Position Paper for P3P

By:

Ann Cavoukian, Ph.D., Information and Privacy Commissioner/Ontario

Mike Gurski, Senior Technology & Policy Advisor, Information and Privacy Commissioner/Ontario



Background:


The Information and Privacy Commissioner/Ontario (IPC) has been a staunch and involved supporter of the development and deployment of P3P. The IPC has also taken seriously the task of promoting P3P within Canada and abroad to raise P3P visibility and support the growing adoption of the specification by government and private sector Websites. The IPC will continue its support and commitment to P3P in years to come, in part because Lorrie Cranor has demonstrated a level of leadership throughout the P3P development process that reminds one of Hercules overcoming one challenge after another, each greater than the task before. The following comments are given in this context.


Lessons Learned

Through the course of the IPC’s involvement in the policy outreach team for P3P, a few lessons were learned that bear addressing for the next version of P3P.


Use of Resources

The amount of staff time needed for the Commission to contribute effectively to the P3P Policy Outreach Group was often above the resources available, due to competing priorities. As the Policy Outreach Group continued to evolve, the tasks for the Commission became more discernible, for example organising and hosting an outreach event, and allowed the Commission to contribute effectively above and beyond the normal promotion through speaking engagements and articles. This clarity of expectations needs to continue and develop. It is fair to ask Privacy Commissions and Data Protection Authorities to devote more resources, both technical and policy expertise, as Lorrie Cranor did in her presentation to CFP 2002. Still, it must be remembered that, at least for the IPC, this type of work is not within the legislated mandate of the agency, nor can it become a core business as it was for CDT.


While much of the work was done through conference calls and e-mail, face-to-face meetings or events could not be supported by the Commission. The W3C needs to review its protocols for supporting the involvement of Privacy and Data Protection Commissions regarding travel.


A last point on resources is a response to Lorrie’s suggestion that Privacy Commissions “fund projects to develop P3P user agents.” Speaking for the IPC, funding for this type of work is outside the mandate of the Commission, and while the IPC is willing to commit limited staff resources to these types of tasks, other funding models need to be entertained.


Future Work


We would like to leave aside the discussion of what V.2 should have in terms of functionality, or whether the initial discussions regarding ‘negotiating an agreement’ between the user and the Website need to be revisited.


Instead, we would like to address a number of suggestions raised by Lorrie Cranor.

The first is the beginning of a response to Lorrie Cranor’s suggested tasks for Privacy Commissions and Data Protection Authorities in her CFP presentation.

Development of default privacy settings and user interface.

An initial response is that there should be no user interface, or more accurately, the user interface for selecting privacy preferences should be embedded in the installation procedure of Internet browsers. It should take the form of a series of questions and user-provided answers that allow the user to choose to what level of detail he or she wishes to control the disclosure and use of personal information to an organisation through its Website(s).

There likely also need to be two types of user interface. One would be for the majority of users, who do not know what cookies are, let alone the difference between 3rd party cookies and session cookies. This would be a simple set of questions or prompts that can be nested around the key areas of privacy preferences included in P3P. The second interface would be similar to what appears once the ‘advanced user’ button is clicked in most software application installation or setting change processes. In other words, a complete set of controls for the consent and use of personal information and the level of openness that the user consents to regarding access by Websites to his or her computing device.

Regarding default privacy settings, assuming that Internet browsers incorporate the more fulsome set of controls as provided by P3P add-ons like AT&T’s Privacy Bird, default settings that provide ‘medium’ privacy protection are reasonable. That reasonableness is based on the ease with which the user can access and change the settings. This assumes that the full P3P specification will be built into Internet browsers within the next 2-3 quarters. What underlies this, as Lorrie intimates, is a parsing out of each preference element and then a decision on what is bundled to comprise the various settings. While this roughly sketches out the setting bundles in IE6, the challenge will be to include the full set of P3P functionality.

A topic that has come up in the debate over P3P is the lack of connection between a Website’s privacy policies and the technology controls, at the database level for example, that enact the organisation’s privacy policies. While this is outside the scope of P3P, the IPC recommends that at least some pilot work be undertaken by the W3C in this regard.



Next, we would like to address Lorrie’s last suggestion for a task for Privacy Commissions. Specifically, “groups might consider developing recommended setting files for these user agents and distributing them on their web sites.” This is a necessary task and we would be open to being involved in such work, but again the resourcing for such a task needs to be supported through the W3C.

Introduction of a new P3P

We are not opposed to P3P Version 2. That work needs to begin immediately; however, our expertise is not in the specifications development area. What we do see is the need for continued outreach and communication to promote the adoption and use of P3P V.1. The efforts of the policy outreach team have been nothing short of outstanding. Yet P3P, whose name belies its techie aura and origins, needs to be transformed, rebranded perhaps, into a cool dude, perhaps not as treacly cool as the ‘Dell Dude’ but cool nonetheless. That is the true challenge for privacy as a whole, and P3P in particular: to become mainstream and cool. It is also something the IPC is committed to help achieve together with the tasks outlined above.