W3C's P3P Specification Working Group has published a First Public Working Draft of The Platform for Privacy Preferences 1.1 (P3P1.1) Specification. This document, along with its normative references, includes all the specification necessary for the implementation of interoperable P3P 1.1 applications. P3P simplifies and automates the process of reading Web site privacy policies, promoting trust and confidence in the Web. P3P version 1.1 is based on the P3P 1.0 Recommendation and adds some features using the P3P 1.0 Extension mechanism. It also contains a new binding mechanism that can be used to bind policies for XML Applications beyond HTTP transactions." New features in P3P 1.1 were developed from suggestions that emerged in a Workshop in Dulles/Virginia and a Workshop in Kiel/Germany. "All new features are built using P3P's own Extension mechanism, defined in version 1.0. Those extensions are contained in a new XML Schema in Appendix 5 and carry their own new namespace. All P3P 1.0 components preserve their old namespace; additionally, the version 1.1 Working Draft contains all the errata to P3P 1.0.

Bibliographic Information

The Platform for Privacy Preferences 1.1 (P3P1.1) Specification. W3C Working Draft 10-February-2004. Edited by Rigo Wenning W3C / ERCIM) Authors: Lorrie Cranor (CMU - P3P 1.0 and P3P 1.1), Marc Langheinrich (ETH Zurich - P3P 1.0), Massimo Marchiori (W3C / MIT / University of Venice - (P3P 1.0), Martin Presler-Marshall (IBM - P3P 1.0), Joseph Reagle (W3C/MIT - P3P 1.0), and Matthias Schunter (IBM - P3P 1.1). Version URL: http://www.w3.org/TR/2004/WD-P3P11-20040210/. Latest Version URL: http://www.w3.org/TR/P3P11/.

Overview

P3P version 1.1 departs from version 1.0 and adds some enhancements and some new constraints. It incorporates all the errata from P3P 1.0 into a new specification. It adds a mechanism to name and group statements together. This allows user agents to organize the summary display of those policies. New user-agent guidelines are provided in Section 6 to get to a common understanding of the interface. The specifiction adds a new generic way of binding P3P Policies to arbitrary XML to allow other XML Applications like XForms or WSDL to use P3P in a very flexible way...'

P3P version 1.0 is a protocol designed to inform Web users of the data-collection practices of Web sites. It provides a way for a Web site to encode its data-collection and data-use practices in a machine-readable XML format known as a P3P policy. The P3P specification defines: (1) A standard schema for data a Web site may wish to collect, known as the 'P3P base data schema'; (2) A standard set of uses, recipients, data categories, and other privacy disclosures; (3) An XML format for expressing a privacy policy; (4) A means of associating privacy policies with Web pages or sites, and cookies; (5) A mechanism for transporting P3P policies over HTTP...

The Platform for Privacy Preferences Project (P3P) enables Web sites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. P3P user agents will allow users to be informed of site practices (in both machine- and human-readable formats) and to automate decision-making based on these practices when appropriate. Thus users need not read the privacy policies at every site they visit. [adapted from the Introduction]

Although P3P provides a technical mechanism for ensuring that users can be informed about privacy policies before they release personal information, it does not provide a technical mechanism for making sure sites act according to their policies. Products implementing this specification MAY provide some assistance in that regard, but that is up to specific implementations and outside the scope of this specification. However, P3P is complementary to laws and self-regulatory programs that can provide enforcement mechanisms. In addition, P3P does not include mechanisms for transferring data or for securing personal data in transit or storage. P3P may be built into tools designed to facilitate data transfer. These tools should include appropriate security safeguards.

The Platform for Privacy Preferences Project (P3P) has been designed to be flexible and support a diverse set of user preferences, public policies, service provider polices, and applications. This flexibility will provide opportunities for using P3P in a wide variety of innovative ways that its designers had not imagined. The P3P Guiding Principles were created in order to: express the intentions of the members of the P3P Working Groups when designing this technology and suggest how P3P can be used most effectively in order to maximize privacy and user confidence and trust on the Web. In keeping with our goal of flexibility, this document does not place requirements upon any party. Rather, it makes recommendations about 1) what should be done to be consistent with the intentions of the P3P designers and 2) how to maximize user confidence in P3P implementations and Web services. P3P was intended to help protect privacy on the Web. We encourage the organizations, individuals, policy-makers and companies who use P3P to embrace the guiding principles in order to reach this goal." [from Appendix 7: "P3P Guiding Principles"]