W3C home > Mailing lists > Public > public-p3p-spec@w3.org > July 2003

MINUTES: 23 July P3P spec call

From: Lorrie Cranor <lorrie@research.att.com>
Date: Wed, 23 Jul 2003 12:10:10 -0400
To: public-p3p-spec@w3.org
Message-Id: <22AF60EA-BD28-11D7-9E89-000393DC889A@research.att.com>

1. Task force reports
    - P3P beyond HTTP - Joseph Reagle
Patrick Hung is taking over this task force. Lorrie will try to get him  
a jigedit account.
    - User agent behavior - Lorrie Cranor
Continuing to make progress. More feedback welcome.

    - Compact policies - Brian Zwit and Brooks Dobbs
Brooks and Jeremy have been discussing and will arrange a call in the  
next two weeks. They will focus on documenting performance issues and  
on the grouping mechanism.

    - Article 10 vocabulary issues - Giles Hogben
Giles will try to attend the working party meeting in September to make  
sure this gets discussed and we get EU feedback.

2. Discuss Liberty slides
http://lists.w3.org/Archives/Member/w3c-p3p-specification/2003Jul/ 
0002.html

Here is the gist of the feedback we want to send to Liberty. Other WG  
members may draft more detailed feedback to send themselves...

We have some concerns about taking the very expressive P3P vocabulary  
and reducing it down to a set of five privacy policies. If web sites  
are only going to be able to describe five policies, there is not a lot  
to be gained by using P3P at all. You could simply define five standard  
policies in human-readable language. From a technical perspective, we  
do not understand why the five-policy limitation is necessary. While  
service providers may want to provide a limited set of preference  
settings to users in order to make interfaces usable, it is not clear  
why every service provider needs to provide the same set of preference  
settings, or why web sites should be restricted to providing policies  
that correspond with these settings.

We also have concerns about the way these policies have been put into a  
well-ordered set. The P3P vocabulary was not intended to represent a  
well-ordered set. Depending on the context and user preferences, some  
data uses may be more privacy invasive than others, for example.

Looking at the specific five policies that have been proposed, we also  
do not understand why the least restrictive ones are not a superset of  
the more restrictive policies -- for example, why doesn't the moderate  
policy include nonident and all along with contact-and-other?

We also note that the policies require the use of the remedies element,  
which is actually an optional part of P3P. In addition, the delivery  
element is only permitted for the least restrictive policy, however, it  
is an element found in the privacy policies of most web sites today.


3. Discussion of Ari's identified/identifiable/link
    clarification draft.
http://www.w3.org/Bugs/Public/show_bug.cgi?id=167
http://lists.w3.org/Archives/Public/public-p3p-spec/2003Jun/0030.html

Rigo had some concerns about Ari's draft, which he explained in  
http://lists.w3.org/Archives/Public/public-p3p-spec/2003Jul/0033.html.  
Lorrie suggested that Ari try incorporating Rigo's suggestions about  
referring to the EU definitions in the introduction, but then stick  
with his current approach. Rigo was not on the call so we don't know  
what his reaction will be, but Ari will try this and then get feedback.  
Brooks will send Ari a linking example to include too.

4. Our next call will be on July 30. The primary agenda item will be  
discussing Jeremy's draft. If we do not receive this draft by July 28  
we will probably postpone this call until August 6 (unless something  
else comes up that we need to discuss).
Received on Wednesday, 23 July 2003 12:07:38 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 17 March 2004 17:46:26 EST