Privacy Law and Policy Reporter
(This paper is a revised version of notes prepared to accompany a panel presentation at WWW7 in Brisbane in April 1998. A copy is available at http://www.anu.edu.au/people/Roger.Clarke/DV/P3POview.html. Roger Clarke’s critique of P3P will follow in the next issue of PLPR — General Editor)
The Internet is a set of inter-connected networks, all of which use the same underlying standards or ‘protocols’ (TCP/IP, or, more generally, the Internet Protocol Suite — IPS). Many services are available over the Internet. Commonly-used services include email (using the SMTP and MIME protocols), file transfer (using the FTP protocol), and terminal emulation (using the telnet facility, whereby a remote PC behaves as though it were a terminal directly connected to a distant computer).
The most explosive growth in the history of the Internet was spawned by the world-wide web. Since 1993, this service, based on the HTTP protocol, has enabled the publication of documents as ‘web-pages’, making them available to anyone in the world with an Internet-connection and a piece of software called a ‘web-browser’. One of the strengths of the HTTP protocol is that it not only supports its own native document-format (HTML), but can also be used as a vehicle to transfer, process and display many other formats, including images, sounds and video. The web exploits the Internet to produce a virtual playground, a virtual library, and a virtual marketspace.
Any new technology that offers power brings with it risks. One of the risks inherent in the world wide web is that users will inadvertently disclose information that they would prefer not to. Another is that organisations may develop software which actively extracts personal data, and use it to exercise control over the behaviour of their clients. This paper describes a particular technology that has recently been specified, whose purpose is to establish a fair balance between the interests of web-marketers and web-consumers, and the following paper provides a critique.
Quite a lot of people are actively doing something about Internet privacy. Their actions range from assaults on privacy-invaders, through responsible net-activist activities, privacy-sensitive architectures and services, and privacy-enhancing technology development, to actions in legislatures. This Overview provides background to one particular initiative, the Platform for Privacy Preferences (P3P) protocol developed by the World Wide Web Consortium (W3C).
W3C is a foundation charged with maintenance and enhancement of the web. Despite being funded almost exclusively by IT providers, W3C retains a remarkably close affinity with the mainstream of the Internet-public. It seeks to enable web-based electronic commerce, without in the process undermining the web-based electronic community ethos. For the last couple of years, I’ve been cautiously optimistic about that aspiration being able to be sustained, and I continue to be positive about it.
In 1996-1997, the World Wide Web Consortium (W3C) recognised the importance of establishing a framework within which trust can be achieved between web services providers and consumers. It launched an initiative entitled Platform for Privacy Preferences (P3P) at http://www.w3c.org/P3P/. A Public Working Draft of the syntax specification was published on 19 May 1998.
Major providers, including Engage Technologies, Firefly, Microsoft, Netscape, Open Sesame and Microsystems Software have announced plans to implement the P3P protocol within their products.
This unofficial Overview of P3P is based on the information provided by W3C P3P pages, in particular the FAQ, a presentation, and the architecture, grammar, and harmonisation drafts. These will be revised and consolidated in the coming months.
The P3P protocol is intended to support negotiations in a wide variety of contexts, including the following:
P3P explicitly recognises the need to support multiple personae per web-user. Personae allow the web-user to create different views of themselves by changing the data given to a service. A persona may be based upon the service’s purpose (for example, business, gaming, home, etc), credentials (for example, level of associated trust), consequences and practices (for example, personalisation, shipping, mailing list), or any user-defined rationale (for example, time-of-day, phase-of-moon, etc). Hence a web-user might decline to enter a web-site under their ‘normal’ persona, which might have a substantial amount of personal data associated with it; but might switch personae to a pseudonymous, or data-poor, persona, and enter the site while making little about themselves available to it.
The purpose of the P3P specification is to enable:
In effect, it is to provide means whereby an individual can have sufficient information that he or she can make an informed decision on whether to permit further use of the data, or decline further use of the data. Moreover, that decision is to be able to be delegated to a software agent acting on behalf of the individual.
If the individual denies access to data, or denies the service-provider authority to use the data, the web-site operator might provide a degraded service, or might provide no service at all. In either case, this may be by choice (for example, because the web-site operator places a high value on collecting such data, or wishes to discourage the denial of data), or by necessity (for example, because it is not feasible to provide the service in the absence of the data, such as the delivery address for physical goods, or a means of ensuring receipt of payment).
P3P is also intended to make a major contribution (but not to provide a complete solution) to the following, more abstract objectives:
The elements of a P3P-enabled web-context are as follows:
A simplified description of the basic process is as follows:
The effect of the scheme is to achieve what W3C refers to as ‘informed consent through user choice’.
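To make concrete the agent-mediated decision the preceding paragraphs describe (a user with several personae, a service stating the data it wants and for what purposes, and a software agent that accepts, declines, or defers to the user, after which the service may offer full, degraded or no service), here is an added Python model. It is not part of the original paper and does not use the P3P draft grammar; the Proposal and Persona record layouts, the purpose and recipient vocabularies, and the sample services, personae and assuring party are all constructed assumptions for illustration.

```python
"""Toy model of a P3P-style user agent choosing a persona and deciding on data release.
Constructed illustration: record layouts and vocabularies are assumptions, not P3P syntax."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ACCEPT = "accept"    # agent releases the requested data without asking the user
    DECLINE = "decline"  # agent refuses; the service may degrade or refuse service
    PROMPT = "prompt"    # agent cannot decide alone and must ask the user


@dataclass(frozen=True)
class Proposal:
    """A service's privacy-practice statement for one request (assumed layout)."""
    service: str
    data_elements: frozenset            # what the service asks for
    purposes: frozenset                 # why it wants the data
    recipients: frozenset               # who will receive the data
    necessary: frozenset = frozenset()  # elements without which no service is feasible
    assured_by: Optional[str] = None    # independent assuring party, if any


@dataclass(frozen=True)
class Persona:
    """One of a user's personae: what it releases, for which purposes, to whom."""
    name: str
    releasable: frozenset
    allowed_purposes: frozenset
    allowed_recipients: frozenset
    require_assurance: bool = False
    ask_about: frozenset = frozenset()  # elements whose release always needs a human decision


def evaluate(persona: Persona, proposal: Proposal):
    """Return (Decision, reasons) for releasing proposal.data_elements under persona."""
    reasons = []
    for label, asked, allowed in (
        ("data element", proposal.data_elements, persona.releasable),
        ("purpose", proposal.purposes, persona.allowed_purposes),
        ("recipient", proposal.recipients, persona.allowed_recipients),
    ):
        extra = asked - allowed
        if extra:
            reasons.append(f"{label} not permitted by persona '{persona.name}': {sorted(extra)}")
    if persona.require_assurance and proposal.assured_by is None:
        reasons.append("practice statement carries no independent assurance")
    if reasons:
        return Decision.DECLINE, reasons
    needs_human = proposal.data_elements & persona.ask_about
    if needs_human:
        return Decision.PROMPT, [f"user must confirm release of {sorted(needs_human)}"]
    return Decision.ACCEPT, []


def negotiate(personae, proposal: Proposal):
    """Try personae in the user's order of preference (data-poor first).
    Returns (persona name, Decision, reasons): the first persona that accepts, else the
    first that needs a prompt, else the declining persona with the fewest objections."""
    outcomes = [(p.name, *evaluate(p, proposal)) for p in personae]
    for wanted in (Decision.ACCEPT, Decision.PROMPT):
        for name, decision, reasons in outcomes:
            if decision is wanted:
                return name, decision, reasons
    return min(outcomes, key=lambda o: len(o[2]))


def service_level(proposal: Proposal, released: frozenset) -> str:
    """The service's side: what it can offer given the data actually released."""
    missing = proposal.data_elements - released
    if missing & proposal.necessary:
        return "refused"    # e.g. no delivery address for physical goods
    if missing:
        return "degraded"   # service offered, but without the optional data
    return "full"


# Constructed sample services (names and assurer are placeholders).
NEWS = Proposal("example-news", frozenset({"pseudonym"}), frozenset({"personalisation"}),
                frozenset({"ours"}), assured_by="example-assurer")
SHIP_ONLY = Proposal("example-shop-shipping", frozenset({"postal_address"}),
                     frozenset({"shipping"}), frozenset({"ours"}),
                     necessary=frozenset({"postal_address"}), assured_by="example-assurer")
SHOP = Proposal("example-shop", frozenset({"postal_address", "email"}),
                frozenset({"shipping", "marketing"}), frozenset({"ours", "third_party"}),
                necessary=frozenset({"postal_address"}), assured_by="example-assurer")

# Constructed sample personae: a data-poor one tried first, a data-rich 'normal' one second.
PSEUDONYMOUS = Persona("pseudonymous", frozenset({"pseudonym"}),
                       frozenset({"personalisation"}), frozenset({"ours"}))
NORMAL = Persona("normal", frozenset({"name", "postal_address", "email", "pseudonym"}),
                 frozenset({"shipping", "personalisation"}), frozenset({"ours"}),
                 require_assurance=True, ask_about=frozenset({"postal_address"}))
PERSONAE = [PSEUDONYMOUS, NORMAL]

if __name__ == "__main__":
    for proposal in (NEWS, SHIP_ONLY, SHOP):
        print(proposal.service, negotiate(PERSONAE, proposal))
    print("declined SHOP outright ->", service_level(SHOP, frozenset()))
```

Run as a script, the news site is entered under the pseudonymous persona automatically, the shipping-only shop falls through to the ‘normal’ persona but requires the user to confirm the address, and the marketing shop is declined because its purpose and third-party recipient fall outside every persona; declining it outright leaves the shop unable to serve at all, since the address is necessary for delivery.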
P3P assumes that some external mechanism exists to provide assurance that the practice will be conformed with. This assurance may come from the web-site or an independent assuring party. Ideally, the assuring party would digitally sign proposals, and would be financially liable for breach.
The manner of implementation in web-browsers and web-servers, including user-interface aspects, is not specified in the P3P protocol, because this is an appropriate domain for competitive marketplace behaviour.
To enable the uttering of privacy statements, and the exchange of data under user control, the P3P protocol is built over the emergent W3C standards for:
It is intended that P3P support future digital certificate and digital signature capabilities as they become available. P3P is being designed so that it can be incorporated into browsers, servers, and proxy servers that sit between a client and a server.
The P3P Grammar is a set of rules that defines the structure of P3P clauses used to make a valid P3P statement. The following example structures clauses (in the parentheses) to make a simple privacy practice statement:
The Appendices (reprinted pp38-39) provide the following further information:
The primary document that defines P3P is:
The P3P Syntax Specification was based on other documents, specifically the
as well as the:
Roger Clarke, Principal, XamaX Consultancy Pty Ltd.