- From: Christopher D. Hunter <chunter@asc.upenn.edu>
- Date: Thu, 17 Feb 2000 00:38:22 -0400
- To: www-p3p-public-comments@w3.org
P3P Development Team, I appreciate your response to the issues I raised in an earlier message. However I still have a few critical points to make, particularly in regards to data categories. > > - Under the POLICY entity or the DISCLOSURE element, why not require > > sites to also list a contact person and the address of the company? > > This type of addition would go a long way towards ameliorating the > > information asymmetry critique. I also believe that it will become a > > necessity if governments eventually set up "privacy clearinghouses" > > which certify company privacy practices. Perhaps all of this can > > already be done with APPEL? > > Please see our new and improved "entity" attribute. Let me say that I think that the mandatory "entity" attribute is a big step forward. This certainly speaks to the accountability principle of OECD. However, why not go even further, and as Karen Coyle suggests, include a number of other "entity" attributes such as public/private company, subsidiary of, nation incorporated in, etc. ? I know that this would make things more complicated, but my guess is that the EU is going to want a fuller set of disclosure elements about companies. I'd just make sure that you have an extension element to the entity attribute that would allow for additional disclosure statements that legislatures may want. As a starting point, maybe look at what identifying and accountability attributes the Securities and Exchange Commission (and its European counterpart?) requires for publicly traded companies. > We don't have any good proposals on the table about how to resolve the > category problems. If you have any specific suggestions we would be > happy to consider them. In the mean time, we believe things like health > information are not well represented by any category and thus would > require the use of the "other" category where a human-readable explanation > is required. Not to be mean, but this is a pretty weak response given that categories are essential to end user "informed consent." If you can not come up with clear and informative categories, end users will be left guessing about what types of data companies are collecting. I don't mean to be too harsh, because I'm not particularly sure about how to delineate categories myself, but I do know that leaving the tough decisions to a company defined "other" category is not the way to go. The reason being that companies will put everything in vaguely worded "other" categories that will be very difficult for an APPEL rule set to deal with. Do you prompt end users to read every "other" category collection request, thus inundating users with pop up windows, and therefore defeating the point of P3P? Or do you have the APPEL rule say accept all "other" categories collection requests, thus defeating the whole point of human-readable explanations? I also don't think that your response has adequately addressed the reasons why you have agreed on the current set of categories, why health information shouldn't be its own category, and why you are not disaggregating the Demographic and Socio-economic Data category. These issues, and your decisions regarding them need to be made explicit and public. There's no question that this is a thorny and difficult area, but relegating these issues to an "other" category seems to be a bit of a cop out. How to go about defining useful categories? I would start by conducting an international privacy survey that would be composed of a series of likert scales that would ask people to value a whole range of personal information items. Through factor/cluster analysis you could come up with the most highly valued categories, and then put them into P3P. This is by no means the answer to the problem, but at the very least it's a starting point that would allow you to justify certain default categories. Generally speaking, I think the latest P3P Working Draft is heading in the right direction, particularly on the information asymmetry issue. Nevertheless, as my comments above note, a number of issues (some seemingly intractable) remain which I feel will prevent P3P from becoming a true tool for end user privacy protection. This is certainly not due to a lack of effort, expertise, or dialogue on the part of the P3P development team. Rather, I would argue that certain complex social issues, like privacy and content appropriateness (PICS), simply can not be reduced to lines of code. I look forward to your comments. Best, Christopher D. Hunter Ph.D. Candidate Annenberg School for Communication University of Pennsylvania 215-732-4612 chunter@asc.upenn.edu http://www.asc.upenn.edu/usr/chunter/
Received on Thursday, 17 February 2000 00:30:11 UTC