W3CTechnology and Society

[Workshop Homepage] [Participants] [Position Papers] [Agenda] [Minutes]

Future of P3P Workshop

November 12, 2002

Vocabulary Issues

Moderator: Lorrie Cranor

The purpose of the panel is to discuss what needs to be changed in the P3P vocabulary in order to assure that people can more accurately express themselves within the specification.

Brian Zwit (AOL)

We want to assure that companies can accurately convey their privacy policies to their customers. AOL is unique because of its brands and that it shares a lot of content between sites (e.g. Netscape site with CNN content). There are two approaches to implementing P3P -- the kitchen sink approach or the case by case approach. The kitchen sink - one policy applies to the whole site and one compact policy (CP) applies to all for all of your cookies. If you do that, you need to write a very broad privacy policy. The other approach is to write very specific policies for smaller sets of content and cookies. The disadvantage to the kitchen sink is that consumers don't get a lot of accurate information about the policy. You may over-describe what a cookie might do. The disadvantage of case by case is that it's very time consuming and logistically difficult. The AOL approach has been to choose the case by case approach.

But in many cases AOL has over-described because they are concerned about the consequences of under-describing the cookie. For example -- a customized cookie that is set on a user's computer that contains info on how to lay out a page on a computer. But they over-describe and it seems ominous when it's really innocuous.

Opt in opt out section -- authorization services -- they use a cookie to transfer info from site to site. In many cases the cookie is required to build the functionality of the authorization service. If you describe it then it may be blocked under certain implementations. It looks bad that it's always required. General trend is that AOL over-describes.

Lorrie Cranor

asked about the authentication cookie and why the "current transaction" is not sufficient for describing the cookie. Brian Zwit responded that it sometimes is also used for customization as well. So, it's used for purposes beyond the authentication. That's where the problem comes in.

Ari Schwartz

- the overbroad issue. You must overstate what you do because of the implication. What is the solution? Lawyers may overstate.

Brian Zwit

- It will be a balance. Practices that many people find objectionable are often described as intrusive by consumers, regulators. Let's look at these types of uses. But first, let's address and then push to the side the benign cookie. Let's spend more time on the benign cookies in the vocabulary. Often, we end up describing a benign cookie in ways that seem ominous.

Lorrie Cranor

- We should spend more time on this.

Andrew Bybee (Microsoft)

- Microsoft (MS) wants to be a strong supporter of P3P. They want to push adoption of P3P. Users want to understand in clear and identifiable ways what they are using their data for but they don't want to be drowned with information. Within IE people that get an alert tend to be confused. They like the overall concept but want more usability. Often, MS partners with sites and collect name and address to bill by MS and service provided by the partner -- say Qwest. MS can't take responsibility for both companies. But, they want to be clear that the info is going to several companies. Distinction between current and secondary becomes very different. There are other efforts going on. As we go forward with P3P we have to adapt to things as the marketplaces move from Web sites to Web services where data flows through the entire enterprise. Then, the process of describing the practices becomes more nuanced.

Lorrie Cranor

acknowledged that in terms of Web services we need to work on it.

Matthias Schunter (IBM)

- Focus has been on describing information practices in enterprise services. The Sticky Policy Paradigm -- Joe's personal info is tied to the P3P promises. They refer to the platform for privacy promises. It's a promise and they try to find ways to match the promise to the data. We want to record the promise and the consent. As it moves through the enterprises the data is recorded with the promise.

Absolute recording of promises: Advertising privacy promises and recording consent. Elements are relative. Fixable Elements. Basically, the P3P consent can be shipped to their partners.

Giles Hogben (JRC)

- Dichotomy between what the user wants -- a simple statement -- and the complex needs of the enterprise. The EU directive requires that if the data goes into a different jurisdiction you must comply. One solution is to use in the P3P spec a jurisdiction attribute. Security vocabulary -- the Directive requires entities to take adequate security to protect but there is not a good way to do that in the P3P spec. In the next version, that should be thought about.

Users want simple answers, if I give you my data, will you spam me? We suggest that the P3P taxonomy be focused on ways to make answers much more simple for users.

Lorrie Cranor responded that the security issue was worked on. Disclosing all the elements of the security may not paint an accurate picture of the security. So, we punted on the issue.

