Overview of P3P

November 3, 1999

Lisa Rein

"P3P" is actually the name for a group of technologies that work together to create a framework to allow users to exercise preferences over the privacy practices of web sites. Applications using P3P will keep users informed about web sites' privacy practices, and allow them to dictate the extent to which their personal information is revealed to the site.

Technically, P3P consists of an XML vocabulary, a strongly defined set of base data types, and a rule-based language in which a user's preferences are expressed as a set of rules.

Web sites express their privacy practices by means of a policy. Each policy is a static document containing the identity of the organization responsible for the site and a machine-readable, text-based description of its privacy practices.

An example policy can be seen on the W3C's site.

When a site sends its P3P policy, the user-agent (a web browser, browser plug-in, or proxy server) checks that policy against the user's expressed preferences. On that basis, the policy may be accepted, or the user may be prompted to reject it.

An additional element of the P3P work is APPEL, a Privacy Preferences Exchange Language. Although no such language is needed to support negotiation of P3P policies, the construction of a standard language for expressing users' preferences has the following advantages:

  • Pre-definition and sharing of rule sets, avoiding the need for users to construct complex preferences each time through a GUI
  • Communication of preferences to services, enabling web-based services to tailor their output to users' preferences
  • Portability, to enable sharing of P3P preferences across applications

The current APPEL work is somewhat old and not yet synchronized with the recent revision of the P3P working draft.
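The user-agent check described above, sketched as an added example (not code from the original article or from the P3P or APPEL specifications). The element names, rule fields and sample policy are simplified, constructed placeholders rather than the real P3P vocabulary or APPEL syntax; anything the rules do not explicitly accept, including a malformed policy, leads to prompting the user.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy; element names are simplified placeholders,
# not the real P3P vocabulary.
SAMPLE_POLICY = """<POLICY entity="Example Corp">
  <STATEMENT><PURPOSE>admin</PURPOSE><RECIPIENT>ours</RECIPIENT><DATA>clickstream</DATA></STATEMENT>
  <STATEMENT><PURPOSE>marketing</PURPOSE><RECIPIENT>third-party</RECIPIENT><DATA>email</DATA></STATEMENT>
</POLICY>"""

# Hypothetical user rule set (not APPEL syntax), evaluated in order; first match wins.
# A field set to None matches any value.
USER_RULES = [
    {"purpose": None, "recipient": "third-party", "data": "email", "action": "prompt"},
    {"purpose": None, "recipient": "ours", "data": None, "action": "accept"},
]

FIELDS = ("purpose", "recipient", "data")

def parse_policy(xml_text):
    """Return (entity, statements); raise ValueError on anything unexpected."""
    # The policy is site-supplied, untrusted XML: refuse DTD/entity declarations.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations are not allowed")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"malformed policy: {exc}") from exc
    if root.tag != "POLICY" or not root.get("entity"):
        raise ValueError("policy must identify the responsible organization")
    stmts = [{f: s.findtext(f.upper()) for f in FIELDS} for s in root.findall("STATEMENT")]
    if not stmts:
        raise ValueError("policy declares no practices")
    return root.get("entity"), stmts

def decide_statement(stmt, rules):
    """Apply the first rule whose non-None fields all equal the statement's."""
    for rule in rules:
        if all(rule[f] is None or rule[f] == stmt[f] for f in FIELDS):
            return rule["action"]
    return "prompt"  # no rule covers this practice: ask the user

def evaluate(xml_text, rules):
    """Accept only if every declared practice is accepted; otherwise prompt."""
    try:
        _, stmts = parse_policy(xml_text)
    except ValueError:
        return "prompt"  # an unreadable policy is never silently accepted
    decisions = [decide_statement(s, rules) for s in stmts]
    return "accept" if all(d == "accept" for d in decisions) else "prompt"
```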