Improvements to APPEL language

The following is a proposal for future work on P3P submitted following the November 2002 Workshop on the Future of P3P

Purpose

• To enable default settings of P3P privacy preferences to be distributed among user agents in order to satisfy legal requirements, particularly within the EU
• To provide the possibility for more uniformity between user agents and hence more business investment in P3P due to consistent user agent behavior.
• To produce a preference exchange language which would be acceptable and easy to use for developers and which at the same time allows sufficient expressiveness.
• To produce a language, which is not logically ambiguous - i.e. each rule/preference will have the same behavior with all semantically equivalent policies (this is not currently the case with APPEL).
• To produce a user interface/conceptual model for APPEL, which is comfortable for non expert users.

Scope

The work involved in this item is as follows:

1. Develop a specification for an XPATH enabled version of the current APPEL. This would enable developers to write arbitrary queries, which would more easily express the kind of logic required for expressing sub-tree matching rules. This essentially provides for rules which can match arbitrary policy fragments. This satisfies legal requirements because legal bodies will wish essentially to have arbitrary scope in creating APPEL preference sets for distribution.
2. Consult with browser implementers who may eventually integrate the preference exchange language, to make sure that the specification provides what they require to be willing to commit to it.
3. With this in place, it will be possible to distribute preferences sets such as EU default preferences, US safe harbour default preferences etc.
4. Provide a higher level ontology for the arbitrary matching capability such that it is accessible to uninitiated users

   There are two possible routes for point 4:

   1. Leave it to "market forces" to sort out standard sets of preferences. One could imagine that some structured discussion among interested parties could lead to a list of standard sets of preferences so that for example, High, Low, Medium could be simply APPEL rulesets with a well defined interoperable meaning.
   2. Develop a higher level ontology which restricts user agent interfaces to a more limited set of higher level concepts with a well defined mapping to the concepts of P3P. This would then have the effect of standardizing the way that preferences are presented and reducing confusion in end users. Clearly the second alternative is preferable in the long run because in conjunction with a proven conceptual mapping process such as that set out by Hameed (University of Aberdeen), it offers a vocabulary which is adapted to the end-user needs.

The two alternatives however are not incompatible and in fact the two routes may be followed in sequence according to resources available. As the JRC intends to lead an ontology project, the best possible route is probably in the short term to develop satisfactory default rulesets for import. These rulesets could then be simply tagged by name in IE/NS (for example instead of high, low, medium it would show EU (high), EU(medium), US (high), trust-e etc… This would require no modification to the P3P specification but would require the agreement of Browser developers, particularly Microsoft. In the longer term, a higher level ontology could be incorporated into the P3P specification, so that more detailed terms are grouped under higher level headings, which then form the basis of a standardized end-user preference scheme. This would need to be discussed with the Working Group.

Resources

The European Commission's JRC Cybersecurity team has already carried out much of the work necessary to develop a new version of APPEL and resources are available to complete this within the JRC. Resources are also available within the JRC for the development of a higher level ontology which is part of the proposals for the RAPID initiative.

Further resources required are commitments to discussion on standardization of user agent interfaces by Microsoft, Netscape, Opera and other user agent implementers.

Time Frame

The development of an improved version of APPEL should be possible within 9 months to a year including the consensus process. As Internet Explorer is the most important user agent, account should be taken of the time frames for development of new versions of IE.

The development, agreement and integration of a higher level ontology is possible within 2 years and is therefore a process which should be assigned to the P3P 2.0 specification.

Last update $Date: 2003/03/17 09:50:38 $ by $Author: rigo $