Question and Answer

Lorrie Cranor

-- Users want something simple and companies want to include all the details because they are complying with a law or want to explain why the uses are not that bad. That's where the problem comes in. The user agents are giving them high, medium and low and grouping things under each respectively.


- Does the development process allow for organic development of vocabulary without the committee process?

Lorrie Cranor

- the vocabulary is richer than anything that they would disclose. We hope that the user agent developers and the Web sites will track users' understanding of issues.

Question from Danny Weitzner

- where is there a gap between users and companies. Lorrie says that user agents would sort that out and give users what they want. Are there specific examples where it's not possible to develop a user agent in simple ways? What are specific examples of where the gaps are?

Matthias Schunterion -- maximum retention period and promise for deletion if data is not used -- th

- Retention -- maximum retention period and promise for deletion if data is not used -- these two things should be included in the spec.

Lorrie Cranor

- Most US companies do not have retention policies that's why many US companies disclose retention indefinitely.

Andrew Bybee

- let's be careful about mixing business objectives and describing what users want on the issue of data retention. P3P should focus on what users want. Someone should think about how P3P fits into other standards.

Cheryl Charles (BITS)

- BITS is a non-profit organization of financial services companies. Mission is to focus on strategic implementation of technology. They are affiliated with the Business Roundtable. Through BITS they have been discussing issues with the W3C for about a year as an organization. Some of the concerns that the BITS members have are -- if you look at the human readable policy there is nuance there that cannot be achieved in the P3P policy. The BITS members have been saying if we can do the best translation job but we must assure that the human readable policy controls. The verbatim translation process has put the breaks on implementation. Lack of implementation reflects the legal issues raised.

e.g. GLB Act -- Companies can share with third party under joint marketing without opt-out. In P3P, a user agent may determine that a policy is not in congruence. If P3P could allow a site to communicate that it would be great.

e.g.2 -- Many business want to market to their customers. P3P allows companies to disclose the disclosure but many user agents don't allow users to opt-out of the use.

e.g.3 -- Under GLB third party service providers -- many of them are reluctant to post P3P policies. In the protocol, it would be great if P3P would allow (see position paper) a third party to not have the P3P policy.

Lorrie Cranor

- Your complaint is that the user agents in their default settings alert users to those practices. On the one hand you have user groups saying that those default settings are not high enough.

Question from Brooks Dobbs

- There is confusion between the spec itself and the user agent implementations.

Answer from Matthias Schunter

- said that he heard that you can say anything in P3P and say something different in human readable policy. If this is the case, P3P is not workable. From the user perspective, if the bank practices look bad, then it would be a mistake to make it less expressive.

Answer from Brian Zwit

- We should not divorce the vocabulary from the specification. In terms of the user agent, allow the company to explain accurately, but give users what they want. Zwit wonders what the FTC will say and what the NY AG will say if we try to give the user something they can understand.

Question from Deirdre Mulligan

- There was a huge effort in the development of P3P top stay away from determining what is a good practice. You can also point to user polls that say that GLB disclosure rules are not what consumers want. Accuracy issues are important and should not be glossed over. W3C should not be in the position to determine what is legal and binding. Don't turn to the w3c and say that your standards are legally binding. The vocabulary must get richer not less. How do you reconcile those things?


- We need top address Financial Services company concerns to express their practices. Can we do a better job of describing the choices people have? Can we split that out relevant to a specific set of data?


- I have been hearing that we need to add complexity but I agree with the speakers who say we need to make it less complex.

Lorrie Cranor

- You don't need to change your law enforcement disclosure every time the law changes because it's a general disclosure.

Ari Schwartz

- What I am hearing from BITS is: we can say in P3P that we use this information in these ways but they just don't want to say it. It's not about not being able to say it in P3P. The financial services companies can say it, they just don't want to.

Danny Weitzner

- Cheryl has expressed a concern about user agent behavior. We need to address this concern. We should be interested in solving the rendering of existing elements rather than establish new elements.

P3P evolved in discussions with people that we tried to establish a balance between what we could in the spec and where the P3P policy is not sufficient, the human policy fills in the gaps.

[Workshop Homepage] [Participants] [Position Papers] [Agenda] [Minutes]

Last update $Date: 2002/11/29 17:36:03 $ by $Author: rigo $