Published on: Friday 14th August 1998 By: Janus Boye
"Browsers that use P3P look out for the user," said Tim Berners-Lee, W3C Director and inventor of the World Wide Web, when the 1st public working draft of P3P 1.0 was released on May 19th, 1998.
Users today must grapple with sites that provide little information about privacy practices, repeated requests for the same information, and an extremely coarse control over technology. For example, current implementations of cookies cause privacy concerns (when accepting all cookies), are a hindrance (disabling cookies can cause difficulties at sophisticated sites), or a nuisance (the user must "swat away" numerous dialogue boxes).
P3P - The Platform for Privacy Preferences Project - addresses the twin goals of meeting the data privacy expectations of consumers on the Web while assuring that the medium remains available and productive for electronic commerce.
Not only will P3P enable individuals to make informed decisions about the collection and use of their personal information, but it will also make more sophisticated content and services on the Web possible, by addressing the increasing concern regarding potential abuses of users' privacy.
The term "privacy" covers a wide range of concerns, and it is important to understand from the outset the precise scope of the P3P work. P3P will enable sites to express their privacy practices, and users to express their preferences about those practices and have their agent (e.g. their browser) act on them accordingly. The user agent can then provide the user a safe and seamless experience.
P3P gives users the ability to make informed decisions regarding their Web experience and their ability to control the use of their information. Sites can use P3P to increase the level of confidence users place in their services, as well as improve the quality of the services offered, the customization of content, and simplify site access.
A P3P interaction will result in an agreement between the service and the user agent regarding the practices with a user's implicit (i.e., click stream) or explicit (i.e., user-answered) data. The agreement may include service side permissions regarding the storage and release of data written by the service and accepted by the user agent. Allowing client side storage of user data in a data repository increases the user's access to and control of data, while providing a mechanism so that the user need not repeatedly enter solicited information. This architecture enhances personal privacy while providing richer, easier access to Web services.
It's also important to point out that P3P does not remove the need for other privacy technologies like encryption or Web anonymizers. In fact, in order to "do one thing, and do it well", P3P has been focused on its mission of establishing privacy disclosure and defers to other privacy technologies for communications and storage confidentiality. For instance, users must be able to express preferences such as, "I will only give my credit card information to sites over a secured communication channel such as SSL or SET." The aim of P3P is not to reinvent anonymizers, encryption or payment protocols within P3P, but it will be able to work with all of these things.
A model to have in mind when examining P3P is that it leverages much existing work, and that many products and services can be built upon the Platform for Privacy Preferences. P3P is based on RDF/XML and DSig.
At the completion of the first phase of working groups in October 1997, the W3C publicly released the Architectural Overview and Grammatical Model Drafts. The Architecture Working Group synthesized W3C work (the RDF "meta-data" work stemming from W3C's PICS activity), the Open Profiling Standard (OPS), the Profiling and Privacy submission, and work from other W3C members to create a general architecture for privacy notice. The Vocabulary/Grammar Working Group focussed on how one makes meaningful statements about privacy in a way that is understandable by both humans and computers.
The second phase, which ended in March 1998, consisted of two working groups. The Protocols and Data Transport group specified the communication primitives necessary for sending P3P requests and practices across the Web. The protocol works over HTTP 1.0 and later.
The Harmonized Vocabulary Working Group specified a vocabulary used for describing Web privacy practices. It was designed to be reflective of a diversity of privacy laws, self-regulatory norms, and cultural notions about privacy. This vocabulary can be used to express policies as diverse as anonymous browsing to the provision of personalized Web content and services.
The P3P Harmonized Vocabulary Specification Public Working Draft was then made available on March 30th 1998, and the P3P 1.0 Working Draft (from the Syntax and Encoding Working Group) was publicly released on July 2nd, 1998.
Even though P3P has been designed to promote privacy and trust, and to enable individuals to make informed decisions about the collection and use of their personal information, P3P alone does not guarantee privacy or trust. Trust is built upon the mutual understanding that each party will respect the agreement reached. In order to preserve trust and protect privacy, organizations should only collect personal information with the knowledge and agreement of the person to whom it relates, and inform that person about the way the information will be used and with whom it may be shared.
Those who use P3P can preserve trust and protect privacy by applying recognized principles of data protection and privacy to their information practices:
In addition, service providers and P3P implementers should recognize and address the special concerns surrounding children's privacy.
Service providers should also provide timely and effective notices of their information practices; and user agents should provide effective tools for users to access these notices and make decisions based on them.
Last, but not least, users should be given the ability to make meaningful choices about the collection, use, and disclosure of personal information. Users should retain control over their personal information and decide the conditions under which they will share it.
I'm not here to tell you what your user policy should be. Rather than addressing where you should leave your email address, whom you should tell your real name, and what information should be encrypted, I'll try to define what such a user policy is.
Users may specify their preferences using a variety of interfaces (determined by the implementation of the user agent they use). At some point these preferences might be stored using a standard language. They might be stored as purpose-specific practices (e.g., PICSRules for PICS labels, another language for P3P privacy preferences) or in a more general language. The set of all stored preferences is a user's policy.
A user's policy might include preferences regarding P3P statements, signer credentials, RSACi labels, digital signature algorithms, safe-coded labels, domain name restrictions (the server is in *.domain.com or *.edu), or locally defined statements/labels. For example, a user might restrict interest to the domains *.irt.org or *.dk. As another example, the user might keep a database of sites she's visited and generate personally meaningful labels for them. Or if a site presents no statements or labels, the user might fetch the page and generate one for it ("contains no profanity" or "does not include Java applets.") The user's policy might also include rules for identifying how all of the practices should interact.
Users may also have a different set of preferences based upon type of sites, time of day, perhaps even the weather. Such policies combine P3P preferences with preferences about other input statements and credentials. Together, P3P statements and preferences are part of a larger picture. The trust engine, which I'll describe in a moment, will evaluate many types of incoming data, including P3P statements.
To make things easier, I've tried to provide two examples below, where P3P would help lead the Web to its full potential.
Users evaluate Web services on the basis of many criteria in addition to privacy considerations. These "trust" criteria may include, among other issues, content, authority, cost, and governmental regulations. A user might decide whether to look at a specific Web page because it contains sports, was authored by someone at the Boston Globe, and costs less than five cents. Users' evaluations are complex and based upon many personal nuances.
User agent implementations, then, may need to check for the existence of a variety of inputs: statements from services, labels on content, credentials, and other environmental information (IP address, time of day etc.). These user agents will react to these statements. For instance, the user agent might restrict access to a site, control information flow to the service, or allow the execution of active content. The agent would act according to a broad set of preferences (rules) the user has established with it. (Some or all of these preferences may have been obtained from a third party, such as a government-sanctioned preference bureau, a social or religious affiliated service, or another trusted source.) Furthermore, these statements may be acted on individually or in combination.
User agents will then serve as proxies for users in the evaluation process. Within the user agent, there will be some type of trust engine that makes this evaluation on behalf of the user. A variety of mechanisms may be employed by trust engine implementations. For example, one might implement such a trust engine using expert system rules or a neural network.
In the P3P architecture, it is presumed that the user agent has access to any data that the user wishes to safeguard. This data is within the data repository.
In the data repository users can store information they don't mind sharing with certain Web sites. If they reach an agreement that calls for the collection of certain pieces of information, they can have that information transferred automatically if it is stored in the repository. In addition, the repository can be used to store site-specific IDs that allow for pseudonymous interactions with Web sites that cannot be tracked across multiple sites. Web sites may request to store data in the user's repository as well. These requests are also governed by the P3P agreement with the user.
In the case of a hand-held device with little onboard memory and storage, the user agent may act through another agent to obtain access to the data repository located on a third-party. Data would be read from the data repository to provide personal information to a service. Services might also write information to the data repository; this would allow the capabilities provided by "cookies" in HTTP today.
The data repository may include data elements written by both user agents and services. The user agent can help the user evaluate whether to allow reads from or writes to the data repository. Note that the reading and writing of data are always under the control (implicitly or explicitly) of the user.
Just to give you a sneak peek at what P3P proposals and statements might look like, I've provided an example below.
When P3P gets implemented, proposals will be machine-readable, encoded in XML according to the RDF data model.
The general form of a proposal is:

    Using schema (for some experience space)
    (you will enter an agreement with this entity)
    (Statement) +
    They will offer: (this access) (and this qualifier)
    (Accepting will give you this consequence)
    (for more information, contact)
    (Signature)

In other words, a concrete proposal could be:

    [ (irt.org) applies the
      practice ("system administration")
      to (User.Name, System.Click_stream/)
      consequence ("optimized user experience")
    ] signatures and vouchers ("TRUSTe")
The definitions and more examples are provided in the W3C P3P Vocabulary Working Draft.
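As an added example, not part of the original article or of the W3C drafts, the following Python sketches the trust engine described earlier evaluating a proposal of the form above against a user's policy. The Proposal and UserPolicy classes, the domain-pattern rule and the secure-channel flag are assumptions made here for illustration, not the P3P 1.0 RDF/XML encoding.

```python
# Added example (not from the article or the W3C drafts): a toy trust engine that
# evaluates a proposal in the abstract form shown above against a user's policy.
# The rule representation is invented for illustration; real P3P 1.0 encodes
# proposals in RDF/XML, which this deliberately does not reproduce.
from dataclasses import dataclass

@dataclass
class Proposal:
    entity: str           # who the user would enter an agreement with, e.g. "irt.org"
    practice: str         # e.g. "system administration"
    data: tuple           # data elements requested, e.g. ("User.Name", "System.Click_stream/")
    consequence: str      # e.g. "optimized user experience"
    vouchers: tuple = ()  # seals backing the proposal, e.g. ("TRUSTe",)
    secure_channel: bool = False  # was the proposal received over SSL/SET?

@dataclass
class UserPolicy:
    allowed_domains: tuple  # patterns such as ("*.irt.org", "*.dk")
    shareable: dict         # data element -> set of practices it may be used for
    secure_only: frozenset  # elements released only over a secure channel
    required_vouchers: frozenset = frozenset()  # at least one must vouch

def domain_matches(host, pattern):
    """'*.irt.org' matches irt.org and its subdomains, but not 'notirt.org'."""
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern

def evaluate(policy, proposal):
    """Return (accept, reasons); every violated preference is reported."""
    reasons = []
    if not any(domain_matches(proposal.entity, p) for p in policy.allowed_domains):
        reasons.append(f"{proposal.entity} is outside the allowed domains")
    if policy.required_vouchers and not (policy.required_vouchers & set(proposal.vouchers)):
        reasons.append("no acceptable voucher or seal")
    for elem in proposal.data:
        if proposal.practice not in policy.shareable.get(elem, ()):
            reasons.append(f"{elem} is not shareable for practice {proposal.practice!r}")
        elif elem in policy.secure_only and not proposal.secure_channel:
            reasons.append(f"{elem} may only be sent over a secure channel")
    return (not reasons, reasons)

# Constructed sample inputs mirroring the article's irt.org proposal.
IRT_PROPOSAL = Proposal("irt.org", "system administration",
                        ("User.Name", "System.Click_stream/"),
                        "optimized user experience", ("TRUSTe",))
POLICY = UserPolicy(
    allowed_domains=("*.irt.org", "*.dk"),
    shareable={"User.Name": {"system administration"},
               "System.Click_stream/": {"system administration"},
               "User.Payment.CreditCard": {"purchase"}},
    secure_only=frozenset({"User.Payment.CreditCard"}),
    required_vouchers=frozenset({"TRUSTe"}))
```

Calling evaluate(POLICY, IRT_PROPOSAL) accepts the article's proposal, while the same policy refuses a credit card request that did not arrive over a secure channel, which is the "SSL or SET" preference mentioned earlier.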
A number of services have been launched to provide consumers with some assurance up front that a Web site's policies accurately reflect its practices. These services generally require Web sites to pay a fee, enter into certain contractual agreements, and possibly undergo an audit in exchange for the ability to display some seal of approval. So far, these seals have manifested themselves as visual labels displayed on Web sites. However, these seals could also come in the form of PICS labels or digital certificates that could be transmitted as part of a P3P proposal. Users could then instruct their browsers to look for such certificates.
The first such privacy seal service was launched in 1996 by the Electronic Frontier Foundation and CommerceNet. Called TRUSTe, this service has undergone a number of major changes since its initial launch, in response to comments from TRUSTe members and the public. TRUSTe currently licenses its "trustmark" to companies that sign an agreement and pay a fee on a sliding scale according to their annual income. The agreement requires that sites follow the TRUSTe guidelines and submit to periodic reviews. TRUSTe has more than 100 licensees including IBM, Lands' End and The New York Times.
The Better Business Bureau sponsors the BBBOnline Seal program, which helps consumers recognize companies that have a satisfactory complaint-handling record with the BBB, participate in the BBB's advertising self-regulation program, and agree to binding arbitration in the case of disputes with consumers. This program could easily be extended into the privacy area as well.
Expect several other privacy seals and self-regulatory programs to be announced over the coming months.
Among the companies involved in P3P (AOL, HP (formerly Digital), Firefly Networks, IBM, Microsoft, Netscape, Oracle, TRUSTe, VeriSign), there is interest in future versions of P3P. Such work could include interoperability tests, the revisiting of negotiation protocols or privacy vocabularies, or the inclusion of certificate and digital signature capabilities.
One could also imagine P3P facilitating choice by allowing Web sites to offer visitors a selection of privacy policies. For example, a Web site with information on movies might allow users who wish to provide no personal information a generic site with an index of movie reviews. For visitors who are willing to provide their home address, the site would also offer movie timetables for theaters near the visitor's home. Visitors to the site could choose which P3P agreement best suits their purposes.
The P3P Project aims to issue its complete set of Recommendations in October 1998.
Even though big companies such as Firefly, Microsoft, and Netscape have announced plans to implement the P3P protocol within their products, one should not believe that technology alone can address the many issues associated with privacy online.
A compelling feature of P3P is that it is based on privacy disclosures. Consequently, regardless of where a user goes, they have the capability to make informed decisions. This also allows users to ask for practices which match their own preferences or the governing law of their own jurisdiction.
The ultimate impact on users' privacy and Web commerce could be:
It's interesting that, for the typical Web site operator, it is in fact easier to collect information about Web site visitors than to figure out how to configure a Web server not to collect that information.
Furthermore, other external factors will have a significant impact on how technologies like P3P fare as they are implemented and adopted. Will expectations of higher-levels of privacy than are currently offered force a change in market practices? Will the tenacity of practices require people to modify their expectations? Or in practice, do people actually care about privacy to the degree that recent surveys would have us believe? The answers to these questions will not be determined by technology alone.
P3P is predicated on the assumption that IF sites and users wish to exchange information it should happen in the context of an explicit agreement. The technology should not preclude a mutually satisfactory balance from being achieved. Otherwise, this issue is an important policy debate for society at large. P3P is designed such that it is the individuals, markets, and regulatory frameworks that ultimately determine the balance -- as it should be.
There have been many false reports about cookies that caused some paranoia among Internet users. See http://www.cookiecentral.com for the facts on cookies.
The Federal Trade Commission's (FTC) privacy Web site at http://www.ftc.gov/privacy includes information related to the FTC's privacy efforts.
A very good privacy article by Lorrie Faith Cranor, titled "Internet Privacy: A Public Concern", is at http://www.acm.org/pubs/citations/journals/networker/1998-2-3/p13-cranor/
For more information on PICS, see http://www.w3.org/PICS/.
For more information on TRUSTe, see http://www.truste.com
For more information on BBBOnline, see http://www.bbbonline.org
The Platform for Privacy Preferences - P3P Note Draft July 31st, 1998, see http://www.w3.org/TR/1998/NOTE-P3P-CACM/
P3P Guiding Principles - W3C Note May 1st, 1998, see http://www.w3.org/TR/1998/NOTE-P3P10-principles-19980501.html
P3P Harmonized Vocabulary Specification - W3C Working Draft March 30th, 1998, see http://www.w3.org/TR/1998/WD-P3P10-harmonization
P3P Architecture Working Group - General Overview of the P3P Architecture - W3C Working Draft October 22nd, 1997, see http://www.w3.org/TR/WD-P3P-arch
P3P Vocabulary Working Group - Grammatical Model and Data Design Model - W3C Working Draft October 14th, 1997, see http://www.w3.org/TR/WD-P3P-grammar
W3C's Privacy P3P FAQ, see http://www.w3.org/P3P/P3FAQ.html