What is P3P?
The Platform for Privacy Preferences Project (P3P) enables Websites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. P3P user agents will allow users to be informed of site practices (in both machine- and human-readable formats) and to automate decision-making based on these practices when appropriate. Thus users need not read the privacy policies at every site they visit. Have a look at the list of P3P software.
What is new in P3P 1.1
A number of changes were made in P3P version 1.1. They are intended to be backward compatible with P3P 1.0; the P3P 1.1 Specification describes how compatibility is achieved. The most significant changes are summarized here:
- All the errata from P3P 1.0 have been incorporated into this specification.
- In Section 1.3, definitions are now provided for identified, identifiable, linked, and linkable data.
- In Section 2.3.2.9 an optional OUR-HOST element has been added for declaring domain relationships, allowing user agents to recognize when hosts in different domains are owned by the same entity or entities acting as agents for one another.
- In Section 2.5 a new P3P generic attribute for XML applications has been added. This is a new mechanism for binding P3P policies to XML elements that describe interfaces, for example, in XForms or WSDL.
- In Section 3.2.3 and Section 3.3.2 a mechanism has been added for naming P3P STATEMENT elements and grouping STATEMENT elements together. This allows user agents to better organize the summary display of P3P policies.
- In Section 3.2.7 and Section 3.2.8 new definitions are provided for the DISPUTES and REMEDIES elements and their sub-elements.
- In Section 3.36 a new definition is provided for the RECIPIENT element.
- In Section 3.4 a new definition is provided for the demographic element.
- In Section 3.3.5.1 an optional ppurpose element has been added to allow user agents to determine the primary reason why the data recipient is collecting data.
- In Section 3.3.6.1 an optional JURISDICTION element has been added for declaring the jurisdiction of data recipients.
- In Section 4 language was added to explain the use of compact policies as a performance optimization, and to emphasize their optional nature and non-authoritative status.
- In Section 4.2.10 new syntax has been added to provide a compact version of the STATEMENT element for use in compact policies. This allows for the creation of compact policies that make more granular statements about data practices than is possible with the P3P 1.0 syntax.
- In Section 5, the format for specifying P3P data schemas has been changed substantially so that it is now simpler and more standardized than the format used in P3P 1.0. The new format uses the XML Schema Definition Standard (XSD) format, which can be validated against an XML schema. In Appendix 3 the P3P base data schema definition has been updated to reflect this change.
- In Section 6 new user agent guidelines have been added to assist user agent implementers. These guidelines include a set of plain language translations of P3P vocabulary elements.
- The XML DTD definition for P3P has been removed from the Specification.
Status
P3P is part of W3C's Privacy Activity. It currently has one active Group, the public P3P 1.1 Specification Working Group. The Working Group is chartered until 30 September 2006 to finish the P3P 1.1 Last Call and work towards Candidate Recommendation.
Future
P3P 1.1 is a direct consequence of the first Privacy Workshop, which took place in 2002 in Dulles, Virginia, and targets short-term improvements like the User Agent Guidelines. Discussions about longer-term goals were held in Kiel during the second Workshop on the long-term future of Web Privacy. Those were more focused on privacy in the back end.
Most research activities around privacy enhancing technologies today are based on P3P. They advance the general idea of expressing privacy practices in a machine-readable way, while adding many features that P3P lacks. W3C staff is involved in two projects worth mentioning:
PRIME is a European IST research project that explores the future of privacy enabled Identity Management. The PRIME project addresses the widening gap between privacy laws on the one hand and the 'real life' in networks on the other hand through an integrative approach of the legal, social, economic and technical areas.
TAMI is a project of the Decentralized Information Group that is part of MIT's Computer Science and Artificial Intelligence Laboratory. The TAMI Project is creating technical, legal, and policy foundations for transparency and accountability in large-scale aggregation and inferencing across heterogeneous information systems. The incorporation of transparency and accountability into decentralized systems such as the Web is critical to help society manage the privacy risks arising from the explosive progress in communications, storage, and search technology.
W3C is exploring the possibility of a third Privacy Workshop, bringing together the communities around privacy enhancing technologies to inquire about the level of consensus around those new approaches. This involves semantically driven privacy management of data records via metadata and an effective format to express the obligations that come with the compliance management in the back end.