What is P3P?

The Platform for Privacy Preferences Project (P3P) enables Websites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. P3P user agents will allow users to be informed of site practices (in both machine- and human-readable formats) and to automate decision-making based on these practices when appropriate. Thus users need not read the privacy policies at every site they visit. Have a look at the list of P3P software.

What is new in P3P 1.1

A number of changes were made in P3P version 1.1. They are intended to be backward compatible with P3P 1.0; the P3P 1.1 Specification describes how compatibility is achieved. The most significant changes are summarized here:

  • All the errata from P3P 1.0 have been incorporated into this specification.
  • In Section 1.3, definitions are now provided for identified, identifiable, linked, and linkable data.
  • In Section 2.3.2.9 an optional OUR-HOST element has been added for declaring domain relationships, allowing user agents to recognize when hosts in different domains are owned by the same entity or entities acting as agents for one another.
  • In Section 2.5 a new P3P generic attribute for XML applications has been added. This is a new mechanism for binding P3P policies to XML elements that describe interfaces, for example, in XForms or WSDL.
  • In Section 3.2.3 and Section 3.3.2 a mechanism has been added for naming P3P STATEMENT elements and grouping STATEMENT elements together. This allows user agents to better organize the summary display of P3P policies.
  • In Section 3.2.7 and Section 3.2.8 new definitions are provided for the DISPUTES and REMEDIES elements and their sub-elements.
  • In Section 3.36 a new definition is provided for the RECIPIENT element.
  • In Section 3.4 a new definition is provided for the demographic element.
  • In Section 3.3.5.1 an optional ppurpose element has been added to allow user agents to determine the primary reason why the data recipient is collecting data.
  • In Section 3.3.6.1 an optional JURISDICTION element has been added for declaring the jurisdiction of data recipients.
  • In Section 4 language was added to explain the use of compact policies as a performance optimization, and to emphasize their optional nature and non-authoritative status.
  • In Section 4.2.10 new syntax has been added to provide a compact version of the STATEMENT element for use in compact policies. This allows for the creation of compact policies that make more granular statements about data practices than is possible with the P3P 1.0 syntax.
  • In Section 5, the format for specifying P3P data schemas has been changed substantially so that it is now simpler and more standardized than the format used in P3P 1.0. The new format uses the XML Schema Definition Standard (XSD) format, which can be validated against an XML schema. In Appendix 3 the P3P base data schema definition has been updated to reflect this change.
  • In Section 6 new user agent guidelines have been added to assist user agent implementers. These guidelines include a set of plain language translations of P3P vocabulary elements.
  • The XML DTD definition for P3P has been removed from the Specification.

Status

P3P is part of W3C's Privacy Activity. It currently has one active Group, the public P3P 1.1 Specification Working Group. The Working Group is chartered until 30 September 2006 to finish the P3P 1.1 Last Call and work towards Candidate Recommendation.

Future

P3P 1.1 is a direct consequence of the first Privacy Workshop, which took place in 2002 in Dulles, Virginia, and targets short-term improvements like the User Agent Guidelines.
Discussions about longer-term goals were held in Kiel during the second Workshop on the long-term future of Web Privacy. Those were more focused on privacy in the back end.
Most research activities around privacy-enhancing technologies today are based on P3P. They advance the general idea of expressing privacy practices in a machine-readable way, but they add a lot of missing features. W3C staff is involved in two projects worth mentioning:

PRIME is a European IST research project that explores the future of privacy-enabled Identity Management. The PRIME project addresses the widening gap between privacy laws on the one hand and 'real life' in networks on the other through an integrative approach spanning the legal, social, economic and technical areas.

TAMI is a project of the Decentralized Information Group that is part of MIT's Computer Science and Artificial Intelligence Laboratory. The TAMI Project is creating technical, legal, and policy foundations for transparency and accountability in large-scale aggregation and inferencing across heterogeneous information systems. The incorporation of transparency and accountability into decentralized systems such as the Web is critical to help society manage the privacy risks arising from the explosive progress in communications, storage, and search technology.

W3C is exploring the possibility of a third Privacy Workshop, bringing together the communities around privacy-enhancing technologies to inquire about the level of consensus around those new approaches. This involves semantically driven privacy management of data records via metadata and an effective format to express the obligations that come with compliance management in the back end.