- From: Dobbs, Brooks <bdobbs@doubleclick.net>
- Date: Fri, 20 Dec 2002 13:39:21 -0500
- To: "'public-p3p-ws@w3.org'" <public-p3p-ws@w3.org>
P3P Future Work Items 4.b: SemanticIssues Purpose P3P assumes "Accuracy" between all policies related to given data collection, including: Natural Language Policy (which is itself a requirement of P3P), a Full XML policy and a Compact Policy (if used). To accommodate a data collector's need to describe their practices, P3P has a base data schema and the ability to extend that schema to accommodate particular collector practices where those practices cannot be accurately described within the existing schema. The difficulty with Compact Policies, CPs, is that they allow for only a subset of the functionality of the Full Policy with no ability to extend or accurately group practices. The result of which is an in ability for a data collector to be truly accurate with the limited syntax. This then implies that to be accurate in a CP the data collector MUST overstate. Currently the CP allows a collector to make statements from among the following predefined groups: <PURPOSE>s-12, <RECIPIENT>s-6, data <CATEGORIES>-16, <ACCESS>-6, <RETENTION>-5, <DISPUTES>-1, <REMEDIES>-3. This effectively limits a CP implementer to the requirement of accurately representing his/her NLP by choosing from ~49 predefined tokens (the UA rendering of which the collector will have no control - but from which they will be liable). This lack of nuance forces a data collector who e.g. associates a cookie with a proclivity to examine cold remedies with a category that also includes "mental health" and "sexual orientation". It is extremely possible that such statements may be illegal within the effected jurisdiction or specifically against the NLP expressed practices of the data collector. Scope: Possible areas of exploration could include: 1. If accuracy and consistency across NLP<->XML<->CP is core to P3P but unachievable by the CP do we scrap the accuracy requirement or the CP? Is there a better balance to be found? Or a better language construct than accurate. 2. Examine what exactly we are trying to achieve with the CPs? Do we allow it to be a performance optimisation only as an imperfect placeholder until a Full policy can be discovered? 3. Consider adding a token which denotes the "up to and including" nature of the statements made by a CP or should this be better explained within the spec with more delineated requirements for UAs. 4. Consider adding more tokens to allow some degree more nuance. 5. *It should be noted that a number of these issues overlap Question 1. Vocabulary Issues Resources: The size of this issue requires the resources of a full working group. Time Frame: To me this problem is fundamentally the question of trading off between the accuracy requirement in the spec (which are likely to be upheld by enforcement agencies) and the performance increases of the Compact Policy. Brooks Dobbs Director of Privacy Technology DoubleClick, Inc. office: 404.836.0525 fax: 404.836.0521 email: bdobbs@doubleclick.net
Received on Friday, 20 December 2002 13:54:25 UTC