<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
  <title>Summary Report - W3C Workshop on the Future of P3P</title>
  <style type="text/css">
.center { text-align: center; }
h1, h2, h3, h4 { background: #fff; color: #005a9c; }</style>
  <link href="http://www.w3.org/StyleSheets/base.css" rel="stylesheet"
  type="text/css" />
  <style type="text/css">
 blockquote.c2 {font-style: italic}
 p.c1 {font-style: italic}</style>
</head>

<body xml:lang="en" lang="en">
<p>Nearby: <a href="http://www.w3.org/2002/p3p-ws/Overview.html">Workshop
home page</a> | <a
href="http://lists.w3.org/Archives/Public/public-p3p-ws/">Workshop mailing
list</a></p>

<div class="center">
<h1><a href="/TandS"><img src="http://www.w3.org/Icons/w3c_home" alt="W3C" />
<img src="http://www.w3.org/Icons/tands" alt="Technology and Society Domain"
/></a></h1>

<h1>Summary Report - W3C Workshop on the Future of P3P</h1>

<h3>Lorrie Cranor and Daniel Weitzner, Workshop Co-Chairs</h3>
</div>

<p>On November 12-13, 2002, W3C held a Workshop on the Future of P3P at the
AOL campus in Dulles, VA. <a
href="http://www.w3.org/2002/p3p-ws/registrants.html">Fifty-six participants
registered</a> from the following organizations: AOL, AT&amp;T, BITS, CDT,
Citigroup, Coremetrics, DoubleClick, European Commission, EPIC, Ericsson,
Ernst and Young, Federal Trade Commission, Fidelity, Hogan &amp; Hartson,
Hunton and Williams, IBM, Information and Privacy Commission/Ontario,
Internet Education Foundation, Microsoft, Netscape Communications, NeuStar,
Office of the New York Attorney General, Privacy Regulation Report,
PricewaterhouseCoopers, Siemens, Sun Microsystems, Technische Universit&auml;t
M&uuml;nchen, TRUSTe, University of California Berkeley, Catholic University
Leuven, Wilmer Cutler and Pickering, and W3C.</p>

<p>The workshop program included eight panel discussions on specific topics
related to the future of P3P, and a closing discussion about next steps. In
the sections below we provide a summary of each discussion and
recommendations on how to proceed. We also include links to detailed notes
that have been provided by workshop participants. The <a
href="http://www.w3.org/2002/p3p-ws/pp/">position papers</a> submitted by the
workshop participants also provide further details on these issues.</p>

<h2>Vocabulary Issues</h2>

<p>[<a href="http://www.w3.org/2002/p3p-ws/minutes/vocabulary.html">Detailed
Notes</a>]</p>

<p>Panelists: Brian Zwit (AOL), Andrew Bybee (Microsoft), Matthias Schunter
(IBM), Giles Hogben (JRC), Cheryl Charles (BITS); Moderator: Lorrie Cranor
(AT&amp;T)</p>

<p>The focus of this panel was on identifying specific issues with the P3P
vocabulary that are causing problems in practice.</p>

<h3>Primary vs. secondary data use</h3>

<p>The PURPOSE elements in P3P vocabulary focus on describing secondary data
uses. Primary data uses, for the most part, get covered by the "current"
purpose. As a result, web sites cannot explain what their primary data uses
are, except in the CONSEQUENCE field. Sites might want to explain, for
example, that a cookie is being used to authenticate a user to a web site.</p>

<h3>Disclosures necessary for compliance with EU Directive</h3>

<p>There are some disclosures required by the EU Directive that are not
accommodated by the P3P vocabulary. For example, there is no element to
explain what jurisdiction data is going to, no element to explain a company's
security practices, and no element to describe maximum data retention period.
There may be ways to accommodate some of these disclosures using the
human-readable fields in the P3P vocabulary or the extension mechanism. The
security disclosure was not included in the P3P vocabulary because of
concerns that it was not a meaningful disclosure.</p>

<h3>Mismatch between users' and companies' needs</h3>

<p>Users want privacy policies to be relatively simple; however, corporations
often want to convey very detailed information in their privacy policies in
order to comply with laws and explain the motivation behind some of their
data practices. The P3P vocabulary probably provides more information than
most users really want, but good user agent implementations can hide much of
the extra complexity from users. Some people want to see even more detail
added to the P3P vocabulary, regardless of whether or not user agents make
use of it.</p>

<h3>Financial industry concerns</h3>

<p>BITS raised concerns that P3P user agents raise warning flags about some
financial web sites, even though those sites are in full compliance with
GLBA. For example, P3P user agents may draw attention to the fact that users
may not be offered opt-outs. In the discussion that followed people said that
while GLBA may permit a financial institution to use data in certain ways
without offering an opt-out, there was no reason that a P3P user agent should
not be able to alert users to this practice. There was a general consensus
that the concerns raised were more about specific user agent implementations
rather than the P3P vocabulary. In addition, part of BITS's concerns is due to
questions they have about the legal standing of P3P policies and how regulators
would be likely to view differences between a P3P policy and a human-readable
privacy policy.</p>

<h3>Other issues</h3>

<p>Some concerns were raised about the difficulty in describing agent or
partner relationships. The need to specify how to use P3P with web services
was also raised as an important issue.</p>

<h2>User and Implementer Issues</h2>

<p>[<a href="http://www.w3.org/2002/p3p-ws/minutes/experiences.html">Detailed
Notes</a>]</p>

<p>Panelists: Brian Tretick (Ernst and Young), Brooks Dobbs (DoubleClick),
Jack Humphrey (Coremetrics), Lorrie Cranor (AT&amp;T), Steven B. Adler (IBM
Tivoli Security and Privacy)</p>

<p>This session included a review of some surveys on P3P adoption rate and
use of the AT&amp;T Privacy Bird P3P user agent. Current indications are that
a significant fraction of web sites have adopted P3P (about 25% of top 100),
but adoption rate has slowed. The reasons for the slowdown likely have to do
with the general state of the economy and privacy officer teams being
downsized. Legal uncertainty may also play a role. Feedback on AT&amp;T
Privacy Bird has been positive, and users say they would like to be able to
take privacy policies into consideration in their buying decisions. More work
is needed to improve policy summary format. Besides web site adoption and P3P
user agents, we are also seeing companies building P3P into back-end
products, for example the IBM Tivoli Privacy Manager.</p>

<p>Web sites have encountered some problems in describing agent relationships
with P3P. Sites would like to be able to explain who they are acting as an
agent for, and also to explain when cookies that appear to be third-party by
domain name are not really third-party. Sites would also like to set up P3P
policies for their agents or companies that they are acting as an agent for;
however, besides the technical limitations of P3P, there are concerns about
companies declaring policies for other companies.</p>

<p>Going forward there is a need to specify how P3P can be used without
binding it to HTTP and/or URIs so that it can be used with web services and
other emerging standards and applications.</p>

<h2>Compact Policies, Cookies, and Performance Issues</h2>

<p>[<a href="http://www.w3.org/2002/p3p-ws/minutes/compact.html">Detailed
Notes</a>]</p>

<p>Panelists: Bill Duserick (Fidelity), Giles Hogben (JRC), Brooks Dobbs
(DoubleClick), Andrew Bybee (Microsoft); Moderator: Lorrie Cranor
(AT&amp;T)</p>

<p>Many sites are finding P3P compact policies to be problematic. While not
required by the specification, sites must implement them to avoid third-party
cookie blocking, so they are turning out to be fairly important. The main
problems people have with compact policies are a) there are concerns that the
semantics of what a compact policy means are not fully understood, b) because
there is no grouping mechanism in the compact policy, there is no way to
indicate that a particular purpose applies only to a particular type of data
rather than to all types of data referenced in the CP, c) there is no way to
convey agent relationships in a CP (as discussed in the previous session). A
short-term fix for (b) may be to add a grouping token to the CP.</p>
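
<p>Problem (b) above, worked through as an added example that is not part of
the original report: it collapses a two-statement policy into a compact policy,
parses the CP back, and lists the purpose/data-category pairs that the CP
implies but the full policy never declared. The token groups follow the P3P
1.0 compact policy vocabulary; the sample statements are constructed and the
function names are hypothetical.</p>

```python
"""Added example: P3P compact policy (CP) parsing and the cross-product problem."""
import re
from itertools import product

# Three-letter tokens of the P3P 1.0 compact policy vocabulary, by group.
PURPOSES = frozenset("CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP".split())
RECIPIENTS = frozenset("OUR DEL SAM UNR PUB OTR".split())
RETENTIONS = frozenset("NOR STP LEG BUS IND".split())
CATEGORIES = frozenset(
    "PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC".split())
# Access, disputes, remedies, non-identifiable and test tokens.
OTHER = frozenset("NOI ALL CAO IDC OTI NON DSP COR MON LAW NID TST".split())
GROUPS = ("other", "purposes", "recipients", "retention", "categories")


def _base(token):
    """Drop the optional a/i/o (always, opt-in, opt-out) suffix of a token."""
    if len(token) == 4 and token[3] in "aio":
        return token[:3]
    return token


def parse_cp(header_value):
    """Split the CP field of a P3P header value into its token groups."""
    match = re.search(r'CP\s*=\s*"([^"]*)"', header_value)
    if match is None:
        raise ValueError("header value carries no CP field")
    cp = {group: set() for group in GROUPS}
    cp["unknown"] = set()
    for token in match.group(1).split():
        if _base(token) in PURPOSES:
            cp["purposes"].add(token)
        elif _base(token) in RECIPIENTS:
            cp["recipients"].add(token)
        elif token in RETENTIONS:
            cp["retention"].add(token)
        elif token in CATEGORIES:
            cp["categories"].add(token)
        elif token in OTHER:
            cp["other"].add(token)
        else:
            cp["unknown"].add(token)  # a user agent cannot interpret these
    return cp


def collapse(statements):
    """Build CP token groups the way a CP summarizes a full policy:
    the union of every statement's tokens, with statement boundaries lost."""
    cp = {group: set() for group in GROUPS}
    for statement in statements:
        for group in GROUPS:
            cp[group] |= set(statement.get(group, ()))
    return cp


def render_cp(cp):
    """Serialize token groups as a CP field."""
    tokens = [t for group in GROUPS for t in sorted(cp[group])]
    return 'CP="' + " ".join(tokens) + '"'


def implied_pairs(cp):
    """Every (purpose, category) pair a reader of the CP must assume."""
    return set(product(cp["purposes"], cp["categories"]))


def declared_pairs(statements):
    """The (purpose, category) pairs the full policy actually states."""
    pairs = set()
    for statement in statements:
        pairs |= set(product(statement["purposes"], statement["categories"]))
    return pairs


def overclaimed_pairs(statements):
    """Pairs that exist only because the CP has no grouping mechanism."""
    return implied_pairs(collapse(statements)) - declared_pairs(statements)


# Constructed sample policy with two statements (not taken from a real site).
SAMPLE_STATEMENTS = [
    {"purposes": {"CUR", "ADM"}, "recipients": {"OUR"},
     "retention": {"STP"}, "categories": {"NAV", "COM"}},   # clickstream logs
    {"purposes": {"CUR", "TELo"}, "recipients": {"OUR"},
     "retention": {"BUS"}, "categories": {"PHY", "ONL"}},   # contact details
]

if __name__ == "__main__":
    cp = collapse(SAMPLE_STATEMENTS)
    print(render_cp(cp))
    print("declared pairs:", len(declared_pairs(SAMPLE_STATEMENTS)))
    print("implied pairs: ", len(implied_pairs(cp)))
    for purpose, category in sorted(overclaimed_pairs(SAMPLE_STATEMENTS)):
        print("implied but never declared:", purpose, "on", category)
```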

<p>Questions were raised about why CPs are needed at all. They were
originally introduced as a performance optimization. Some participants felt
that user agent performance would not suffer if CPs were eliminated. It was
also suggested that user agents should fall back on full policies if CPs are
not available, even if there is a performance penalty -- then it could be up
to a web site whether it wanted to risk incurring a performance penalty. It
would be useful to have actual performance numbers to discuss.</p>

<p>Concerns were also raised about cookie policies (regardless of CPs). There
is confusion about exactly where to draw the line about what data is linked
to a cookie.</p>

<h2>Identity Management and Negotiation</h2>

<p>[<a
href="http://www.w3.org/2002/p3p-ws/minutes/identitymanagement.html">Detailed
Notes</a>]</p>

<p>Panelists: Ari Schwartz (CDT), Conor Cahill (AOL/Liberty Alliance), Bill
Duserick (Fidelity), Matthias Schunter (IBM), Wolfgang Woerndl (Technische
Universit&auml;t M&uuml;nchen), Giles Hogben (JRC), Christine Varney (Hogan &amp;
Hartson/Liberty Alliance); Moderator: Lorrie Cranor (AT&amp;T)</p>

<p>Early versions of P3P specifications included some concepts of identity
management and negotiation that were eventually removed. Some people have
suggested adding some of this back in. Others have suggested focusing on
working with other groups that are working on these things and making sure
they have hooks to P3P.</p>

<p>We spent a good part of this session discussing the work of the Liberty
Alliance and how it might relate to P3P. The next Liberty Alliance
specification will include the notion of a "container" for expressing privacy
rights. P3P and other languages might be plugged into these containers. The
spec will allow service providers to make requests for specific data elements
that will be used in specific ways. A simple negotiation can then take place.
Guidelines are needed for exactly how to plug P3P in. Currently the Liberty
draft is not public and W3C working groups cannot work under NDA, so the P3P
working group cannot get involved until the Liberty draft is made public,
probably some time first quarter next year. This will not be the final draft,
so there is still an opportunity to comment. There is also the possibility
that in December or January Liberty group may make a pre-release of the
relevant specs available to experts without an NDA.</p>

<p>While the discussion was focused on single-sign-on systems such as
Liberty, there was recognition of the need to accommodate emerging
technologies using multiple identities for a single individual to regain some
degree of pseudonymity.</p>

<p>There was also some discussion about adding a basic consent mechanism to
P3P that would allow users to signal that they agree to a policy.</p>

<h2>Perspectives on P3P Goals</h2>

<p>[<a href="http://www.w3.org/2002/p3p-ws/minutes/P3PGoals.html">Detailed
Notes</a>]</p>

<p>Panelists: Christine Varney (Hogan &amp; Hartson), Ruchika Agrawal (EPIC),
Deirdre Mulligan (University of California, Berkeley), Diana Alonso Blas
(European Commission), Michael Waidner (IBM); Moderator: Lorrie Cranor
(AT&amp;T)</p>

<p>Christine Varney (former FTC commissioner) expressed her view that
the original goal of P3P was to let technology take a lead in addressing online
privacy issues and identify areas for regulation where technology fails. She
said she views P3P as a success. In response to questions throughout the day
about legal consequences of P3P policies, she stated that she believes P3P
policies have legal consequences and that sites that misrepresent themselves
in either their P3P policies or their human-readable policies might be
prosecuted for deception.</p>

<p>Ruchika Agrawal presented a detailed definition of Privacy Enhancing
Technologies (PETs) and concluded that P3P is not a PET because it does not
address all of the Fair Information Principles. She said it needs to be made
more clear what P3P does and what it doesn't do. Several people responded
that they felt P3P has clearly been presented as a tool for notice and choice
/ transparency, and that it would be difficult to make progress on every FIP
with a single tool. There were some suggestions that future work might
explore increasing emphasis on the choice and control aspect of P3P through
negotiation, consent, or feedback mechanisms, or new P3P applications that
would go beyond simply giving users notice to giving them some actual
controls.</p>

<p>Deirdre Mulligan said that P3P had the very modest goal of giving people
an automated way of figuring out what web sites were going to do with their
information. She suggested that going forward we may want to look at some
domain-specific extensions to P3P and also find ways of bundling P3P with
other privacy tools. She also stated that while there was room for
improvements and further work, she did not feel that privacy policies had
gotten any more confusing as a result of P3P.</p>

<p>Diana Alonso-Blas gave an EU perspective on P3P. She said that initially
the EU had many concerns about P3P. However, they have fewer concerns now and
believe P3P is on the right track, although some concerns still remain. P3P
should not be thought of as a classical PET, but a tool for transparency and
consumer awareness. Law in and of itself will not solve all the problems, and
P3P can play a role. More work is needed to explore how P3P can be used as a
tool box in various regulatory environments -- not just in one country's
context. In addition P3P and PETs need to be integrated into other
technologies. She expressed some specific concerns about the ability to
express EU Directive Article 10 requirements in P3P. She also said that
compliance with P3P policies needs to be addressed, and that auditing tools
may play a role.</p>

<p>Michael Waidner discussed the differences between privacy promises and
privacy practices. While P3P allows companies to make privacy promises,
additional tools are needed to help enforce these promises in practice in the
enterprise. More work is needed on bringing P3P into business-to-business
relationships and into back-end systems. Questions were raised about how to
make sure consumers were represented in future P3P work. There was also some
discussion about needing a more holistic approach to privacy, putting P3P in
the context of other PETs as well as legislation. Some time was spent
discussing the role of transparency. Several people said that increased
transparency tends to motivate companies to improve their practices, and also
helps identify irregularities and problems. In addition, transparency has
some value to users in and of itself because it gives them more understanding
and is the first step towards allowing them to make choices and take
control.</p>

<p>Finally, Ruchika Agrawal voiced the concern that by offering users
increased technical options for protecting privacy P3P may be hampering
arguments to pass new privacy legislation, especially in the US.</p>

<h2>Legal Issues</h2>

<p>[<a href="http://www.w3.org/2002/p3p-ws/minutes/legal.html">Detailed
Notes</a>]</p>

<p>Panelists: Diana Alonso Blas (European Commission), Jos Dumortier
(University of Leuven), Dan Schutzer (Citigroup), Ann Cavoukian (Ontario
IPC), David Stampley (Office of the Attorney General, State of New York);
Moderator: Daniel Weitzner (W3C)</p>

<p>The legal issues panel brought together business and international
regulatory perspectives on a few key issues that are raised by P3P deployment
in a commercial context:</p>
<ul>
  <li>What is the role of P3P technology in the larger privacy policy
    framework?</li>
  <li>What legal force do P3P policy statements have for site operators,
    users and regulators?</li>
  <li>Is the P3P vocabulary adequately expressive?</li>
  <li>What happens when a user agent renders a P3P statement incorrectly or
    contrary to the intent of the service operator?</li>
  <li>Can and should automatic consent mechanisms be built on top of the P3P
    infrastructure?</li>
</ul>

<h3>Openness and Transparency: P3P is necessary but not sufficient for online
privacy protection</h3>

<p>P3P occupies a unique role in the overall privacy policy and technology
landscape. Ontario Privacy Commissioner Ann Cavoukian stressed the critical
role that P3P plays in meeting consumers' notice and choice needs. "Openness
and transparency are absolutely essential for privacy," she said. "It is
where you begin." While P3P does not itself solve all privacy problems
online, it is a critical and even necessary part of addressing privacy needs
on the Web. Daniel Weitzner cited a remark by German Data protection
Commissioner Alexander Dix to explain this view. Dix has described P3P as
"necessary but not sufficient." It is necessary to have a standard,
machine-readable privacy vocabulary for the Web in order to satisfy the basic
Fair Information Practice requirements of notice and informed choice. Yet P3P
or any other such technical standard is not, by itself, sufficient because it
does not address other fundamental privacy needs such as purpose limitation
or security, nor does it in and of itself provide for the enforcement of
privacy rights when they are breached.</p>

<p>For as much as P3P is necessary, it also introduces a novel third tier in
the generally bilateral privacy relationship that has existed between web
services and consumers. Without P3P, notice and consent have been
expressed in bilateral communications between service provider (data
collector) and consumer (data subject). P3P adds a third element to the
communication in that it depends on a user agent positioned between the user
and the service. The user agent has the new role of parsing and possibly
taking action on the user's behalf based on the contents of the
machine-readable P3P policy. The introduction of this third component raises
several issues discussed by the panel.</p>

<h3>Legal force of P3P policies</h3>

<p>All of the regulators (Canadian, European and United States) represented
on the panel expressed the opinion that P3P policy statements (in XML) are
equally as binding on service operators as are the human-readable policies
that web sites generally post. Whether a policy is in a machine-readable code
that is translated by a user agent, or simply in HTML on a web site, the
policy constitutes a representation to consumers on which they can be
expected to rely.</p>

<h3>Expressiveness of P3P policies: The proper relationship between P3P
statements and human-readable policies</h3>

<p>Recognizing that sites may be held accountable for the contents of their
P3P policies, some expressed a variety of concerns:</p>
<ul>
  <li>that the P3P vocabulary is not sufficiently expressive to capture the
    nuances in their natural language policy statements,</li>
  <li>that conflicts between the P3P statements and the privacy policies
    expressed in natural language would create unmanageable liability for
    sites, and</li>
  <li>that user agents might render policies in a manner not consistent with
    the service provider's intention or the P3P Recommendation.</li>
</ul>

<p>Citibank and BITS expressed the view that because of these concerns, P3P
policy statements should be considered informative but not legally binding.
The P3P Recommendation <a
href="http://www.w3.org/TR/P3P/#Policies">states</a> that</p>

<blockquote>
  <p>In cases where the P3P vocabulary is not precise enough to describe a
  Web site's practices, sites should use the vocabulary terms that most
  closely match their practices and provide further explanation in the
  CONSEQUENCE field and/or their human-readable policy. However, policies
  MUST NOT make false or misleading statements.</p>
</blockquote>

<p>Beyond that, most of the panel felt that it is not appropriate for W3C to
attempt to define the precise legal or regulatory significance of P3P or any
other technical specification. Moreover, the regulators suggested that even
if the P3P Recommendation contained a disclaimer of the legal significance of
P3P statements, regulators would draw their own conclusions and likely
determine that P3P statements do, in fact, bind those who make them in a
consumer context. Professor Jos Dumortier pointed out that P3P ought to be
considered similar to any other type of commercial communication. Though
commercial web sites do exercise care in making commercial communications
online, they have become comfortable with the practice. Prof. Dumortier
suggests that the same degree of comfort will develop with P3P as deployment
levels increase. Panelists noted the strong link between this issue and the
request from a number of workshop participants to further specify user agent
behavior (including standard natural language expressions associated with
statement elements).</p>

<h3>Predictability of User Agent Behavior</h3>

<p>Throughout the workshop, various participants have sought mechanisms by
which it would be possible to specify user agent behavior more precisely,
especially in the rendering of P3P statements to the user. This requirement
was strengthened somewhat on this panel with the suggestion from regulators
that to the extent user agents render policies incorrectly, or at variance
from the expectations of the service provider, users cannot be expected
to bear the burden or risk from any resulting confusion.</p>

<h3>Prospects for machine-assisted consent mechanisms in the background</h3>

<p>Among the possible future work items considered in the workshop is a
mechanism to enter into binding agreements on privacy policies expressed in
P3P. Under this proposal, P3P vocabulary would be used to express the terms
of a proposed agreement under which personal information would be exchanged
(an offer), and some combination of audit and signature technology would be
used to record the agreement (acceptance) of the policy. Though the panel did
not have the chance to consider specific implementation details, regulators
and other panelists agreed that under such a system it would be possible to
achieve legally-sufficient consent to data collection policies.</p>

<h2>User Agent Guidelines and Conformance</h2>

<p>[<a href="http://www.w3.org/2002/p3p-ws/minutes/conformance.html">Detailed
Notes</a>]</p>

<p>Panelists: Lorrie Cranor (AT&amp;T), Brian Zwit (AOL), Matthias Schunter
(IBM), Giles Hogben (JRC), Marty Abrams (Hunton &amp; Williams), Ian Jacobs
(W3C); Moderator: Daniel Weitzner (W3C)</p>

<p>Concerns have been raised about the accuracy of P3P user agents and about
the fact that user agents, not web sites, control the presentation of
P3P-related information to end users. The P3P specification places few
requirements on and offers limited guidance to user agent implementers. As a
result we are seeing inconsistent interpretations of P3P policies and some
errors by well-intentioned implementers. We might imagine more severe
problems caused by less well-intentioned implementers. While working group
members have been reluctant to constrain implementers in ways that do not
impact interoperability, there seems to be interest in the development of
some guidelines for implementers, especially in the area of how to present
the P3P vocabulary elements to end users. Such guidelines would ease some of
the concerns web sites have and some of the implementers indicated they would
welcome guidelines because they would remove some of the burden they have of
trying to make judgment calls about how to present the P3P vocabulary to end
users. Whether any of these guidelines might turn into requirements and what
their official status might be is a question for further discussion.</p>

<p>Marty Abrams discussed a project to develop "short notices" versions of
privacy policies. He said short notices should have at most seven elements.
He was interested in exploring the idea of expressing P3P policies as short
notices.</p>

<h2>Mobile Devices and Location Privacy</h2>

<p>[<a href="http://www.w3.org/2002/p3p-ws/minutes/mobile.html">Detailed
Notes</a>]</p>

<p>Panelists: John Morris (CDT), Helena Lindskog (Ericsson), Jorge Cueller
(Siemens), Becky Richards (TRUSTe), Yirong Xu (IBM); Moderator: Daniel
Weitzner (W3C)</p>

<p>New mobile web services bring privacy challenges both in the types of
applications they seek to offer and in the architectural constraints unique
to the mobile environment. Unlike the traditional applications context of the
web (personal computers with large screens and relatively high-bandwidth
connections to the Net), mobile appliances will tend to rely on server-side
processing of much information (including privacy preference data) and will
have severe bandwidth constraints. Hence solutions to respect user privacy
must be developed that meet these new requirements. Lindskog has <a
href="http://www.w3.org/2002/p3p-ws/pp/ericsson.pdf">suggested</a> that it is
possible to use P3P together with CC/PP to accomplish efficient transfer of
personal information at the same time as full consent is obtained for data
collection. Xu offers an <a
href="http://www.w3.org/2002/p3p-ws/pp/ibm-server-centric.pdf">architecture</a>
for server-side processing of P3P preference data. Reactions to server-side
processing noted various privacy risks associated with transporting user
privacy preferences to untrusted servers, however.</p>

<p>Mobile services will offer a wide range of applications based on the
location of the user. Location data is clearly quite sensitive from a privacy
perspective and all agree that these applications must extend meaningful
control over the use of users' location data. P3P is seen as a valuable
component to both mobile web applications as well as services that are not
based on http. Morris noted that abstracting the P3P vocabulary from its
implicit http binding would be important if P3P is to meet the privacy needs
identified by the IETF GEOPRIV working group for services such as SIP, SIMPLE
and JABBER. Cueller points out that privacy statements must be able to make
reference not just to a user's location data, but also to other state and
presence information that is important but privacy sensitive.</p>

<h2>Next Steps</h2>

<p>[<a href="http://www.w3.org/2002/p3p-ws/minutes/next-steps.html">Detailed
Notes</a>]</p>

<p>Workshop participants identified a list of areas for possible further work
on P3P. Participants were then divided into small groups to discuss and
prioritize the list. Individuals volunteered to write up one-page proposals
on how to proceed with the items they were most interested in. The areas we
identified as well as links to the writeups produced since the workshop are
as follows:</p>

<p>1. Vocabulary issues (high priority - mostly for P3P1.1, maybe some for
P3P2.0)</p>

<blockquote>
  <p>a. EU Directive Article 10 issues [<a
  href="http://lists.w3.org/Archives/Public/public-p3p-ws/2002Dec/0003.html">Alonso-Blas/Hogben</a>]</p>

  <p>b. primary data uses [<a
  href="http://lists.w3.org/Archives/Public/public-p3p-ws/2002Dec/0002.html">Cranor</a>]</p>

  <p>c. general vocab review [<a
  href="http://lists.w3.org/Archives/Public/public-p3p-ws/2002Dec/0002.html">Cranor</a>]
  (maybe long term)</p>
</blockquote>

<p>2. Add element to indicate agent status, multiple domains owned by same
company, etc. [<a
href="http://lists.w3.org/Archives/Public/public-p3p-ws/2002Dec/0009.html">Zwit</a>]
(high priority - possibly for P3P 1.1, otherwise for P3P 2.0)</p>

<p>3. Clarify spec ambiguities [<a
href="http://lists.w3.org/Archives/Public/public-p3p-ws/2002Dec/0007.html">Schunter</a>]
(short term high priority)</p>

<p>4. Compact policies (high priority for 1.1)</p>

<blockquote>
  <p>a. What are performance issues that motivate CP and what are alternative
  approaches? Where exactly is the problem? [<a
  href="http://lists.w3.org/Archives/Public/public-p3p-ws/2002Dec/0010.html">Dobbs</a>]</p>

  <p>b. Semantic issues [<a
  href="http://lists.w3.org/Archives/Public/public-p3p-ws/2002Dec/0011.html">Dobbs</a>]</p>

  <p>c. Cross-product problem -- need for grouping mechanism [<a
  href="http://lists.w3.org/Archives/Public/public-p3p-ws/2002Dec/0012.html">Dobbs</a>]</p>
</blockquote>

<p>5. User agent behavior [<a
href="http://lists.w3.org/Archives/Public/public-p3p-ws/2002Dec/0009.html">Zwit</a>]
(high priority, either short term or long term)</p>

<blockquote>
  <p>Human readable notices</p>
  <ul>
    <li>user friendly version in spec (must, should, or reference
    examples)</li>
    <li>coordinate with short notices</li>
  </ul>
</blockquote>

<p>6. Statements in the spec to better articulate what P3P is and isn't [<a
href="http://lists.w3.org/Archives/Public/public-p3p-ws/2002Dec/0009.html">Zwit</a>]
(short term high priority)</p>

<p>7. How to use P3P independently of HTTP binding and possibly with
references to objects that have no URIs [<a
href="http://lists.w3.org/Archives/Public/public-p3p-ws/2003Jan/0003.html">Weitzner</a>]
(quick win)</p>

<p>8. Consent recording mechanism [<a
href="http://lists.w3.org/Archives/Public/public-p3p-ws/2002Dec/0008.html">Schunter</a>]
(long term high priority, not a priority short term)</p>

<p>9. Feedback channel (little interest)</p>

<p>10. User preference language -- APPEL, etc. [<a
href="http://lists.w3.org/Archives/Public/public-p3p-ws/2002Dec/0006.html">Hogben</a>]
(high priority)</p>

<blockquote>
  <p>a. ontology - default languages</p>
</blockquote>

<p>11. Convert P3P data schema to XML schema [<a
href="http://lists.w3.org/Archives/Public/public-p3p-ws/2002Dec/0005.html">Hogben</a>]
(low priority but might be quick win)</p>

<p>12. Coordination with other efforts [<a
href="http://lists.w3.org/Archives/Public/public-p3p-ws/2003Jan/0004.html">Weitzner</a>]
(high priority for both short term and long term)</p>
<ul>
  <li>Liberty Alliance</li>
  <li>Other authentication efforts</li>
  <li>Web services/SOAP</li>
  <li>Geopriv</li>
  <li>Short notices</li>
  <li>DAML</li>
</ul>

<p>13. Add XML signatures to P3P [<a
href="http://lists.w3.org/Archives/Public/public-p3p-ws/2002Dec/0004.html">Hogben</a>]
(low priority but might be quick win)</p>

<p>14. P3P in backend databases (little interest -- can be done by individual
companies without W3C coordination)</p>

<p>15. Using P3P for identity management (independent of other efforts,
little interest)</p>

<p>16. Outreach - to be covered by POWG</p>

<h2>Recommendations</h2>

<p>A variety of areas of future work were identified for both the short-term
and long-term. The consensus was that the immediate next steps should be to
charter a working group with a duration of approximately one year to work on
the short-term priorities that can be addressed quickly and may impact
adoption, and to coordinate with other efforts. This working group would aim
to produce a P3P version 1.1 that is backwards compatible with P3P 1.0,
perhaps by using the existing extension mechanism. Workshop participants will
be supplying short proposals for work in the coming weeks. These will be
added to this report as they are received and evaluated.</p>

<p>Further discussions are needed about longer term work. We expect to hold a
second workshop in Summer 2003 to discuss longer term issues and make
recommendations about how to proceed in addressing them.</p>
<hr />

<p class="copyright"><a rel="Copyright"
href="/Consortium/Legal/ipr-notice#Copyright">Copyright</a> &copy; 2002-2003 <a
href="/"><acronym
title="World Wide Web Consortium">W3C</acronym></a><sup>&reg;</sup> (<a
href="http://www.lcs.mit.edu/"><acronym
title="Massachusetts Institute of Technology">MIT</acronym></a>, <a
href="http://www.ercim.org/"><acronym
title="European Research Consortium for Informatics and Mathematics">ERCIM</acronym></a>,
<a href="http://www.keio.ac.jp/">Keio</a>), All Rights Reserved. W3C <a
href="/Consortium/Legal/ipr-notice#Legal_Disclaimer">liability</a>, <a
href="/Consortium/Legal/ipr-notice#W3C_Trademarks">trademark</a>, <a
rel="Copyright" href="/Consortium/Legal/copyright-documents">document use</a>
and <a rel="Copyright" href="/Consortium/Legal/copyright-software">software
licensing</a> rules apply. Your interactions with this site are in accordance
with our <a href="/Consortium/Legal/privacy-statement#Public">public</a> and
<a href="/Consortium/Legal/privacy-statement#Members">Member</a> privacy
statements.</p>
</body>
</html>