XML.com: XML From the Inside Out
oreilly.comSafari Bookshelf.Conferences.

advertisement

P3P: An Emerging Privacy Standard

May 05, 1999

The first week of April, 1999, the W3C released its 4th working draft of P3P (Platform for Privacy Preferences), a work in progress whose goal is to make us all feel safer about doing commerce on the Web.

Originally chartered in 1997, the P3P Working Group has been diligently researching and exploring all the issues surrounding the development of the privacy preference-enabling standard, which was designed to express both web site privacy practices and end-user requirements for the disclosure of personal information.

Web site owners will be able to implement P3P in a variety of ways. Many will only use P3P to provide a machine-readible version of their sites' privacy policies. Others will want to enjoy the advantages of using P3P's syntax for the expression of end-user preferences to enable a "seamless" transfer of personal information in exchange for web-based goods and services.

End-users can use the protocol to indicate their privacy preferences, and those preferences will determine which content to highlight, filter, feature, censor, accept, or reject through a series of (eventually) automated negotiations between a server and an end user's browser client.

So what will P3P software enable exactly? Agent actions have the potential to be as simple as receiving a P3P proposal and then presenting it to an end user, prompting them to make a decision. Other agents might take the process a step further, making a decision on behalf of the end-user, and transferring that data automatically, when appropriate. As more and more types of online transactions and preference variables are defined, the agents will be able to perform more detailed, well-informed decisions a user's behalf.

The terms of an agreement could range from a simple exchange of information contained on a registration form to complex financial and legal transactions. P3P will support future digital certificate and digital signature capabilities, however P3P does not address security issues.

Member companies of the working group include America Online, Microsoft, AT&T, the Direct Marketing Association, MatchLogic, and Narrowline, as well as privacy interest groups such as the Center for Democracy and Technology in Washington, D.C., the Information and Privacy Commission in Ontario, Canada, and the Privacy Commissioners from Germany and Hong Kong.

Microsoft and Trust-E's New Privacy Wizard

Microsoft's first P3P application will be a web-based privacy wizard to help site owners create their own privacy statements. Microsoft's privacy wizard (which, according to the Microsoft site, should be available any day now), is largely based on Trust-E's existing privacy wizard, which does not currently generate P3P, but rather a human-readable privacy statement. The new wizard, developed by Trust-E and Microsoft, generates the resulting privacy statement in human readable and a P3P-based machine readable form, and the system can remember your information so you can go back and generate an updated privacy statement when necessary.

Why might such an update be necessary? Perhaps things have changed in your business, or in the way you collect information on your site. Or if the technical specifications should change externally (which is highly probably at this point, since P3P is still completely a work-in-progress in draft form over at the W3C), in theory, such changes would be incorporated into the wizard immediately, so that everyone could go back to the site and get a machine readable policy which uses the updated syntax.

"The reasoning behind the partnership between Microsoft and Trust-E is to allow Trust-E to focus on what they're best at (the human readable content of the wizard), and let Microsoft concentrate on what they're best at (the technological end)," explains Upendra Shardanand, Web Platforms Program Manager, for Microsoft. "Due to the structure of the new design, as Trust-E provides new updates to the content, we can easily incorporate these changes into the Wizard."

The Privacy Wizard consists of a series of forms asking "yes" or "no" questions about a site's privacy practices. The answers for many of which translate directly into P3P syntax. For other, more complex issues, such as the sometimes complex details of "powered by" partners or co-branded sites, express the details of such relationships explicitly (see Special Relations section).

Although the Privacy Wizard can create a machine-readible statement explaining that there are "powered by" or "other partnerships" taking place on a Web site, presently, it can only point to the human-readable description of such practices. Said another way, often it would seem that the machine readable version of the policy statement does nothing more than point to its human readable counterpart. The human readable version, of course, will need to be edited according to each site's specific practices by the site owners themselves.

In a nutshell, here are the issues that you will need to address in your privacy statement:

  • Does your web server log any information such as browser type or IP address (used for system administration, to identify visitors, to provide persistent shopping carts, to gather demographics, or for other reasons)?
  • Do you use cookies on your site (to hold session info, for advertisement delegation, visitor preferences, or visitor passwords)?
  • Do you use an advertising aggregator (such as DoubleClick or MatchLogic)?
  • Do you share any of your server logs, customer data, or personal information with the companies that advertise with you?
  • Does your site link to other sites whose content you cannot control? (This one's usually a given.)
  • Does your organization or company have any "special relationships" such as "Powered By" partners, other busines partners, or co-branded sites?
  • Does your site offer chat rooms, forums, message boards, and/or news groups?
  • Do you collect any personal information at your site (contact information, financial information, unique identifiers, or demographic information)?
  • Do you have security measures in place to protect the loss, misuse, or alteration of information under your control?
  • Is your web site, or portions of your web site, directed at children under the age of 13?
  • Does your site collect the birth date or age of the visitors of your site?
Here is an example Privacy Policy that was generated by the Privacy Wizard.

This privacy policy was conconcted to provide examples of the different kinds of subjects that can be covered in a site's privacy policy, and explain which kinds of subjects will require further information and customization from the company posting it (not to provide in any way a cohesive example of a model policy).

Example of a more simple Privacy Policy Expressed in P3P

The below example merely provides the Web URL for the human readable description of the site's privacy policy.

