Minutes of the P3P Specification Working Group Face to Face Meeting 6-7
March 2003 Cambridge, MA
(thanks to Rigo Wenning and Ari Schwartz for contributing their notes)
Present
- Lorrie Cranor, AT&T Labs-Research
- Jack Humphrey, Coremetrics
- Brooks Dobbs, Doubleclick
- Ari Schwartz, CDT
- Jeremy Epling, Microsoft
- Matthias Schunter, IBM
- Brian Zwit, Integrity Insurance, AOL
- Danny Weitzner, T-and-S Domain Leader, W3C
- Rigo Wenning, Privacy Activity Lead, W3C
- Helena Lindskog, Ericsson
March 6
INTRODUCTIONS AND DISCUSSION OF THE AGENDA
All present introduced themselves. As part of his introduction, Matthias
Schunter made the following announcement: We are pleased to announce the
first public version of the IBM Enterprise Privacy Authorization Language
(EPAL). You can find the language specification and XML schema at http://www.zurich.ibm.com/security/enterprise-privacy/epal
We are working on WS-Privacy together with Microsoft, want to keep P3P out
of the B2B area. Want to have some enterprise language that should be compatible
with P3P.
Danny gave some history related to the Liberty Alliance in preparation for
our discussion with them later.
- Liberty has notion of rights expression language, they have a gap and
need something to fill it
- attribute sharing
- packages of privacy practices/profiles? high/medium/low
- looking for something easier to implement than P3P
- P3P gives them a level of policy legitimacy in Europe
CHARTER AND TASKFORCES
The P3P 1.1 charter is being voted on by the membership. We hope to hear that
it is approved in the next few weeks. We are currently operating under the
assumption that it is likely to be approved with minor changes.
The deliverables in the charter are based on the discussion at the
workshop last fall. They include items that reflect a strong consensus that
these are things we should do as well as items with less support where
someone just said he would do it.
We will have task-forces. Those TF will bring up the first draft and it
will be discussed in the WG. Timeline in the deliverable session: Lorrie
announced that she will enforce the timeline strictly. Everything that
doesn't make it in the timeline will be considered for P3P 2.0 (pending
charter of that working group).
The W3C's public Bugzilla will be the thing to be used for tracking
issues instead of our old issues list. Please register with Bugzilla at
http://www.w3.org/Bugs/
Spec clarifications and items not covered by a specific taskforce will be
covered by the working group as a whole. An individual should raise the issue
and make a specific proposal.
Brian was interested in working on clarifying what a P3P policy means in
the spec. He and Danny volunteered to draft a proposal.
ACTION: Brian & Danny: Create a proposal for clarification of what a
P3P policy means
If we have a lot of clarifications and corrections before we are ready to
put out the P3P 1.1 spec we may put out a corrected version of the P3P 1.0
spec. In the meantime we will update the errata page.
P3P Beyond HTTP taskforce:
- volunteers: Danny Weitzner, Marc Langheinrich, John Morris (volunteered
by Ari), Matthias Schunter
- this taskforce still needs a chair... Danny suggested that Joseph
Reagle may be a possible chair
- TF will look at SOAP and WS, also independent P3P binding and other
things like jabber, IRC, mail, etc.
