Re: P3P question

Thanks. So the bottom line is that P3P still facilitates the exchange of
user data by providing a data standard, it just no longer defines the
protocol for the transfer. Is this correct? What I'm trying to reconcile is
the earlier stated goal of relieving users of the need to re-type their
data in response to each request. Is that still a goal, even though the
mechanism may not be contained within the P3P protocol?

So, for example, this statement from the November 1998 Note would still be
true?

"Some P3P implementations will likely support a data repository where users
store information they are willing to release to certain services. If they
reach an agreement that allows the collection of specific data elements,
such information can be transferred automatically from the repository.
Services may also request to store data in the user's repository."

kc

At 12:01 PM 11/24/99 -0500, Lorrie Cranor wrote:
>Karen,
>
>The working group tried to explain our intentions regarding the
>removal of the data transport mechanism in:
>http://www.w3.org/P3P/data-transfer.html
>
>The last call working draft (http://www.w3.org/TR/P3P)
>also explains:
>
>  1.1.2 P3P User Agents
>
>  P3P1.0 user agents can be built into web browsers, browser plug-ins,
>  or proxy servers. They can also be implemented as Java applets or
>  Javascript; or built into electronic wallets, automatic form-fillers, or
>  other user data management tools. P3P user agents look for P3P
>  headers in HTTP responses and in P3P LINK tags embedded in
>  HTML content. These special headers and tags indicate the location
>  of a relevant P3P policy. User agents can fetch the policy from the
>  indicated location, parse it, and display symbols, play sounds, or
>  generate user prompts that reflect a site's P3P privacy practices.
>  They can also compare P3P policies with privacy preferences set
>  by the user and take appropriate actions. P3P can perform a sort
>  of "gate keeper" function for data transfer mechanisms such as
>  electronic wallets and automatic form fillers. A P3P user agent
>  integrated into one of these mechanisms would retrieve P3P policies,
>  compare them with user's preferences, and authorize the release of
>  data only if a) the policy is consistent with the user's preferences and
>  b) the requested data transfer is consistent with the policy. If one of
>  these conditions is not met, the user might be informed of the
>  discrepancy and given an opportunity to authorize the data release
>  themselves.
>
>In general, the base data set is still there for two main reasons:
>1. We wanted to have a way for web sites to talk precisely about the
>kinds of data they collect in order to better inform visitors about their
>practices
>2. We wanted P3P to be able to easily interoperate with other tools that
>will focus on the actual data collection. It has been the group's feeling
>that if users are going to take advantage of the many tools that seem to
>be emerging that help them manage their data and automate data
>collection, then P3P must be able to directly interoperate with these
>tools if it is to prove useful to a consumer. We don't want people to have
>P3P only in their web browser and feel they are protected, and then have
>their electronic wallet blindly disseminating their information without
>regard for privacy policies.
>
>In order to meet these goals we are currently reviewing whether we can
>substitute the vcard data schema for our user data set for even better
>interoperability.
>
>Regards,
>
>Lorrie Cranor
>P3P Specification Group Chair
>
>----- Original Message -----
>From: Joseph M. Reagle Jr. <reagle@w3.org>
>To: Karen Coyle <kcoyle@ix.netcom.com>
>Cc: <www-p3p-public-comments@w3.org>; Lorrie Cranor
><lorrie@research.att.com>; <massimo@w3.org>; <dll@w3.org>
>Sent: Wednesday, November 24, 1999 11:50 AM
>Subject: Re: P3P question
>
>
>> Karen,
>>
>> I'm forwarding your email to the comment list and the other contacts since I
>> think they can answer this question better than I can.
>>
>> At 07:23 99/11/23 -0800, Karen Coyle wrote:
>>  >Hi. I'm trying to get a grasp on the latest P3P draft and the removal of
>>  >the data transport portion of the protocol. Some people are interpreting
>>  >this as meaning that there will not be any uploading of data during a
>>  >P3P-managed transaction. That would only make sense to me if there were no
>>  >data elements associated with P3P, but the mandatory data elements remain
>>  >in the protocol.
>>  >
>>  >Is it still expected that the user's data may/will be conveyed to the
>>  >requesting site, but just using some other mechanism? In other words, what
>>  >is the purpose of the mandatory data elements in the current draft?
>>  >
>>  >If I missed something on the P3P site that explains all of this, don't
>>  >hesitate to point me to it.
>>  >
>>  >Thanks,
>>  >
>>  >Karen Coyle
>>  >http://www.kcoyle.net
>>  >
>>
>> _________________________________________________________
>> Joseph Reagle Jr.
>> Policy Analyst           mailto:reagle@w3.org
>> XML-Signature Co-Chair   http://www.w3.org/People/Reagle/
>>
>>
> 

Received on Wednesday, 24 November 1999 14:04:32 UTC
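
The "gate keeper" check described in the quoted section 1.1.2, sketched as an added example that is not part of the original thread or of the P3P specification. The policy and preference model, the element names, the purposes, and the functions `gatekeeper` and `release` are constructed for illustration and are not P3P syntax.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Decision:
    release: bool
    reasons: tuple  # discrepancies the user agent could show the user

def gatekeeper(policy, preferences, requested):
    """policy:      element -> purposes the site declares (constructed model)
    preferences: element -> purposes the user accepts
    requested:   elements the site asks the wallet or form-filler for"""
    reasons = []
    # (a) The policy must be consistent with the user's preferences.
    # An element with no stored preference accepts nothing (fail closed).
    for element, purposes in sorted(policy.items()):
        extra = set(purposes) - set(preferences.get(element, ()))
        if extra:
            reasons.append(f"policy: {element} used for {sorted(extra)}, "
                           "which the user has not accepted")
    # (b) The requested transfer must be consistent with the policy.
    for element in sorted(set(requested)):
        if element not in policy:
            reasons.append(f"request: {element} is not covered by the policy")
    return Decision(not reasons, tuple(reasons))

def release(wallet, decision, requested, user_override=False):
    """Hand over only the requested elements, and only when the gate keeper
    authorized it or the user approved after seeing the discrepancies."""
    if not (decision.release or user_override):
        return {}
    return {e: wallet[e] for e in requested if e in wallet}

# Constructed sample data (not taken from the P3P base data set).
WALLET = {"name": "A. User", "postal-address": "1 Example St",
          "email": "a.user@example.org", "phone": "555-0100"}
USER_PREFS = {"name": {"order-fulfilment"},
              "postal-address": {"order-fulfilment"},
              "email": {"order-fulfilment"}}
SITE_POLICY = {"name": {"order-fulfilment"},
               "postal-address": {"order-fulfilment"},
               "email": {"order-fulfilment", "marketing"}}

if __name__ == "__main__":
    wanted = ["name", "postal-address"]
    decision = gatekeeper(SITE_POLICY, USER_PREFS, wanted)
    print(decision.release, *decision.reasons, sep="\n  ")
    print(release(WALLET, decision, wanted))
```

With the sample policy the release is refused because the site declares a marketing use of `email` that the stored preferences do not accept, even though `email` itself was not requested.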