A call for papers has been issued in connection with the upcoming W3C Workshop on the Long Term Future of P3P and Enterprise Privacy Languages. The Workshop is hosted by the Independent Center for Privacy Protection and will be held in Kiel, Schleswig-Holstein, Germany on June 18-20, 2003.

The organizers have invited position papers that "discuss either technology or policy considerations for the long-term future of P3P; papers may be based on the current P3P specification, but may also go beyond backwards compatibility to P3P 1.0. The results of this workshop will inform W3C's decision making on future P3P strategy, stimulate discussions of new developments and directions for the long-term future of P3P and privacy metadata based solutions in general and facilitate coordination with organizations engaged in related efforts." W3C also wishes to evaluate interest in enterprise privacy policy enforcement languages and to consider the relationship and/or integration of such a language with respect to P3P.

The first two days of the workshop will consider any "technical problems with P3P1.0, policy goals that P3P may help address, requirements unmet by P3P1.0, and legal or policy questions that have arisen as a result of P3P implementation with a perspective on the long-term future." On the third day an EPAL session will "explore various industry use case scenarios and regulatory templates for EPAL policies and enforcement scenarios. The goal is to present EPAL capabilities in a public forum and to collect interest and feedback on the idea of a more fine grained Enterprise Privacy Language" such as the Enterprise Privacy Authorization Language developed by IBM. The P3P/Privacy Workshop has been organized under the W3C Technology and Society Domain.
W3C Workshop Goals and Background
"The World Wide Web Consortium is sponsoring a workshop to discuss future applications of P3P and the Enterprise Privacy Languages, and get feedback on what additional specifications or coordination efforts might be necessary to support them. We are inviting position papers that discuss either technology or policy considerations (or both) for the long-term future of P3P. Papers can be based on the current P3P specification, but also go beyond backwards compatibility to P3P 1.0. The results of this workshop will inform W3C's decision making on future P3P strategy, stimulate discussions of new developments and directions for the long-term future of P3P and privacy metadata based solutions in general and facilitate coordination with organizations engaged in related efforts."
"We also want to evaluate the interest in enterprise privacy policy enforcement languages and to consider the relationship and/or integration of such a language with respect to P3P... The goals for the Enterprise Privacy Languages area are: (1) Evaluate EPAL as a basis for industry consensus in this area; (2) Discuss other alternatives for enterprise privacy policy languages based on position papers; (3) Discuss next steps concerning a fine-grained privacy/authorization language."
[Among the existing languages,] "the Platform for Privacy Preferences 1.0 (P3P1.0) was released as a W3C Recommendation on 16 April 2002. Already, P3P1.0 has been implemented in two major browsers, a proxy service, a browser add-on, and other user agent software. In addition, several P3P policy generator and editor tools are available, and tools to track P3P usage are being integrated into Web site privacy policy management systems. Besides the existing P3P tools, a variety of other P3P tools and services have been proposed. As Web sites adopt P3P, limitations have been discovered and new features are being suggested for possible inclusion in P3P1.x or P3P2.0."
"One proposal for Enterprise Privacy languages that has come to the attention of the Workshop co-chairs is the Enterprise Privacy Authorization Language (EPAL). It is a formal rules language for writing enterprise privacy policies to control data handling practices in IT systems according to purpose specification, IT actions, fine-grained positive and negative authorization rights, and complex conditions. It concentrates on the core privacy authorization while abstracting data models and user-authentication from all deployment details such as data model or user-authentication. An EPAL policy defines lists of hierarchies of data-categories, data-users, and purposes, and sets of (privacy) actions, obligations, and conditions. Data-users are the entities (users/groups) that use collected data (e.g., travel expense department or tax auditor). Data-categories define different categories of collected data that are handled differently from a privacy perspective (e.g., medical-record vs. contact-data). Purposes model the intended service for which data is used (e.g., processing a travel expense reimbursement or auditing purposes). These elements are then used to formulate privacy authorization rules that allow or deny actions on data-categories by data-users for certain purposes under certain conditions while mandating certain obligations. EPAL policies can be used as templates, exchanged with business partners, ported to different applications within and between enterprises for complex purpose-based data authorization and privacy policy enforcement. As such, EPAL is not only for web-based application policy enforcement, but can be used in a wide range of enterprise application and database systems for systemic privacy policy and data authorization enforcement, template creation, and policy exchange." [adapted from the CFP]
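The rule model described in the CFP passage above can be sketched as a small evaluator. This is an added illustration, not EPAL syntax and not code from IBM or W3C; the hierarchy entries, the first-applicable-rule ordering and the default deny are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed hierarchies (child -> parent), using the passage's example names.
DATA_USERS = {"travel-expense-dept": "finance", "tax-auditor": "auditors"}
DATA_CATEGORIES = {"medical-record": "employee-data", "contact-data": "employee-data"}
PURPOSES = {"travel-reimbursement": "hr-processing", "tax-audit": "auditing"}

def within(item, target, parents):
    """True if item is target or a descendant of target in the hierarchy."""
    while item is not None:
        if item == target:
            return True
        item = parents.get(item)
    return False

@dataclass
class Rule:
    ruling: str                      # "allow" or "deny"
    user: str
    action: str
    category: str
    purpose: str
    condition: Callable[[dict], bool] = lambda ctx: True
    obligations: tuple = ()

def evaluate(rules, user, action, category, purpose, ctx):
    """Return (ruling, obligations) of the first applicable rule.
    Assumption: rules are ordered by precedence; no match means deny."""
    for r in rules:
        if (within(user, r.user, DATA_USERS)
                and action == r.action
                and within(category, r.category, DATA_CATEGORIES)
                and within(purpose, r.purpose, PURPOSES)
                and r.condition(ctx)):
            return r.ruling, r.obligations
    return "deny", ()

# Constructed policy: a negative right listed ahead of a broader positive one.
POLICY = [
    Rule("deny", "finance", "read", "medical-record", "hr-processing"),
    Rule("allow", "finance", "read", "employee-data", "hr-processing",
         condition=lambda ctx: ctx.get("consent") is True,
         obligations=("delete-after-30-days",)),
    Rule("allow", "auditors", "read", "contact-data", "auditing",
         obligations=("log-access",)),
]
```

A request is authorized only for the stated purpose: the same data-user reading the same data-category for a purpose no rule covers falls through to the default deny.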
Principal references:
- Privacy Workshop main reference page
- Workshop Call for Participation
- Public archive for the workshop mailing list
- Independent Center for Privacy Protection [Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein]
- The Platform for Privacy Preferences 1.0 (P3P1.0) Specification. W3C Recommendation 16-April-2002.
- W3C Platform for Privacy Preferences (P3P) Project
- W3C Technology and Society Domain
- See: W3C 2002 Workshop on the Future of P3P. November 12-13, 2002. Campus of America Online, Dulles, Virginia, USA.
- See: IBM Enterprise Privacy Authorization Language (EPAL). Note the Reader's Guide to the Documentation.
- "Enterprise Privacy Authorization Language (EPAL)" - Main reference page.
- "Platform for Privacy Preferences (P3P) Project" - Main reference page.
- Security, Privacy, and Personalization. General references.