The Platform for Privacy Preferences Project (P3P) is an emerging industry standard that enables web sites to express their privacy practices in a standardized format that can be automatically retrieved and interpreted by user agents. The goal is to help users be informed about web site practices by simplifying the process of reading privacy policies. With P3P, users need not read the privacy policies at every site they visit; instead, key information about what data is collected by a web site can be automatically conveyed to a user, and discrepancies between a site's practices and the user's preferences can be automatically flagged. The goal of P3P is to increase user trust and confidence in the Web.
Although P3P provides a technical mechanism for helping inform users about privacy policies before they release personal information, it does not provide a mechanism for ensuring sites act according to their policies. Products implementing the P3P specification may provide assistance in that regard, but that is up to specific implementations and beyond the scope of the specification. P3P is intended to be complementary to both legislative and self-regulatory programs that can help enforce web site policies. In addition, while P3P does not include mechanisms for transferring or securing personal data, it can be built into tools designed to facilitate data transfer.
P3P is an activity of the World Wide Web Consortium (W3C). For brevity, we often refer to activities, specifications, and products related to the Platform for Privacy Preferences Project as "P3P."*
The P3P specification is currently a W3C proposed recommendation. The W3C membership has until February 25 to vote on this specification.
A large number of W3C member organizations have been involved with P3P efforts, including: Akamai, America Online, AT&T, Center for Democracy and Technology, Citigroup, Crystaliz, Direct Marketing Association, Electronic Network Consortium, GMD, Hewlett Packard, IBM, IDcide, Independent Centre for Privacy Protection Schleswig-Holstein, International Security, Trust, and Privacy Alliance, Internet Alliance, Jotter Technologies Inc., Microsoft, NCR, NEC, Netscape, Nokia, Phone.com, TRUSTe. In addition, a number of parties from outside the consortium have been involved in P3P. Several data commissioner offices have contributed time and energy to the P3P project, including the Office of the Information and Privacy Commissioner of Ontario. A list of participants can be found in the contributors section of the P3P specification. In addition, many individuals provided feedback on the P3P public mailing list.
A list of known implementations and services related to P3P is available at the W3C web site.
In the summer of 1998, the P3P working groups were informed that Intermind, Inc., claimed to hold a patent that directly related to P3P. At that time, Intermind proposed licensing terms that would have required users of P3P-related technologies to pay royalties to the company. Work on P3P slowed during this period while the merits of Intermind's claim were investigated. W3C asked a major patent-law firm to analyze the claim. On 27 October 1999, Barry Rein et al. from the law firm Pennie & Edmonds released their assessment of the patent claim. Their analysis concluded that there was no risk of patent infringement. Since then, Intermind, which has changed its name to OneName, has indicated that even if P3P-related technologies were to overlap with their patent, no royalties would be assessed. In a letter to Lorrie Cranor, chair of the P3P specification WG, OneName wrote:
As a result of these changes [to our business plan], we can now assure you that, in spite of positions that Intermind may have taken in the past, OneName has no intention of charging a royalty or preventing the use of this technology by the P3P project.
Thus, no patent conflicts are currently faced by or expected for P3P.
It is true that P3P has taken an unusually long time to reach its current status. There are several reasons for this delay, but the main reason has been the need to include a wide range of players. From its inception P3P was envisioned as a specification with a social purpose. The P3P process has been deliberative and thoughtful. W3C and the P3P working groups have actively solicited comments from all interested parties and have even proactively contacted others from across the spectrum and across the globe. We have sought out and engaged critics on all sides. We believe that doing so is critical to P3P's success, and will continue to do so in the next stages of P3P. This outreach has taken time and effort.
Other major causes for delay were dependencies on other technical developments. The P3P specification had to be reworked to properly use or interact with RDF, XML Schemas, and other specifications that were developed in parallel with P3P. The patent concerns around P3P also caused implementers and participants to be hesitant about the process.
Negotiation has been removed from the P3P 1.0 Specification. Following a face-to-face meeting in October 1999, the P3P working group felt that negotiation and data-transfer would be too complex to implement in this version of P3P and would hinder widespread deployment of the standard. At the time of the decision there was not much interest from the industry in implementing the data-transfer mechanism. In addition, there was disagreement about the desirability of including data-transfer protocols. See also Daniel LaLiberte's notes on the removal of data-transfer.
No, there is interest in future versions of P3P. Many activities within the W3C touch on privacy in some way; for example, initiatives such as CC/PP and XML Signatures will likely have close ties to P3P in the future.
Also, the P3P Specification Working Group removed significant sections from earlier drafts of the P3P 1.0 specification in order to facilitate rapid implementation and deployment of this first version of P3P. The group envisions the release of future versions of the specification after P3P 1.0 is deployed. These revisions would likely include improvements based on feedback from implementation and deployment experience as well as four major components that were part of the original P3P vision but not included in P3P 1.0:
XML stands for the Extensible Markup Language. XML is a language for encoding information in a format that is easy to transfer across the World Wide Web. Web sites that use P3P encode their privacy policies in an XML format.
APPEL (A P3P Preferences Exchange Language) is a W3C working draft that specifies a language for describing sets of preferences about P3P policies. Using this language, a user can express her preferences in a set of preference rules (called a ruleset), which can then be used by her user agent to make automated or semi-automated decisions regarding the exchange of data with P3P-enabled web sites. Primarily, we envision this language will be used to allow users to import preference rulesets created by other parties and to transport their own ruleset files between multiple user agents. We do not expect end users to learn the APPEL language or use it to create rulesets directly.
HTML pages often contain links to other resources that are directly embedded in the page, such as images, sounds, layers or frames. Thus, in order to render the page, user agents need to make additional requests that might or might not be covered by the policy in effect for the page that is currently laid out. It is usually not apparent to users when Web pages may be covered by multiple privacy policies. However, a P3P user agent can detect when different policies apply to different objects on a page, and can fetch and review each of these policies.
No. P3P 1.0 uses the normal HTTP 1.1 protocol for the exchange of policies, and the matching of policies to user preferences takes place on the client side. Thus, P3P can be enabled on Web sites that use any HTTP server. Web sites can implement P3P 1.0 on their servers by translating their human-readable privacy policies into P3P syntax and configuring their servers to identify the location of the P3P policy.
P3P policies can be referenced in three different ways. It is expected that many server administrators will employ policy reference files in a well-known location to simplify web site administration. To do this, a policy reference file (p3p.xml) would need to be placed in a directory called /w3c, where /w3c is located under the root directory. A user agent could then request this file by using an HTTP GET request for the resource /w3c/p3p.xml. Alternatively, servers may be configured to insert a P3P header into an HTTP response to indicate the location of a site's P3P policy, or they can be configured to insert this information into HTML content as a LINK tag.
In most cases, the first time a user visits a Web site, their browser will have to make one or two additional requests in order to locate and fetch the P3P policy. These requests may impose some minimal latency; however, the delay caused by this should usually be less than the delay from fetching a single image in a Web page. Subsequent requests to the same site will usually not incur any additional latency due to P3P, as long as the site's policy has not expired.
Yes, P3P-enabled Web sites use their policy reference files to indicate the parts of their site to which each P3P policy applies. They may create one policy for their entire site, or multiple policies that each apply to different parts of their site. Companies that have many Web servers may also create a single P3P policy that applies to some or all of their servers.
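The three discovery mechanisms described above (well-known location, P3P header, LINK tag) and the scoping of a policy to parts of a site through the policy reference file, worked through as an added example written for this FAQ, not code from W3C or any P3P implementation. The concrete syntax (`policyref="..."` in the header, `rel="P3Pv1"` on the link, `POLICY-REF` with `INCLUDE`/`EXCLUDE` patterns where `*` is the only wildcard) is taken from the P3P 1.0 specification and is an assumption here, as are the first-match rule across `POLICY-REF` elements and all sample headers, HTML and XML, which are constructed.

```python
"""Added example (not the W3C's code): how a P3P user agent can locate a site's
policy reference file and decide which policy covers a request.  Wire syntax is
assumed from the P3P 1.0 spec: GET /w3c/p3p.xml; header P3P: policyref="...";
<link rel="P3Pv1" href="...">; <POLICY-REF about="..."> with INCLUDE/EXCLUDE."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin
import xml.etree.ElementTree as ET

WELL_KNOWN = "/w3c/p3p.xml"


def candidate_reference_files(page_url, headers, html):
    """Candidate reference-file URLs in the order the FAQ lists the three
    mechanisms: well-known location, P3P response header, HTML LINK tag."""
    found = [urljoin(page_url, WELL_KNOWN)]
    m = re.search(r'policyref\s*=\s*"([^"]*)"', headers.get("P3P", ""))
    if m:
        found.append(urljoin(page_url, m.group(1)))

    class LinkFinder(HTMLParser):
        def handle_starttag(self, tag, attrs):
            a = dict(attrs)  # HTMLParser lowercases tag and attribute names
            if tag == "link" and (a.get("rel") or "").lower() == "p3pv1" and a.get("href"):
                found.append(urljoin(page_url, a["href"]))

    LinkFinder().feed(html)
    return list(dict.fromkeys(found))  # drop duplicates, keep order


def _local(tag):
    """Strip the XML namespace so the file's declared namespace URI does not matter."""
    return tag.rsplit("}", 1)[-1]


def _matches(pattern, path):
    """INCLUDE/EXCLUDE patterns: '*' matches any run of characters; nothing else is special."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), path) is not None


def policy_for(reference_xml, path):
    """'about' URI of the first POLICY-REF whose INCLUDE matches the request
    path and whose EXCLUDE does not; None when no policy covers the path."""
    for ref in ET.fromstring(reference_xml).iter():
        if _local(ref.tag) != "POLICY-REF":
            continue
        inc = [(e.text or "").strip() for e in ref if _local(e.tag) == "INCLUDE"]
        exc = [(e.text or "").strip() for e in ref if _local(e.tag) == "EXCLUDE"]
        if any(_matches(p, path) for p in inc) and not any(_matches(p, path) for p in exc):
            return ref.get("about")
    return None


# Constructed sample data for a fictitious site (namespace URI assumed, not checked).
SAMPLE_HEADERS = {"P3P": 'policyref="/w3c/p3p.xml"'}
SAMPLE_HTML = '<html><head><link rel="P3Pv1" href="/privacy/p3pref.xml"></head></html>'
SAMPLE_REFERENCE_FILE = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY-REFERENCES>
  <POLICY-REF about="/w3c/policies.xml#shop">
   <INCLUDE>/shop/*</INCLUDE>
   <EXCLUDE>/shop/help/*</EXCLUDE>
  </POLICY-REF>
  <POLICY-REF about="/w3c/policies.xml#general">
   <INCLUDE>/*</INCLUDE>
   <EXCLUDE>/cgi-bin/*</EXCLUDE>
  </POLICY-REF>
 </POLICY-REFERENCES>
</META>"""
```

With the sample data, `/shop/cart` resolves to the shop policy, `/shop/help/faq.html` falls out of the shop reference through its EXCLUDE and is picked up by the general one, and `/cgi-bin/search` is covered by no policy at all, which a user agent should treat as "no P3P policy" rather than assume the site-wide one.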
P3P can be used by Web sites that have opt-in or opt-out policies. The P3P vocabulary allows Web sites to label their data practices according to whether they are mandatory or apply only on an opt-in or opt-out basis.
P3P contains a mandatory ACCESS element, which discloses how users can access personal data held by a web site. The level of access may range from all to none. While P3P cannot force web sites to allow users access to their personal data, it can provide clear notice about what level of access (if any) is provided, and in this way allow for more informed user choices.
No. Although the P3P working group did at one point consider including automated data-transfer mechanisms in the specification, this proposal has since been dropped. (See also question 7.) Even if P3P were to be built into a tool that has an automatic data transfer mechanism, the P3P guiding principles state that P3P user agents should "not be configured by default to transfer personal information to a service provider without the user's consent."
The P3P specification does not specify default settings for P3P user agents. However, it does say that user agents should present configuration options to users in a way that is neutral or biased towards privacy and should not be configured by default to transfer personal information without the user's consent. We expect that the APPEL language will allow privacy advocates and others to create "canned" configuration files that users can plug into their user agents if they do not want to use the settings specified by software manufacturers.
P3P addresses this in the DISPUTES element. In this element, there is a mandatory attribute, called "service", which is defined as the URI of the customer service web page or independent organization, or the URI for information about the relevant court or applicable law. There can also be a short or long description included in the DISPUTES element, providing a human-readable description of the name of the appropriate legal forum, applicable law, or third party organization; or contact information for customer service if not already provided at the service URI.
The Open Profiling Standard (OPS) was a proposal co-authored by Netscape, Firefly, and VeriSign and submitted to the W3C for review by the P3P working groups. This specification proposed a means for the exchange of user profile information -- how to store and release, under the user's permission, data which is often requested or required by a Web site. Eventually, the P3P working groups decided not to include a data transfer protocol as part of P3Pv1. Since the data transfer protocol was removed from P3P, OPS is no longer relevant to the P3P specification.
No, P3P is complementary to cookie blocking software and anonymity tools. In fact, some of these tool vendors are building P3P into their products. P3P can offer users who want to selectively block cookies an opportunity to learn more about how each cookie will be used and direct their software to automatically block cookies that will be used for certain purposes while accepting cookies that will be used for other purposes. Anonymity tools are useful at sites where users have no reason to supply any personal information. However, when users wish to supply this information in order to complete a transaction, P3P is useful for informing users about how their data will be used. This is not a function performed by cookie blocking software or anonymity tools.
No, P3P is designed to inform users about any secondary use of their data so they can make informed choices about whether or not to provide data that might be used for these purposes. Of course, P3P does not by itself prevent sites from making secondary uses of data that they do not disclose.
Laws confer rights on people, but laws don't ensure the transparency necessary to ensure that individuals can be informed about data practices in a meaningful way. Similarly, while technologies such as P3P can extend users' capabilities to learn about web sites' privacy practices, these capabilities are of limited use in the absence of some sort of legal framework.
Rather than talk about law versus technology, the designers of P3P prefer to talk about law and technology: P3P is meant to work in a variety of legal frameworks, but is certainly not meant to replace legal frameworks. As Alexander Dix (Data Commissioner of the state of Brandenburg, Germany) said at CFP 2000: "P3P is a necessary but not sufficient condition for privacy, but regulation is also necessary but not sufficient. I see a good privacy framework in the conjunction of both." From the very beginning, P3P developers saw their work as a tool for privacy within various frameworks.
No, P3P is designed to work in a variety of regulatory environments. P3P is not meant to replace law, but rather to work with it. In an unregulated environment, P3P can help users see what personal information is being collected -- this in itself would be an improvement over the current state of affairs in the U.S., for example. In a more regulated environment (such as that found in EU countries), P3P can help make users aware of data practices in a meaningful way.
P3P does not cover all 8 principles of the OECD Guidelines on the Protection of Privacy. Instead, P3P focuses on notice and choice (i.e., the purpose specification principle). When combined with other legal and technical tools, P3P can help address all eight OECD principles.
P3P by itself does not enforce anything, but it does allow web sites to indicate mechanisms by which enforcement can take place. The DISPUTES-GROUP element allows sites to describe what dispute resolution procedures will be followed if a user feels the site has not followed its own privacy practices. Sites may also describe remedies available to users who feel their privacy has been violated.
P3P can also help self-regulatory bodies and/or data commissioners. As P3P is a machine-readable way of talking about privacy, such bodies could set up programs to automatically check web site policies. Additionally, P3P could allow users to keep track of where they have left data, thus providing a better basis to articulate complaints about secondary use of data.
Merely using P3P does not excuse a service from any legal obligations it may have. It could be used in any jurisdiction if it is used in a way that complies with the laws of that jurisdiction. P3P is a method of making informed decisions on the basis of web sites' privacy practice disclosures. Informed choice is an important component of privacy protection. In addition, some jurisdictions may have specific data collection, access, and retention prohibitions or requirements. Or they may have additional enforcement and reporting requirements. The flexibility to solicit information and make a wide range of disclosures does not necessarily mean that all solicitations and privacy practices are permissible. Rather, the flexibility enables P3P to be used in conjunction with various laws and policies the world over.
While many of the member companies that worked on P3P are based in the U.S., the specification itself is meant to be international. The P3P vocabulary, for instance, was created with the input of many people both in and outside of the U.S. Nearly half of the members of the working group that worked on the vocabulary were invited experts and staff from international data commissioners' offices, many of which were from Europe. In addition, there has been considerable input from Japan.
In a regulated environment like the EU, users have certain rights. This includes not only the right to be notified when data is collected but also the right to access data under reasonable conditions, requirements for informed consent, and so on. To put these rights into effect it would be useful to have software that could help manage flows of information. P3P can help because it is an open standard, and as such could allow many different types of software to interoperate with each other on the web.
A second benefit of P3P is that data commissioners in Europe, along with other privacy groups, could come up with recommended privacy preferences that could be shared easily and used by anyone with a P3P-enabled browser. Also, by expressing privacy statements in a simplified, structured format, P3P could assist companies in complying with the EU Data Directive, as well as help data commissioners keep tabs on companies' practices.
This question was of particular concern when automated data-transfer protocols were being considered in earlier drafts of the P3P specification. Some privacy advocates feared that by creating a standardized vocabulary to describe data-transfer, and a protocol for automating data transfer, P3P might make it easier for companies to collect personal data. This is much less of a concern now that P3P 1.0 does not have automated data-transfer.
On a related issue, Karen Coyle raised a question about the design of the specification. In a critique of P3P, Coyle noted that the data schema concerning the web surfer was very rich while the data schema concerning the web site was very sparse. She asked whether P3P was geared towards revealing information about the user much more than disclosing information about web sites. The Working Group has taken these concerns into account and changed the data schema, so that it is also used to identify the web site making the statement.
Some critics have feared P3P is too complicated to enable users to build their own preferences, and also too complicated for small web sites to write their policies down. This would hinder deployment of P3P. While the P3P specification is complicated, the P3P working groups expect that a wide range of P3P tools will soon become available. These might include pre-built preference files for users and policy generator tools for web sites. Self-regulatory bodies, privacy advocates, and data commissioners from different countries will be able to lend their expertise to web sites about creating policies and preferences. Just as tools exist to help people design Web pages without knowledge of HTML, we expect there to be tools to help people write privacy policies and preference files without knowing all the details of P3P.
Some privacy advocates have argued that P3P distracts from efforts to develop privacy legislation in the U.S. The concern is that legislators may look to P3P as a complete solution to privacy problems, and consequently fail to pursue legislative approaches to data protection. However, the P3P working group has always maintained that P3P is one tool among many, and not a "magic bullet" for privacy problems on the Web. There is no reason why P3P and legislation should be exclusionary of each other.
* In the past the Platform for Privacy Preferences Project was referred to as "P3." Due to alleged trademark infringement, we decided to move to P3P™. P3P is free of competing claims and MIT is filing an application for US registration. We advise members and the press who reference the project to use the acronym P3P in their press releases or literature.
last revised $Date: 2002/01/29 02:28:00 $ by $Author: lorrie $