W3C home > Mailing lists > Public > www-p3p-public-comments@w3.org > May 1999

FWD: Proposed vocab changes

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Mon, 24 May 1999 11:27:35 -0400
Message-Id: <3.0.5.32.19990524112735.009f4d20@localhost>
To: www-p3p-public-comments@w3.org
Message-ID: <36DB06A7.3DF225E2@research.att.com>
Date: Mon, 01 Mar 1999 16:29:11 -0500
From: Lorrie Faith Cranor <lorrie@research.att.com>
To: w3c-p3p-coordination@w3.org
Subject: Proposed vocab changes

Based on our discussions with lawyers and our experience
using the P3P vocabulary over the past several months, I would
like to propose the following changes to the vocabulary.
I would also like to propose that after the coordination group
has discussed these and removed any that the group cannot
reach a consensus on, that the group consider forwarding 
the remaining list of proposed changes to the former P3P harmonized 
vocab group and/or P3P Interest Group to see if there are any 
objections.

All changes are based on the vocab draft 
http://www.w3.org/P3P/Group/Syntax/Drafts/WD-P3P-19990208/vocab.html
I don't believe this draft has changed in several months although
its version number has changed.

PROPOSED CHANGE 1:

In section 1, the fourth paragraph currently says:

Note, in addition to the terms specified in the harmonized vocabulary,
P3P requires services to specify in their proposals the service
provider's identity, an experience space to which their practices
apply (e.g., realm: http://www.w3.org), the location at which users
can find a human-readable explanation of the service's privacy
policies (discURI) and an optional human-readable description of the
result (e.g., consequence: "to offer customized sports updates").

I would like to make the following changes:

- insert "(entity)" following  "service provider's identity"

- add the following to the end of this paragraph:

In addition, services may specify an "assuring party" that attests
that the service provider will abide by its proposal, follow
guidelines in the processing of data, or other relevant
assertions. Entity, realm, discURI, consequence, and assurance
elements are fully specified in the <a href =
"http://www.w3.org/TR/WD-P3P/syntax">P3P Syntax Specification</a>.

The purpose of this change is to better document all in one place the 
other semantic information contained in a P3P proposal that is defined 
elsewhere in the spec.


PROPOSED CHANGE 2:

Add a category 10 to section 4 Data Categories. This category would be
called "State Management Mechanisms" and would be defined as:
Mechanisms for maintaining a stateful session with a user or
automatically identifying users who have visited a particular site or
accessed particular content previously -- such as HTTP cookies.

The purpose of this change is to provide a category that can be used
to describe current and future state management mechanisms.


PROPOSED CHANGE 3:

Add a category 11 to section 4 Data Categories. This category would be
called "Other" and would be defined as: Other types of data not
captured by the above definitions. (A human readable explanation should
be provided in these instances.)

The purpose of this change is to provide a category that developers
of new data element schemas can use if they wish to define new data 
elements that really don't fit well into our defined categories.


PROPOSED CHANGE 4:

Change the explanation of identifiable use to reflect its
relationship to the well-known term "personally identifiable data."
I am not proposing any change to our use of the term "identifiable
use" -- just a change in the way we explain it. Specifically, we 
should:

Change definition of Personally Identifiable Data in section 3
Definitions to the standard definition with a note that we emphasize
identifiable use: Any information relating to an identified or
identifiable individual. Note that this vocabulary uses a broader
term -- Identifiable Use -- that focuses on the way information is
used.

Add definition of Identifiable Use in section 3 Definitions: The use of
information relating to an individual that identifies that individual
-- this may include linking information with personally identifiable
information from other sources or combining information so as to infer
a person's identity.

Change the explanation of Identifiable Use in section 6 Purpose
Qualifiers to: 

Is data used in a way that is personally identifiable -- including
linking it with personally identifiable information from other
sources?  While some data is obviously identifiable (such as full
name), other data (such as zip code, salary, or birth date) could
allow a person to be identified depending on how it is used. Also, a
technically astute person in some circumstances could determine the
identity of a user from the IP number in a HTTP log. This requires a
specific effort and is based on how that IP number is registered,
whether it is used by more than one person on a computer, or if it is
dynamically allocated by an internet service provider. Consequently,
we refrain from defining any particular data or set of data as
personally identifiable and instead focus on whether data is used in
an identifiable way. Thus identifiable use applies to data commonly
considered to be personally identifiable as well as other data that is
used in an identifiable way.

The purpose of this change is to clarify our use of these terms for
people familiar with the well-known term "personally identifiable data."


___________________________________________________________
Joseph Reagle Jr.  http://www.w3.org/People/Reagle/
Policy Analyst     mailto:reagle@w3.org
Received on Monday, 24 May 1999 11:29:07 GMT

This archive was generated by hypermail 2.2.0+W3C-0.1 : Tuesday, 21 September 2004 12:14:15 GMT