The Platform for Privacy Preferences Project (P3P)

Lorrie Faith Cranor, AT&T Labs-Research

P3P Interest Group Co-Chair

October 1998

Background

- Dynamic privacy negotiation concept has been around for a while
- ’95-96: PICS for privacy discussions
- Fall ’96: Internet Privacy Working Group convened by CDT
- Summer ’97: W3C launches P3P
- ’96-98: Increasing government pressure and public concern motivates various self-regulatory efforts

Government Pressure

- European Union directive
- FTC “losing patience with self-regulation”: 14% of surveyed sites that collect personal data had privacy policies posted last spring
- Children’s Online Privacy Protection Act

Public Concern

April 1997 Louis Harris Poll of Internet users:

- 5% say they have been the victim of an invasion of privacy while on the Internet
- 53% say they are concerned that information about which sites they visit will be linked to their email address and disclosed without their knowledge

Threat or Tool?

- Threat: Technology can automate data collection and processing
- Tool: Technology can automate individual control over personal information

Revealing Personal Info

Advantages:
- home delivery of products
- customized information and services
- ability to buy things on credit

Disadvantages:
- info might be used in unexpected ways
- info might be disclosed to other parties

User Empowerment Approach

Develop tools that allow people to control the use and dissemination of their personal information

Empowerment Tools

- Prevent your actions from being linked to you: Crowds - AT&T Labs
- Allow you to develop persistent relationships not linked to each other or you: Lucent Personal Web Assistant - Bell Labs
- Make informed choices about how your information will be used: Platform for Privacy Preferences Project - W3C
- Know that assurances about information practices are trustworthy: TRUSTe - Electronic Frontier Foundation and CommerceNet

[Diagram: a User and a Service communicate across the Internet within a regulatory and self-regulatory framework. Layers shown between them: secure channel, negotiation agent/trust engine, pseudonym agent, anonymizing agent]

Platform for Privacy Preferences Project (P3P)

- A framework for automated privacy discussions under development by W3C
- Services communicate about practices
- Users exercise preferences over those practices
- User agent can facilitate automated decision making, prompt user, exchange data, etc.

Fair Information Practice Principles

Notice and Choice

Simplifying Notice and Choice

- visual labels (example: (old) TRUSTe)
- machine readable labels (example: Platform for Internet Content Selection (PICS))

Beyond Labeling

- Labels support notice, but provide only limited support of choice
- P3P also supports: multiple privacy policies, explicit agreements, negotiation

Basic P3P Concepts

[Diagram of the parties and objects: user agent (with preferences and a user data repository), service (with its data practices), proposal, agreement, user data]

A Simple P3P Conversation

User agent: Get index.html

Service: Here is my P3P proposal - I collect click-stream data and computer information for web site and system administration and customization of site

User agent: OK, I accept your proposal

Service: Here is index.html

More Complicated Conversations

- Service offers choice of proposals
- User agent makes counter proposal
- User agent rejects proposal and asks service for another offer
- Upon agreement, user agent automatically sends requested data
- No agreement is reached

(see “Automated Negotiation” paper with Paul Resnick)

Assertions that can be made in a P3P Proposal

Proposal level:
- Realm
- Disclosure URI
- Access
- Assurance
- Other disclosures
- Change agreement
- Retention

Statement level:
- Consequence
- Data category and/or element
- Purpose
- Identifiable use
- Recipients

P3P Vocabulary: Purposes

- Completion and support of current activity
- Web site and system administration
- Customization of site to individuals
- Research and development
- Contacting visitors for marketing of services or products
- Other uses

Data

- Referenced by category or element
- P3P methods may be used to transfer data referenced by element: coupling between privacy disclosure and data collection
- Base data set includes elements all implementations should know about
- Services may create their own elements
- Vocabulary includes 10 data categories

Data Repository

- Users can store elements they don’t mind providing to some services
- Services can gain read and/or write access through P3P agreements
- Elements can be automatically retrieved from repository when P3P methods or auto-fill forms are used

[Diagram: a user interface that maps data categories to data elements and to preferences. Columns: Data category, Data element, Preference, User interface.
Data categories shown: physical contact info, financial account IDs, computer info, demographics, click-stream.
Data elements shown, grouped as on the slide: home address, household income, phone number, name; favorite beverage, gender, zip code, hair color; health insurance ID, bank account, credit card number, social security #.
User-interface sensitivity levels: “Info I consider highly sensitive”, “Info I consider somewhat sensitive”, “Info I do not consider sensitive”.
Preferences: “Info can be used only when necessary to complete a transaction”; “Info may be used to complete a transaction or customize content”; “Info may be used by site for any purpose, but may not be disclosed to others”]
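The simple conversation on the earlier slide and the three preference levels of the user-interface slide, worked as an added example (not code from the slides or from the W3C P3P specification): a toy user agent that checks each statement of a proposal against per-category preferences. The Statement and Preference structures, the "ours"/"others" recipient labels and the category-to-level mapping are assumptions made for the example.

```python
# Added example (not from the slides or the P3P 1.0 spec): a toy user agent that
# checks a service's proposal against user preferences with the vocabulary the
# slides list. Real P3P syntax is not on this page; structures are assumptions.
from dataclasses import dataclass
# Purposes from the "P3P Vocabulary: Purposes" slide
CURRENT = "completion and support of current activity"
ADMIN = "web site and system administration"
CUSTOMIZE = "customization of site to individuals"
RESEARCH = "research and development"
MARKETING = "contacting visitors for marketing"
OTHER = "other uses"
ANY_PURPOSE = frozenset({CURRENT, ADMIN, CUSTOMIZE, RESEARCH, MARKETING, OTHER})

@dataclass(frozen=True)
class Statement:  # statement-level assertion: data category, purposes, recipients
    category: str
    purposes: frozenset
    recipients: frozenset  # assumed labels: "ours" (the service) or "others"

@dataclass(frozen=True)
class Preference:  # what the user allows for one data category
    purposes: frozenset
    allow_disclosure: bool  # may the data be passed on to other parties?

# The three preference levels from the user-interface slide; which category
# gets which level is an assumption for this example.
HIGHLY = Preference(frozenset({CURRENT}), False)               # only to complete a transaction
SOMEWHAT = Preference(frozenset({CURRENT, CUSTOMIZE}), False)  # transaction or customization
NOT_SENSITIVE = Preference(ANY_PURPOSE, False)                 # any purpose, but no disclosure
PREFERENCES = {"financial account IDs": HIGHLY, "physical contact info": SOMEWHAT,
               "demographics": NOT_SENSITIVE, "computer info": NOT_SENSITIVE,
               "click-stream": NOT_SENSITIVE}

def evaluate(proposal, preferences=PREFERENCES):
    """Return ("accept", []) or ("reject", reasons). Unknown categories are
    treated as highly sensitive, so an unexpected category cannot slip through."""
    reasons = []
    for st in proposal:
        pref = preferences.get(st.category, HIGHLY)
        if bad := st.purposes - pref.purposes:
            reasons.append(f"{st.category}: purposes not allowed: {sorted(bad)}")
        if "others" in st.recipients and not pref.allow_disclosure:
            reasons.append(f"{st.category}: may not be disclosed to others")
    return ("accept" if not reasons else "reject", reasons)

# The proposal from the "Simple P3P Conversation" slide, as Statement objects
SIMPLE = [Statement("click-stream", frozenset({ADMIN, CUSTOMIZE}), frozenset({"ours"})),
          Statement("computer info", frozenset({ADMIN, CUSTOMIZE}), frozenset({"ours"}))]
# Constructed proposal: contact info used for marketing and shared with others
MARKETER = [Statement("physical contact info", frozenset({MARKETING}), frozenset({"ours", "others"}))]
```

`evaluate(SIMPLE)` accepts, matching the slide's "OK, I accept your proposal"; `evaluate(MARKETER)` rejects with one reason per violated preference, the input a counter-proposal step would start from.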

W3C P3P Documents

- Syntax
- Harmonized Vocabulary
- Base Data Set
- P3P1.0 Specification
- Implementation Guide
- Guiding principles
- . . .
- APPEL (A P3P Preference Exchange Language)

Guiding Principles

- Information Privacy
- Notice and Communication
- Choice and Control
- Fairness and Integrity
- Security

A statement of intent by members of the P3P working groups and a recommendation on how to use P3P to maximize privacy

APPEL

- A rule language that expresses what should be done with P3P proposals
- Not essential to P3P, but useful for:
  - sharing and installation of rulesets
  - communication to agents, search engines, proxies, or other servers
  - portability between products
- Could be replaced by XML or RDF query language

Implementation and Deployment

- Need user agent and server implementations
- Need Web sites to create P3P proposals
- Web sites can use P3P without a special server, but P3P-compliant server and tools allow them to take advantage of flexibility

Incremental adoption

- “Levels” allow implementers to ramp up gradually
- Good implementations provide incentives:
  - “Privacy watchdog” features to provide useful info about non-P3P-compliant sites
  - Good data repository implementations in user agent save typing
  - Good data management tools for Web servers
- Adoption drives more adoption

Keys to Success

- Good end-user implementations:
  - easy to use
  - easy to plug in “recommended settings”
  - not annoying
  - use incremental adoption model
  - privacy friendly
- Good server implementations and tools
- Adoption by many Web sites
- Users find it useful
- Endorsement by government-regulatory and self-regulatory organizations

Papers and demo of AT&T P3P Proposal Generator: www.research.att.com/projects/p3p/

P3P Web site at W3C: www.w3.org/p3p/