W3C home > Mailing lists > Public > www-p3p-public-comments@w3.org > February 2000

Re: Some Comments on P3P

From: Christopher D. Hunter <chunter@asc.upenn.edu>
Date: Thu, 17 Feb 2000 00:38:22 -0400
Message-ID: <38AB7B17.FFA09FE2@asc.upenn.edu>
To: www-p3p-public-comments@w3.org
P3P Development Team,

I appreciate your response to the issues I raised in an earlier message.
 However I still have a few critical points to make, particularly in
regards to data categories.

> > - Under the POLICY entity or the DISCLOSURE element, why not require
> > sites to also list a contact person and the address of the company?
> > This type of addition would go a long way towards ameliorating the
> > information asymmetry critique.  I also believe that it will become a
> > necessity if governments eventually set up "privacy clearinghouses"
> > which certify company privacy practices.  Perhaps all of this can
> > already be done with APPEL?
> Please see our new and improved "entity" attribute.

Let me say that I think that the mandatory "entity" attribute is a big
step forward.  This certainly speaks to the accountability principle of
OECD.  However, why not go even further, and as Karen Coyle suggests,
include a number of other "entity" attributes such as public/private
company, subsidiary of, nation incorporated in, etc. ?  I know that this
would make things more complicated, but my guess is that the EU is going
to want a fuller set of disclosure elements about companies.  I'd just
make sure that you have an extension element to the entity attribute
that would allow for additional disclosure statements that legislatures
may want.  As a starting point, maybe look at what identifying and
accountability attributes the Securities and Exchange Commission (and
its European counterpart?) requires for publicly traded companies.  

> We don't have any good proposals on the table about how to resolve the
> category problems. If you have any specific suggestions we would be
> happy to consider them. In the mean time, we believe things like health
> information are not well represented by any category and thus would
> require the use of the "other" category where a human-readable explanation
> is required.

Not to be mean, but this is a pretty weak response given that categories
are essential to end user "informed consent."  If you can not come up
with clear and informative categories, end users will be left guessing
about what types of data companies are collecting.  I don't mean to be
too harsh, because I'm not particularly sure about how to delineate
categories myself, but I do know that leaving the tough decisions to a
company defined "other" category is not the way to go.  The reason being
that companies will put everything in vaguely worded "other" categories
that will be very difficult for an APPEL rule set to deal with.  Do you
prompt end users to read every "other" category collection request, thus
inundating users with pop up windows, and therefore defeating the point
of P3P?  Or do you have the APPEL rule say accept all "other" categories
collection requests, thus defeating the whole point of human-readable explanations?

I also don't think that your response has adequately addressed the
reasons why you have agreed on the current set of categories, why health
information shouldn't be its own category, and why you are not
disaggregating the Demographic and Socio-economic Data category.  These
issues, and your decisions regarding them need to be made explicit and
public.  There's no question that this is a thorny and difficult area,
but relegating these issues to an "other" category seems to be a bit of
a cop out.

How to go about defining useful categories?  I would start by conducting
an international privacy survey that would be composed of a series of
likert scales that would ask people to value a whole range of personal
information items.  Through factor/cluster analysis you could come up
with the most highly valued categories, and then put them into P3P. 
This is by no means the answer to the problem, but at the very least
it's a starting point that would allow you to justify certain default categories.

Generally speaking, I think the latest P3P Working Draft is heading in
the right direction, particularly on the information asymmetry issue. 
Nevertheless, as my comments above note, a number of issues (some
seemingly intractable) remain which I feel will prevent P3P from
becoming a true tool for end user privacy protection.  This is certainly
not due to a lack of effort, expertise, or dialogue on the part of the
P3P development team.  Rather, I would argue that certain complex social
issues, like privacy and content appropriateness (PICS), simply can not
be reduced to lines of code.

I look forward to your comments.


Christopher D. Hunter
Ph.D. Candidate
Annenberg School for Communication
University of Pennsylvania
Received on Thursday, 17 February 2000 00:30:11 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 19:57:27 UTC