
UA translations

From: Giles Hogben <giles.hogben@jrc.it>
Date: Wed, 30 Apr 2003 16:55:04 +0200
To: <public-p3p-spec@w3.org>, "Lorrie Cranor" <lorrie@research.att.com>
Message-ID: <GAEKIJGJBJOBBJEFAHMLAEEMCJAA.giles.hogben@jrc.it>

Sorry for late entry into this discussion - lack of time, not because I'm
not interested!

Here are some comments on the docs: I went through the 3 docs trying to be
as picky as possible...:)
Disclaimer - haven't had time to look through other people's comments + I
can be a bit picky about exact meanings of things - Philosophy+Physics at
Uni + lots of proof reading...)

General comments. The thing that struck me as most important is to come up
with consistent and good ways of expressing a couple of things like
"identifies you". My impression from reading them is that they haven't been
looked at by a lawyer. I think as we suggested, they need to be run by a
usability lab and a lawyer (for consistency and to look at implications)

Lorrie - let me know if you would like me to structure this better.

Privacy Bird:

"identified with you" is a. inconsistent with "about you" and b. could be
The word identity or related words should probably be avoided unless
specifically talking about identity.
Also - is the information really about "you" - I mean couldn't it be more
factual and say "your activities"

3 different terms for the same thing - "about you", "your information" and
"information identified with you"

Purpose- current - "data was provided" - is ambiguous - first of all it
hasn't necessarily been provided yet - it's a policy after all and secondly
provided sounds like something a provider does - would suggest submitted.

admin - To do web site and system administration - the information doesn't
do the administration does it. Suggest "Used in ....". Perhaps you mean
"PURPOSE is to do ...."  but that's still not what we really mean.

"To do research and development without creating a record identified with
you" - identified with you in common parlance is not a very exact phrase -
"which identifies you"?

"To contact you through means other than telephone (email, postal mail,
etc.) to interest you in other services or products" - "to interest you" is
not really what the purpose is - usually it is "to sell you" although interest
might be a by-product. Ditto below for telemarketing.

Other unknown uses - are they unknown or just incapable of being expressed
within P3P?

--  "only if you request this" is ambiguous - should be more exact.

"Delivery companies who may also use your information for other purposes" -
is that correct or is it "only for delivery"? Surely that makes more sense?

"PREFERENCE	Information about your tastes or preferences" - tastes is a bit
vague. Doesn't really add anything to the meaning.

 General comment - unclear about voice - should be either "this site (owner
of policy is talking)" or "the site (browser manufacturer is talking)" but
not both. Another example "our stated business practice".

"Contact and other specific information " - "other specific information" is

"Information identified on this web site such as your account statement."
Unclear what "identified on this web site" - specific examples restrict the
domain too much.

"	Reference to applicable law" - applicable doesn't mean much to me.

	Payment to you of an amount specified in the privacy policy or the amount
of damages."
What is "the amount". How do we determine what amount is specified in the
privacy policy. Which privacy policy??

"	Complete the activity for which it was specifically provided." - Complete
or carry out?

"	Provide technical support of the web site and its computer system." wrong

"	Customize or tailor the design or content on the site during a single
visit to the site—it will not be maintained for future visits to the site.
" - did we mean to make it session specific?

pseudoanalysis - "without linking them to you personally" - you personally
is ambiguous - PII would be better.

individual-analysis does not explicitly say whether information is linkable.

"	Preserve social history in accordance with an existing law or policy."
Very different from PB definition - did anyone mention law or policy?

Opt-in/opt out description - "you can" and "you will be given an
opportunity" for the same thing - should use the same phrase.

<ours> "an agent " is a bit ambiguous - no longer an agent under mandate of
this site etc...

Delivery different from PB definition.

"held accountable to this web site " is very ambiguous. How can you be
accountable to a web site?

	Other entities that do not tell us what they will do with your
information." I don't think the point is that they don't tell us. It is that
we do not know (and are not accountable).

	Public bulletin boards, chat rooms, or other public forums or services."
The boards are not the recipients - as PB rightly makes clear.

"Your information will be destroyed and it will not be logged or archived
after your session ends." is ambiguous - what the "after your session ends"
applies to.

"	As long as it is required by law or liability under applicable law.
Click here for more information. ADD: The information is retained to meet a
specific purpose but may be retained longer that it takes to meet that
purpose. For example, if a consumer has 30 days to dispute a transaction,
the web site may maintain the transaction information for 30 days until the
time for lodging the dispute has passed."

