Minutes of the P3P Specification Working Group Face to Face Meeting 6-7 March 2003 Cambridge, MA

(thanks to Rigo Wenning and Ari Schwartz for contributing their notes)

Present

1. Lorrie Cranor, AT&T Labs-Research
2. Jack Humphrey, Coremetrics
3. Brooks Dobbs, Doubleclick
4. Ari Schwartz, CDT
5. Jeremy Epling, Microsoft
6. Mathias Schunter, IBM
7. Brian Zwit, Integrity Insurance, AOL
8. Danny Weitzner, T-and-S Domain Leader, W3C
9. Rigo Wenning, Privacy Activity Lead, W3C
10. Helena Lindskog, Ericsson

March 6

INTRODUCTIONS AND DISCUSSION OF THE AGENDA

All present introduced themselves. As part of his introduction, Mathias Schunter made the following announcement: We are pleased to announce the first public version of the IBM Enterprise Privacy Authorization Language (EPAL). You can find the language specification and XML schema at http://www.zurich.ibm.com/security/enterprise-privacy/epal We are working on WS-Privacy together with Microsoft, want to keep P3P out the B2B area. Want to have some enterprise language that should be compatible to P3P.

Danny gave some history related to the Liberty Alliance in preparation for our discussion with them later.

• Liberty has notion of rights expression language, they have a gap and need something to fill it
• attribute sharing
• packages of privacy practices/profiles? high/medium/low
• looking for something easier to implement than P3P
• P3P gives them a level of policy legitimacy in Europe

CHARTER AND TASKFORCES

The P3P 1.1 charter is being voted on by the membership. We hope to hear that it is approved in the next few weeks. We are currently operating under the assumption that it is likely to be approved with minor changes.

The deliverables in the charter are based on the discussion at the workshop last fall. They include items that reflect a strong consensus that these are things we should do as well as items with less support where someone just said he would do it.

We will have task-forces. Those TF will bring up the first draft and it will be discussed in the WG. Timeline in the deliverable session: Lorrie announced that she will enforce the timeline strictly. Everything that doesn't make it in the timeline will be considered for P3P 2.0 (pending charter of that working group).

The W3C's public Bugzilla will be the thing to be used for for tracking issues instead of our old issues list. Please register with Bugzilla at http://www.w3.org/Bugs/

Spec clarifications and items not covered by a specific taskforce will be covered by the working group as a whole. An individual should raise the issue and make a specific proposal.

Brian was interested in working on clarifying what a P3P policy means in the spec. He and Danny volunteered to draft a proposal.

ACTION: Brian & Danny: Create a proposal for clarification of what a P3P policy means

If we have a lot of clarifications and corrections before we are ready to put out the p3p 1.1 spec we may put out a corrected version of the p3p 1.0 spec. In the mean time we will update the errata page.

P3P Beyond HTTP taskforce:

• volunteers: Danny Weitzner, Marc Langheinrich, John Morris (volunteered by Ari), Matthias Schunter
• this taskforce still needs a chair... Danny suggested that Joseph Reagle may be a possible chair
• TF will look at SOAP and WS, also independent P3P binding and other things like jabber, IRC, mail, etc.
• Matthias is concerned about P3P turning into an enforcement language, wants to distinguish between consumer notice and enterprise enforcement

ACTION: Danny to ask Joseph Reagle if he will chair this taskforce

ACTION: Matthias to draft proposed modification to P3P Beyond HTTP taskforce description in draft charter and submit it with IBM ballot

User Agent Behavior taskforce

• volunteers: Brian Zwit, Ari Schwartz, Jeremy Epling, Brooks Dobbs, Lorrie Cranor, Diana Alonso-Blas (volunteered by Rigo), David Stampley (volunteered by Lorrie)
• nobody has volunteered to chair, Lorrie may chair this TF
• TF may propose guidelines or requirements
• Microsoft is opposed to this TF coming up with mandatory spec components but supports guidelines
• will work on guidelines for wording of P3P vocab elements as well as other aspects of UA behavior (for example, allow policies to be saved and printed)

ACTION: Jeremy and Brian: deliver wording for P3P vocab elements from IE and Netscape

Compact Policies taskforce

• Brian Zwit volunteered to chair
• volunteers: Brooks Dobbs, Jack Humphrey, Jeremy Epling, Helena Linkskog
• first step is to get empirical data on performance issues related to CPs and do evaluation of tradeoffs

Article 10 taskforce

• Giles Hogben volunteered to chair
• volunteers: Jeremy Epling, Diana Alonso-Blas, Rigo Wenning
• Casper Bowden (Microsoft) had previously expressed interest in participating

Agent and Domain Relationships taskforce

• Jack Humphrey volunteered to chair
• volunteers: Brian Zwit, Brooks Dobbs, Matthias Schunter
• Rigo suggested asking Mark Nottingham to participate
• will look at how to deal with third parties.. How to say: I am the agent working for this site...
• closely tied to compact policies

Consent Choices taskforce

• Matthias Schunter volunteered to chair
• Lorrie will participate
• Have more statements and group them and opt-out opt-in in a package It is pretty similar to naming statements.