- Matthias is concerned about P3P turning into an enforcement language,
wants to distinguish between consumer notice and enterprise
enforcement
ACTION: Danny to ask Joseph Reagle if he will chair this taskforce
ACTION: Matthias to draft proposed modification to P3P Beyond HTTP
taskforce description in draft charter and submit it with IBM ballot
User Agent Behavior taskforce
- volunteers: Brian Zwit, Ari Schwartz, Jeremy Epling, Brooks Dobbs,
Lorrie Cranor, Diana Alonso-Blas (volunteered by Rigo), David Stampley
(volunteered by Lorrie)
- nobody has volunteered to chair, Lorrie may chair this TF
- TF may propose guidelines or requirements
- Microsoft is opposed to this TF coming up with mandatory spec
components but supports guidelines
- will work on guidelines for wording of P3P vocab elements as well as
other aspects of UA behavior (for example, allow policies to be saved and
printed)
ACTION: Jeremy and Brian: deliver wording for P3P vocab elements from IE
and Netscape
Compact Policies taskforce
- Brian Zwit volunteered to chair
- volunteers: Brooks Dobbs, Jack Humphrey, Jeremy Epling, Helena
Lindskog
- first step is to get empirical data on performance issues related to
CPs and do evaluation of tradeoffs
Article 10 taskforce
- Giles Hogben volunteered to chair
- volunteers: Jeremy Epling, Diana Alonso-Blas, Rigo Wenning
- Casper Bowden (Microsoft) had previously expressed interest in
participating
Agent and Domain Relationships taskforce
- Jack Humphrey volunteered to chair
- volunteers: Brian Zwit, Brooks Dobbs, Matthias Schunter
- Rigo suggested asking Mark Nottingham to participate
- will look at how to deal with third parties.. How to say: I am the
agent working for this site...
- closely tied to compact policies
Consent Choices taskforce
- Matthias Schunter volunteered to chair
- Lorrie will participate
- Have more statements and group them and opt-out opt-in in a package. It
is pretty similar to naming statements.
XML Schema taskforce
- Giles Hogben volunteered to chair
- Jack volunteered to review
- Rigo suggested that Massimo should be involved
Signed P3P Policies taskforce
- Giles Hogben volunteered to chair
- some people unclear on why signed policies are needed.
ACTION: Danny and Rigo, modify charter for this taskforce to require that
TF first provide explanation of why signed policies are needed and motivation
for this work
APPEL
APPEL is not mentioned in charter despite strong interest from some. There
was no consensus on how to move forward for P3P1.1... We don't have a TF but
we will accept proposals, otherwise can be considered in P3P2.0 timeframe.
Regularly scheduled teleconference will be 11 am on Wednesdays. We
probably will use this time slot every other week, but people are encouraged
to reserve this time in their schedules every week and use it for taskforce
meetings, etc. Conference calls will start in two weeks.
There will be a public mailing list and a public group page. Contact info etc.
will be on the member-only page.
P3P BEYOND HTTP
What do we want to discuss with Web Services Architecture Group
tomorrow?
Lorrie gave an overview and history of our attempts to get the WS folks to
pay attention to P3P.
- key points to discuss at meeting:
- binding problem
- traveling problem (data may travel through multiple services with
differing policies)
- where to put policy? soap, WSDL, etc.
- need liaisons
P3P on other things than Web Services..
Lorrie explained the issue identified with XForms that we have not
sufficient granularity like xml:lang
COMPACT POLICIES
Accuracy/Expressiveness problems
- what do we mean by accurate?
- could clarify meaning of compact policy in the spec
- problem may not be best called accuracy, but precision
- decisions are being made about risk management
- companies often use worst case scenario
- may still be a problem with full policies
- problem is more difficult with sensitive information (Article 8 in EU
directive -- health, financial, political, race, sex, trade union
membership)
- trying to make P3P understandable has been difficult to date, making it
more granular would make it worse
- general discussion on how user agents handle these issues
- concern about the fact that individuals choose strong
privacy rules without realizing the loss of functionality
- this is why P3P focuses on use and specifically secondary use
- discussion about the term "linked" in the spec. Meant to be based on
the intention. We need to clarify this in the spec
*** Agreement: if compact policies were as expressive as full policies, it
would still not be as expressive as some may like, but this should be expressive
enough for our needs (Brian reserved the right to question this again down
the road)... assuming that we want to keep compact policies
Required attributes
- I, A & O - cookie may be necessary for functionality
- user can't tell the difference between different secondary purposes
- discussion of ways to set different preference to be accepted within
the same cookie
- discussion of issues with contractors that have access to cookies
- most privacy issues come on the cookie replay not at cookie
collection
ACTION: Lorrie: add issue to Bugzilla to consider modifications to 2.3.2.7
-- could be changed "MAY" to "SHOULD" in order to cover importance of replay
-- this should be brought up with the whole group. It is larger than just a
compact policy question.
