- From: Lorrie Cranor <lorrie@research.att.com>
- Date: Mon, 10 Mar 2003 16:30:28 -0500
- To: w3c-p3p-specification@w3.org
- Cc: public-p3p-ws@w3.org
Minutes of the P3P Specification Working Group Face to Face Meeting
6-7 March 2003
Cambridge, MA
(thanks to Rigo Wenning and Ari Schwartz for contributing their notes)
Present
1/ Lorrie Cranor, AT&T Labs-Research
2/ Jack Humphrey, Coremetrics
3/ Brooks Dobbs, Doubleclick
4/ Ari Schwartz, CDT
5/ Jeremy Epling, Microsoft
6/ Mathias Schunter, IBM
7/ Brian Zwit, Integrity Insurance, AOL
8/ Danny Weitzner, T-and-S Domain Leader, W3C
9/ Rigo Wenning, Privacy Activity Lead, W3C
10/ Helena Lindskog, Ericsson
March 6
INTRODUCTIONS AND DISCUSSION OF THE AGENDA
All present introduced themselves. As part of his introduction,
Mathias Schunter made the following announcement: We are pleased to
announce the first public version of the IBM Enterprise Privacy
Authorization Language (EPAL). You can find the language
specification and XML schema at
http://www.zurich.ibm.com/security/enterprise-privacy/epal We are
working on WS-Privacy together with Microsoft, want to keep P3P out
the B2B area. Want to have some enterprise language that should be
compatible to P3P.
Danny gave some history related to the Liberty Alliance in
preparation for our discussion with them later.
- Liberty has notion of rights expression language, they have a gap
and need something to fill it
- attribute sharing
- packages of privacy practices/profiles? high/medium/low
- looking for something easier to implement than P3P
- P3P gives them a level of policy legitimacy in Europe
CHARTER AND TASKFORCES
The P3P 1.1 charter
(http://www.w3.org/P3P/Group/Specification/1.1/01-spec-charter.html)
is being voted on by the membership. We hope to hear that it is
approved in the next few weeks. We are currently operating under the
assumption that it is likely to be approved with minor changes.
The deliverables in the charter are based on the discussion at the
workshop last fall. They include items that reflect a strong consensus
that these are things we should do as well as items with less support
where someone just said he would do it.
We will have task-forces. Those TF will bring up the first draft and
it will be discussed in the WG. Timeline in the deliverable session:
Lorrie announced that she will enforce the timeline strictly.
Everything that doesn't make it in the timeline will be considered for
P3P 2.0 (pending charter of that working group).
The W3C's public Bugzilla will be the thing to be used for for
tracking issues instead of our old issues list. Please register with
Bugzilla at http://www.w3.org/Bugs/
Spec clarifications and items not covered by a specific taskforce
will be covered by the working group as a whole. An individual should
raise the issue and make a specific proposal.
Brian was interested in working on clarifying what a P3P policy means
in the spec. He and Danny volunteered to draft a proposal.
ACTION: Brian & Danny: Create a proposal for clarification of what a
P3P policy means
If we have a lot of clarifications and corrections before we are
ready to put out the p3p 1.1 spec we may put out a corrected version
of the p3p 1.0 spec. In the mean time we will update the errata page.
P3P Beyond HTTP taskforce:
- volunteers: Danny Weitzner, Marc Langheinrich, John Morris
(volunteered by Ari), Matthias Schunter
- this taskforce still needs a chair... Danny suggested that Joseph
Reagle may be a possible chair
- TF will look at SOAP and WS, also independent P3P binding and
other things like jabber, IRC, mail, etc.
