October 13, 1999

Jason Catlett
President
JunkBusters Corp.

Dear Jason,

Thank you for your recent letter detailing your concerns with the P3P specification. We hope to dispel the misconceptions that you have of P3P and to clarify the intent and actions of the project.

Most of your concerns stem from the assumption that P3P is intended to replace existing or future privacy protections and become the only form of privacy protection worldwide. As is clear from the P3P Guiding Principles, public statements of W3C and the activity on the www-p3p-public-comments@w3.org list, this is not at all the case.

* P3P, by itself, does not protect individual privacy - P3P is a standard that can help users protect their privacy in accordance with existing public policy by promoting openness about data practices and facilitating decisions by individuals.

The W3C is merely a standard setting organization; it does not have the ability to determine public policy. While different members of the W3C may have different reasons for engaging in the process - some of which were mentioned in your letter and some of which were not - nothing in the P3P Specification or the P3P Guiding Principles presumes that P3P is designed to replace public policy or a public policy process. In fact, the Guiding Principles specifically state that P3P "has been designed to be flexible and support a diverse set of user preferences, public policies, service provider policies, and applications."

Working group members support a range of policy solutions. Some of the designers openly support the creation of new U.S. privacy laws. Accordingly, P3P is designed to allow for statements about data points, which are in turn directed by law, regulatory procedures, self-regulation or other policies.

Your letter also suggests that P3P may be slowing down the political process in the U.S. However, the Internet is a global, decentralized medium.
The standard is not, and should not be designed, to fit any single country's public policies. We do not believe that the citizens of Sweden, for example, should be denied the ability to map their privacy laws onto the Internet until the U.S. has finished its political process. Therefore, it is essential that P3P implementations and other privacy enhancing technologies move forward.

We also do not believe that P3P is slowing down the political process. In fact, we believe that P3P is helping policy makers understand that the solutions that are created will be more effective and enforceable if compatible with technology.

Technologies should support not just anonymity and access, as your statement implies, but all eight OECD principles on the Protection of Privacy and Transborder Flows of Personal Data. Therefore, we foresee P3P inter-working with other privacy tools to offer a framework that supports public policies and enhances individuals' ability to protect their privacy within that framework.

A P3P compliant technology can be designed by implementers to allow individuals to choose to surf only sites that provide them with anonymity. But we also realize that not all interactions are best served by anonymity. For example, while there are limited contexts in which health care is sought anonymously, generally it is an identity-based relationship. Accordingly, we set out to provide a framework to support a range of interactions, not just anonymous ones.

* Products designed to enhance privacy are being created. Many products to protect privacy are being created by the private sector with or without the P3P standard (please see the partial list at http://www.w3.org/P3P/implementations). Therefore, it seems that a standard to allow these programs to interact plays a useful role outside of the political process.
While there is a question as to whether all of these products will accomplish the goal of protecting privacy, it is obvious that many software companies believe that consumers would like tools that protect privacy. In fact, your company, the JunkBusters® Corporation, provides such tools and solutions. We believe that a standard may serve to speed deployment and diversity of products.

* The P3P Process is a deliberative and thoughtful process. As you suggest in your letter, the P3P process has indeed been slow in comparison with many other Internet standards. There are several reasons for the rate at which the P3P process has progressed. Mainly, however, this is because the process has been more inclusive than other standard setting processes. This is the reason that P3P has sought input from the Article 29 Working Group, worldwide data protection commissioners, as well as soliciting public comments. These meetings have led to a further discussion of issues with the P3P vocabulary, which will be addressed.

We do agree that the process does need to meet its upcoming deadlines (http://www.w3.org/P3P/schedule.html) in order to maintain credibility. More importantly, it will be essential for companies to follow up with high-quality implementations of P3P so consumers can use the technology rather than the standard simply existing for rhetorical discussion. We also agree that the working group is lacking a comprehensive deployment plan and we plan to address this issue. In the end, we are optimistic that companies will indeed build useful products that meet the final P3P recommendation.

As you can see from the public information available at the P3P site, the recommendation is expected to be finalized before the end of January 2000. Therefore, your company still has time to join the W3C and engage in the P3P process in order to help build it into a better standard.
Your continued input on the www-p3p-public-comments@w3.org list is of course useful, but your participation in the working group could help to ensure that P3P becomes a successful standard. We hope that you will seriously consider this option.

Sincerely,

Lorrie Cranor, AT&T
Ari Schwartz, CDT
on behalf of the P3P Specification Working Group

Copy to:
Ulf Brühann, DG XV, European Commission
Ann Cavoukian, Information and Privacy Commission, Ontario
Peter Hustinx, Netherlands Data Protection Commission
David Medine, Federal Trade Commission
Peter Swire, Office of Management and Budget

------------------------------------
Ari Schwartz
Policy Analyst
Center for Democracy and Technology
1634 Eye Street NW, Suite 1100
Washington, DC 20006
202 637 9800
fax 202 637 0968
ari@cdt.org
http://www.cdt.org/
------------------------------------