ACTION: Lorrie: add issue to Bugzilla on clarifying what we mean by data
linked to a cookie
User Agent
- verifying that Web developers aren't just complying with IE6 and not
doing full policy or proper compact policy, user agent behavior TF should
discuss
ACTION: Lorrie: add Bugzilla issue for UA TF on guidelines for
verification that CP site has full policy, complete CP, etc.
Performance issues
- measurement and understanding of where performance hits are taken
Scope problems
- discussions of problems with sites that only have one policy
OTHER DISCUSSION
ACTION: Lorrie: add Bugzilla issue to consider standardizing STATEMENT
name attribute based on IBM extension
ACTION: Lorrie: Specify version #s in Bugzilla
Certification
- Can we get a seal program or logo for sites that are compliant?
- Agreement that adoption is the first issue
MEETING WITH LIBERTY ALLIANCE
We met with about a dozen representatives from the Liberty Alliance. They
presented their LAP P3P Adaptation proposal V01.
- don't have time to invent from scratch -- need to use something with
agreed upon semantics... use P3P as a starting point
- separate activity in parallel with next release but not tied to it
Use case
- service asks for attributes and indicates privacy policy
- attribute provider checks policy against users preferences for
attribute in question
- if service provider's policy is equal or stricter than the one defined
by user, data is released
- if service provider's policy is less restrictive user is prompted
Privacy policies based on P3P compact policies
Policies describe restrictions related to the use of attribute data
Five different policies that reflect different degrees of strictness
- strict
- cautious
- moderate
- flexible
- casual
Five elements
- purpose, recipient, retention, access, remedies
- mapped these to five policies
WSC = web services consumer
WSP = web services provider - previously collected information and user
consent and privacy rules
privacy context = policy for a particular piece of data and transaction
for a user = user privacy preference
Liberty folks think 5 levels are needed for interoperability, compact
dataflows, etc.?
Lorrie argued that 5 levels are not needed and that identity service
providers could come up with whatever levels they want to offer their
users
Joseph Reagle suggested that 5 levels help sites coalesce and find a common
level facilitating policy making in the market
There may be a potential collision problem when w3c gets around to
defining P3P/soap bindings... this should be anticipated and design should
avoid problems ... joint note on transferring P3P references with SOAP?
discussion of location vocabulary and privacy policies - work being done
at OMA, 3GPP
- how to define location precisely
- how location data will be used
P3P group will continue to provide feedback to Liberty
March 7
The Article 10 issues and UA behavior issues were discussed on a phone
conference. Dialing in were Giles Hogben, Marc Langheinrich, and Marty
Abrams
ARTICLE 10 VOCABULARY ISSUES
Giles - plans to make detailed report with proposals before June Kiel
meeting
ambiguity on cookie processing requirements - set or replay?
- storing a cookie on a user's computer is an act of data processing
- maybe offer two choices to WG
- requirement
- EU guideline
notification of user before data processing - to satisfy EU law
human-readable portion of policy should be displayed to user before data is
processed
- lots of practical and usability issues
- maybe simultaneous display rather than consent
- probably EU guideline
ability to specify jurisdiction
- attribute of recipient element - EU, US safe harbor, non-EU
- concern about regime-specific data element that may need to change as
laws change
preference language
- want to highlight as important issue, but are ok waiting to v2
- should discuss at Kiel meeting
USER AGENT BEHAVIOR
- work on user friendly language for P3P vocab elements
- work on other guidelines -- user agents should print P3P policies,
etc.
