, and possibly taking action on the user's behalf based on, the contents of the machine-readable P3P policy. The introduction of this third component raises several issues discussed by the panel.

Legal force of P3P policies

All of the regulators (Canadian, European and United States) represented on the panel expressed the opinion that P3P policy statements (in XML) are equally as binding on service operators as are the human-readable policies that web sites generally post. Whether a policy is in a machine-readable code that is translated by a user agent, or simply in HTML on a web site, the policy constitutes a representation to consumers on which they can be expected to rely.

Expressiveness of P3P policies: The proper relationship between P3P statements and human-readable policies

Recognizing that sites may be held accountable for the contents of their P3P policies, some participants expressed a variety of concerns.

Citibank and BITS expressed the view that because of these concerns, P3P policy statements should be considered informative but not legally binding. The P3P Recommendation states that

In cases where the P3P vocabulary is not precise enough to describe a Web site's practices, sites should use the vocabulary terms that most closely match their practices and provide further explanation in the CONSEQUENCE field and/or their human-readable policy. However, policies MUST NOT make false or misleading statements.

Beyond that, most of the panel felt that it is not appropriate for W3C to attempt to define the precise legal or regulatory significance of P3P or any other technical specification. Moreover, the regulators suggested that even if the P3P Recommendation contained a disclaimer of the legal significance of P3P statements, regulators would draw their own conclusions and likely determine that P3P statements do, in fact, bind those who make them in a consumer context. Professor Jos Dumortier pointed out that P3P ought to be considered similar to any other type of commercial communication. Though commercial web sites do exercise care in making commercial communications online, they have become comfortable with the practice. Prof. Dumortier suggests that the same degree of comfort will develop with P3P as deployment levels increase. Panelists noted the strong link between this issue and the request from a number of workshop participants to further specify user agent behavior (including standard natural language expressions associated with statement elements).

Predictability of User Agent Behavior

Throughout the workshop, various participants sought mechanisms by which it would be possible to specify user agent behavior more precisely, especially in the rendering of P3P statements to the user. This requirement was strengthened somewhat on this panel by the suggestion from regulators that, to the extent user agents render policies incorrectly or at variance from the expectations of the service provider, users cannot be expected to bear the burden or risk of any resulting confusion.

Prospects for machine-assisted consent mechanisms in the background

Among the possible future work items considered in the workshop is a mechanism to enter into binding agreements on privacy policies expressed in P3P. Under this proposal, the P3P vocabulary would be used to express the terms of a proposed agreement under which personal information would be exchanged (an offer), and some combination of audit and signature technology would be used to record the agreement (acceptance) of the policy. Though the panel did not have the chance to consider specific implementation details, regulators and other panelists agreed that under such a system it would be possible to achieve legally sufficient consent to data collection policies.

User Agent Guidelines and Conformance

[Detailed Notes]

Panelists: Lorrie Cranor (AT&T), Brian Zwit (AOL), Matthias Schunter (IBM), Giles Hogben (JRC), Marty Abrams (Hunton & Williams), Ian Jacobs (W3C); Moderator: Daniel Weitzner (W3C)

Concerns have been raised about the accuracy of P3P user agents and about the fact that user agents, not web sites, control the presentation of P3P-related information to end users. The P3P specification places few requirements on and offers limited guidance to user agent implementers. As a result we are seeing inconsistent interpretations of P3P policies and some errors by well-intentioned implementers. We might imagine more severe problems caused by less well-intentioned implementers. While working group members have been reluctant to constrain implementers in ways that do not impact interoperability, there seems to be interest in the development of some guidelines for implementers, especially in the area of how to present the P3P vocabulary elements to end users. Such guidelines would ease some of the concerns web sites have, and some of the implementers indicated they would welcome guidelines because they would remove some of the burden of making judgment calls about how to present the P3P vocabulary to end users. Whether any of these guidelines might turn into requirements, and what their official status might be, is a question for further discussion.

Marty Abrams discussed a project to develop "short notices" versions of privacy policies. He said short notices should have at most seven elements. He was interested in exploring the idea of expressing P3P policies as short notices.

