W3C Releases Revised Platform for Privacy Preferences (P3P v1.1) Specification.
An updated Working Draft of The Platform for Privacy Preferences 1.1 (P3P 1.1) Specification has been produced by members of the W3C P3P Specification Working Group. Work on this document has been managed as part of the Privacy Activity within the W3C Technology and Society Domain.
P3P is designed as a "standardized set of multiple-choice questions covering all the major aspects of a Web site's privacy policies. Taken together, they present a clear snapshot of how a site handles personal information about its users. The P3P specification brings ease and regularity to Web users wishing to decide whether and under what circumstances to disclose personal information. User confidence in online transactions increases as they are presented with meaningful information and choices about Web site privacy practices."
P3P is now emerging "as an industry standard providing a simple, automated way for users to gain more control over the use of personal information on Web sites they visit. The privacy of an individual's personal data on the Internet is a top concern for business, government, media and the public. Opinion surveys consistently show that privacy concerns are a leading impediment to the further growth of Web-based commerce. Initial efforts by Web sites to publicly disclose their privacy policies have had some impact. But these policies are often difficult for users to locate and understand, too lengthy for users to read, and change frequently without notice."
P3P-enabled Web sites make privacy information available in a standard, machine-readable format, and P3P-enabled browsers can read the snapshot automatically, comparing it to the consumer's own set of privacy preferences.
The current P3P v1.1 document, along with its normative references, "includes all the specification necessary for the implementation of interoperable P3P 1.1 applications. P3P 1.1 is based on the P3P 1.0 Recommendation and adds some features using the P3P 1.0 Extension mechanism. It also contains a new binding mechanism that can be used to bind policies for XML Applications beyond HTTP transactions."
W3C has provided several developer tools and guidelines to assist website administrators. Web sites "can implement P3P 1.1 on their servers by translating their human-readable privacy policies into P3P syntax and then publishing the resulting files along with a policy reference file that indicates the parts of the site to which the policy applies. Automated tools can assist site operators in performing this translation. P3P 1.1 can be implemented on existing HTTP/1.1-compliant Web servers without requiring additional or upgraded software. Servers may publish their policy reference files at a well-known location, or they may reference their P3P policy reference files in HTML/XHTML content using a link tag. Alternatively, compatible servers may be configured to insert a P3P extension header into all HTTP responses that indicates the location of a site's P3P policy reference file."
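The three publication mechanisms described above can be checked against a single HTTP response. The following is an added example, not code from the W3C or from this article: the well-known path `/w3c/p3p.xml`, the `policyref` field of the `P3P` header and the `rel="P3Pv1"` link relation are taken from the P3P specification, while the host name, file paths and sample response are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

WELL_KNOWN_PATH = "/w3c/p3p.xml"  # well-known location defined by the P3P specification
POLICYREF_RE = re.compile(r'policyref\s*=\s*"([^"]*)"', re.IGNORECASE)

# Constructed sample response (not captured from a real site).
SAMPLE_URL = "http://shop.example.com/catalog/item?id=1"
SAMPLE_HEADERS = {"Content-Type": "text/html",
                  "P3P": 'policyref="/P3P/PolicyReferences.xml", CP="NON DSP COR"'}
SAMPLE_HTML = ('<html><head><link rel="P3Pv1" '
               'href="http://shop.example.com/w3c/alt-p3p.xml"></head></html>')

class _LinkFinder(HTMLParser):
    """Collects href values of <link rel="P3Pv1"> elements."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() == "p3pv1" and a.get("href"):
            self.hrefs.append(a["href"])

def locate_policy_refs(page_url, headers, html):
    """Return {mechanism: absolute URL} for each place a policy reference file may be found."""
    found = {"well-known": urljoin(page_url, WELL_KNOWN_PATH)}
    for name, value in headers.items():
        if name.lower() == "p3p":            # header names are case-insensitive
            m = POLICYREF_RE.search(value)
            if m:
                found["http-header"] = urljoin(page_url, m.group(1))
    finder = _LinkFinder()
    finder.feed(html)
    if finder.hrefs:
        found["link-tag"] = urljoin(page_url, finder.hrefs[0])
    return found

if __name__ == "__main__":
    for mechanism, url in locate_policy_refs(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML).items():
        print(f"{mechanism:12} {url}")
```

The well-known entry is only a candidate URL; whether a file actually exists there has to be confirmed by fetching it.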
Changes in P3P Version 1.1 have been based upon feedback provided at a Workshop in Dulles/Virginia and a Workshop in Kiel/Germany. "To the extent that suggestions have found sufficient support, they are now included in this new P3P 1.1 Working Draft. All new features are built using P3P's own Extension mechanism. Those extensions are contained in a new XML Schema in Appendix 5 and carry their own new namespace."
The Platform for Privacy Preferences 1.1 (P3P1.1) Specification. W3C Working Draft. 4-January-2005. Version URL: http://www.w3.org/TR/2005/WD-P3P11-20050104/. Edited by Rigo Wenning (W3C / ERCIM). Latest Version URL: http://www.w3.org/TR/P3P11/. Previous Version URL: http://www.w3.org/TR/2004/WD-P3P11-20040720/.
Working Draft Authors: Lorrie Cranor (CMU - P3P 1.0 and P3P 1.1), Brooks Dobbs (Doubleclick Inc. - P3P 1.1), Serge Egelman (CMU - P3P 1.1), Giles Hogben (Joint Research Center of the European Commission - P3P 1.1), Jack Humphrey (Coremetrics), Marc Langheinrich (ETH Zurich - P3P 1.0), Massimo Marchiori (W3C/MIT/University of Venice - P3P 1.0), Martin Presler-Marshall (IBM - P3P 1.0), Joseph Reagle (W3C/MIT - P3P 1.0), Matthias Schunter (IBM - P3P 1.1), David A. Stampley (Invited Expert), and Rigo Wenning (W3C). See also the Working Group Contributors in (non-normative) Appendix 8.
"The Platform for Privacy Preferences Project (P3P) enables Web sites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. P3P user agents will allow users to be informed of site practices (in both machine- and human-readable formats) and to automate decision-making based on these practices when appropriate. Thus users need not read the privacy policies at every site they visit.
Although P3P provides a technical mechanism for ensuring that users can be informed about privacy policies before they release personal information, it does not provide a technical mechanism for making sure sites act according to their policies. Products implementing this specification MAY provide some assistance in that regard, but that is up to specific implementations and outside the scope of this specification. However, P3P is complementary to laws and self-regulatory programs that can provide enforcement mechanisms. In addition, P3P does not include mechanisms for transferring data or for securing personal data in transit or storage. P3P may be built into tools designed to facilitate data transfer. These tools should include appropriate security safeguards.
The P3P1.1 specification defines the syntax and semantics of P3P privacy policies, and the mechanisms for associating policies with Web resources. P3P policies consist of statements made using the P3P vocabulary for expressing privacy practices. P3P policies also reference elements of the P3P base data schema — a standard set of data elements that all P3P user agents should be aware of. The P3P specification includes a mechanism for defining new data elements and data sets, and a simple mechanism that allows for extensions to the P3P vocabulary.
P3P provides a way for a Web site to encode its data-collection and data-use practices in a machine-readable XML format known as a P3P policy. The P3P specification defines:
- A standard schema for data a Web site may wish to collect, known as the 'P3P base data schema'
- A standard set of uses, recipients, data categories, and other privacy disclosures
- A means of associating privacy policies with Web pages or sites, and cookies
- A mechanism for transporting P3P policies over HTTP
The goal of P3P is twofold. First, it allows Web sites to present their data-collection practices in a standardized, machine-readable, easy-to-locate manner. Second, it enables Web users to understand what data will be collected by sites they visit, how that data will be used, and what data/uses they may 'opt-out' of or 'opt-in' to...
P3P policies represent the practices of the site. Intermediaries such as telecommunication providers, Internet service providers, proxies and others may be privy to the exchange of data between a site and a user, but their practices may not be governed by the site's policies. In addition, note that each P3P policy is applied to specific Web resources (Web pages, images, cookies, etc.) listed in a policy reference file. By placing one or more P3P policies on a Web site, a company or organization does not make any statements about the privacy practices associated with other Web resources not mentioned in their policy reference file, with other online activities that do not involve data collected on Web sites covered by their P3P policy, or with offline activities that do not involve data collected on Web sites covered by their P3P policy..." [2005-01-04 spec Introduction]
Enterprise Privacy Authorization Language (EPAL)
In November 2003 W3C acknowledged receipt of IBM's Enterprise Privacy Authorization Language (EPAL) Version 1.2 as a Member Submission request. The specification includes two parts: a prose description of syntax and semantics, with formal definition of the EPAL syntax presented in an XML Schema. The EPAL technical specification defines a "formal language for writing enterprise privacy policies to govern data handling practices in IT systems according to fine-grained positive and negative authorization rights. It concentrates on the core privacy authorization while abstracting data models and user-authentication from all deployment details such as data model or user-authentication..."
Liberty Alliance Architecture Framework for Privacy Preference Expression Languages (PPELs)
Version 1.0 of the Liberty architecture framework for supporting Privacy Preference Expression Languages (PPELs) was released November 12, 2003. 15 pages. It provides the principles for a multi-leveled policy approach.