W3C Technology and Society


Future of P3P Workshop

November 12, 2002

User and Implementer Experiences

Brian Tretick: Ernst & Young

Looked for a reference file, went through list of 500 sites manually.

Then looked for P3P, to identify adoption rates: 24% in top 100, 16% in top 500.

Incremental 1% increase annually. This is a slow adoption rate.

Uncertainty issue: legal, will we be sued. English, P3P full and compact policy, will FTC come after us. FTC is not sure, so will address on case by case basis.

If it ain't broke don't fix it. What's the problem?

Economy, privacy officer and teams downsized.

Brooks Dobbs: DoubleClick

DC has a number of Products and Services affected by P3P, we set 3rd party cookies.

Two areas, universal cookie we use, software product, sell to clients, where they become their own infrastructure.

P3P requires stating what is linked to a cookie. Came up with a policy, to be able to directly communicate to end user: DC privacy statements. Demystified what DC did with data.

Difficulties; what statements within P3P policy could be made.

Software products where clients have to make P3P policy statements. E.g. companies that thought they didn't need to make P3P statements but now need to. How do I get my cookies accepted under P3P, thus working in reverse, a 'wrong' approach to creating a P3P policy for an organisation.

Jack Humphrey: Coremetrics

P3P demystifying.

Agent: provides data

Client: see slides for details from here.

Cookies and compact policy issue

No way to indicate that cookie is set to collect data on behalf of first party, limitation to IE-6; paper has details on suggestions.

In short, enhancements, purpose references, require user agents to recognise these relationships.

Will benefit end user, increased transparency on how data collected and used.

Lorrie Cranor

Co. acting as agent for another company. Then agent has to offer policy on their behalf, might be near impossible.

Richard Shockey: NeuStar

Looking at 10 protocols for policy options to apply to data element to transfer to 3rd parties. Value of P3P unique binding to HTML. (HTTP?)

In IETF, presence and privacy closely bound. How can P3P be made more generic to HTTP as a methodology.

Lorrie Cranor

User Study: Privacy Bird, 20k users. 2k surveyed. Got 17% response. Demographics. Mostly men, older, better educated, English speaking, 70% US. 1/3rd not familiar with P3P. 20% knew a lot about P3P.

More knowledgeable about cookies, 18% not heard of 3rd party cookies, 60% didn't really know what a 3rd party cookie is.

Room for improvements. Not enough P3P enabled.

Policy Summary, need to be improved, cleaner format. Giving about right information, but getting greater understanding.

A good P3P user agent should allow you to key in on red bird sites (issues with privacy policies). Educational experience.

Would PP impact buying decisions? Lot said would take into account 1/3rd with good (best privacy policy, etc.)

Full paper on the Web W3C site.

Steve Adler: IBM

Tivoli Privacy Manager, using P3P as a policy language, on Web and between applications.

Danny Weitzner: W3C

How are enterprise customers: where should our efforts be directed?

Answer: Customers to comfort that IBM decided to use an open standard. We are at the dawn of privacy technology. See lots of apps regarding unique privacy requirements. To form a platform.

CPOs have built communications, executive, HR strategies. Need standards based technology approaches.


has been call for transporting data, across domain. Web policies across domains


Not much call for this. As web service grid emerges, could become a requirement.


How does structure interact with data collection on Web, how does tool track.


Assume Co. declares policy, and has ensured consistency with IT management. Assume consent choices already there.


Consent? Whose consent, person at the web site.


define policy framework for choices for their customers


Don't want to have consent in paper form to allow electronic consent.

Brooks Dobbs:

Pushback, no one understands liability yet, don't understand the language.

There is notion, how long your policy is going to be active. Those kinds of issues, fear about taking first step in.

Not who is or isn't enabling, but where are they enabling is the more interesting question. That is who is investing in learning the spec.


Last update $Date: 2003/01/06 09:39:50 $ by $Author: rigo $