P3P: A Privacy module for Web-Technology

W3C-Track, WWW-2002
Hawaii, 8 Mai 2002

Rigo Wenning <rigo@w3.org>
W3C/INRIA
Sophia Antipolis, France

Privacy is important for E-Commerce?

Polls show, that e-commerce is losing more than 35% of their potential clients because of the privacy issue
Even in countries with privacy legislation, the fear and mistrust is still high
60% of asked people in Europe did not know about their privacy rights
Conclusion: Transparency is key

I have to tell them, why laws alone are not sufficient. But I will say also, that P3P alone is not a sufficient condition for privacy

P3P is key to transparency

Policies can be easily found
Machine readable language: no legalese anymore
Software can help users interpret the policy
Users know before they enter a site

P3P will provide the following Information:

Who is collecting data?
What data is collected?
For what purpose will data be used?
Is there an ability to opt-in or opt-out of some data uses?
Who are the data recipients (anyone beyond the data collector)?

What else is provided?

To what information does the data collector provide access?
What is the data retention policy?
How will disputes about the policy be resolved?
Where is the human-readable privacy policy?

P3P: How it works

A protocol, that finds the policy reference file
A policy reference file to attach URI's to a privacy policy
A standard XML language to express privacy practices
An extensible dataschema to describe the object (data) of those statements made with the language
Sites can optionally provide a compact policy

This reflects the basic elements of the P3P protocol and how it works together. First, the user-agent tries to find the Policy Reference File, fetches and parses it. This way, it will find the appropriate Policy-file and can parse it and compare it to the user's preferences

A simple HTTP-Transaction

A HTTP-Transaction with P3P

How to make your site P3P compliant

Create a privacy policy
Translate it to P3P
Create a policy reference file for your site
Configure your server for P3P

Help for Implementers

Descriptions on the P3P-Homepage
Implementations Guide on p3ptoolbox.org
The P3P Deployment Guide
www-p3p-policy and www-p3p-dev

P3P is a module

Expected to work also with

CC/PP
SOAP
XForms
Web Services

We expect, that P3P is used to integrate privacy metadata into the whole business process

P3P-Applications: User Agents

IE6 [1] [2] [3] [4] [5]
Privacy Bird [1] [2]
JRC
ENC/ IA Japan

P3P-Applications: Authoring Tools

IBM
MS
IA Japan

P3P-Applications: other Applications

P3P Validator
ENC-Client with Policy-verification
Testsuite

Future work

Negotiation
Multiple policies/ Identity Management
Vocabulary
XML Schema for Basedataschema
Challenges from : Mobile Sector, Web Services, Soap Semantic Web to help