P3P: A Privacy module for Web-Technology
Rigo Wenning
W3C-Track, WWW-2002
Hawaii, 8 Mai 2002
Rigo Wenning <rigo@w3.org>
W3C/INRIA
Sophia Antipolis, France
Privacy is important for E-Commerce?
- Polls show, that e-commerce is losing more than 35% of their potential
clients because of the privacy issue
- Even in countries with privacy legislation, the fear and mistrust is
still high
- 60% of asked people in Europe did not know about their privacy
rights
- Conclusion: Transparency is key
P3P is key to transparency
- Policies can be easily found
- Machine readable language: no legalese anymore
- Software can help users interpret the policy
- Users know before they enter a site
P3P will provide the following Information:
- Who is collecting data?
- What data is collected?
- For what purpose will data be used?
- Is there an ability to opt-in or opt-out of some data uses?
- Who are the data recipients (anyone beyond the data collector)?
What else is provided?
- To what information does the data collector provide access?
- What is the data retention policy?
- How will disputes about the policy be resolved?
- Where is the human-readable privacy policy?
P3P: How it works
- A protocol, that finds the policy reference file
- A policy reference file to attach URI's to a privacy policy
- A standard XML language to express privacy practices
- An extensible dataschema to describe the object (data) of those
statements made with the language
- Sites can optionally provide a
compact policy
A simple HTTP-Transaction
A HTTP-Transaction with P3P
How to make your site P3P compliant
- Create a privacy policy
- Translate it to P3P
- Create a policy reference file for your site
- Configure your server for P3P
Help for Implementers
P3P is a module
Expected to work also with
- CC/PP
- SOAP
- XForms
- Web Services
We expect, that P3P is used to integrate privacy metadata into the whole
business process
P3P-Applications: User Agents
P3P-Applications: Authoring Tools
P3P-Applications: other Applications
- P3P Validator
- ENC-Client with Policy-verification
- Testsuite
See also the
Implementations Page
Future work
- Negotiation
- Multiple policies/ Identity Management
- Vocabulary
- XML Schema for Basedataschema
- Challenges from : Mobile Sector, Web Services, Soap Semantic Web to
help
I have to tell them, why laws alone are not sufficient. But I will say also, that P3P alone is not a sufficient condition for privacy