Mobile Devices and Location Privacy

[Detailed Notes]

Panelists: John Morris (CDT), Helena Lindskog (Ericsson), Jorge Cueller (Siemens), Becky Richards (TRUSTe), Yirong Xu (IBM); Moderator: Daniel Weitzner (W3C)

New mobile web services bring privacy challenges both in the types of applications they seek to offer and in the architectural constraints unique to the mobile environment. Unlike the traditional application context of the web (personal computers with large screens and relatively high-bandwidth connections to the Net), mobile appliances will tend to rely on server-side processing of much information (including privacy preference data) and will have severe bandwidth constraints. Hence solutions that respect user privacy must be developed to meet these new requirements. Lindskog has suggested that it is possible to use P3P together with CC/PP to accomplish efficient transfer of personal information while full consent is obtained for data collection. Xu offers an architecture for server-side processing of P3P preference data. Reactions to server-side processing noted, however, the various privacy risks associated with transporting user privacy preferences to untrusted servers.

Mobile services will offer a wide range of applications based on the location of the user. Location data is clearly quite sensitive from a privacy perspective, and all agreed that these applications must extend meaningful control over the use of users' location data. P3P is seen as a valuable component both for mobile web applications and for services that are not based on HTTP. Morris noted that abstracting the P3P vocabulary from its implicit HTTP binding would be important if P3P is to meet the privacy needs identified by the IETF GEOPRIV working group for services such as SIP, SIMPLE and JABBER. Cueller pointed out that privacy statements must be able to make reference not just to a user's location data, but also to other state and presence information that is important but privacy sensitive.

Next Steps

[Detailed Notes]

Workshop participants identified a list of areas for possible further work on P3P. Participants were then divided into small groups to discuss and prioritize the list. Individuals volunteered to write up one-page proposals on how to proceed with the items they were most interested in. The areas we identified, as well as links to the writeups produced since the workshop, are as follows:

1. Vocabulary issues (high priority - mostly for P3P1.1, maybe some for P3P2.0)

a. EU Directive Article 10 issues [Alonso-Blas/Hogben]

b. primary data uses [Cranor]

c. general vocab review [Cranor] (maybe long term)

2. Add element to indicate agent status, multiple domains owned by same company, etc. [Zwit] (high priority - possibly for P3P 1.1, otherwise for P3P 2.0)

3. Clarify spec ambiguities [Schunter] (short term high priority)

4. Compact policies (high priority for 1.1)

a. What are performance issues that motivate CP and what are alternative approaches? Where exactly is the problem? [Dobbs]

b. Semantic issues [Dobbs]

c. Cross-product problem -- need for grouping mechanism [Dobbs]

5. User agent behavior [Zwit] (high priority, either short term or long term)

a. Human-readable notices

6. Statements in the spec to better articulate what P3P is and isn't [Zwit] (short term high priority)

7. How to use P3P independently of HTTP binding and possibly with references to objects that have no URIs [Weitzner] (quick win)

8. Consent recording mechanism [Schunter] (long term high priority, not a priority short term)

9. Feedback channel (little interest)

10. User preference language -- APPEL, etc. [Hogben] (high priority)

a. ontology - default languages

11. Convert P3P data schema to XML schema [Hogben] (low priority but might be quick win)

12. Coordination with other efforts [Weitzner] (high priority for both short term and long term)

13. Add XML signatures to P3P [Hogben] (low priority but might be quick win)

14. P3P in backend databases (little interest -- can be done by individual companies without W3C coordination)

15. Using P3P for identity management (independent of other efforts, little interest)

16. Outreach - to be covered by POWG

Recommendations

A variety of areas of future work were identified for both the short term and the long term. The consensus was that the immediate next steps should be to charter a working group with a duration of approximately one year to work on the short-term priorities that can be addressed quickly and may impact adoption, and to coordinate with other efforts. This working group would aim to produce a P3P version 1.1 that is backwards compatible with P3P 1.0, perhaps by using the existing extension mechanism. Workshop participants will be supplying short proposals for work in the coming weeks. These will be added to this report as they are received and evaluated.

Further discussions are needed about longer term work. We expect to hold a second workshop in Summer 2003 to discuss longer term issues and make recommendations about how to proceed in addressing them.