XML Schema taskforce

• Giles Hogben volunteered to chair
• Jack volunteered to review
• Rigo suggested that Massimo should be involved

Signed P3P Policies taksforce

• Giles Hogben volunteered to chair
• some people unclear on why signed policies are need.

ACTION: Danny and Rigo, modify charter for this taskforce to require that TF first provide explanation of why signed policies are needed and motivation for this work

APPEL

APPEL is not mentioned in charter despite strong interest from some. There was no consensus on how to move forward for P3P1.1... We don't have a TF but we will accept proposals, otherwise can be considered in P3P2.0 timeframe.

Regularly scheduled teleconference will be 11 am on Wednesdays. We probably will use this time slot every other week, but people are encouraged to reserve this time in their schedules every week and use it for taskforce meetings, etc. Conference calls will start in two weeks.

There will public mailing-list and public group-page. Contact info etc will be on the member-only page.

P3P BEYOND HTTP

What do we want to discuss with Web Services Architecture Group tomorrow?

Lorrie gave an overview and history of our attempts to get the WS folks to pay attention to P3P.

• key points to discuss at meeting:
• binding problem
• traveling problem (data may travel through multiple services with differing policies
• where to put policy? soap, WSDL, etc.
• need liasons

P3P on other things than Web Services..

Lorrie explained the issue identified with XForms that we have not sufficient granularity like xml:lang

COMPACT POLICIES

Accuracy/Expressiveness problems

• what do we mean by accurate?
• could clarify meaning of compact policy in the spec
• problem may not be best called accuracy, but precision
• decisions are being made about risk management
• companies often use worst case scenario
• may still be a problem with full policies
• problem is more difficult with sensitive information (Article 8 in EU directive -- health, financial, political, race, sex, trade union membership)
• trying to make P3P understandable has been difficult to date, making it more granular would make it worse
• general discussion on how user agents handle these issues
• concern about the fact that individuals that individuals choose strong privacy rules without realizing the loss of functionality
• this is why P3P focuses on use and specifically secondary use
• discussion about the term "linked" in the spec. Meant to be based on the intention. We need to clarify this in the spec

*** Agreement if compact policies were as expressive as full policies, it would still not be expressive as some may like, but this should be expressive enough for our needs (Brian reserved the right to question this again down the road)... assuming that we want to keep compact policies

Required attributes

• I, A & O - cookie may be necessary for functionality
• user can't tell the difference between different secondary purposes
• discussion of ways to set different preference to be accepted within the same cookie
• discussion of issues with contractors that have access to cookies
• most privacy issues come on the cookie replay not at cookie collection

ACTION: Lorrie: add issue to Bugzilla to consider modifications to 2.3.2.7 -- could be changed "MAY" to "SHOULD" in order to cover importance of replay -- this should be brought up with the whole group. It is larger than just a compact policy question.

ACTION: lorrie: add issue to Bugzilla on clarifying what we mean by data linked to a cookie

User Agent

• verifying that Web developers aren't just complying with IE6 and not doing full policy or proper compact policy, user agent behavior TF should discuss

ACTION: Lorrie: add Bugzilla issue for UA TF on guidelines for verification that CP site has full policy, complete CP, etc.

Performance issues

• measurement and understanding of where performance hits are taken

Scope problems

• discussions of problems with sites that only have one policy

OTHER DISCUSSION

ACTION: Lorrie: add Bugzilla issue to consider standardizing STATEMENT name attribute based on IBM extension

ACTION: Lorrie: Specify version #s in Bugzilla

Certification

• Can we get a seal program or logo for sites that are compliant?
• Agreement that adoption is the first issue

MEETING WITH LIBERTY ALLIANCE

We met with about a dozen representatives from the Liberty Alliance. They presented their LAP P3P Adaptation proposal V01.

• don't have time to invent from scratch -- need to use something with agreed upon semantics... use P3P as a starting point
• separate activity in parallel with next release but not tied to it

Use case

• service asks for attributes and indicates privacy policy
• attribute provider checks policy against users preferences for attribute in question
• if service provider's policy is equal or stricter than the one defined by user, data is released
• if service provider's policy is less restrictive user is prompted

Privacy policies based on P3P compact policies

Policies describe restrictions related to the use of attribute data

Five different policies that reflect different degrees of strictness

• strict
• cautious
• moderate
• flexible
• casual

Five elements

• purpose, recipient, retention, access, remedies
• mapped these to five policies

WSC = web services consumer

WSP = web services provider - previously collected information and user consent and privacy rules

privacy context = policy for a particular piece of data and transaction for a user = user privacy preference

Liberty folks think 5 levels are needed for interoperability, compact dataflows, etc.?

