Improvements to APPEL language
The following is a proposal for future work on P3P, submitted following
the November 2002 Workshop on the Future of P3P.
Purpose
- To enable default settings of P3P privacy preferences to be distributed
among user agents in order to satisfy legal requirements, particularly
within the EU.
- To provide the possibility for more uniformity between user agents and
hence more business investment in P3P due to consistent user agent
behavior.
- To produce a preference exchange language which would be acceptable and
easy to use for developers and which at the same time allows sufficient
expressiveness.
- To produce a language that is not logically ambiguous, i.e. each
rule/preference will have the same behavior with all semantically
equivalent policies (this is not currently the case with APPEL).
- To produce a user interface/conceptual model for APPEL that is
comfortable for non-expert users.
Scope
The work involved in this item is as follows:
- Develop a specification for an XPath-enabled version of the current
APPEL. This would enable developers to write arbitrary queries, which
would more easily express the kind of logic required for sub-tree
matching rules. This essentially provides for rules which can
match arbitrary policy fragments. This satisfies legal requirements
because legal bodies will essentially wish to have arbitrary scope in
creating APPEL preference sets for distribution.
- Consult with browser implementers who may eventually integrate the
preference exchange language, to make sure that the specification
provides what they require to be willing to commit to it.
- With this in place, it will be possible to distribute preference sets
such as EU default preferences, US safe harbour default preferences, etc.
- Provide a higher level ontology for the arbitrary matching capability
such that it is accessible to uninitiated users.
There are two possible routes for point 4:
- Leave it to "market forces" to sort out standard sets of
preferences. One could imagine that some structured discussion among
interested parties could lead to a list of standard sets of
preferences so that for example, High, Low, Medium could be simply
APPEL rulesets with a well defined interoperable meaning.
- Develop a higher level ontology which restricts user agent
interfaces to a more limited set of higher level concepts with a well
defined mapping to the concepts of P3P. This would then have the
effect of standardizing the way that preferences are presented and
reducing confusion in end users. Clearly the second alternative is
preferable in the long run because in conjunction with a proven
conceptual mapping process such as that set out by Hameed (University
of Aberdeen), it offers a vocabulary which is adapted to the end-user
needs.
The two alternatives, however, are not incompatible, and in fact the two
routes may be followed in sequence according to the resources available. As
the JRC intends to lead an ontology project, the best possible route is
probably, in the short term, to develop satisfactory default rulesets for
import. These rulesets could then be simply tagged by name in IE/NS (for
example, instead of high, low, medium it would show EU (high), EU (medium),
US (high), trust-e, etc.). This would require no modification to the P3P
specification but would require the agreement of browser developers,
particularly Microsoft. In the
longer term, a higher level ontology could be incorporated into the P3P
specification, so that more detailed terms are grouped under higher level
headings, which then form the basis of a standardized end-user preference
scheme. This would need to be discussed with the Working Group.
Resources
The European Commission's JRC Cybersecurity team has already carried out
much of the work necessary to develop a new version of APPEL and resources
are available to complete this within the JRC. Resources are also available
within the JRC for the development of a higher level ontology which is part
of the proposals for the RAPID initiative.
Further resources required are commitments to discussion on
standardization of user agent interfaces by Microsoft, Netscape, Opera and
other user agent implementers.
Time Frame
The development of an improved version of APPEL should be possible within
9 months to a year including the consensus process. As Internet Explorer is
the most important user agent, account should be taken of the time frames for
development of new versions of IE.
The development, agreement and integration of a higher level ontology is
possible within 2 years and is therefore a process which should be assigned
to the P3P 2.0 specification.
Giles Hogben
Last update $Date: 2003/03/17 09:50:38 $ by $Author: rigo $