- Matthias is concerned about P3P turning into an enforcement
language, wants to distinguish between consumer notice and enterprise
enforcement
ACTION: Danny to ask Joseph Reagle if he will chair this taskforce
ACTION: Matthias to draft proposed modification to P3P Beyond HTTP
taskforce
description in draft charter and submit it with IBM ballot
User Agent Behavior taskforce
- volunteers: Brian Zwit, Ari Schwartz, Jeremy Epling, Brooks Dobbs,
Lorrie Cranor, Diana Alonso-Blas (volunteered by Rigo), David
Stampley (volunteered by Lorrie)
- nobody has volunteered to chair, Lorrie may chair this TF
- TF may propose guidelines or requirements
- Microsoft is opposed to this TF coming up with mandatory spec
components but supports guidelines
- will work on guidelines for wording of P3P vocab elements as well
as other aspects of UA behavior (for example, allow policies to be
saved and printed)
ACTION: Jeremy and Brian: deliver wording for P3P vocab elements from
IE and Netscape
Compact Policies taskforce
- Brian Zwit volunteered to chair
- volunteers: Brooks Dobbs, Jack Humphrey, Jeremy Epling, Helena
Linkskog
- first step is to get empirical data on performance issues related
to CPs and do evaluation of tradeoffs
Article 10 taskforce
- Giles Hogben volunteered to chair
- volunteers: Jeremy Epling, Diana Alonso-Blas, Rigo Wenning
- Casper Bowden (Microsoft) had previously expressed interest in
participating
Agent and Domain Relationships taskforce
- Jack Humphrey volunteered to chair
- volunteers: Brian Zwit, Brooks Dobbs, Matthias Schunter
- Rigo suggested asking Mark Nottingham to participate
- will look at how to deal with third parties.. How to say: I am the
agent working for this site...
- closely tied to compact policies
Consent Choices taskforce
- Matthias Schunter volunteered to chair
- Lorrie will participate
- Have more statements and group them and opt-out opt-in in a package
It is pretty similar to naming statements.
XML Schema taskforce
- Giles Hogben volunteered to chair
- Jack volunteered to review
- Rigo suggested that Massimo should be involved
Signed P3P Policies taksforce
- Giles Hogben volunteered to chair
- some people unclear on why signed policies are need.
ACTION: Danny and Rigo, modify charter for this taskforce to require
that TF first provide explanation of why signed policies are needed
and motivation for this work
APPEL is not mentioned in charter despite strong interest from
some. There was no consensus on how to move forward for P3P1.1... We
don't have a TF but we will accept proposals, otherwise can be
considered in P3P2.0 timeframe.
Regularly scheduled teleconference will be 11 am on Wednesdays. We
probably will use this time slot every other week, but people are
encouraged to reserve this time in their schedules every week and use
it for taskforce meetings, etc. Conference calls will start in two
weeks.
There will public mailing-list and public group-page. Contact info etc
will be on the member-only page.
P3P BEYOND HTTP
What do we want to discuss with Web Services Architecture Group
tomorrow?
Lorrie gave an overview and history of our attempts to get the WS
folks to pay attention to P3P.
- key points to discuss at meeting:
- binding problem
- traveling problem (data may travel through multiple services with
differing policies
- where to put policy? soap, WSDL, etc.
- need liasons
P3P on other things than Web Services..
Lorrie explained the issue identified with XForms that we have
not sufficient granularity like xml:lang
COMPACT POLICIES
Accuracy/Expressiveness problems
- what do we mean by accurate?
- could clarify meaning of compact policy in the spec
- problem may not be best called accuracy, but precision
- decisions are being made about risk management
- companies often use worst case scenario
- may still be a problem with full policies
- problem is more difficult with sensitive information
(Article 8 in EU directive -- health, financial, political, race,
sex, trade union membership)
- trying to make P3P understandable has been difficult to date,
making it more granular would make it worse
- general discussion on how user agents handle these issues
- concern about the fact that individuals that individuals choose
strong privacy rules without realizing the loss of functionality
- this is why P3P focuses on use and specifically secondary use
- discussion about the term "linked" in the spec. Meant to be based
on the intention. We need to clarify this in the spec
*** Agreement if compact policies were as expressive as full
policies, it would still not be expressive as some may like, but this
should be expressive enough for our needs (Brian reserved the right
to question this again down the road)... assuming that we want to
keep compact policies
Required attributes
- I, A & O - cookie may be necessary for functionality
- user can't tell the difference between different secondary purposes
- discussion of ways to set different preference to be accepted
within the same cookie
- discussion of issues with contractors that have access to cookies
- most privacy issues come on the cookie replay not at cookie collection
ACTION: Lorrie: add issue to Bugzilla to consider modifications to
2.3.2.7 -- could be changed "MAY" to "SHOULD" in order to cover
importance of replay -- this should be brought up with the whole
group. It is larger than just a compact policy question.
