Next Generation Web Policy Challenges


P3P: User Empowerment Tools for Web Privacy
Daniel J. Weitzner
World Wide Web Consortium
23 April 2001
National Association of Attorneys General
Overview: Approaching Web Privacy
Unique Web Privacy Challenges
Web Community Response: P3P
P3P: Necessary but not sufficient
Conclusion: Empowering users to address privacy problems
Loss of Control: The Unique Web Privacy Challenge
Intel Pentium ID
Windows Registry ID
Doubleclick ID matching
P3P: W3C's Platform for Privacy Preferences
The Goal of P3P -- Meet Increasing User Privacy Demands
Use the power of the Web to:
  enhance notice
  enable choice
Streamline ecommerce transactions
Framework for global privacy
About the W3C
Mission: realize the full potential of the Web
Product: Technical standards and guidelines
  HTML, XML, Style Sheets
Founded in 1994 by Tim Berners-Lee
Global Reach: MIT, INRIA (France), Keio University (Japan), Offices
500+ members from industry, research, nonprofit, user communities
P3P Functional Overview
Notice: Easy access to the service's privacy practices through standard privacy vocabulary (in XML)
Choice: machine-assisted policy guidance comparing user preferences with site practices
Assurance: Reference to assuring organizations – government, self-regulatory body
P3P In Operation
[Diagram labels: User, Service, Personal Data, Choice, Notice, Privacy Preferences, Personal profile, Privacy Policy, Customer Information]
P3P Status at W3C and in the market
P3P is W3C Candidate Recommendation (Draft Standard)
Active participation from vendor & user communities - financial services, data warehousing, mobile communications
Implementation Commitments: support from 25 companies; 8 companies with implementation plans
P3P Implementations
Web Sites
Web Software
  Browsers: AOL/Netscape, Microsoft
  Servers: IBM
  Browser plug-ins: IDCide, YouPowered
  Data mining/CRM: NCR
P3P enabled web sites
www.aol.com
www.att.com
www.cdt.org
www.engage.com
www.hp.com
www.ibm.com
www.idcide.com
www.microsoft.com
www.pg.com
www.ttuhsc.edu
www.youpowered.com
www.vineyard.net
www.w3.org
www.whitehouse.gov
And many more…
P3P Implementations
IDcide Privacy Companion
IBM P3P Policy Editor
  Create privacy policies in P3P and human-readable format
  Available from IBM AlphaWorks site: http://www.alphaworks.ibm.com/tech/p3peditor
Microsoft Internet Explorer v6 – P3P for cookie control
Double clicking on the P3P icon indicates where the site’s policy differs from the user’s preferences
IDcide P3P Icons
Searching for a P3P policy
No P3P policy found
P3P policy is NOT acceptable
P3P policy is acceptable
Sites can list the types of data they collect
And view the corresponding P3P policy
P3P: Necessary but not Sufficient
Necessary…
  Statutes/regulations cannot make all choices or anticipate new relationships
  Statutes/regulations should not make all choices
  Lots of choices – machines can help
  The Web is trans-jurisdictional
P3P: Necessary but not Sufficient
…but not sufficient
2 of 4 FTC Fair Information Practices
  Notice
  Choice
  Security
  Enforcement
2 of 8 OECD FIPS
  Procedural Rights: notice, enforcement
  Minimum standards for sensitive information: financial, medical, …
P3P & the Law
Law alone won’t suffice
Build user trust through privacy empowerment tools
Combined effort by vendors & web services needed
Next Steps for P3P
Deployment in major browsers
Target Top 100 Web Sites
No blinking VCRs on the Web – Consumer Education
More information: http://www.w3.org/P3P