Platform for Privacy Preferences (P3) Project
Previous Project Update
22 September, 1997
Let's begin with the project name. We will begin using the abbreviation "P3P" to reference the Platform for Privacy Preferences Project. The W3C received notice of alleged trademark infringement and after considering a number of options and alternative acronyms we settled on moving to P3P. P3P is free of competing claims and MIT will be filing an application for US registration.
We advise members who reference the project to use the acronym P3P in their press releases or literature. If you have any questions, please feel free to contact Joseph Reagle or myself.
Now, on to the project details. The Vocabulary and Architecture working groups have completed their design work and are working on final drafts of their respective documents. These documents are complementary: The architecture document provides a general framework for the P3P project, defining terms and concepts. The Vocabulary working group has developed a grammar for P3P service practice proposal, in essence 'how a service states its intended privacy practice and where that practice holds true.' Finally, for the specifics of 'what' a service says, we are expecting the Internet Privacy Working Group to submit a note with its recommended privacy practice vocabulary on October 1.
Please review the architecture and vocabulary working drafts and send your comments in as soon as possible.
With the first phase of P3P almost complete, it is time to start the next set of working groups. Four working groups will be formed (details below). At the highest level, it is the task of these working groups to take the broad recommendations of the initial working groups and develop them into detailed specifications. These working groups will complete the bulk of their work before the new year. A call for participation will go out early next week for these working groups.
If you have any questions, please do not hesitate to contact me.
Philip DesAutels, P3P Project Manager
This working group will develop specifications for the negotiation framework for user-agent/service interaction. In this interaction, a service will express its privacy practices which a user agent will evaluate to determine if the practice fits within a user's preferences. If a suitable practice is found the user agent can enter into a binding agreement with the service to govern the user agent's interaction with the service.
The Vocabulary and the Architecture Working Groups have developed documents which form a basis from which this conversational framework will be drawn. This working group will base its work off of these results.
The WG deliverables include:
The working group will hold a one day face-to-face meeting to kick-off the effort in the week of 13 October in Denver, CO USA. The working group will complete their work by the first week in January 1998 (in time for the T&S January Interest Group Meetings and the next Advisory Committee Meeting).
Participants must commit to investing at least 4 hours per week for working on this project as well as one, one-hour weekly teleconference. This will be a technical working group and participants should have an understanding of web protocols and a familiarity with the P3P working documents. At least one additional in-person meeting of this working group will take place.
This working group is concerned with the encoding of the P3P conversational elements in PICS and RDF. They will take the semantics developed by the Protocols and Data Transport Working Group and develop specifications for their syntax. Specifically the working group will:
Deliverables include 2 specifications matching the two items above.
This working group will begin its work with a teleconference in the week of 26 October and will complete its work by 23 January 1998.
Participants must commit to investing at least 4 hours per week for working on this project as well as one, one-hour weekly teleconference. This will be a technical working group and participants should have an understanding of web protocols, syntactic design and a familiarity with the P3P working documents. At least one additional in-person meeting of this working group will take place.
The setting of user preferences is a complex task which is integral to the success of P3P. A common interchange language for specifying user preferences which is understood by all P3P implementations is imperative to user's acceptance and adoption of this technology. Several other efforts have addressed a similar problem for other communities, PICS Rules, and Profiles 0.94 for example.
This working group will evaluate the current policy expression languages for their applicability to P3P and evaluate the alternative of developing a P3P specific user preference language.
This working group will deliver either a recommendation for using an existing language or the specification of a P3P specific one.
This working group will begin its work with a teleconference in the week of 6 October and will complete its work by 23 January 1998.
Participants must commit to investing at least 2 hours per week for working on this project as well as one, one-hour weekly teleconference. This will be a technical working group and participants should have an understanding of trust, user policies and a familiarity with the P3 working documents. At least one additional in-person meeting of this working group will take place.
The Internet Privacy Working Group (IPWG) is due to submit a recommended site practices vocabulary by 1 October 1997 to the P3P project. This working group will review the IPWG vocabulary and vet it in a global forum. A goal of the working group is to reach consensus on a globally uniform vocabulary as the single set of specific practice statements which are encodable as P3P. (Please see The Importance of a Uniform Vocabulary below.)
If a globally uniform vocabulary can be agreed to, this working group will document the vocabulary and its usage rules.
If a globally uniform vocabulary can not be agreed to, this working group will document the issues encountered and document one or more (as appropriate) standard vocabularies
This working group will also recommend the role a harmonized vocabulary should play in the P3P specification (required, recommended, one of many, etc.)
The Working Group will work with the appropriate international bodies to come to consensus.
This working group will begin its work with a teleconference in the week of 6 October and will complete its work by 1 March 1998.
Participants must commit to investing at least 2 hours per week for working on this project as well as one, one-hour every other week for teleconferences. Participants in this working group should have an understanding of privacy practices and a familiarity with the P3 working documents. At least one additional in-person meeting of this working group will take place.
The Importance of a Uniform Vocabulary
by Joseph Reagle
P3P is a global technology. While this technology, like PICS, has the capability to support multiple privacy vocabularies global commerce and privacy protection would benefit from a uniform privacy vocabulary that is useable around the globe.
A benefit of a platform that supports multiple vocabularies is that the technology need not be dependent on the resolution of related policy contentions. PICS is available today while issues related to illegal or harmful content and civil rights continue to be debated. A detriment of multiple rating systems is that while everyone can use the same mechanism (PICS or P3P), each vocabulary may be inappropriate or meaningless in other cultures and jurisdictions. A vocabulary that is sufficient for describing the practices as required by Asian regulations may not be so for the US or Europe, and vice-versa.
The potential benefits of the Web are severely limited if either of the following occur:
- each jurisdiction blocks their users from accessing sites in other jurisdictions, or
- the concept of privacy becomes moot, or non-sustainable
Consequently, the W3C will endeavor to offer a vocabulary that is sufficient for the majority of global regulatory concerns. The W3C acknowledges that it cannot single handedly harmonize international data protection concerns. However, the resulting work will promote -- and certainly not preclude -- the ability for users to participate in a global Web space while providing users the maximum amount of control over their privacy.
The degree to which the vocabulary offered by P3P is considered "required" for P3P compliance will be determined by the P3P project manager, in consultation with P3P participants and subject to W3C process. This decision will be based on how successful the vocabulary is in addressing data protection concerns in the Americas, Asia, and Europe. Even as we hope to achieve global acceptance, a possible outcome is that the resulting W3C "sample code" will be non-binding. In the end, the adoption of a uniform vocabulary is dependent on users', developers', and regulators' desire to
encourage a global Web.
firstname.lastname@example.org, 22 September 1997