Platform for Privacy Preferences Project (P3P)
Position Paper on Considerations for Future Versions of P3P
Submitted by Fidelity Investments
This paper will discuss several issues to be considered for the future of P3P. These issues are as follows:
Objective presentation of privacy negotiation
Scope of P3P policies
Conflict between compact policies and full policies
Integration of P3P with other privacy communications
P3P's recognition of identity management protocols and circles of trust
Communicating simultaneous viewing of Web session using P3P
P3P-enabled user agents make subjective interpretations of a Web site's privacy practices by comparing them to a user's preferences. For example, a user agent may block or downgrade cookies it deems 'unsatisfactory'. In these circumstances, the user has no opportunity to understand the reason for the conflict between their preferences and the Web site's policy before the action is taken. The user's only remedy against this subjective interpretation is to turn off privacy monitoring altogether, an all-or-nothing choice.
A scheme in which the user makes the decision based on P3P's recommendation (for example, on the disposition of a cookie) would be a preferred approach. A future version of P3P could set standards for how user agents present the result of the privacy negotiation to the user before the user agent takes action on the user's behalf.
P3P-enabled user agents appear to interpret the P3P policy as a description of an enterprise's data collection practices for all channels. Although P3P "is a protocol designed to inform Web users of the data-collection practices of Web sites", consumers may overlook this distinction when reading the user agent's "report". Since businesses also collect personal information through other channels (e.g. phone and mail), a future version of P3P should reinforce the "Web only" scope of P3P. Consumers should not be discouraged from conducting business with a firm through non-Web channels because of statements made by user agents.
P3P 1.0 allows a Web site to express its privacy practices using a compact policy (CP), a performance optimization carried in the HTTP P3P response header whose scope is limited to cookies, and through a full policy (FP), a longer XML expression of the Web site's entire privacy practices. Ostensibly, a CP is an abbreviated subset of an FP, but this is not always the case.
While P3P 'compliance' requires an FP but not a CP (the CP is described as optional in the 1.0 specification), some user agents have elected to base privacy decisions and warnings on the CP alone, without reference to the FP. Web site operators (and their legal departments) therefore face difficult questions such as:
Can they post a CP to address browser features, but not a FP?
Can they post a FP to achieve P3P 'compliance' without posting a CP due to its limited vocabulary?
A future version of P3P should address whether the CP is needed alongside the FP. The FP has the advantage of being more easily implemented and maintained, since it is a file served from one location, whereas the CP must be emitted as an HTTP header by every server that sets cookies; large numbers of servers and multiple operating systems make the CP's implementation and maintenance complex. For Web sites, a single P3P expression makes analysis and development of a P3P policy easier. For user agents, a single policy expression may standardize interpretation of Web site privacy practices.
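The conflict described above is mechanical enough to check. The following script, an added example that is not part of the Fidelity paper nor of any P3P implementation, parses the CP tokens from a P3P response header, extracts from a full policy the practices declared for cookie data (statements whose DATA ref is #dynamic.cookies, plus the policy-level ACCESS choice), and reports the two kinds of disagreement: tokens the CP asserts that the FP never declares for cookies, and cookie practices the FP declares that the CP omits. The token-to-element mapping and the XML namespace are those of the P3P 1.0 Recommendation; the sample header and policy are constructed for illustration, and the cookie-scope rule (ignoring the DATA-GROUP base attribute and treating any other DATA ref as out of CP scope) is a simplification assumed here.

```python
"""Cross-check a P3P 1.0 compact policy (CP) against the cookie-related
statements of a full policy (FP).  Added example only; not code from the
position paper or from any P3P implementation.  The sample header and policy
below are constructed for illustration."""
import re
import xml.etree.ElementTree as ET

P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Compact token -> full-policy element, per the P3P 1.0 compact-policy vocabulary.
CP_VOCAB = {
    "ACCESS": "NOI=nonident ALL=all CAO=contact-and-other IDC=ident-contact "
              "OTI=other-ident NON=none",
    "PURPOSE": "CUR=current ADM=admin DEV=develop TAI=tailoring PSA=pseudo-analysis "
               "PSD=pseudo-decision IVA=individual-analysis IVD=individual-decision "
               "CON=contact HIS=historical TEL=telemarketing OTP=other-purpose",
    "RECIPIENT": "OUR=ours DEL=delivery SAM=same OTR=other-recipient UNR=unrelated "
                 "PUB=public",
    "RETENTION": "NOR=no-retention STP=stated-purpose LEG=legal-requirement "
                 "IND=indefinitely BUS=business-practices",
    "CATEGORIES": "PHY=physical ONL=online UNI=uniqueid PUR=purchase FIN=financial "
                  "COM=computer NAV=navigation INT=interactive DEM=demographic "
                  "CNT=content STA=state POL=political HEA=health PRE=preference "
                  "LOC=location GOV=government OTC=other-category",
}
CP_TOKENS = {tok: (group, name) for group, spec in CP_VOCAB.items()
             for tok, name in (pair.split("=") for pair in spec.split())}
# Tokens with no per-statement counterpart: disputes, remedies, non-identifiable, test.
STANDALONE = {"DSP", "COR", "MON", "LAW", "NID", "TST"}


def parse_cp(header_value):
    """Parse a P3P response header such as 'CP="NOI DSP CURa OUR"'.
    Returns {token: suffix}; suffix is '' or one of a/i/o (always/opt-in/opt-out)."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_value)
    if not m:
        raise ValueError("no CP directive in P3P header")
    tokens = {}
    for raw in m.group(1).split():
        base, suffix = (raw[:3], raw[3]) if len(raw) == 4 and raw[3] in "aio" else (raw, "")
        if base not in CP_TOKENS and base not in STANDALONE:
            raise ValueError(f"unknown compact token {raw!r}")
        tokens[base] = suffix
    return tokens


def cookie_terms(fp_xml):
    """Practices the FP declares for cookie data: the policy-level ACCESS choice
    plus PURPOSE/RECIPIENT/RETENTION/CATEGORIES of every STATEMENT whose DATA
    ref is #dynamic.cookies.  Statements about other data are outside CP scope
    (assumed simplification: the DATA-GROUP base attribute is ignored)."""
    terms = set()
    for policy in ET.fromstring(fp_xml).iter(P3P_NS + "POLICY"):
        access = policy.find(P3P_NS + "ACCESS")
        for child in (access if access is not None else []):
            terms.add(("ACCESS", child.tag[len(P3P_NS):]))
        for stmt in policy.iter(P3P_NS + "STATEMENT"):
            cookie_data = [d for d in stmt.iter(P3P_NS + "DATA")
                           if d.get("ref", "").startswith("#dynamic.cookies")]
            if not cookie_data:
                continue
            for group in ("PURPOSE", "RECIPIENT", "RETENTION"):
                node = stmt.find(P3P_NS + group)
                for child in (node if node is not None else []):
                    terms.add((group, child.tag[len(P3P_NS):]))
            for d in cookie_data:
                for cats in d.iter(P3P_NS + "CATEGORIES"):
                    terms.update(("CATEGORIES", c.tag[len(P3P_NS):]) for c in cats)
    return terms


def compare(header_value, fp_xml):
    """Return (asserted by the CP but not declared for cookies in the FP,
               declared for cookies in the FP but absent from the CP), both sorted."""
    cp = {CP_TOKENS[t] for t in parse_cp(header_value) if t in CP_TOKENS}
    fp = cookie_terms(fp_xml)
    return sorted(cp - fp), sorted(fp - cp)


# Constructed sample: the CP claims tailoring and business-practices retention,
# while the FP's cookie statement declares neither (it declares stated-purpose).
SAMPLE_HEADER = 'CP="NOI DSP COR NID CURa ADMa DEVa TAIa OUR BUS UNI NAV"'
SAMPLE_FP = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="site" discuri="http://www.example.com/privacy.html">
  <ACCESS><nonident/></ACCESS>
  <STATEMENT>
   <PURPOSE><current/><admin/><develop/></PURPOSE>
   <RECIPIENT><ours/></RECIPIENT>
   <RETENTION><stated-purpose/></RETENTION>
   <DATA-GROUP><DATA ref="#dynamic.cookies">
    <CATEGORIES><uniqueid/><navigation/></CATEGORIES></DATA></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
   <PURPOSE><current/><contact required="opt-out"/></PURPOSE>
   <RECIPIENT><ours/></RECIPIENT>
   <RETENTION><business-practices/></RETENTION>
   <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>"""

if __name__ == "__main__":
    over, under = compare(SAMPLE_HEADER, SAMPLE_FP)
    print("CP asserts but FP never declares for cookies:", over)
    print("FP declares for cookies but CP omits:", under)
```

Run against the constructed sample, the first list shows the CP overstating the FP (tailoring, business-practices retention) and the second shows the FP's stated-purpose retention that the CP never mentions. A user agent that reads only the header acts on the first picture; a reader of the FP sees the second. The contact purpose in the e-mail statement is correctly left out of both lists, because it does not concern cookies and so has no compact counterpart.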
The Gramm-Leach-Bliley Act (GLB) was the first legislation to impose privacy notice requirements on the members of a large industry. However, actual notices vary from company to company and have been widely criticized for their complexity and poor readability. Efforts to simplify and standardize the appearance and content of the notice, especially its online versions, have emerged with the goal of helping users understand privacy policies more readily and giving them a basis on which to compare policies across companies.
Future P3P versions should recognize these emerging privacy communications standards and coordinate future P3P enhancements with them. It is likely that firms will explore more ways to express their privacy practices in readable forms. P3P's inattention to these developments may confuse consumers and businesses alike, both of which will attempt to harmonize the human-readable with the machine-readable versions.
Online users and service providers are being confronted with various identity management protocols designed to streamline e-commerce by sharing authentication credentials and personal attributes among Web sites. Terms such as identity providers, service providers, attribute providers, and 'circles of trust' are becoming part of the Web lexicon.
P3P should recognize this trend and add attributes to allow Web sites to tell users when they have entered a 'circle of trust' and communicate choices they have or permissions they can grant within that 'circle'.
Many customer care centers use desktop tools that allow service reps to see what their caller (customer) sees simultaneously. This allows the rep to guide customers through Web sessions more efficiently. Currently, consent to work simultaneously with the user is granted verbally over the phone.
A future version of P3P should enable this to be communicated to the user, possibly through an additional purpose or recipient token. This token should carry a consent suffix indicating the user's approval, in the manner of the opt-in and opt-out qualifiers on existing purpose and recipient tokens.
Fidelity Investments, Page 3 of 3