W3CTechnology and Society

[Workshop Homepage]

Minutes of the W3C - Event on P3P and Enterprise Privacy Languages

General Note:

These minutes only take account of discussions after the presentations. The presentations are linked from the agenda.

Paul Ashley:

asked about cookies in Europe and whether a new regulation will prohibit cookies.


There has been new legislation: the new european directive on privacy and electronic communications. It requires that the client must be informed about the cookie and that he has to agree prior to setting the cookie. The ok has to be explicit, which is not very practical. The directive must be transposed into national law which still may take some time.


Should web bugs be mentioned in the privacy policy?

Answer: Yes, they have to be mentioned as well as cookies. The US-perspective on P3P is a bit different from the European. They face the same technical details but the implementation approaches are slightly different.

John Borking:

Why are the requirements AC020 in the Web Services architecture requirements document important? Why not rather allow for anonymous searches? Consent is given to intermediaries is given one time only. After that the intermediary is free to do what it believes is required. Maybe one-time consent may not be good enough. Anonymity should be should be considered in the various steps of a transaction. My suggestion is to provide personal information only at the last moment when it is really required and avoid disclosing personal information and avoid a situation where info is already disclosed even when the transaction was abandoned.

Christine O'Keefe:

Consent may be packaged together with the data to deal with the one-time consent.

Ron Vandermeyden:

An option could be to be informed of who the third party is before consent is given to the data owner to share that data. This would require to go back to the user.

Steven Adler:

When relationsships exist between business partners, than consent is taken care off in this relationsship. When organisations do not know each other, we need a purpose engine to negociate the consent.

John Borking:

Purposes can or can not be standardized. This is an open question. Different views may lose flexibility if categorized in a standard way. How can we establish Trust and have proof that I can trust. Semantic issues for data categories and purposes, because otherwise there is no portability of policies. What we need is a worldwide standardization of processes so that data exchanged is used in the expected way.

Paul Ashley:

It would be useful to have APPEL templates. Attempts have been made, but we were unsuccessful.

Phil Fritz:

Is there value in linking EPAL to P3P?

Answer: Yes, they should be able to represent the same concepts.

John Borking:

Privacy should be structured or built-in like in a car. People trust that it works properly without knowing the details of how it works.

Phil Fritz:

It is too early to make these decisions. With use and experience the answers will become clearer.

Rigo Wenning:

Why is privacy important? It generates trust. To achieve that, we have to allow for compliance in different environments, e.g. encapsulate policies in Web Services to show how data handling is done.

Paul Greenfield:

Web Services are services and should not use the Policy Reference File to bind policies. A hierarchical structure does not fit with the flat structure of Web Services.

Adam Hergert:

How to attach an acceptable policy to a service?

Christine O'Keefe:

A Web Service may contain metadata and privacy link. This might also include business process data. It would be nice to have a feedback to determine why a service did not work. (Discussion about the IBM Paper at WWW10)

Answer: there is no adoption of this so far.

Phil Fritz:

In the future, more and more people will be making choices based on privacy practices of organisations.

Lawrence Lau:

Is Privacy a commodity? In the US it is linked to the first amendment. Can you sell it because underprivileged people will be without protection?

John Borking:

Privacy is a human right, therefor there are limitations to this approach.

Rigo Wenning (Privacy Activity Lead)

Last update: $Date: 2003/10/21 16:21:14 $ by $Author: rigo $