Marty Abrams - layered notices
- highlights notices - convention on things you cover, convention on
language
- financial institutions very interested
- short notice would hyperlink to long notice
- relationship between long notice, p3p notice, and highlights notice
- highlights notice has 5 or 6 categories you are capturing info about,
context dependent
- more granularity and detail in P3P
- what happens with P3P notice when translating to language for
consumers? statements don't always connect in logical way or include full
context. No consistency between user agent translations.
- completeness and consumer communication aren't necessarily the same
thing
- interested in having P3P user agents link to highlights notice instead
of machine translation
- alternatively need to reach a convention on human-readable
translation
Brooks concerned about scope -- P3P does nice job of binding policies...
layered notices are cya
Brian - lawyers would get more legalistic in full policy with layered
notices
Lorrie - use P3P human-readable fields to provide layered notice
Brooks - not that much legal uncertainty -- regulators say that whatever
the users see first you have to live up to so they all have to be
consistent
Everyone would benefit from more specific testing of language that makes
sense to users
- user agent testing in Europe - Giles, can test our user agent strings,
waiting for funding, hopefully will get funding by September
- Microsoft user agent testing - results within next few weeks
- AT&T probably testing in April or May
highlights notice glossary - go box by box and come up with vetted phrases
and words that define an item - that group will convene in May
- not everyone will use these terms -- voluntary effort
- consensus that we would like notices group to try to come up with 1 to
1 mapping of highlights notices to p3p vocab elements -- Lorrie will work
with them
Other areas for user agent guidelines
- EU-specific guidelines
- printing and saving policies
Microsoft beta 1 is planned for January... they would like guidelines ASAP
so that it is possible for them to take them into account for that release...
will be very difficult to incorporate changes from WG later
OTHER DISCUSSION
North American outreach: Ari
- US federal government to require P3P
- OMB will issue guidance in April
- workshops for federal agencies
- FTC privacy workshops
WS Policy
Microsoft/IBM/BEA effort (not affiliated with W3C) - still underspecified,
but eventually should define bindings that may be helpful in our efforts to
define P3P beyond HTTP... political problems due to this work taking place
outside W3C
Jeremy had a long list of suggestions
- show the user the difference between a consequence and a value
proposition
- maybe two fields?
- maybe structured consequence field?
- add a statement grouping mechanism so that user agents can display
related statements together - grouping element is one mechanism to do
this, another is to add a group name attribute to the existing STATEMENT
element (ebay and windows media player examples)
- add human readable intro section -- not much interest in this
- consider adding human readable explanation strings to all elements that
don't currently have them ... generalize long description
- note explaining why we did identified/identifiable, what it means, what
linking means, include some examples
- access method or opt-in/opt-out method? we probably don't need that
Jeremy said it is likely that we will see preview of new IE P3P
functionality in October when Microsoft shows preview at developer
conference
ACTION: Lorrie, add Bugzilla issue to consider expanding definition of
consequence field in spec and/or adding structure to consequence field
ACTION: Lorrie, add Bugzilla issue to consider adding a statement grouping
mechanism, possibly through statement grouping element or group name
attribute
ACTION: Lorrie, add Bugzilla issue to consider adding human-readable
explanation strings to all elements that don't currently have them, perhaps
generalizing LONG-DESCRIPTION
ACTION: Lorrie, add Bugzilla issue to draft statement (perhaps Note) on
identified/identifiable, linked, etc.
ACTION: Ari, write first draft of note on
identified/identifiable/linked
MEETING WITH WEB SERVICES ARCHITECTURE GROUP
Mike Champion, co-chair WSAG
- focus on big picture ... no specifications, no specifics
- little discussion on privacy
Multiple places where P3P policy (reference) might live
- soap header, discovery, or description layer?
- WSDL? choreography? WS Policy?
- web services may be service to service rather than user to service,
does that change anything with respect to P3P?
working together going forward -- first step: collaboration on use
cases
Author: Lorrie Cranor
Last update $Date: 2003/03/14 19:53:14 $ by $Author: rigo $