The World Wide Web Consortium’s goal is to "realize the full potential of the Web." We see the Web as a critical piece of global infrastructure and work to make sure that its overall architecture is flexible and will support long-term evolution as well as short-term goals. The protection of personal privacy is critical in any communications medium, and the P3 Project is intended to address this particular need.

The term "privacy" covers a very wide range of concerns, and it is important that we understand from the outset the precise scope of the P3 work. P3 is intended to allow the implementation of a range of policies centering around the controlled release of personally identifying information. The goal is to create a framework that allows end users to trust the infrastructure by allowing verifiable control of this information -- both its initial release and, most importantly, subsequent use of that information. Based on discussions with the German government, the European Commission (DGXIII and DGXV), and the U.S. Federal Trade Commission, we believe that the key ideas are:

• Disclosure of site privacy practices.
• Informed consent to the release of particular information for a particular purposes (either explicitly at the time of release or more generally in advance, under well-understood conditions).
• Integration with traditional enforcement mechanisms to guarantee that the practices are actually followed.
• The ability to negotiate over the terms of the release of information.

The general framework, proposed to the W3C membership as well as to representatives of the direct marketing industry and government regulatory authorities is straightforward:

• Servers that collect personally identifying information must state, using metadata "labels" on their Web pages, the uses to which they will put the information that is collected. These policies should be subject to appropriate third party inspection and validation (e.g. by independent auditors). Third parties who perform this validation may identify themselves by digitally signing the metadata labels. At least one standard language for expressing these policies should be defined.
• Users may configure their clients to specify their privacy preferences, and grant consent to the release of personally identifying information subject to agreement by the server that it will be protected as stated by the user. A user’s decision to release information may be related to the server’s stated practices and/or the third parties willing to vouch for these practices. User's policies may be transportable.
• Under user control, personally identifiable information may be released either automatically (if the server’s practices match the users’ preferences) or through explicit informed consent.

It is important to bear in mind that the P3 Project is only one facet of the W3C’s work on the Web infrastructure, and that the Project must collaborate closely with other work that also affects the infrastructure. In particular, W3C has active work on metadata for providing machine-understandable information about the contents of the Web (sites, parts of sites, or individual pages). It also has a separate group working on digitally signing this metadata. The P3 Project is seen as a source of requirements and deadlines for these other activities; but the autonomy of all three activities must be mutually respected. It is the job of the W3C staff to coordinate these activities.

The P3 Project is expected to last approximately 18 months. During that time, it should deliver four major products:

1.A detailed architecture illustrating the various various components of the P3 infrastructure and how they integrate into the Web infrastructure.

2. A set of technical specifications specifically relevant to privacy protection. This can include, but is not limited to, interoperability protocols, recommended vocabularies, minimum implementation requirements, required default values of parameters, and requirements on behavior under adverse circumstances (e.g., requested release of information from unlabelled sites).

3. Products available to the marketplace that adhere to the architecture and technical specifications. These are expected to be proprietary to the vendors involved, but tested for compliance and interoperability. They should meet the minimum specifications, but may have limitations imposed by engineering or time-to-market constraints.

4. A demonstration to government regulators of the capabilities of a complete implementation of the specifications. This may be based in part on proprietary products and in part on W3C sample code. This demonstration is intended to show that the technical solutions are complete, even if not yet fully deployed.

jmiller@w3.org 25 June, 1997