The Platform for Privacy Preferences Project (P3P)

Lorrie Faith Cranor, AT&T Labs-Research, P3P Interest Group Co-Chair, October 1998 (28 slides)


Page 1: The Platform for Privacy Preferences Project (P3P)

Lorrie Faith Cranor, AT&T Labs-Research

P3P Interest Group Co-Chair

October 1998

Page 2: Background

Dynamic privacy negotiation concept has been around for a while

- ‘95-96: PICS for privacy discussions
- Fall ’96: Internet Privacy Working Group convened by CDT
- Summer ‘97: W3C launches P3P
- ‘96-98: Increasing government pressure and public concern motivates various self-regulatory efforts

Page 3: Government Pressure

- European Union directive
- FTC “losing patience with self-regulation”
- 14% of surveyed sites that collect personal data had privacy policies posted last spring
- Children’s Online Privacy Protection Act

Page 4: Public Concern

April 1997 Louis Harris Poll of Internet users

- 5% say they have been the victim of an invasion of privacy while on the Internet
- 53% say they are concerned that information about which sites they visit will be linked to their email address and disclosed without their knowledge

Page 5: Threat or Tool?

- Threat: Technology can automate data collection and processing
- Tool: Technology can automate individual control over personal information

Page 6: Revealing Personal Info

Advantages

- home delivery of products
- customized information and services
- ability to buy things on credit

Disadvantages

- info might be used in unexpected ways
- info might be disclosed to other parties

Page 7: User Empowerment Approach

Develop tools that allow people to control the use and dissemination of their personal information

Page 8: Empowerment Tools

- Prevent your actions from being linked to you: Crowds - AT&T Labs
- Allow you to develop persistent relationships not linked to each other or you: Lucent Personal Web Assistant - Bell Labs
- Make informed choices about how your information will be used: Platform for Privacy Preferences Project - W3C
- Know that assurances about information practices are trustworthy: TRUSTe - Electronic Frontier Foundation and CommerceNet

Page 9: Architecture (diagram)

Only the diagram labels survive: Regulatory and self-regulatory framework (shown on both the Service and the User side); Service; User; The Internet; Secure channel; Negotiation agent/trust engine; Pseudonym agent; Anonymizing agent.

Page 10: Platform for Privacy Preferences Project (P3P)

A framework for automated privacy discussions under development by W3C

- Services communicate about practices
- Users exercise preferences over those practices
- User agent can facilitate automated decision making, prompt user, exchange data, etc.

Page 11: Fair Information Practice Principles (diagram)

Only the diagram labels survive: Notice and Choice; Fair Information Practice Principles.

Page 12: Simplifying Notice and Choice

- visual labels; example: (old) TRUSTe
- machine readable labels; example: Platform for Internet Content Selection (PICS)

Page 13: Beyond Labeling

Labels support notice, but provide only limited support of choice

P3P also supports

- Multiple privacy policies
- Explicit agreements
- Negotiation

Page 14: Basic P3P Concepts (diagram)

Only the diagram labels survive: user agent; user data repository; preferences; service; proposal; agreement; user data; practices.

Page 15: A Simple P3P Conversation

(exchange between user agent and service)

User agent: Get index.html

Service: Here is my P3P proposal - I collect click-stream data and computer information for web site and system administration and customization of site

User agent: OK, I accept your proposal

Service: Here is index.html

Page 16: More Complicated Conversations

- Service offers choice of proposals
- User agent makes counter proposal
- User agent rejects proposal and asks service for another offer
- Upon agreement, user agent automatically sends requested data
- No agreement is reached (see “Automated Negotiation” paper with Paul Resnick)

Page 17: Assertions that can be made in a P3P Proposal

Proposal level

- Realm
- Disclosure URI
- Access
- Assurance
- Other disclosures
- Change agreement
- Retention

Statement level

- Consequence
- Data category and/or element
- Purpose
- Identifiable use
- Recipients

Page 18: P3P Vocabulary: Purposes

- Completion and support of current activity
- Web site and system administration
- Customization of site to individuals
- Research and development
- Contacting visitors for marketing of services or products
- Other uses

Page 19: Data

- Referenced by category or element
- P3P methods may be used to transfer data referenced by element
- Coupling between privacy disclosure and data collection
- Base data set includes elements all implementations should know about
- Services may create their own elements
- Vocabulary includes 10 data categories

Page 20: Data Repository

- Users can store elements they don’t mind providing to some services
- Services can gain read and/or write access through P3P agreements
- Elements can be automatically retrieved from repository when P3P methods or auto-fill forms are used

Page 21: Preference user interface (diagram)

Screenshot of a user-agent preference interface; only the labels survive. Data elements are grouped into sensitivity tiers, and each tier is given a preference over how the data may be used.

Info I consider highly sensitive: health insurance ID, bank account, credit card number, social security #

Info I consider somewhat sensitive: home address, household income, phone number, name

Info I do not consider sensitive: favorite beverage, gender, zip code, hair color

Preference choices shown:

- Info can be used only when necessary to complete a transaction
- Info may be used to complete a transaction or customize content
- Info may be used by site for any purpose, but may not be disclosed to others

Data categories shown: physical contact info; financial account IDs; computer info; demographics; click-stream

Diagram annotations: Data category; Data element; Preference; User interface
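The pieces on slides 15 through 21 fit together as one small trust engine: a service sends a proposal made of proposal-level and statement-level assertions (slide 17), the user agent checks each statement's data category, purposes and recipients against the preference tiers the user chose (slide 21), and only after agreement does it release elements from the user data repository (slide 20), otherwise it rejects and asks for another offer (slide 16). The Python below is an added example written for this page; it is not code from the slides, from the W3C documents or from AT&T's proposal generator. The purpose vocabulary and preference wording come from the slides; the short slugs, the recipient values "ours" and "others", the ruleset, the repository contents and the realms example.test/ and shop.test/ are my own assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Purposes from the "P3P Vocabulary: Purposes" slide, as short slugs (the slugs are my own)
PURPOSES = {"current-activity", "admin", "customization", "research", "marketing", "other"}

@dataclass(frozen=True)
class Statement:
    """Statement-level assertions of a proposal (slide 17)."""
    category: str          # data category slug, e.g. "click-stream" (slugs are my own)
    elements: tuple        # data elements the service asks the agent to send
    purposes: frozenset
    recipients: frozenset  # assumed values: "ours" = the service itself, "others" = third parties

@dataclass(frozen=True)
class Proposal:
    realm: str             # a proposal-level assertion (slide 17)
    statements: tuple

@dataclass(frozen=True)
class Preference:
    allowed_purposes: Optional[frozenset]   # None means any purpose
    allow_others: bool                      # may the data be disclosed to others?

# The three preference tiers shown on slide 21
ONLY_TO_COMPLETE_TRANSACTION = Preference(frozenset({"current-activity"}), False)
TRANSACTION_OR_CUSTOMIZE = Preference(frozenset({"current-activity", "customization"}), False)
ANY_PURPOSE_NO_DISCLOSURE = Preference(None, False)

# Constructed ruleset: which tier this made-up user attaches to each data category
RULESET = {
    "financial-account-ids": ONLY_TO_COMPLETE_TRANSACTION,
    "physical-contact-info": TRANSACTION_OR_CUSTOMIZE,
    "computer-info": ANY_PURPOSE_NO_DISCLOSURE,
    "demographics": ANY_PURPOSE_NO_DISCLOSURE,
    "click-stream": ANY_PURPOSE_NO_DISCLOSURE,
}

# Constructed user data repository (slide 20): category -> element -> value
REPOSITORY = {
    "physical-contact-info": {"name": "A. User", "zip code": "00000"},
    "financial-account-ids": {"credit card number": "0000-0000-0000-0000"},
}

def evaluate(proposal, ruleset=RULESET):
    """Return (category, reason) violations; an empty list means the agent may accept."""
    violations = []
    for st in proposal.statements:
        if not st.purposes <= PURPOSES:  # unknown vocabulary is never silently allowed
            violations.append((st.category, f"unknown purpose: {sorted(st.purposes - PURPOSES)}"))
        pref = ruleset.get(st.category)
        if pref is None:  # no rule for this category: deny rather than guess
            violations.append((st.category, "no preference rule, default deny"))
            continue
        if pref.allowed_purposes is not None and not st.purposes <= pref.allowed_purposes:
            violations.append((st.category, f"purpose not permitted: {sorted(st.purposes - pref.allowed_purposes)}"))
        if not pref.allow_others and "others" in st.recipients:
            violations.append((st.category, "disclosure to others not permitted"))
    return violations

def release(proposal, repository=REPOSITORY):
    """Data sent once agreement exists: only named elements, and only those the repository holds."""
    return {el: repository[st.category][el]
            for st in proposal.statements
            for el in st.elements if el in repository.get(st.category, {})}

def converse(proposals, ruleset=RULESET, repository=REPOSITORY):
    """Slide 15/16 exchange with a service offering proposals in turn; returns (outcome, transcript, data)."""
    transcript = ["User agent: Get index.html"]
    for prop in proposals:
        transcript.append(f"Service: Here is my P3P proposal for {prop.realm}")
        problems = evaluate(prop, ruleset)
        if not problems:
            transcript.append("User agent: OK, I accept your proposal")
            data = release(prop, repository)
            if data:
                transcript.append(f"User agent: Here is the data you asked for: {sorted(data)}")
            transcript.append("Service: Here is index.html")
            return "agreement", transcript, data
        why = "; ".join(f"{cat}: {reason}" for cat, reason in problems)
        transcript.append(f"User agent: I reject your proposal ({why}); do you have another offer?")
    transcript.append("Service: No further proposals")
    return "no agreement", transcript, {}

# Slide 15's proposal, plus a two-round negotiation of the kind slide 16 describes
SIMPLE = Proposal("example.test/", (
    Statement("click-stream", (), frozenset({"admin", "customization"}), frozenset({"ours"})),
    Statement("computer-info", (), frozenset({"admin", "customization"}), frozenset({"ours"})),
))
TOO_GREEDY = Proposal("shop.test/", (Statement("physical-contact-info", ("name", "zip code"),
                      frozenset({"current-activity", "marketing"}), frozenset({"ours", "others"})),))
NARROWED = Proposal("shop.test/", (Statement("physical-contact-info", ("name", "zip code"),
                    frozenset({"current-activity"}), frozenset({"ours"})),))

if __name__ == "__main__":
    for outcome, lines, data in (converse([SIMPLE]), converse([TOO_GREEDY, NARROWED]), converse([TOO_GREEDY])):
        print("\n".join(lines), f"\n-> {outcome}; released {data}\n")
```

Two choices in the engine are the ones a user agent implementer has to get right: a data category the user never wrote a rule for, and a purpose term outside the vocabulary, both count as violations rather than as silent acceptance, and the repository releases only the elements that an accepted statement actually names, so a service cannot pull data the agreement never covered.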

Page 22: W3C P3P Documents

- Syntax
- Harmonized Vocabulary
- Base Data Set
- P3P1.0 Specification
- Implementation Guide
- Guiding principles
- . . .
- APPEL (A P3P Preference Exchange Language)

Page 23: Guiding Principles

- Information Privacy
- Notice and Communication
- Choice and Control
- Fairness and Integrity
- Security

A statement of intent by members of the P3P working groups and a recommendation on how to use P3P to maximize privacy

Page 24: APPEL

A rule language that expresses what should be done with P3P proposals

Not essential to P3P, but useful for:

- Sharing and installation of rulesets
- Communication to agents, search engines, proxies, or other servers
- Portability between products

Could be replaced by XML or RDF query language

Page 25: Implementation and Deployment

- Need user agent and server implementations
- Need Web sites to create P3P proposals
- Web sites can use P3P without a special server, but P3P-compliant server and tools allow them to take advantage of flexibility

Page 26: Incremental adoption

- “Levels” allow implementers to ramp up gradually
- Good implementations provide incentives
  - “Privacy watchdog” features to provide useful info about non-P3P-compliant sites
  - Good data repository implementations in user agent save typing
  - Good data management tools for Web servers
- Adoption drives more adoption

Page 27: Keys to Success

- Good end-user implementations
  - easy to use
  - easy to plug in “recommended settings”
  - not annoying
  - use incremental adoption model
  - privacy friendly
- Good server implementations and tools
- Adoption by many Web sites
- Users find it useful
- Endorsement by government-regulatory and self-regulatory organizations

Page 28: The Platform for Privacy Preferences Project (P3P)

Papers and demo of AT&T P3P Proposal Generator: www.research.att.com/projects/p3p/

P3P Web site at W3C: www.w3.org/p3p/