Technology and Society Domain P3P

Removing Data Transfer from P3P

Draft version: 1999.09.21

The P3P Specification Working Group has recently decided to remove built-in support for a data transfer mechanism from working draft documents. Note that the public draft of Aug 26, 1999 still includes this mechanism. The data transfer mechanism would be invoked after a client accepts a P3P policy proposal sent by a server. The proposal lists the privacy policies that the server promises to keep regarding an explicit list of data types. At that time, the client would retrieve the requested data from a repository or request it from the user, and then this data would be sent to the server via a subsequent request by the client for a resource covered by the privacy policy.

The WG decided to remove this built-in data transfer mechanism and thus leave data transfer to external mechanisms not specified by P3P. Some form of data transfer will still be needed, and any such transfer should be covered by privacy policies; that, after all, was the initial motivation for P3P.

The main disadvantage of removing this standardized data transfer mechanism is that users may be required to repeatedly enter the same data, once for each service that wants it. It was felt that providing a standardized mechanism for requesting data from a user, storing it in a local repository, and transferring it to servers who agree to the user's privacy preferences would be a huge benefit to users, both in time savings and privacy assurance. In turn, services would benefit by having easier access to such data.

But recently the working group became aware that very few services which rely on obtaining user data for their business had planned to use the proposed P3P data transfer mechanism. Instead, they generally prefer to use the currently available HTML FORM fill-out or a proprietary mechanism such as "electronic wallets". The current specification allows P3P policies to cover such external data transfer mechanisms in any case, although more work is needed to specify how such mechanisms would interface with P3P software components on the client and server. Since we must support this interface to external mechanisms, and since there is a lack of demand for a built-in mechanism, the working group felt we should spend our time on other issues.

Furthermore, the working group grew increasingly concerned over a number of technical issues. A general purpose mechanism should ideally support simple and structured data types, extensibility for new data types, internationalization of text data, security and non-repudiability of data transfer, and the transfer of potentially large amounts of data. Another area of technical problems concerns when the data is transferred: the current protocol lacks the ability for the server to request data only when it needs it rather than when the proposal is sent to the client, or for the client to update data after having sent it the first time. Some data may need to be updated frequently, such as the physical location of a mobile user. Many of these technical issues are several steps removed from the central focus of the group on privacy policy, and thus it was felt these issues would be better addressed by other working groups.

Some critics of P3P have feared that a data transfer mechanism built in to P3P could lead to breaches of privacy rights, either a) because faulty implementations might allow data transfers without adequate user agreement, or b) because web services might cause data transfer to occur in a manner contrary to their stated privacy policies. Whether or not P3P includes a data transfer mechanism, it will be the responsibility of those who collect data to do so in a manner that complies with privacy policies declared through P3P and consistent with any other existing legal constraints.

Given all these reasons for removing the data transfer mechanism from P3P, and a lack of strong interest for keeping it, the P3P Specification Working Group has decided to proceed with the removal. The P3P specification drafts will also be augmented to further specify how external data transfer mechanisms may interface with P3P preference matching mechanisms.
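The following is an added illustration, not code from the working group or from any P3P implementation, of how a client-side preference matcher can still gate an external transfer mechanism such as an HTML form, which bears on both the implementation concern raised above (data released without adequate user agreement, or outside the declared policy) and the interface between external mechanisms and preference matching. The proposal and preference shapes, the dotted data-element names, the purpose and retention vocabulary, and the assumption that a service declares which data element each form field carries are all assumptions of this example and do not follow the working-draft syntax. The release step fails closed: if a form asks for any element the accepted proposal does not cover, nothing is released.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    """A simplified P3P policy proposal as a server might send it.

    The field names and dotted data-element names are assumptions for this
    example; they follow the flavour of the drafts but not their syntax.
    """
    service: str
    elements: frozenset      # data elements the service asks for
    purposes: frozenset      # declared purposes of collection
    retention: str           # declared retention practice


@dataclass(frozen=True)
class Preferences:
    """The user's privacy preferences, also an assumed shape."""
    allowed_purposes: frozenset
    forbidden_retention: frozenset
    never_release: frozenset  # elements never released automatically


def evaluate(proposal: Proposal, prefs: Preferences) -> tuple:
    """Preference matching: decide whether the proposal is acceptable.

    Returns (accepted, reasons); reasons is empty when accepted.
    """
    reasons = []
    disallowed = proposal.purposes - prefs.allowed_purposes
    if disallowed:
        reasons.append("purposes not allowed: " + ", ".join(sorted(disallowed)))
    if proposal.retention in prefs.forbidden_retention:
        reasons.append("retention not allowed: " + proposal.retention)
    blocked = proposal.elements & prefs.never_release
    if blocked:
        reasons.append("elements never released: " + ", ".join(sorted(blocked)))
    return (not reasons), reasons


def fill_form(proposal: Proposal, accepted: bool,
              form_fields: dict, repository: dict) -> dict:
    """Fill an HTML form (the external transfer mechanism) from the local
    repository, releasing only elements the accepted proposal covers.

    form_fields maps the form's input names to the data element each carries;
    that the service declares this mapping is an assumption of the example.
    A field outside the accepted proposal fails the whole transfer rather
    than leaking a single element.
    """
    if not accepted:
        raise PermissionError("proposal was not accepted; nothing released")
    uncovered = {name for name, elem in form_fields.items()
                 if elem not in proposal.elements}
    if uncovered:
        raise PermissionError("form asks for data outside the accepted "
                              "proposal: " + ", ".join(sorted(uncovered)))
    # Elements absent from the repository are left for the user to type in.
    return {name: repository[elem] for name, elem in form_fields.items()
            if elem in repository}


# Constructed sample data so the example runs stand-alone.
REPOSITORY = {
    "user.name.given": "Alice",
    "user.home.postal.city": "Cambridge",
    "user.home.telecom.telephone": "+1 617 555 0100",
}

PREFS = Preferences(
    allowed_purposes=frozenset({"current", "develop"}),
    forbidden_retention=frozenset({"indefinitely"}),
    never_release=frozenset({"user.home.telecom.telephone"}),
)

GOOD_PROPOSAL = Proposal(
    service="shop.example",
    elements=frozenset({"user.name.given", "user.home.postal.city"}),
    purposes=frozenset({"current"}),
    retention="no-retention",
)

BAD_PROPOSAL = Proposal(
    service="tracker.example",
    elements=frozenset({"user.name.given", "user.home.telecom.telephone"}),
    purposes=frozenset({"current", "telemarketing"}),
    retention="indefinitely",
)

ORDER_FORM = {"fname": "user.name.given", "city": "user.home.postal.city"}
GREEDY_FORM = {"fname": "user.name.given", "phone": "user.home.telecom.telephone"}


if __name__ == "__main__":
    ok, why = evaluate(GOOD_PROPOSAL, PREFS)
    print("good proposal accepted:", ok, why)
    print("order form filled:", fill_form(GOOD_PROPOSAL, ok, ORDER_FORM, REPOSITORY))
    ok, why = evaluate(BAD_PROPOSAL, PREFS)
    print("bad proposal accepted:", ok, why)
    try:
        fill_form(GOOD_PROPOSAL, True, GREEDY_FORM, REPOSITORY)
    except PermissionError as err:
        print("greedy form refused:", err)
```

The point of separating evaluate from fill_form is that acceptance of a policy and release of data are distinct steps, and the second must re-check coverage against the first: a form that quietly asks for one more field than the accepted proposal listed is exactly the "contrary to stated policy" case, and a client that trusts the form alone would hand the data over.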

Comments are invited regarding these issues and our decision. Please write to

Daniel LaLiberte
Last modified: Tue Sep 21 10:50:21 EDT 1999