Lorrie argued that 5 levels are not needed and that idententy service providers could come up with whatever levels they want to offer their users

Joseph Reagle suggested that 5 levels help sites coalese and find a common level facilitating policy making in the market

There may be a potential collision problem when w3c gets around to defining P3P/soap bindings... this should be anticipated and design should avoid problems ... joint note on transferring P3P references with SOAP?

discussion of location vocabulary and privacy policies - work being done at OMA, 3GPP

• how to define location precisely
• how location data will be used

P3P group will continue to provide feedback to Liberty

March 7

The Article 10 issues and UA behavior issues were discussed on a phone conference. Dialing in were Giles Hogben, Marc Langheinrich, and Marty Abrams

ARTICLE 10 VOCABULARY ISSUES

Giles - plans to make detailed report with proposals before June Kiel meeting

ambiguity on cookie processing requirements - set or replay?

• storing a cookie on a users computer is an act of data processing
• maybe offer two choices to WG
• requirement
• EU guideline

notification of user before data processing - to satisfy EU law human-readable portion of policy should be displayed to user before data is processed

• lots of practical and usability issues
• maybe simultaneous display rather than consent
• probably EU guideline

ability to specify jurisdiction

• attribute of recipient element - EU, US safe harbor, non-EU
• concern about regime-specific data element that may need to change as laws change

preference language

• want to highlight as important issue, but are ok waiting to v2
• should discuss at Kiel meeting

USER AGENT BEHAVIOR

• work on user friendly language for P3P vocab elements
• work on other guidelines -- user agents should print P3P policies, etc.

Marty Abrams - layered notices

• highlights notices - convention on things you cover, convention on language
• financial institutions very interested
• short notice would hyperlink to long notice
• relationship between long notice, p3p notice, and highlights notice
• highlights notice has 5 or 6 categories you are capturing info about, context dependent
• more granularity and detail in P3P
• what happens with P3P notice when translating to language for consumers? statement don't always connect in logical way or include full context. No consistency between user agent translations.
• completeness and consumer communication aren't necessarily the same thing
• interested in having P3P user agents link to highlights notice instead of machine translation
• alternatively need to reach a convention on human-readable translation

brooks concerned about scope -- P3P does nice job of binding policies... layered notices are cya

brian - lawyers would get more legalistic in full policy with layered notices

Lorrie - use P3P human-readable fields to provide layered notice

Brooks - not that much legal uncertainty -- regulators say that whatever the users see first you have to live up to so they all have to be consistent

Everyone would benefit from more specific testing of language that makes sense to users

• user agent testing in Europe - Giles, can test our user agent strings, waiting for funding, hopefully will get funding by September
• Microsoft user agent testing - results within next few weeks
• AT&T probably testing in April or May

highlights notice glossary - go box by box and come up with vetted phrases and words that define an item - that group will convene in May

• not everyone will use these terms -- voluntary effort
• consensus that we would like notices group to try to come up with 1 to 1 mapping of highlights notices to p3p vocab elements -- Lorrie will work with them

Other areas for user agent guidelines

• EU-specific guidelines
• printing and saving policies

Microsoft beta 1 is planned for January... they would like guidelines ASAP so that it is possible for them to take them into account for that release... will be very difficult to incorporate changes from WG later

OTHER DISCUSSION

North American outreach: Ari

• US federal government to require P3P
• OMB will issue guidance in April
• workshops for federal agencies
• FTC privacy workshops

WS Policy

Microsoft/IBM/BEA effort (not affiliated with W3C) - still underspecified, but eventually should define bindings that may be helpful in our efforts to define P3P beyond HTTP... political problems due to this work taking place outside W3C

Jeremy had a long list of suggestions

• show the user the difference between a consequence and a value proposition
• maybe two fields?
• maybe structured consequence field?
• add a statement grouping mechanism so that user agents can display related statements together - grouping element is one mechanism to do this, another is to add a group name attribute to the existing STATEMENT element (ebay and windows media player examples)
• add human readable intro section ? not much interest in this
• consider adding human readable explanation strings to all elements that don't currently have them ... generalize long description
• note explaining why we did identified/identifiable, what it means, what linking means, include some examples
• access method or opt-in/opt-out method? we probably don't need that

Jeremy said it is likely that we will see preview of new IE P3P functionality in October when Microsoft shows preview at developer conference

ACTION: Lorrie, add Bugzilla issue to consider expanding definition of consequence field in spec and/or adding structure to consequence field

ACTION: Lorrie, add Bugzilla issue to consider adding a statement grouping mechanism, possible through statement grouping element or group name attribute

ACTION: Lorrie, add Bugzilla issue to consider adding human-readable explanation strings to all elements that don't currently have them, perhaps generalizing LONG-DESCRIPTION

ACTION: Lorrie, add Bugzilla issue to draft statement (perhaps Note) on identified/identifiable, linked, etc.

ACTION: Ari, write first draft of note on identified/identifiable/linked

MEETING WITH WEB SERVICES ARCHITECTURE GROUP

Mike Champion, co-chair WSAG

• focus on big picture ... no specifications, no specifics
• little discussion on privacy

Multiple places where P3P policy (reference) might live

• soap header, discovery, or description layer?
• WSDL? choreography? WS Policy?
• web services may be service to service rather than user to service, does that change anything with respect to P3P?

working together going forward -- first step: collaboration on use cases