ACTION: lorrie: add issue to Bugzilla on clarifying what we mean by
data linked to a cookie
User Agent
- verifying that Web developers aren't just complying with IE6 and
not doing full policy or proper compact policy, user agent behavior
TF should discuss
ACTION: Lorrie: add Bugzilla issue for UA TF on guidelines for
verification that CP site has full policy, complete CP, etc.
Performance issues
- measurement and understanding of where performance hits are taken
Scope problems
- discussions of problems with sites that only have one policy
OTHER DISCUSSION
ACTION: Lorrie: add Bugzilla issue to consider standardizing
STATEMENT name attribute based on IBM extension
ACTION: Lorrie: Specify version #s in Bugzilla
Certification
- Can we get a seal program or logo for sites that are compliant?
- Agreement that adoption is the first issue
MEETING WITH LIBERTY ALLIANCE
We met with about a dozen representatives from the Liberty
Alliance. They presented their LAP P3P Adaptation proposal V01.
- don't have time to invent from scratch -- need to use something
with agreed upon semantics... use P3P as a starting point
- separate activity in parallel with next release but not tied to it
Use case
- service asks for attributes and indicates privacy policy
- attribute provider checks policy against users preferences for
attribute in question
- if service provider's policy is equal or stricter than the one
defined by user, data is released
- if service provider's policy is less restrictive user is prompted
Privacy policies based on P3P compact policies
Policies describe restrictions related to the use of attribute data
Five different policies that reflect different degrees of strictness
- strict
- cautious
- moderate
- flexible
- casual
Five elements
- purpose, recipient, retention, access, remedies
- mapped these to five policies
WSC = web services consumer
WSP = web services provider - previously collected information and
user consent and privacy rules
privacy context = policy for a particular piece of data and
transaction for a user = user privacy preference
Liberty folks think 5 levels are needed for interoperability, compact
dataflows, etc.?
Lorrie argued that 5 levels are not needed and that idententy service
providers could come up with whatever levels they want to offer their
users
Joseph Reagle suggested that 5 levels help sites coalese and find a
common level facilitating policy making in the market
There may be a potential collision problem when w3c gets around to
defining P3P/soap bindings... this should be anticipated and design
should avoid problems ... joint note on transferring P3P references
with SOAP?
discussion of location vocabulary and privacy policies - work being
done at OMA, 3GPP
- how to define location precisely
- how location data will be used
P3P group will continue to provide feedback to Liberty
March 7
The Article 10 issues and UA behavior issues were discussed on a
phone conference. Dialing in were Giles Hogben, Marc Langheinrich,
and Marty Abrams
ARTICLE 10 VOCABULARY ISSUES
Giles - plans to make detailed report with proposals before June Kiel
meeting
ambiguity on cookie processing requirements - set or replay?
- storing a cookie on a users computer is an act of data processing
- maybe offer two choices to WG
- requirement
- EU guideline
notification of user before data processing - to satisfy EU law
human-readable portion of policy should be displayed to user before
data is processed
- lots of practical and usability issues
- maybe simultaneous display rather than consent
- probably EU guideline
ability to specify jurisdiction
- attribute of recipient element - EU, US safe harbor, non-EU
- concern about regime-specific data element that may need to change
as laws change
preference language
- want to highlight as important issue, but are ok waiting to v2
- should discuss at Kiel meeting
USER AGENT BEHAVIOR
- work on user friendly language for P3P vocab elements
- work on other guidelines -- user agents should print P3P policies,
etc.
