The Role of Data Protection Authorities in the Design and Deployment of the Platform for Privacy Preferences

Lorrie Faith Cranor

http://lorrie.cranor.org/

Remarks for the Technologies for Privacy Protection panel at the XXIII International Conference of Data Protection Commissioners, Paris, September 24-26, 2001

The Platform for Privacy Preferences (P3P) project provides a standard way for web sites to communicate about their data practices. Developed by the World Wide Web Consortium (W3C), P3P includes a machine-readable privacy policy syntax as well as a simple protocol that web browsers and other user agent tools can use to fetch P3P privacy policies automatically. P3P-enabled browsers can allow users to do selective cookie blocking based on site privacy policies, as well as to get a quick "snapshot" of a site's privacy policies.

The P3P specification includes a standard vocabulary for describing a web site's data practices, a set of base data elements that web sites can refer to in their P3P privacy policies, and a protocol for requesting and transmitting web site privacy policies. P3P policies are encoded in a machine-readable XML format using the P3P vocabulary. The P3P protocol is a simple extension to the HTTP protocol used for fetching web pages. P3P user agents use standard HTTP requests to fetch a P3P policy reference file from a well-known location on the web site to which a user is making a request. The policy reference file indicates the location of the P3P policy file that applies to each part of the web site. There might be one policy for the entire site, or several different policies that each cover a different part of the site. The user agent can then fetch the appropriate policy, parse it, and take action according to the user's preferences.
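The fetch, parse and act sequence just described, as an added example written for this page (it is not W3C code and not any vendor's user agent). A constructed SITE dictionary stands in for HTTP GET so the example runs offline; the element names (META, POLICY-REF, INCLUDE, EXCLUDE, POLICY, STATEMENT, PURPOSE, RETENTION, DATA-GROUP, DATA) and the well-known location /w3c/p3p.xml follow the P3P 1.0 vocabulary, with namespace declarations omitted; the sample policies and the PREFS rule are assumptions, and PREFS in particular is a hypothetical user setting, not a P3P construct.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Well-known location of the policy reference file (P3P 1.0).
WELL_KNOWN = "/w3c/p3p.xml"

# Constructed sample site: path -> response body. This dictionary stands in
# for HTTP GET so the example runs offline; namespace declarations are omitted.
SITE = {
    WELL_KNOWN: """<META><POLICY-REFERENCES>
  <POLICY-REF about="/policies.xml#general">
    <INCLUDE>/*</INCLUDE>
    <EXCLUDE>/catalog/*</EXCLUDE>
  </POLICY-REF>
  <POLICY-REF about="/policies.xml#catalog">
    <INCLUDE>/catalog/*</INCLUDE>
  </POLICY-REF>
</POLICY-REFERENCES></META>""",
    "/policies.xml": """<POLICIES>
  <POLICY name="general" discuri="/privacy.html"><STATEMENT>
    <PURPOSE><current/><admin/></PURPOSE><RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
  </STATEMENT></POLICY>
  <POLICY name="catalog" discuri="/privacy.html"><STATEMENT>
    <PURPOSE><current/><contact required="opt-out"/></PURPOSE><RETENTION><indefinitely/></RETENTION>
    <DATA-GROUP><DATA ref="#user.name"/><DATA ref="#user.home-info.postal"/></DATA-GROUP>
  </STATEMENT></POLICY>
</POLICIES>""",
}

# Hypothetical user preference (not part of the P3P vocabulary): purposes that
# must be opt-in, and retention practices the user will not accept.
PREFS = {
    "opt_in_only": {"contact", "telemarketing"},
    "reject_retention": {"indefinitely"},
}


def matches(path, pattern):
    """INCLUDE/EXCLUDE matching: '*' is the only wildcard and matches any characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path) is not None


def policy_for(url, site=SITE):
    """Fetch the policy reference file and return the policy URI covering url, or None."""
    ref_xml = site.get(WELL_KNOWN)
    if ref_xml is None:
        return None
    path = urlsplit(url).path or "/"
    for ref in ET.fromstring(ref_xml).iter("POLICY-REF"):
        included = any(matches(path, e.text.strip()) for e in ref.findall("INCLUDE"))
        excluded = any(matches(path, e.text.strip()) for e in ref.findall("EXCLUDE"))
        if included and not excluded:
            return ref.get("about")
    return None


def load_policy(about, site=SITE):
    """Fetch the policy file named in the reference and return the POLICY element."""
    file_path, _, name = about.partition("#")
    doc = site.get(file_path)
    if doc is None:
        return None
    for pol in ET.fromstring(doc).iter("POLICY"):
        if pol.get("name") == name:
            return pol
    return None


def summarize(policy):
    """Extract purposes (with their required= setting), retention and data refs."""
    purposes, retention, data = {}, set(), []
    for st in policy.findall("STATEMENT"):
        for p in st.findall("PURPOSE/*"):
            purposes[p.tag] = p.get("required", "always")  # spec default is 'always'
        retention.update(r.tag for r in st.findall("RETENTION/*"))
        data.extend(d.get("ref") for d in st.findall("DATA-GROUP/DATA"))
    return {"discuri": policy.get("discuri"), "purposes": purposes,
            "retention": sorted(retention), "data": data}


def evaluate(summary, prefs=PREFS):
    """Return the list of preference violations; an empty list means the policy matches."""
    reasons = [f"purpose '{p}' is {req}, not opt-in"
               for p, req in summary["purposes"].items()
               if p in prefs["opt_in_only"] and req != "opt-in"]
    reasons += [f"retention '{r}' not accepted"
                for r in summary["retention"] if r in prefs["reject_retention"]]
    return reasons


def check(url, site=SITE, prefs=PREFS):
    """Full user-agent flow: locate, fetch, parse, then compare against preferences."""
    about = policy_for(url, site)
    policy = load_policy(about, site) if about else None
    if policy is None:
        return "no-policy", None, []
    summary = summarize(policy)
    reasons = evaluate(summary, prefs)
    return ("mismatch" if reasons else "match"), summary, reasons
```

Calling check("http://example.com/index.html") yields "match", while check("http://example.com/catalog/item?id=3") yields "mismatch" with two reasons, because the catalog policy uses data for contact on an opt-out basis and retains it indefinitely. The three verdicts correspond to the match, mismatch and no-policy states a user agent has to display, and the contents of PREFS are exactly the kind of default setting whose choice the talk later describes as very important.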

In this talk I will first provide an update on the current status of P3P design and deployment. Then I will talk about how P3P was developed and the role that data protection authorities played in its development. Finally I will conclude by discussing the role that data protection authorities might play in the future of P3P.

Current Status of P3P

P3P was developed by working groups at the W3C. These working groups are composed of representatives from some of the W3C member companies and organizations, as well as invited experts from academia and government. In December 2000 the P3P Specification working group released a stable "Candidate Recommendation" draft of the P3P specification. This draft was the result of over three years of work and took into account the suggestions of many individuals who had commented on earlier public drafts.

Software developers at several companies and universities began to build P3P user agents and editors based on the December 2000 specification. In addition, about 100 companies and organizations P3P-enabled their web sites. As people used the specification, they raised a number of relatively minor concerns. The Specification working group addressed some of these concerns by adding clarifying language to the specification; other concerns were addressed with changes to the P3P vocabulary and protocol. This month a new specification was issued that incorporates all of these changes.

The first major commercial user agent implementation of P3P appeared in the Microsoft Internet Explorer web browser this summer. IE6 can filter cookies based on P3P policies. It also allows users to request a privacy report generated from web site P3P policies.

AT&T has developed a P3P user agent plug-in in partnership with IDcide. This plug-in works with the Internet Explorer web browser. It is currently being tested, and AT&T intends to release it some time this fall. This plug-in checks for P3P policies at every web site a user visits. It displays a green bird icon at sites that match the user's privacy preferences, a red bird icon at sites that do not match, and a yellow bird icon at sites that have no P3P policies. Users can click on the bird to get more detailed information about the site's privacy policy, including a link to the full human-readable policy, a link to the site's opt-in or opt-out page, and a list of ads and other content embedded in the site that may have their own privacy policies. This plug-in provides a variety of configuration options for users, and it also allows users to filter cookies based on site P3P policies.

IBM has released a P3P policy editor tool that web sites can use to create their P3P policies.

The W3C has created outreach groups in both North America and Europe to work towards widespread P3P deployment. The North American group is focusing on getting P3P deployed at the top 100 web sites. Already P3P is deployed at a number of major companies including AT&T, Microsoft, IBM, and Procter and Gamble. It is also being used by DoubleClick and some of the other major online advertising networks. And it is being used by the Lycos search engine, several US Congressional web sites, and a wide range of other web sites. Next month p3ptoolbox.org will be launched to provide a centralized online resource for getting information about using P3P.

History

Now that I have brought you up to date on P3P, I would like to step back and tell you a little bit about how P3P came to be, and discuss especially the role that data protection authorities played in its development.

In 1995, members of the Platform for Internet Content Selection (PICS) working groups at W3C began discussing the possibility of using PICS as a tool to help Internet users protect their privacy. PICS is a system for labeling web content according to a set of criteria called a rating system. While PICS ratings systems could be used to capture virtually any type of information about web content, PICS was being applied mostly to rate web pages according to their suitability for children. Indeed the PICS effort had been launched primarily as a non-legislative alternative to the U.S. Communications Decency Act and other similar legislation. But, as PICS co-chair Paul Resnick suggested at the June 1996 Federal Trade Commission Workshop on Consumer Privacy on the Global Information Infrastructure, PICS could also be used to rate web sites according to their information practices. Fordham University Law Professor Joel Reidenberg wrote a PICS rating system based on the Canadian Standards Association privacy standard to demonstrate this idea. Resnick also proposed that PICS be extended to allow people to negotiate with web sites over information practices. There was much enthusiasm for this idea at the workshop, although some of the privacy advocates present warned that the model would need to be supplemented by enforcement mechanisms and laws. So in the fall of 1996 the PICS co-chairs worked with the Center for Democracy and Technology (CDT) to gather industry support for pursuing this idea.

In mid November 1996, CDT convened the Internet Privacy Working Group (IPWG) to further explore the development of a PICS-like privacy tool. Initial participants included representatives from AT&T, IBM, America Online, Microsoft, the Electronic Frontier Foundation, DMA, W3C and others. The group appointed a "vocabulary subcommittee" to develop a draft privacy vocabulary that web sites could use to describe their privacy practices. The subcommittee produced several drafts of a privacy vocabulary and worked with W3C to develop a demonstration privacy tool for the June 1997 FTC privacy workshop. The first view that many of you had of P3P was when I gave a presentation on the idea at the Paris IWGDPT meeting in the spring of 1997.

While P3P was focused on negotiating agreements about web site privacy practices, it was often suggested that P3P should also include mechanisms for transferring data according to these agreements. There was growing interest in tools that would allow users to fill out online forms automatically, and some IPWG members felt that P3P should include these tools as well so that all data transfer would be done under P3P control. On the other hand, other IPWG members were reluctant to associate a privacy protection tool with a tool that made data transfer easier. No consensus on this issue was ever reached within IPWG. However, W3C management would later decide that data transfer mechanisms should be included as part of P3P. Two years later the P3P Specification working group would remove the data transfer mechanism for a combination of policy and technical reasons.

In May 1997, P3P was launched officially as a W3C project. Over the next four years, a series of working groups were convened by W3C. The general P3P model stayed pretty much the same during this period; however, the specific details changed regularly. The P3P vocabulary evolved. Cookie-like persistent identifiers were added and later removed. And the data transfer mechanism was redesigned several times before it was finally dropped.

The use of the term "negotiation" within P3P also evolved throughout the project. Originally many of the participants envisioned a system that would allow web sites and user agents to haggle over privacy practices, engaging in a series of offers and counter offers. This multi-round negotiation was later replaced with a single-round negotiation in which the site has to make all of its offers up front. If more than one offer is made, the user agent may choose which one to accept. Eventually negotiation was removed altogether in order to simplify P3P implementation and make it possible for web sites to implement P3P without adding any special software to their servers. Existing servers could be configured to advertise the location of their P3P policies, and user agents could fetch these policies using standard web protocols. Furthermore, without the requirement that they attempt to negotiate an agreement, user agent tools could simply present privacy information to a user in an easy-to-understand format, without necessarily evaluating it or using it to make decisions.

Throughout the P3P design process, data protection authorities and privacy advocates played an important role. Representatives from several data protection authorities joined P3P working groups or attended working group meetings and participated in the process directly. These included representatives from the French CNIL, the Ontario Information and Privacy Commission, the Privacy Commissioner of Schleswig-Holstein, and the Hong Kong Privacy Commissioner's Office. In addition, several experts from academia as well as representatives from CDT and TRUSTe participated in the development of P3P.

In January 1998 the European Commission DG XV issued an opinion on P3P. In this opinion it was suggested that the P3P vocabulary be expanded to include information about remedies should web sites fail to comply with their stated privacy policies. This suggestion was taken into consideration and a disputes section with a remedies subsection was added to the P3P vocabulary. The opinion also raised concerns about how defaults would be set in P3P user agents as well as whether these agents might transfer data to web sites without user consent. The decision to remove the concept of automatic data transfer from P3P reduced this concern somewhat; however, the choices implementers make about defaults remain very important.

In September 1999 the Article 29 Working Party, representatives of the European Commission, and representatives from the P3P working groups met in Brussels to discuss options for using P3P to comply with the European Union Data Protection Directive. The meeting was a very good opportunity for the Working Party members to learn more about P3P, and for the P3P working group members to better understand some of the concerns that had been raised from the perspective of compliance with the European Directive. The meeting was supposed to result in a formal joint report and in follow-up discussions. Unfortunately this did not happen. However, the P3P working group members who attended the meeting did take the European concerns back to the working group, and discussions did continue informally. As the vocabulary continued to evolve, I believe many of the issues raised at the Brussels meeting were taken into account.

In August 2000 representatives from the P3P working groups gave presentations at the privacy summer school in Kiel. Following the presentations the Privacy Protection Commissioners of Berlin, Brandenburg, Hamburg, Northrhine-Westphalia, Schleswig-Holstein and Zurich held a press conference and issued a statement:

... P3P technology is useful for online privacy, but not sufficient on its own because P3P only offers a basic standard for privacy protection. Under any circumstances, additional, effective privacy monitoring and precise laws in order to protect Internet users are required. P3P allows to transfer a great part of the model European privacy protection acts into "bits and bytes". It is more difficult for privacy protection in the USA where citizens have to get by without the backing of laws and Privacy Protection Commissioners.
In Germany P3P has to be implemented as soon as possible and on its basis a comprehensive privacy concept has to be developed in order to adequately realise the Teleservices Data Protection Act. P3P 1.0 is a first step in the right direction. With P3P 1.0 the development in this area has not yet come to an end, but additional features have to be integrated. In the long run the use of P3P and other privacy tools could be an advantage in market competition for German Internet business, as the Teleservices Data Protection Act incorporates a high degree of privacy protection in Europe-wide comparison. According to surveys from many countries, customers will prefer websites where a maximum of privacy protection is technically guaranteed.
P3P is an important building block of a new privacy protection concept that increasingly focusses on transparency and market-economic elements. P3P provides the Privacy Protection Commissioners new possibilities for co-operation with the industry and to make effective privacy protection in Europe a competitive factor. In the future consumers should be given more and more the possibility to create demand for privacy protection through their consumer behaviour. This should make it clear to the companies that the European privacy protection is a locational advantage and that privacy-invasive sites don't have a chance in the market in the long run.

Since the Kiel meeting, representatives from Schleswig-Holstein have continued to be actively involved in the P3P working groups, and were very helpful as we ironed out some of the last remaining vocabulary issues. While I believe that most of the participants in the P3P working groups really are working towards similar goals of helping consumers better protect their privacy, there are some fundamental differences in understanding about what will best lead us towards these goals. One area that proved particularly difficult was the discussion of what constitutes "personally identifiable data," "identifiable data," or "identified" data. While it is quite clear that some data such as name, address, or telephone number is identifiable, data such as IP address is less clear. In some parts of the P3P specification distinctions were made between data that could be used to identify a person and data that actually is used to identify a person. This raises questions about what we mean by could -- just that something is theoretically possible, or must it be reasonably possible to actually do it? And are we concerned about the data being used by another party other than the data collector (for example law enforcement) to identify someone, or are we only concerned about its use by the data collector? Throughout this discussion many of the American working group members actually thought that a fairly strict interpretation of identifiable would be needed, but the data protection authority representatives argued for an interpretation based on the idea of "reasonable" and focusing on what would be possible for data collectors to do on their own. In the end we removed the term "personally identifiable data" from the specification and adopted the term "identified data" to mean "Data that reasonably can be used by the data collector to identify an individual."

I believe that the participation of representatives from the data protection authorities helped us to improve the P3P vocabulary and also helped us think about how P3P might be used to complement data protection laws. While the proceedings of the P3P working group take place in English and the P3P working group conference calls are held at times that may not be as convenient outside the US as they are in the US, we were able to get valuable input from our friends overseas. We also had active participation from the Ontario Commission, which did not have problems with language or time zones. The appointment of a European W3C staff member, Rigo Wenning, to work with the P3P working group was also helpful, and he was able to meet directly with some of the European authorities. Rigo and some of our other European members also corresponded directly in German and French with some of the people who had comments on and questions about the P3P specification.

I think procedure more than language or time zones proved to be a handicap in the participation of data protection authority representatives in the development of P3P. Government agencies and international working parties tend to have formal procedures they have to follow before they can send representatives to meetings or offer official comments. However, Internet standards are developed at a rapid pace, and there is often not enough time for official procedures to be followed and comments submitted before a new draft is available that may make comments on the previous draft obsolete. As much as it seems silly to suggest that a standard that has been five years in the making is proceeding on rapid "Internet time," the evolution of P3P has indeed occurred on Internet time. Most of the work of the working groups has taken place via email, and we hold weekly conference calls in which new issues get resolved almost every week. While most of these issues are relatively minor details, it is the collection of these details that will determine the ability of P3P to be an effective standard. Often when a new issue was raised in the P3P working group we scrambled to get feedback from a diverse group of viewpoints before the next meeting so we could determine whether there were any aspects of the decision that might have implications not readily apparent. It was easy to get quick unofficial feedback from some of our academic friends and from those data protection authorities who had representatives monitoring the working group mailing list and participating in conference calls. But getting even unofficial feedback from those not up to speed on the details of the specification was difficult. And even if they were up to speed, some were reluctant to provide unofficial feedback and wished to wait for the opportunity to provide official comments.

Future

In the future I hope we can find ways to use both official and unofficial channels to get more rapid feedback on proposed changes to the P3P specification. If data protection authorities are to play a meaningful role in future Internet standards efforts, I think they will need to find ways to work on Internet time, even if it means using unofficial channels. There were a number of instances when we were able to make very effective use of unofficial channels in the P3P effort. I am quite grateful for some frank personal conversations I have had with some of you in which you helped me understand perspectives that could not be stated officially in a timely fashion or in some cases at all.

In addition, I think in order for data protection authorities to participate meaningfully in Internet standards efforts, they need to be able to devote enough resources to follow these efforts. It is helpful to have someone who is both technically proficient and understands policy issues available to read the correspondence on the working group mailing lists and participate in discussions. This is a problem not just for data protection authorities, but also for the non-profit organizations that have tried to participate in P3P as well as other Internet standards efforts. The Center for Democracy and Technology in the US has managed to participate in the P3P process quite effectively, but they have done this by designating one or two staff members who have spent a large percentage of their time working on P3P. Incidentally, CDT has recently launched a project with the goal of finding ways to support the participation of public interest organizations in Internet standards efforts.

Returning to P3P specifically, the main work left to do is to get P3P deployed. Data protection authorities can assist in this by encouraging web sites under their jurisdiction to use P3P. Authorities may wish to distribute information about using P3P, provide examples of exemplary P3P policies, or translate instructions for P3P enabling web sites into languages appropriate for the people in their jurisdiction. Authorities may also consider allowing sites to submit their P3P policies rather than filling out separate forms as part of their own compliance procedures. They might develop automated tools that can extract some of the necessary information directly from the P3P policies.

The final area where I think data protection authorities can play a significant role with respect to P3P is in the development of default settings and other aspects of the user interface of P3P user agents. A lot of concerns have been raised about the P3P user interface, and especially about default settings, but very few concrete suggestions have been made as to what the interface should look like or what the default settings should be. I realize that it is somewhat difficult to make such recommendations while P3P is still an abstract concept and it is difficult to understand what the range of possibilities might be. But now that P3P user agents are emerging, it is time for data protection authorities to review them and to make specific suggestions about how they might be improved. They might take these suggestions to the companies who have already implemented P3P user agents, or they might fund projects to develop P3P user agents built especially to meet these needs. In addition, most P3P user agents come equipped with an ability to import settings files. Data protection authorities might consider developing recommended setting files for these user agents and distributing them on their web sites.

In conclusion, I think the data protection authorities have already played an important role in the development of P3P, and I look forward to their continued participation as P3P is deployed.

http://lorrie.cranor.org/pubs/paris-talk0901.html