Additional info does not mention anything about law - or only as an
example - very ambiguous.

"	Identifies you as a unique user but does not use your e-mail address,
social security number, or name to identify you." - is this correct???

"	Your passive behavior on the web site such as which pages you have
visited." - passive will be misinterpreted. Needs to be made more explicit.

	Specific content that you have provided to the site such as the text of an
e-mail." - not a very good example - an email is not an email when it's on a
site - so it's a bit confusing.

"	Your current physical location such as GPS data." your GPS co-ordinates.

Internet Explorer

"Information that allows an individual to be contacted or located in the
physical world" - how does it differ from location - not clear

Online - "located on the internet" - what does this mean?

"identifying an individual over time.  " Identifying is always over time -
this doesn't mean much. Identity comes from Latin "idem" meaning same - as
we are not talking about "the same type of thing in 2 different places"
identity means the same thing at 2 different times.

"Information about an individual's finances, **including** account status,
account balance, payment or overdraft history, and information about an
individual's purchase or use of financial instruments, including credit
cards or debit cards." - implies that all those things will be collected.
Should say "can include" or "such as" - such terms should be used
consistently throughout.

"Demographic and socioeconomic data, , such as gender, age, and income, not
tied to an identifiable person. "  double comma in IE too? Tied to an
identifiable person is a bit vague - there are so many ways of saying this -
we need to come up with a good way of saying this and use it consistently.

"The words and expressions contained in the body of a communication. For
example, the text of an e-mail message, bulletin board postings, or chat
room communications. "  It's unclear how a P3P agent would collect such
things in its present form as it can't be applied to chat rooms or email

"Mechanisms, such as HTTP cookies, for maintaining an active connection with
an individual or for automatically identifying an individual who has visited
a particular site or previously accessed particular content. " This is
completely confusing - does it mean identifying an individual in the sense
of knowing their identity or does it mean knowing that they are the same guy
as five minutes ago. Very different. "An active connection with an
individual" is also not clear - it sounds like some kind of social

"Information about membership in or affiliation with groups such as
religious organizations, trade unions, professional associations, political
parties, etc. "  It's not clear what links the items hence "etc..." is a bit
unclear here.

"Information, such as global positioning data, that can be used to identify
an individual's current physical location and track him as his location
changes. " - "current" is not what is meant - the information might be
stored. Avoid identify unless it's connected with identity. Don't use gender
specific pronouns. The fact that his location might change seems irrelevant.

"Identifiers issued by a government for purposes of identifying an
individual over time, such as a driver's license number, social security
number, or passport number."  - double use of word identity. Identifying the
individual may not be the PURPOSE of a drivers' license number as is

"What types of information about myself do I have access to? " where - how?

"Personally identifiable online and physical contact information, as well as
to other information linked to an identifiable person." - wrong grammar -
use of "to other information" we are trying to describe what sort of
information I have access to, not the access itself. Contains yet another
phrase for "linkable".

 "Information that is based upon a unique identifier but that cannot be
linked to an individual may be used for research, analysis, and reporting.
For example, the number of users within a ZIP code. "  - it's not clear that
a ZIP code cannot be linked to an individual. Maybe that's true in America
but if I use the word post-code, in the UK, this is a dubious example to

"Information that can be linked to an individual may be used to make a
decision that directly affects that individual. For example, a Web site
might show an individual houses that are within her ability to purchase,
regardless of the price range she has researched before. " - I don't see the
difference between this example and the one with the ZIP code/location given
above. They are both using information which is not unique to the individual
to give tailored information.

"Legal entities performing delivery services that may use data for purposes
other than completion of the stated purpose. "
The P3P description here is strange. In terms of what people will be
interested in, aren't delivery services who will not use data for purposes
other than delivering more of interest. Otherwise it probably just falls
into the category of <other> for practical purposes. I.e. if you give your
info to them, you can say goodbye to your privacy.

no-retention - "the single online interaction.  " What does this mean

Giles Hogben
CyberSecurity Unit
Institute for the Protection and Security of the Citizen (IPSC)
European Commission - Euratom Centro Comune di Ricerca
Via Enrico Fermi 1
21020 Ispra,   Italy
Tel.:   +39 0332 789187
Fax.:   +39 0332 789576
e-mail: giles.hogben@jrc.it
Received on Wednesday, 30 April 2003 10:52:24 EDT
