The Platform for Privacy Preferences Project is an activity of the World Wide Web Consortium. For brevity, we often refer to the Platform for Privacy Preferences project, activity, products, or specifications as "P3P."* The Platform for Privacy Preferences Project (P3P) enables Web sites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. P3P user agents will allow users to be informed of site practices (in both machine- and human-readable formats) and to automate decision-making based on these practices when appropriate. Thus users need not read the privacy policies at every site they visit.
Although P3P provides a technical mechanism for ensuring that users can be informed about privacy policies before they release personal information, it does not provide a technical mechanism for making sure sites act according to their policies. Products implementing this specification MAY provide some assistance in that regard, but that is up to specific implementations and outside the scope of this specification. However, P3P is complementary to laws and self-regulatory programs that can provide enforcement mechanisms. In addition, P3P does not include mechanisms for transferring data or for securing personal data in transit or storage. P3P may be built into tools designed to facilitate data transfer. These tools should include appropriate security safeguards.
The aim of P3P is to increase user trust and confidence in the Web. The ideas behind the design of this technology were written down in an annex to the Specification called "Guiding Principles".
The Harmonized Vocabulary Working Group specified a vocabulary used for describing Web privacy practices. It was designed to reflect a diversity of privacy laws, self-regulatory norms, and cultural notions about privacy. This vocabulary can be used to express policies ranging from anonymous browsing to the provision of personalized Web content and services.
The P3P Harmonized Vocabulary Specification Public Working Draft was made available on 30 March 98. The Protocol and Data Transport White Paper will be publicly released in May '98, concurrent with the publication of the P3P1.0 Working Draft (from the Syntax and Encoding Working Group) since much of the protocol has been simplified by the latter group.
After the patent issue, the P3P Activity had to cross some troubled water. P3P has a special position within the work of W3C, as it had some unattended problems and treats a particularly complex area (see the related question I.6). Finding a solution was made harder by the complex transatlantic struggle over privacy values. On 11 November 1999, the group issued its Last Call Draft. In the W3C Process, this means that the group is checking dependencies with other W3C technologies and looking for feedback from the public. Taking the extraordinary situation of P3P into account, W3C decided to extend the Last Call period from the usual 6 weeks to 6 months to permit maximum feedback from all stakeholders. After the release of the first public Last Call Draft, the Specification Group received strong feedback from the public. In October 1999, the Policy Outreach Working Group was added to the Activity to deal with the multiple policy implications and to help in the deployment of P3P. Due to the strong feedback, the Working Draft has undergone major changes. The latest Draft is from 4 April 2000 and the next Draft is expected around 24 April 2000.
After checking dependencies and public input during the Last Call period and having cleared all remaining issues, the P3P Specification will be moved to Candidate Recommendation. In this state, W3C is soliciting implementations of the Specification. There will be workshops where implementers can test the interoperability of their products and prototypes. The first interop workshop will be on 21 June 2000 in Manhattan. A second interop workshop will take place in Venice at the end of September during the world meeting of data commissioners. A third interop in Asia is not excluded.
There is interest in future versions of P3P. Much of the current activity within W3C has to address privacy. There are other initiatives within W3C, like CC/PP, the protocol to address device-dependent services for mobile phones and PDAs, or W3C's work on position-dependent services, which will need negotiation and other features in the future to be able to address privacy. There are also many features left out of P3P 1.0 for the sake of faster implementation that could be addressed in a renewed Activity. When the work on XML Signature is finished, this will also enable P3P, as it is written in XML, to address the issue of authenticating a policy issuer. This work would have to be chartered and instantiated according to the W3C process.
Negotiation was removed from the P3P 1.0 Specification. The P3P Specification Working Group felt that the protocol for negotiation and data transfer is far too complex to implement and would hinder a first rapid and widespread implementation and deployment of P3P technology. At the time of the decision, there was not much interest from industry in implementing the data transfer mechanism. Electronic wallets were favored, and there was no initiative to standardize this kind of application. Also, there was a lot of criticism in the US of the data transfer protocol and negotiation, while in Europe the Data Commissioners still want to see negotiation in P3P. The Specification Group therefore decided to postpone further work on negotiation and data transfer to a future version of P3P. See also the page from Daniel La Liberte on the removal of data transfer.
The P3P Activity had more to bear than just the policy implications, which were rather new to a body like W3C. It also had to face the problem that participants of early Working Groups were working on a patent on the same technology. When Intermind Inc. announced its patent claims on P3P technology, the Activity stalled for a moment. W3C spent resources and commissioned an expert opinion on the patent claims from a major patent law firm. In his outline of the result, Barry Rein explained why implementing P3P does not infringe the patent of Intermind Inc. As P3P 1.0 contains neither negotiation nor data transfer, there is nearly no risk of infringement of US Patent 5,862,325.
The P3P Activity suffered from multiple struggles that reinforced each other.
Let's begin with technology. When P3P began, RDF was also just beginning. PICS as a format was not rich enough to express the complex statements about privacy that were needed, but with PICS, W3C had a first experience with a so-called "social protocol". RDF offered the opportunity to allow a much richer vocabulary, but RDF did not yet have Schemas, so the data format of P3P was invented from scratch in its own format. At the moment when everybody felt that P3P was in its final stage, the patent claim of Intermind came as a shock to the Working Groups around P3P and to W3C too. Many active participants stopped their work on P3P because they considered it too risky to continue the project and face claims for royalties or denial of a license afterwards. The Activity around P3P stalled for a while, but not all Members stepped out of the project: IBM, AT&T, NEC, CDT, TRUSTe, Microsoft and American Express continued to support P3P. As W3C is a relatively young standards body, it was the first time it had to face this kind of issue, and it took some time to determine how to handle it. In the meantime, XML was invented and became a hype. Due to the patent issue, the WG was not fast enough to finish before the XML hype, so P3P also had to accommodate this new format and reinvent a lot of things that were already done. (The future will show whether this was good or bad for P3P.)
Additionally, the W3C staff responsible for the Activity kept changing. After Joseph Reagle left P3P to work on XML Signature, Rolf Nelson worked on P3P. When he left W3C, Daniel La Liberte took over. With the help of Lorrie Cranor as a very active chair, the remaining active members and participants, and the strong support of Danny Weitzner, the T-and-S Domain Lead, La Liberte was able to steer the Activity back to new vitality. He left W3C at the beginning of 2000 to join Crystalize, a W3C Member, and continues to be part of the P3P Specification Group. New Team member Rigo Wenning took over and continued the work with two very active Working Groups.
As one can see in the policy section of this FAQ, P3P was in the middle of several political struggles over privacy. First, there was a strong influence of the US battle over the question whether privacy should be regulated by law or by industry-driven self-regulation. Some stakeholders presented P3P as the technology that solves this conflict of interests. Despite several statements by the P3P developers that P3P is only a complementary tool, this was held as a strong critique against P3P. At the same time, P3P was also hit by the conflict between the EU and the US over the transatlantic flow of personal data. The EU Directive on the protection of personal data required adequate protection to let the data flow. "Safe Harbour" is one of the buzzwords in this ongoing struggle. In the changing political environment, the needs expressed to the P3P developers changed as well.
It is very difficult to answer this question briefly. At the beginning, P3P was more oriented towards e-commerce. Over time and with a lot of feedback from outside, P3P changed and was enhanced by contributions from all over the world. From the beginning, the P3P developers came from three continents: America, Europe and Asia. The aim was to provide a platform able to express the values of very different legal and social environments. The first, very ambitious approach of providing a privacy tool with negotiation and automated data transfer was too complicated for rapid deployment, so it was removed. The language for policies was rewritten in XML to provide a simpler interface for people writing policies and to follow the mainstream in e-commerce. Also, at the beginning the idea of better service to users seemed to be the major concern. Following feedback from privacy activists and from the European Commission, there was a shift towards a more balanced vocabulary. In October 1999, the Policy Outreach Group started and gave a lot of feedback on the vocabulary. New features, like the physical address of the service, remedies, retention and other useful features, were added. The active debate between Data Commissioners and privacy activists on one side and people from industry on the other gave a good result and provided a viable solution. The developers also kept a careful eye on ensuring that P3P, especially the data schema, could also be of use for business-to-business applications.
After the end of the Last Call period, the specification is stable, but not yet a Recommendation. When the P3P Specification goes to Candidate Recommendation, W3C will be encouraging implementations. There are already some test implementations based on older Working Drafts and ongoing work on implementing P3P: see Implementation References for a list of known implementations and services related to P3P.
We encourage every interested implementer to contact the P3P Team to participate in one of the planned interops. The first interop will be held on 21 June 2000 in New York. There will be a second interop in Venice in September. We expect implementations from the US, Europe and Japan. We do not believe an incomplete implementation of P3P will satisfy the privacy requirements of the Web community.
A model to have in mind when examining P3P is that it leverages much existing work and that many products and services can be built upon the Platform for Privacy Preferences. P3P is based on RDF/XML. Other products and services can then be built upon P3P. For instance, on top of the Platform, others can offer assurance, auditing services, arbitration or mediation to ensure such privacy statements are valid, or provide help in different models of privacy protection.
APPEL specifies a language for describing collections of preferences regarding P3P proposals between P3P agents. Using this language, a user can express her preferences in a set of preference rules (called a ruleset), which can then be used by her user agent to make automated or semi-automated decisions regarding the exchange of data with P3P-enabled Web sites.
Note: This language is intended as a transmission format; individual implementations must be able to read and write their specifications in this language, but need not use this format internally.
Goals of A P3P Preference Exchange Language
The P3P1.0 specification provides a syntax for specifying proposals and a protocol and associated syntax for exchanging information between the Web site and user agent. It does not specify requirements upon the graphical user interface (GUI) or trust engines. However, there are benefits to being able to express the preferences as captured by the GUI and processed by the trust engine:
This document provides a proposal for options to be considered in the development of a privacy and profiling specification. This document delineates a number of architectural options for the P3P project.
No. W3C is working on P3P. At the start, part of it was influenced by the OPS submission.
As of the date of this document, the following members have been publicly involved with P3P efforts: American Express, America Online, Art Technology Group, AT&T Labs, Center for Democracy and Technology, Citigroup, Digital Equipment Corporation, DISA, DoubleClick, Engage Technologies, Ernst & Young LLP, Firefly Network Inc, IBM, Intermind Corporation, MatchLogic, Microsoft, MIT, Narrowline, NEC, Netscape Communications, Open Market Inc., Open Sesame, Oracle Corporation, Sony, The DMA, TRUSTe, VeriSign and GMD.
Other parties beyond W3C members (invited experts) have been involved in the work of P3P. These participants can be found in the Contributors section of P3P Working Group deliverables. It is worth noting the efforts given to the P3P project by the Office of the Information Privacy Commissioner of Ontario and the Schleswig-Holstein Data Commissioner, who are invited experts.
The Working Group would also like to thank the many contributors who gave feedback on the P3P public mailing list.
While P3P and OPS are somewhat similar, the focus and originating requirement of each technology are different. P3P was initially focused on enabling the expression of privacy practices and preferences. OPS's focus was on the secure storage, transport, and control of user data. It has been clear to the developers of P3P from the beginning that "data exchange" is relevant to P3P. (If a site asks you for a piece of information, they might as well tell you what their practice is.) When OPS was submitted to P3P, P3P members decided to examine OPS and determine how to integrate P3P with data exchange. To put it simply, P3P originally allowed a service and user to reach an explicit understanding about the site's data privacy practices, while OPS allows users to control the release of their data in a secure manner. Today, the whole data transfer protocol has been removed from P3P; see also question I.4.
Cookies have been contentious of late because of the way in which users are prompted to accept cookies, particularly cookies which come from "external" sites. (One site can embed a cookie from another site in its own page.)
The W3C is not working on cookies. However, P3P does include a mechanism that will support some of the functionality sites derive from cookies. This functionality is then under explicit P3P control and has privacy disclosures associated with it. Additionally, P3P contains a "Safe Zone", which does not allow P3P-compliant servers to set a cookie before the client has fetched the privacy policy. User agents could block cookies in the "Safe Zone". See also the question about the "Safe Zone".
A number of efforts are underway at the IETF to give cookies a greater privacy framework, including a new version of the cookie protocol and a proposal for labeling cookies with privacy disclosures.
Embedded content is all the images and other objects that are loaded together with a document (e.g. an HTML page). Normally, the embedded content comes from the same server as the main document. This content can easily be addressed by the so-called "realm" to which a certain policy applies. Things get much more complicated when an author embeds content from a site where he has no control over the privacy policy. A perfect example of this issue is banner ads, which come from a different server than the one serving the HTML page. The policy reference file also allows a statement about this embedded content, if the author of a page has control over the privacy policy that applies to the embedded content. In the absence of control over the embedded content, the user agent will first verify the privacy policy attached to this embedded content by a HEAD request, before requesting the content itself. For this (HEAD) request, the "Safe Zone" applies.
P3P 1.0 uses the normal HTTP 1.1 protocol for the exchange of policies. The matching of policies to preferences takes place on the client. So P3P could be installed on major server implementations like Apache, Jigsaw, Netscape Server or Internet Information Server from Microsoft. The Specification Working Group has developed some guidelines for configuration.
In a distributed system like the World Wide Web, with high network latencies and never enough bandwidth, caching is very important to give acceptable performance to users. In this light, it is important to consider the interaction of P3P with caches in the network. The P3P Specification contains a whole subtree on the subject of caching policies and references. But already in the design of P3P, the group spent a lot of effort on improving performance. With the policy reference file, a server can define for a whole site which policy applies to which "realm" or page. The link to this file can be given in the HTTP header (obtainable with a HEAD request) or by a LINK tag within the header of an HTML page. The use of the LINK tag or HTTP header in conjunction with a policy reference file reduces the amount of transferred data and spares additional round trips.
Categories are attributes of data elements that provide hints to users and user agents as to the intended uses of the data. Categories are vital to making P3P user agents easier to implement and use; they allow users to express more generalized preferences and rules over the exchange of their data. Categories are often included when defining a new element or when referring to data that the user is prompted to type in (as opposed to data stored in the user data repository). Categories themselves are not data elements, but a more generalized description of the set of single data elements that belong to the category. A single data element like user.name.personname can belong to multiple categories at the same time. See the chapter in the Specification for more information.
Through its policy reference file, by defining "realms" in the header of the response, a server can not only define different policies on the same server, but also the same policy for different servers. Defining different policies on the same server can be useful when there are pages that can be browsed where the service doesn't collect any data, and other pages for shopping or feedback, where data is collected and a certain purpose is addressed. One could also imagine that in parts of the server the purpose of data collection differs from another part. All this can be addressed. If there is a huge service with different servers where only one policy applies, this can also be addressed by the reference mechanism provided by P3P 1.0. For more detail, see the reference section in the P3P Specification.
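The discovery and realm-matching mechanism described in the three preceding answers (policy reference file found via the HTTP header or LINK tag, Safe Zone rules for that discovery request, and the separate HEAD check for embedded content from another host) in working code, as an added illustration that is not code from this page or from any P3P implementation. The reference-file syntax, the `P3P: policyref` header and the `rel="P3Pv1"` LINK tag follow the published P3P 1.0 Recommendation (the drafts current when this FAQ was written may differ), and all host names, paths and file contents are constructed.

```python
# Added illustrative code, not from the W3C page or any P3P implementation.
# The reference-file syntax (META / POLICY-REFERENCES / POLICY-REF with
# INCLUDE and EXCLUDE patterns), the "P3P: policyref" response header and
# the rel="P3Pv1" LINK tag follow the published P3P 1.0 Recommendation; the
# drafts current when this FAQ was written may differ. All input is constructed.
import re
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

P3P_NS = "{http://www.w3.org/2001/09/P3Pv1}"

# Constructed response headers and HTML of a page on www.example.com.
SAMPLE_HEADERS = {"Content-Type": "text/html",
                  "P3P": 'policyref="/w3c/p3p.xml"',
                  "Set-Cookie": "session=abc123; Path=/"}
SAMPLE_HTML = '<html><head><link rel="P3Pv1" href="/w3c/p3p.xml"></head></html>'

# Constructed policy reference file: one site-wide policy for browsing, a
# separate policy for the shop, and no policy declared for the feedback CGI.
SAMPLE_REFERENCE_FILE = """<META xmlns="http://www.w3.org/2001/09/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="/w3c/policies.xml#browse">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/shop/*</EXCLUDE>
      <EXCLUDE>/cgi-bin/*</EXCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/w3c/policies.xml#shop">
      <INCLUDE>/shop/*</INCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>"""


def find_policyref(page_url, headers, html):
    """Locate the policy reference file via the P3P header, falling back to
    the LINK tag. Returns an absolute URL, or None if none is advertised."""
    m = re.search(r'policyref\s*=\s*"([^"]+)"', headers.get("P3P", ""))
    if not m:
        m = re.search(r'<link[^>]*rel="P3Pv1"[^>]*href="([^"]+)"', html, re.I)
    return urljoin(page_url, m.group(1)) if m else None


def safe_zone_headers(headers):
    """Request headers for fetching a reference file or policy. In the Safe
    Zone the agent has not yet read a policy, so it withholds cookies and
    other identifying headers from that request."""
    return {k: v for k, v in headers.items()
            if k.lower() not in ("cookie", "referer", "authorization")}


def _pattern_matches(pattern, path):
    # '*' in an INCLUDE/EXCLUDE pattern stands for any run of characters.
    regex = "^" + ".*".join(map(re.escape, pattern.split("*"))) + "$"
    return re.match(regex, path) is not None


def resolve_policy(reference_url, reference_xml, url):
    """Return the policy URI that applies to `url`, or None if none is
    declared. The reference file speaks only for its own host: content from
    another host (e.g. a banner ad) needs its own HEAD-request check."""
    if urlsplit(reference_url).netloc != urlsplit(url).netloc:
        return None
    path = urlsplit(url).path or "/"
    for pref in ET.fromstring(reference_xml).iter(P3P_NS + "POLICY-REF"):
        included = [e.text for e in pref.findall(P3P_NS + "INCLUDE")]
        excluded = [e.text for e in pref.findall(P3P_NS + "EXCLUDE")]
        # An EXCLUDE overrides any matching INCLUDE of the same POLICY-REF.
        if any(_pattern_matches(p, path) for p in included) and \
                not any(_pattern_matches(p, path) for p in excluded):
            return urljoin(reference_url, pref.get("about"))
    return None
```

A URL that resolves to None is one the site declares no policy for, which a cautious user agent treats like the Safe Zone rather than as permission.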
As we have seen in question II.13, P3P has very flexible means to address the range of pages and servers covered by a policy. In addition, policies identify the data recipients and make a variety of other disclosures, including information about dispute resolution and the address of a site's human-readable privacy policy. P3P policies must cover all relevant data elements and practices (but note that legal issues regarding law enforcement demands for information are not addressed by this specification; it is possible that a site that otherwise abides by its policy of not redistributing data to others may be required to do so by force of law). P3P declarations are positive, meaning that sites state what they do, rather than what they do not do.
The P3P specification does not directly address opt-out. We do have a change_preferences field in our public Working Draft. In general, many companies offer individuals an opportunity to opt out of certain types of uses of their data. For example, a company may allow you to opt out of having your name included on their mailing list. Whether your name is actually erased entirely from their database depends on the company. If you are a customer, they will probably keep your name so that they have a record of whatever transactions you have done with them. You may find additional information about opt-out on the Online Privacy Alliance web site at http://www.privacyalliance.org/
Software already exists that is designed to minimize the data your client transfers to a server. Such tools can also supply false information and pass it to a server. Another approach is to use different pseudonyms for the purpose of surfing. P3P addresses only a minor part of this by specifying a "Safe Zone" in which a P3P-compliant server should gather only a minimum of information about a client, e.g. the IP address to prevent malicious attacks, and should not retain that IP address for long.
By reducing the complexity of human-readable privacy policies into a machine-readable format, P3P allows experts like self-regulation bodies and data commissioners to transport their knowledge as software or as policies and preferences over the net. Ideally, the complexity for businesses of complying with and following fair privacy practices will decrease too through the use of P3P.
By specifying a common format for data and vocabulary, a user agent could trace where a user has left data and for what purpose, which increases the possibility of data self-determination. At the same time, the common extensible XML-based data format will decrease transformation costs for business. By specifying a machine-readable privacy language, privacy values and preferences can be included in databases, thus enabling business to better respect users' preferences or legal requirements. In order to deploy P3P-based technology, it is useful to create a model for a win/win situation for users and business.
P3P is definitely not a technology that replaces all current Privacy Enhancing Technologies (PETs). But its scope and way of addressing privacy differ from the currently known software, which tries to limit the amount of data a server can retrieve, or fakes that data. These blocking tools, as they could be called, only address the issue of hidden and unnotified collection of data. P3P goes far beyond that. When doing e-commerce, especially in the business-to-consumer area, sometimes a user must give his data to receive a service or a good. One could also imagine cases where the user wants to give his data away for better service. But must this be the end of privacy? Can this data then be used freely, because it is out? A blocking tool doesn't help in this context. With P3P, it is possible to express the further use of this data and, naturally, the limitations of that use. But remember, P3P doesn't guarantee that the service behind the policy does what it announced it would do with your data. Blocking tools are still very useful to prevent unnoticed collection of data. The two could be combined in a P3P-enabled user agent.
While the following questions are often cast from the perspective of Europe, they could equally apply to any jurisdiction. Use of P3P on its own does not constitute compliance with the Data Directive; however, P3P can be an important part of Directive compliance for Web services.
__
* In the past the Platform for Privacy Preferences Project was referred to as "P3." Due to alleged trademark infringement we decided to move to P3P™. P3P is free of competing claims and MIT is filing an application for US registration. We advise members and the press who reference the project to use the acronym P3P in their press releases or literature.