The following is a proposal for future work on P3P, submitted following the November 2002 Workshop on the Future of P3P.
A serious problem for P3P is that if a company's practices contravene its stated privacy policy, there is little technical or legal framework to prove that the company made the statements that existed on its server at a given time. In other words, it is too easy for a company to repudiate its policy statements. While P3P increases the level of trust felt by consumers by providing more transparent and unambiguous information, it does not provide any assurance as to the authenticity and integrity of this information. The aim of this item is to provide a watertight route of legal recourse and thereby to increase consumers' trust.
Probably the biggest obstacle to achieving these objectives is driving the adoption of any measures taken. However, a prerequisite to this is to provide hooks within the P3P standard by which signed policies may be referenced, validated and later used as legal evidence.
Joseph Reagle of W3C has already gone some way towards outlining the detail of this solution, which would build on the document "A P3P Assurance Signature Profile".
Building on this, the requirements for the P3P specification are as follows:
The JRC has already developed a prototype specification for this functionality. This specification will be used to create a demonstrator module to be integrated within the JRC proxy architecture. Further resources for integrating this into the P3P specification can also be provided by the JRC.
It is expected that the development of the architecture, specification and demonstrator will be finished by January 2004.
Last update $Date: 2003/03/17 09:50:38 $ by $Author: rigo $