Marty Abrams - layered notices
- highlights notices - convention on things you cover, convention on
language
- financial institutions very interested
- short notice would hyperlink to long notice
- relationship between long notice, p3p notice, and highlights notice
- highlights notice has 5 or 6 categories you are capturing info
about, context dependent
- more granularity and detail in P3P
- what happens with P3P notice when translating to language for
consumers? statement don't always connect in logical way or include
full context. No consistency between user agent translations.
- completeness and consumer communication aren't necessarily the same
thing
- interested in having P3P user agents link to highlights notice
instead of machine translation
- alternatively need to reach a convention on human-readable
translation
brooks concerned about scope -- P3P does nice job of binding
policies... layered notices are cya
brian - lawyers would get more legalistic in full policy with layered
notices
Lorrie - use P3P human-readable fields to provide layered notice
Brooks - not that much legal uncertainty -- regulators say that
whatever the users see first you have to live up to so they all have
to be consistent
Everyone would benefit from more specific testing of language that
makes sense to users
- user agent testing in Europe - Giles, can test our user agent
strings, waiting for funding, hopefully will get funding by September
- Microsoft user agent testing - results within next few weeks
- AT&T probably testing in April or May
highlights notice glossary - go box by box and come up with vetted
phrases and words that define an item - that group will convene in May
- not everyone will use these terms -- voluntary effort
- consensus that we would like notices group to try to come up with 1
to 1 mapping of highlights notices to p3p vocab elements -- Lorrie
will work with them
Other areas for user agent guidelines
- EU-specific guidelines
- printing and saving policies
Microsoft beta 1 is planned for January... they would like guidelines
ASAP so that it is possible for them to take them into account for
that release... will be very difficult to incorporate changes from WG
later
OTHER DISCUSSION
North American outreach
Ari
- US federal government to require P3P
- OMB will issue guidance in April
- workshops for federal agencies
- FTC privacy workshops
WS Policy
Microsoft/IBM/BEA effort (not affiliated with W3C) - still
underspecified, but eventually should define bindings that may be
helpful in our efforts to define P3P beyond HTTP... political
problems due to this work taking place outside W3C
Jeremy had a long list of suggestions
- show the user the difference between a consequence and a value
proposition
- maybe two fields?
- maybe structured consequence field?
- add a statement grouping mechanism so that user agents can display
related statements together - grouping element is one mechanism to do
this, another is to add a group name attribute to the existing
STATEMENT element (ebay and windows media player examples)
- add human readable intro section ? not much interest in this
- consider adding human readable explanation strings to all elements
that don't currently have them ... generalize long description
- note explaining why we did identified/identifiable, what it means,
what linking means, include some examples
- access method or opt-in/opt-out method? we probably don't need that
Jeremy said it is likely that we will see preview of new IE P3P
functionality in October when Microsoft shows preview at developer
conference
ACTION: Lorrie, add Bugzilla issue to consider expanding definition
of consequence field in spec and/or adding structure to consequence
field
ACTION: Lorrie, add Bugzilla issue to consider adding a statement
grouping mechanism, possible through statement grouping element or
group name attribute
ACTION: Lorrie, add Bugzilla issue to consider adding human-readable
explanation strings to all elements that don't currently have them,
perhaps generalizing LONG-DESCRIPTION
ACTION: Lorrie, add Bugzilla issue to draft statement (perhaps Note)
on identified/identifiable, linked, etc.
ACTION: Ari, write first draft of note on identified/identifiable/linked
MEETING WITH WEB SERVICES ARCHITECTURE GROUP
Mike Champion, co-chair
WSAG
- focus on big picture ... no specifications, no specifics
- little discussion on privacy
Multiple places where P3P policy (reference) might live
- soap header, discovery, or description layer?
- WSDL? choreography? WS Policy?
- web services may be service to service rather than user to service,
does that change anything with respect to P3P?
working together going forward -- first step: collaboration on use cases
Received on Monday, 10 March 2003 16:30:31 UTC