<?xml VERSION="1.0" ?>
<!DOCTYPE PROPOSAL SYSTEM "http://privacy.linkexchange.com/xml/syntax.dtd"
<PROPOSAL
  xmlns:VOC="http://privacy.linkexchange.com/xml/vocab.dtd"
  xmlns:DATA="http://privacy.linkexchange.com/xml/basedata.dtd"
  realm="http://www.finetuning.com/Site1/"
  entity="Site1"
>

<VOC:DISCLOSURE discURI="http://www.finetuning.com/Site1/policy.html"
 access="0 " other=""/>
</PROPOSAL>
<?xml VERSION="1.0" ?>
<!DOCTYPE PROPOSAL SYSTEM "http://privacy.linkexchange.com/xml/syntax.dtd"
<PROPOSAL
  xmlns:VOC="http://privacy.linkexchange.com/xml/vocab.dtd"
  xmlns:DATA="http://privacy.linkexchange.com/xml/basedata.dtd"
  realm="http://www.finetuning.com/Site2/"
  entity="Site2"
>
<USES>
  <STATEMENT VOC:purp="0 "
   VOC:recpnt="0 "
   VOC:id="1"
   >
    <DATA:REF category="2"/>
  </STATEMENT>
  <STATEMENT VOC:purp="0 "
   VOC:recpnt="0 "
   VOC:id="0"
   >
    <DATA:REF category="4"/>
    <DATA:REF category="5"/>
  </STATEMENT>
</USES>
<VOC:DISCLOSURE discURI="http://www.finetuning.com/Site2/policy.html"
 access="0 " other=""/>
</PROPOSAL>

Intermind's Patent Complaint

For the first time in a W3C Working Draft, the following disclaimer was included (in the P3P Working Draft):

Attention is called to the possibility that implementation of this Technical Report may require use of subject matter covered by patent rights. By publication of this Technical Report, no position is taken with respect to the existence or validity of any patent rights in connection therewith. The W3C shall not be responsible for identifying patent rights for which a license may be required to implement a W3C Technical Report or for conducting inquiries into the existence, legal validity or scope of those patent rights that are brought to its attention.

The disclaimer is a direct result of patent claims by Intermind, a former member of the W3C's P3P Working Group that has since dropped out of the group over this patent dispute.

"Intermind has asserted that implementations of P3P would constitute patent infringement," explains Daniel Weitzner, Leader of the W3C's Technology and Society Domain under which the P3P charter resides.

Although P3P's disclaimer explains that "the W3C shall not be responsible for identifying patent rights for which a license may be required to implement a W3C Technical Report", Weitzner assures that the W3C is preparing to defend what amounts to more than two years of work at this point that has gone into P3P.

"We have hired a very distinguished patent attorney, and are looking into these patent and prior art issues. We will defend the openness of this process in order to make sure that the technology is available for implementation without royalty."

Tech Details

P3P transactions consist of proposals that are made to a browser-client when it reaches a web page via an HTTP GET. The client application then either accepts or rejects the proposal, or it can make a counter-proposal or alternative proposal back to the server. Such actions can be initiated either seamlessly or while notifying the user. When all goes well, the ultimate end-user experience will consist of a pre-approved personalization of content and services, as well as a constant influx of proposals and offers for consideration.

The information "required" in a P3P transaction is very application-specific. All P3P policy statements much identify the site making the proposal by specifying the URI for the human-readible version of the site's privacy policy. If personal information is collected on that site, it must be clearly explained how the information will be used, and specifically whether or not the information will be made available to third parties.

P3P agents deemed capable of making decisions on the user's behalf and transfering data automatically must include a user-configurable "trust engine". There is nothing inherently secure about a trust engine, the term only implies that a P3P processor that is capable of importing a proposal defined in P3P syntax, along with a set of user-defined preferences (recorded as a set of rules), and negotiating between the two to determine what action should be taken.

Some agents will come initially unconfigured, while others might have a default rule set. But they are not allowed to be preconfigured to automatically transmit a user's information. (Like the way most browsers are preconfigured to automatically accept cookies.) The user must specify ahead of time exactly which personal information elements of their profile are allowed to be automatically transferred to which sites, and under what circumstances. The user preferences and personal information will need to be encrypted, whether it is being stored on the end-user's machine on a network-based location.

Possible actions include:

  • seamless accept,
  • seamless reject,
  • informational prompt, and
  • warning prompt.

The "core" P3P specification is made up of three smaller pieces: the P3P Syntax Specification, the P3P Harmonized Vocabulary Specification, and the P3P Base Data Set Specification.

The Harmonized Vocabulary provides the machine-readible syntax for expressing the categories of a site, as well as the purposes and intents of the site in the handling of any personal information that it collects, and any other general disclosures. The Base Data Set defines an official P3P Base Data Set schema that can be referenced for strong datatyping from within P3P applications.

A fourth specification, APPEL, is a language to be used optionally to specify these user preferences as "rule sets". APPEL is one language currently being defined by the W3C for expressing these user preferences. Other languages can be used, but any language used must be either very well documented or able to be used via a user-interfaced wizard or other tool.

P3P uses the IETF's HTTP extension framework to send and receive messages via HTTP headers. It can also be referencing using the HTML LINK element.

A purpose statement is stated clearly as such in that site's P3P statement using the STATEMENT element. The REALM element and its corresponding URI are used to specify the "scope" of an agreement made between a site and a visitor. There is an optional ASSURANCE element containing information about how the site uses the information collected on the site.

Ready to Go Public With Privacy?

Soon all major Web sites will be expected to post both a human and machine-readable description of their privacy practices online. Hopefully, the checklist we've provided will help you start thinking about what your sites practices are going to be.

Widespread implementation of the P3P standard may still be a long way off, but most likely, tools such as the soon-to-be-released Microsoft/Trust-E Privacy Wizard, and others, have the potential to bring us a little closer to its realization.

We'll be covering any tools or developments in this area as they begin to manifest.