P3P: The Platform for Privacy Preferences

PLING - W3C Policy Languages Interest Group

3 October 2007: The Policy Languages Interest Group (PLING) was created. Chaired by Marco Casassa-Mont (HP Labs) and Renato Iannella (NICTA), the group is chartered to discuss interoperability, requirements and related needs for integrating, and computing the combined result of, different policy languages used together, for example OASIS XACML (eXtensible Access Control Markup Language), IETF Common Policy and P3P (W3C Platform for Privacy Preferences). Participation is open to W3C Members and the public.

Status: P3P Work suspended

After a successful Last Call, the P3P Working Group decided to publish the P3P 1.1 Specification as a Working Group Note, giving P3P 1.1 a provisionally final state.
The P3P Specification Working Group took this step because there was insufficient support from current browser implementers for implementing P3P 1.1. The P3P 1.1 Working Group Note contains all changes made since the P3P 1.1 Last Call. The Group considers P3P 1.1 ready for implementation, and W3C may still advance P3P 1.1 to Recommendation if there is sufficient implementation support.
On the other hand, P3P remains the basis of a number of research directions in the area of privacy worldwide, for example the PRIME Project and the Policy Aware Web. Many other approaches also follow the descriptive-metadata approach started by P3P. Such projects are invited to send email to <rigo@w3.org> to be listed here.

What is P3P?

The Platform for Privacy Preferences Project (P3P) enables Websites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. P3P user agents will allow users to be informed of site practices (in both machine- and human-readable formats) and to automate decision-making based on these practices when appropriate. Thus users need not read the privacy policies at every site they visit. Have a look at the list of P3P software.

Why is P3P useful?

P3P uses machine-readable descriptions of the collection and use of data. Sites implementing such policies make their practices explicit and thus open them to public scrutiny. Browsers can help users understand those privacy practices with smart interfaces. Most importantly, browsers can in this way develop predictable behavior when blocking content like cookies, which gives eCommerce sites a real incentive to behave in a privacy-friendly way. This avoids the current scattering of cookie-blocking behaviors, each based on heuristics invented by the implementer of the blocking tool, which makes building stateful services on the Web painful because state retrieval becomes unpredictable.

The P3P 1.1 Working Group Note

A number of changes were made in P3P version 1.1. These are intended to be backwards compatible with P3P 1.0; the way compatibility is achieved is described in the P3P 1.1 Specification. The most significant changes are summarized here:

  • All the errata from P3P 1.0 have been incorporated into this specification.
  • In Section 1.3, definitions are now provided for identified, identifiable, linked, and linkable data.
  • In Section 2.3.2.9 an optional OUR-HOST element has been added for declaring domain relationships, allowing user agents to recognize when hosts in different domains are owned by the same entity or entities acting as agents for one another.
  • In Section 2.5 a new P3P generic attribute for XML applications has been added. This is a new mechanism for binding P3P policies to XML elements that describe interfaces, for example, in XForms or WSDL.
  • In Section 3.2.3 and Section 3.3.2 a mechanism has been added for naming P3P STATEMENT elements and grouping STATEMENT elements together. This allows user agents to better organize the summary display of P3P policies.
  • In Section 3.2.7 and Section 3.2.8 new definitions are provided for the DISPUTES and REMEDIES elements and their sub-elements.
  • In Section 3.3.6 a new definition is provided for the RECIPIENT element.
  • In Section 3.4 a new definition is provided for the demographic element.
  • In Section 3.3.5.1 an optional ppurpose element has been added to allow user agents to determine the primary reason why the data recipient is collecting data.
  • In Section 3.3.6.1 an optional JURISDICTION element has been added for declaring the jurisdiction of data recipients.
  • In Section 4 language was added to explain the use of compact policies as a performance optimization, and to emphasize their optional nature and non-authoritative status.
  • In Section 4.2.10 new syntax has been added to provide a compact version of the STATEMENT element for use in compact policies. This allows for the creation of compact policies that make more granular statements about data practices than is possible with the P3P 1.0 syntax.
  • In Section 5, the format for specifying P3P data schemas has been changed substantially so that it is simpler and more standardized than the format used in P3P 1.0. The new format is based on XML Schema Definition (XSD), so data schemas can be validated with standard XML schema tools. In Appendix 3 the P3P base data schema definition has been updated to reflect this change.
  • In Section 6 new user agent guidelines have been added to assist user agent implementers. These guidelines include a set of plain language translations of P3P vocabulary elements.
  • The XML DTD definition for P3P has been removed from the Specification.
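The predictable cookie handling described under "Why is P3P useful?" and the compact policies referred to in the change list above both hinge on what a user agent does with the P3P response header. The following is an added example, not code from W3C, the P3P Working Group or any browser: a user-agent-side evaluator that extracts the CP field from a P3P header, parses it strictly against the P3P 1.0 compact-policy vocabulary, and applies a decision rule. The decision rule, the IDENTIFYING / SENSITIVE_PURPOSES / OUTSIDE_RECIPIENTS sets and the sample header values are assumptions constructed for this example; the rule is modelled on the general notion of an "unsatisfactory" policy and is not the rule of any shipping browser.

```javascript
// Added example (not W3C, working-group or browser code): a user-agent-side
// evaluator for P3P compact policies (CP) carried in the P3P response header.
// The token table is the P3P 1.0 compact-policy vocabulary; the decision rule
// further down is a simplified ASSUMPTION for this example, not any browser's rule.

// Compact-policy tokens, keyed by the policy element they abbreviate.
const CP_TOKENS = {
  NOI: "access", ALL: "access", CAO: "access", IDC: "access", OTI: "access", NON: "access",
  DSP: "disputes",
  COR: "remedies", MON: "remedies", LAW: "remedies",
  NID: "nonIdentifiable",
  CUR: "purposes", ADM: "purposes", DEV: "purposes", TAI: "purposes", PSA: "purposes", PSD: "purposes",
  IVA: "purposes", IVD: "purposes", CON: "purposes", HIS: "purposes", TEL: "purposes", OTP: "purposes",
  OUR: "recipients", DEL: "recipients", SAM: "recipients", UNR: "recipients", PUB: "recipients", OTR: "recipients",
  NOR: "retention", STP: "retention", LEG: "retention", BUS: "retention", IND: "retention",
  PHY: "categories", ONL: "categories", UNI: "categories", PUR: "categories", FIN: "categories", COM: "categories",
  NAV: "categories", INT: "categories", DEM: "categories", CNT: "categories", STA: "categories", POL: "categories",
  HEA: "categories", PRE: "categories", LOC: "categories", GOV: "categories", OTC: "categories",
  TST: "test",
};
// Purpose and recipient tokens may carry a consent suffix: a = always, i = opt-in, o = opt-out.
const SUFFIXABLE = new Set(["ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP",
                            "DEL", "SAM", "UNR", "PUB", "OTR"]);

// Pull the CP="..." field out of a P3P header value such as
//   policyref="/w3c/p3p.xml", CP="NOI DSP COR NID ..."
function extractCompactPolicy(headerValue) {
  const m = /(?:^|[\s,])CP\s*=\s*"([^"]*)"/i.exec(headerValue);
  return m ? m[1] : null;
}

// Parse a compact policy strictly: any token outside the vocabulary, or a consent
// suffix on a token that does not take one, is an error. A lenient parser that
// skipped unknown tokens would let an arbitrary string read as a harmless policy.
function parseCompactPolicy(cp) {
  const policy = { access: [], disputes: false, remedies: [], nonIdentifiable: false,
                   purposes: [], recipients: [], retention: [], categories: [], test: false };
  const tokens = cp.trim().split(/\s+/).filter(Boolean);
  if (tokens.length === 0) throw new Error("empty compact policy");
  for (const tok of tokens) {
    const m = /^([A-Z]{3})([aio])?$/.exec(tok);
    if (!m) throw new Error(`malformed token: ${tok}`);
    const [, base, suffix] = m;
    const kind = CP_TOKENS[base];
    if (!kind) throw new Error(`unknown token: ${tok}`);
    if (suffix && !SUFFIXABLE.has(base)) throw new Error(`suffix not allowed on ${base}`);
    const consent = suffix === "i" ? "opt-in" : suffix === "o" ? "opt-out" : "always";
    if (kind === "purposes" || kind === "recipients") policy[kind].push({ token: base, consent });
    else if (Array.isArray(policy[kind])) policy[kind].push(base);
    else policy[kind] = true; // disputes, nonIdentifiable, test
  }
  return policy;
}

// ASSUMED simplified rule (not the rule of any shipping browser): refuse the cookie
// when the CP is missing or malformed, or when identifying data categories are
// collected for contact/profiling/telemarketing purposes or handed to recipients
// outside the entity without opt-in or opt-out consent.
const IDENTIFYING = new Set(["PHY", "ONL", "GOV", "FIN"]);
const SENSITIVE_PURPOSES = new Set(["CON", "HIS", "TEL", "OTP"]);
const OUTSIDE_RECIPIENTS = new Set(["SAM", "UNR", "PUB", "OTR"]);

function evaluateCookie(headerValue) {
  if (headerValue == null) return { accept: false, reason: "no P3P header" };
  const cp = extractCompactPolicy(headerValue);
  if (cp === null) return { accept: false, reason: "no compact policy in P3P header" };
  let policy;
  try {
    policy = parseCompactPolicy(cp);
  } catch (e) {
    return { accept: false, reason: `malformed compact policy: ${e.message}` };
  }
  if (policy.nonIdentifiable) return { accept: true, reason: "NID: no identifiable data" };
  if (!policy.categories.some((c) => IDENTIFYING.has(c))) {
    return { accept: true, reason: "no identifying data categories" };
  }
  const unconsented = [
    ...policy.purposes.filter((p) => SENSITIVE_PURPOSES.has(p.token)),
    ...policy.recipients.filter((r) => OUTSIDE_RECIPIENTS.has(r.token)),
  ].filter((x) => x.consent === "always").map((x) => x.token);
  if (unconsented.length === 0) return { accept: true, reason: "identifying data used only with consent" };
  return { accept: false, reason: `identifying data without consent: ${unconsented.join(" ")}` };
}

// Constructed sample header values for this example (not captured from any real site).
const SAMPLE_HEADERS = [
  'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI COM NAV STA"',
  'CP="NON DSP COR CUR ADM DEV TAI PSA PSD IVA IVD CONo HISo TELo OTPo OUR DELa SAMa UNRa PUBa OTRa BUS PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC"',
  'CP="NOI DSP COR CUR CONi OUR IND PHY"',
  'CP="This is not a P3P policy"',
  'CP="NOI DSP COR CURa"',
];
for (const h of SAMPLE_HEADERS) {
  const d = evaluateCookie(h);
  console.log(`${d.accept ? "accept" : "reject"}  ${d.reason}  <- ${h.slice(0, 60)}`);
}
```

Two design points matter here. First, the parser fails closed: a CP that is not made of vocabulary tokens (the fourth sample) or that misuses a consent suffix (the fifth) is rejected rather than silently treated as satisfactory, because a user agent that ignores what it does not recognize gives sites a trivial way to satisfy its check without stating any practice. Second, as the change list above notes, a compact policy is an optional performance optimization and is not authoritative; an "accept" from this evaluator is therefore provisional, and the full policy referenced by policyref governs once it has been fetched.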

Background

P3P 1.1 is a direct consequence of the first Privacy Workshop, which took place in 2002 in Dulles, Virginia, and targets short-term improvements like the User Agent Guidelines.
Discussions about longer-term goals were held in Kiel during the second Workshop on the long-term future of Web Privacy. Those were more focused on privacy in the back end.
Most research activities around privacy-enhancing technologies today build on P3P. They advance the general idea of expressing privacy practices in a machine-readable way, but add many missing features. Several such projects are worth mentioning; W3C staff is involved in two of them:

PRIME is a European IST research project that explores the future of privacy-enabled Identity Management. It addresses the widening gap between privacy laws on the one hand and 'real life' in networks on the other through an integrative approach spanning the legal, social, economic and technical areas.

TAMI is a project of the Decentralized Information Group that is part of MIT's Computer Science and Artificial Intelligence Laboratory. The TAMI Project is creating technical, legal, and policy foundations for transparency and accountability in large-scale aggregation and inferencing across heterogeneous information systems. The incorporation of transparency and accountability into decentralized systems such as the Web is critical to help society manage the privacy risks arising from the explosive progress in communications, storage, and search technology.

Policy Aware Web (PAW) is a rule-based policy management system that can be deployed in the open and distributed milieu of the World Wide Web. It creates a Policy Aware infrastructure for the Web using a Semantic Web rules language (N3) with a theorem prover designed for the Web (Cwm). This is designed to enable a scalable mechanism for the exchange of rules and, eventually, proofs, for access control on the Web.