Platform for Privacy Preferences - PowerPoint PPT Presentation

Slides: 41
Provided by: susans58
1
Platform for Privacy Preferences
  • World Wide Web Consortium

Sue Sproule
Q778
2
Outline
  • Terms of Reference
  • P3P, W3C, XML
  • What is P3P?
  • Status
  • Implementation
  • Discussion

3
Platform for Privacy Preferences (P3P)
  • Developed by World Wide Web Consortium (W3C)
  • Based on Extensible Mark-up Language (XML)

4
W3C
  • Founded (1994) by Tim Berners-Lee to promote
    universal access and guide the Web's development
  • Non-profit, industry supported consortium
    administered jointly by
  • MIT Laboratory for Computer Sciences (USA)
  • National Institute for Research in Computer
    Science and Control (France)
  • Keio University (Japan)

5
XML
  • Starts with SGML - a meta-language for defining
    markup languages
  • document made up of entities (objects)
  • entities contain elements
  • elements have attributes that describe how they
    can be processed
  • Document Type Definitions (DTD) define rules
    about types of entities, elements and attributes
    that are allowed in a particular type of document
  • e.g. HTML is a DTD

6
XML
  • XML is an SGML profile - a simplified subset of
    SGML
  • XML applications can be developed by defining
    DTDs within this subset
  • XML documents
  • must be well-formed (e.g. cannot omit end tags)
  • can be validated against DTD

7
XML Activity
HTML redefined as an XML DTD
P3P
Resource Description Framework
http://www.w3.org/XML/Activity
8
P3P
  • Standard, machine-readable representation of
    privacy policies

Diagram: Privacy Policy, XML encoding, Representation
9
P3P
  • Does not set standards for privacy
  • Does not monitor for compliance
  • Does not address transfer or storage of data

10
P3P
Diagram: Privacy Policy, XML encoding, Representation, Agent Negotiation
11
P3P Status
  • Phase 1
  • Architectural Overview
  • reviewed RDF, Open Profiling Standard (OPS), and
    other submissions
  • Grammatical Model
  • vocabulary and grammar for the DTD
  • Completed October 1997

12
P3P Status
  • Phase 2
  • Protocols and Data Transport
  • Harmonized Vocabulary
  • accommodate diverse policies
  • Completed March 1998

13
P3P Status
  • Phase 3
  • Last-Call Draft issued November 1999
  • to check dependencies with other W3C work
  • to obtain public feedback
  • 6 month deadline (versus normal 6 weeks)
  • Completed April 2000
  • 2nd Last-Call Draft issued October 18
  • Response deadline October 31

14
P3P Status
  • Phase 4
  • Candidate Recommendations
  • solicit implementations
  • host interop workshops
  • New York - June 2000
  • Venice - September 2000
  • Palo Alto - November 2000
  • Asia - ?

15
P3P Status
  • Major change
  • removed negotiation and data transfer protocol
  • Major delays
  • Patent claim (Intermind Inc.)
  • Coordinating P3P with XML development activity
  • US and European political interest and activity

16
Privacy Aspects
  • Data being tracked
  • Who is collecting this data?
  • Exactly what information is being collected?
  • For what purposes?
  • What information is being shared with others?
  • Who are these data recipients?

17
Privacy Aspects
  • Sites' policies
  • Can the user make changes in how their data is
    used?
  • How are disputes resolved?
  • What is the policy for retaining data?
  • Where can detailed policies be found in
    human-readable form?

18
Categories of Information
  • <PHYSICAL/> Physical contact information
  • <ONLINE/> Online contact information
  • <UNIQUEID/> Unique identifiers
  • <PURCHASE/> Purchase information
  • <FINANCIAL/> Financial information
  • <COMPUTER/> Computer information
  • <NAVIGATION/> Navigation and clickstream
    information
  • <INTERACTIVE/> Interactive data
  • <DEMOGRAPHIC/> Demographic information
  • <CONTENT/> Content
  • <STATE/> State management mechanisms
  • etc.

19
Purposes
  • <CURRENT/> Completion and support of current
    activity
  • <ADMIN/> Web site and system administration
  • <DEVELOP/> Information may be used to enhance,
    evaluate, or otherwise review the site, service,
    product, or market
  • <CUSTOMIZATION/> Information may be used to
    tailor or modify the content or design of the
    site only to specifications affirmatively
    selected by the particular individual

20
Purposes
  • <TAILORING/> Information may be used to tailor or
    modify the content of the site not affirmatively
    selected by the particular individual for a
    single visit to the site
  • <PROFILING/> Information may be used to create or
    build a record of a particular individual or
    computer for the purpose of compiling habits or
    personally identifiable information of that
    individual or computer
  • <PSEUDONYM/> Information may be used to create
    or build a record of a particular individual or
    computer that is tied to a pseudonymous
    identifier without tying personally-identifiable
    information... to the record
  • etc.

21
Recipients
  • Only ourselves and our agents
  • Organizations following our practices
  • Organizations following different practices
  • Unrelated third parties or public fora

22
Disclosure
  • Assurance
  • Other Disclosures
  • Change agreement
  • Retention

23
Steve's Store makes the following statement for
the web pages at http://www.stevestore.com. You
can find our privacy policy at
http://stevestore.com/privacy.html. You may contact
us to review the contact information for you that is
stored in our records. We do not disclose a data
retention policy. We collect clickstream data and
user agent information stored in HTTP log files. We
use this information for Web site and system
administration. We do not disclose this information
or use it in a way that would identify you. We also
collect your first name and last name, postal
address, credit card information, and information
about your order. We use this to process your order
and for Web site administration. We do not
distribute this information.
Steve's Store
Cranor, Agents of Choice
24
Steve's Store
  <PROP entity="Steve's Store">
    <REALM uri="http://www.stevestore.com/"/>
    <VOC:DISCLOSURE discURI="http://www.stevestore.com/privacy.html"
                    access="contact" retention="no"/>
    <USES><STATEMENT VOC:id="nonid">
      <VOC:RECPNT v="ours"/>
      <VOC:PURPOSE v="admin"/>
      <DATA:REF name="Dynamic.Clickstream.Server"/>
      <DATA:REF name="Dynamic.HTTP.UserAgent"/>
    </STATEMENT></USES>
    <USES><STATEMENT VOC:id="id">
      <VOC:RECPNT v="ours"/>
      <VOC:PURPOSE v="current"/>
      <VOC:PURPOSE v="admin"/>
      <DATA:REF name="User.Name.First"/>
      <DATA:REF name="User.Name.Last"/>
      <DATA:REF name="User.Home.Postal"/>
      <DATA:REF name="Dynamic.MiscData" VOC:category="interactive"/>
    </STATEMENT></USES>
  </PROP>

Cranor, Agents of Choice
25
Agent Demos
http://www.w3.org/P3P/
26
Defaults and Templates
  • What will be the default settings?
  • Leave unconfigured features turned off
  • Prompt user to configure before use
  • Assign default values
  • Personas
  • Recommended or canned APPEL files
  • Almost Anonymous
  • Privacy and Commerce

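As an added example (not from the deck, from Cranor's paper, or from any P3P agent), a small Python user-agent check of the kind the "Agent" box and the "Personas" slide describe: it parses the Steve's Store policy, here re-encoded in the syntax of the final P3P 1.0 Recommendation (a later form than the draft syntax on slide 24), and evaluates each STATEMENT against a constructed "Almost Anonymous" persona. The 1.0 namespace, the persona rules and the partial base-data-schema lookup are assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace of the final P3P 1.0 Recommendation (assumed; later than the draft on the slides).
NS = "{http://www.w3.org/2002/01/P3Pv1}"
# Constructed: Steve's Store's two statements re-encoded in P3P 1.0 syntax.
STEVES_STORE_POLICY = """<POLICY xmlns="http://www.w3.org/2002/01/P3Pv1" name="steves"
    discuri="http://www.stevestore.com/privacy.html">
  <ACCESS><ident-contact/></ACCESS>
  <STATEMENT>
    <PURPOSE><admin/></PURPOSE><RECIPIENT><ours/></RECIPIENT>
    <RETENTION><indefinitely/></RETENTION>
    <DATA-GROUP><DATA ref="#dynamic.clickstream"/><DATA ref="#dynamic.http.useragent"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><current/><admin/></PURPOSE><RECIPIENT><ours/></RECIPIENT>
    <RETENTION><indefinitely/></RETENTION>
    <DATA-GROUP>
      <DATA ref="#user.name.given"/><DATA ref="#user.name.family"/><DATA ref="#user.home-info.postal"/>
      <DATA ref="#dynamic.miscdata"><CATEGORIES><purchase/><financial/></CATEGORIES></DATA>
    </DATA-GROUP>
  </STATEMENT>
</POLICY>"""

# Partial base-data-schema lookup (constructed; only the refs used above).
BASE_CATEGORIES = {"#user.name.given": {"physical"}, "#user.name.family": {"physical"},
                   "#user.home-info.postal": {"physical"}, "#dynamic.clickstream": {"navigation"},
                   "#dynamic.http.useragent": {"computer"}}
# An "Almost Anonymous" persona (constructed): identifying categories are acceptable
# only for the current activity and only when the site itself keeps the data.
ALMOST_ANONYMOUS = {"sensitive": {"physical", "online", "uniqueid", "purchase", "financial"},
                    "allowed_purposes": {"current"}, "allowed_recipients": {"ours"}}

def _names(el, path):
    """Local names (namespace stripped) of the elements matched by an ElementTree path under el."""
    return {e.tag.split("}", 1)[1] for e in el.findall(path)}

def evaluate(policy_xml, persona):
    """(statement no., sensitive categories, disallowed purposes, disallowed recipients) per rejected STATEMENT."""
    findings = []
    for n, st in enumerate(ET.fromstring(policy_xml).findall(NS + "STATEMENT"), 1):
        cats = _names(st, f".//{NS}DATA/{NS}CATEGORIES/*")        # categories stated explicitly...
        for d in st.iter(NS + "DATA"):                              # ...plus those implied by the schema
            cats |= BASE_CATEGORIES.get(d.get("ref"), set())
        hit = cats & persona["sensitive"]
        bad_p = _names(st, f"{NS}PURPOSE/*") - persona["allowed_purposes"]
        bad_r = _names(st, f"{NS}RECIPIENT/*") - persona["allowed_recipients"]
        if hit and (bad_p or bad_r):
            findings.append((n, sorted(hit), sorted(bad_p), sorted(bad_r)))
    return findings
```

Run against the policy above, the log-file statement passes and the order statement is flagged for using physical, purchase and financial data for "admin" as well as "current"; a "Privacy and Commerce" persona that accepts "admin" would let it through.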
27
Implementation
  • Step 1
  • Create a written policy
  • Step 2
  • Determine what policies apply to what pages on
    the site

28
Implementation
  • Step 3
  • Select a P3P Policy Generator
  • IBM P3P Policy Editor
  • PrivacyBot.com
  • YouPowered's Smart Sense Consumer Trust

29
P3P Generators
http://www.w3.org/P3P/
30
Implementation
  • Step 4
  • Enter information into generator
  • get policy files (e.g. policy1.xml)
  • get policy reference file (p3p.xml)
  • Step 4
  • Upload policy and policy reference files to server

31
Implementation
  • Step 5
  • Check installation at P3P validator,
    http://www.w3.org/P3P/validator.html
  • Add site to list of P3P enabled sites

NOTE: The P3P specification will likely change
over the next few months. As a result, you may
have to update the P3P policy that you are
creating now.
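As an added example (not part of the deck or of any generator's output), Python that does the page-to-policy mapping of Step 2 as a P3P user agent reads it from the policy reference file of Step 4, in the format of the P3P 1.0 Recommendation: it parses a constructed p3p.xml, whose POLICY-REF entries name a policy and its INCLUDE/EXCLUDE URI patterns, and resolves which policy covers a given page path. The 1.0 namespace, the sample file and the rule that the first listed POLICY-REF wins are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2002/01/P3Pv1}"   # P3P 1.0 Recommendation namespace (assumed)

# Constructed policy reference file, as a generator would write it for the well-known /w3c/p3p.xml.
P3P_XML = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <EXPIRY max-age="172800"/>
    <POLICY-REF about="/w3c/policy1.xml#browsing">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/order/*</EXCLUDE>
      <EXCLUDE>/cgi-bin/*</EXCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/w3c/policy2.xml#orders">
      <INCLUDE>/order/*</INCLUDE>
      <INCLUDE>/cgi-bin/checkout*</INCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>"""

def _match(pattern, path):
    """INCLUDE/EXCLUDE patterns: '*' matches any run of characters, everything else is literal."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), path) is not None

def load_refs(xml_text):
    """Parse the policy reference file into (policy URI, includes, excludes) tuples, in file order."""
    refs = []
    for ref in ET.fromstring(xml_text).iter(NS + "POLICY-REF"):
        inc = [e.text for e in ref.findall(NS + "INCLUDE")]
        exc = [e.text for e in ref.findall(NS + "EXCLUDE")]
        refs.append((ref.get("about"), inc, exc))
    return refs

def policy_for(refs, path):
    """Policy URI covering `path`: a POLICY-REF applies when some INCLUDE matches and no EXCLUDE does.
    Assumption: where several POLICY-REFs apply, the first listed one wins."""
    for about, inc, exc in refs:
        if any(_match(p, path) for p in inc) and not any(_match(p, path) for p in exc):
            return about
    return None    # no P3P policy declared for this path; an agent treats the page as unpolicied
```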
32
P3P enabled sites
  • www.aol.com
  • www.att.com
  • www.cdt.org
  • www.engage.com
  • www.hp.com
  • www.ibm.com
  • www.idcide.com
  • www.microsoft.com
  • www.pg.com
  • www.ttuhsc.edu
  • www.youpowered.com
  • www.vineyard.net
  • www.w3.org
  • www.whitehouse.gov

33
A simple HTTP transaction
Diagram: Web server exchange (from http://www.w3.org/P3P/)
34
with P3P 1.0 added
Diagram: the same Web server exchange with P3P 1.0 added (from http://www.w3.org/P3P/)
35
Discussion
  • Admitted omissions
  • Negotiation
  • Pretty poor privacy?
  • Incentives for Adoption

36
Admitted omissions
  • Mechanism to allow sites to offer a choice of
    policies to visitors
  • Mechanism to allow visitors to explicitly agree
    to a P3P policy
  • Mechanism to allow for non-repudiation of
    agreements between visitors and web sites

37
Negotiation
  • Current process is an ultimatum from the Web
    server to the browser
  • "like it or leave it", and unwanted behaviour
  • Negotiation issues are complex
  • anonymity
  • price discrimination

38
Pretty Poor Privacy?
  • Not designed to protect privacy, but to
    facilitate gathering of data by Web sites
  • Oversimplifies the trust interaction
  • Creates an air of privacy while sites gather
    data
  • One-sided in information exchange
  • Nothing to enforce or aid in enforcement

Coyle, 1999
39
Drivers for Implementation
  • P3P has been invented. Now will it be adopted?
  • No user base and no user demand
  • The cookies experience
  • Potential drivers?
  • Political motivation
  • Economic incentives and disincentives

40
http://www.w3.org/P3P/