Expanding the scope of P3P

P3P Workshop Position Paper

5/28/2003

Authors: Jeremy Epling (Microsoft Corp)

Abstract:

In order to address the growing software industry investments in privacy and looking ahead to new applications of privacy, P3P needs to solve expression problems in the language and the scope of transactions it covers.

Position:

As the software industry as a whole increases its investments in privacy, it needs a verbose language that will cover a large set of scenarios while allowing for poignant disclosure. These scenarios should not be limited to the web or to business-to-consumer disclosure. The P3P vocabulary also needs to be expanded to support this larger scope, and the issues around offering "adequate" disclosure, which are currently preventing adoption by corporations, need to be addressed.

Policy Granularity

Service providers want the ability to express what they need or want from the user with finely worded policies that can stand up to legal scrutiny and minimize liability. Users want to express what they don't want to happen in clear, simple language. Addressing both of these needs requires a greater level of granularity in both vocabulary and format. This paper will address possible solutions for correcting the policy granularity issues while considering the performance and serialization requirements of web navigation, state management, and web service interactions.

Policy Scope

Currently, P3P policies are only scoped to cover business-to-consumer disclosure for websites. We would like to explore expanding this scope to cover privacy at a larger scale, including B2B transactions, mobile scenarios, and disclosure beyond that of just websites and web services.

 

Data Binding of Policies

P3P is only a means of disclosure; it has no way to bind to specific pieces of data and mark them with the user's privacy preferences so that those preferences can be respected as the data is used and transferred onward. Binding the policy to the data being transferred, and not just disclosing practices, gives P3P an enforcement mechanism that establishes a higher degree of trust in the entity collecting the data. This could also increase the use of P3P in B2B scenarios and in dealing with onward transfer issues. As government and industry regulations around privacy increase, P3P needs to be able to scale to protect the user's data in a more active manner than just disclosure.