- From: Lorrie Cranor <lorrie@research.att.com>
- Date: Wed, 16 Feb 2000 14:13:41 -0500
- To: "Christopher D. Hunter" <chunter@asc.upenn.edu>, <www-p3p-public-comments@w3.org>
Chris, Thank you for the comments you sent us on P3P in early January. Last week we released a new public working draft that I believe addresses many of your concerns. Please let us know if concerns remain that you think we should be addressing. The new draft is available at http://www.w3.org/TR/P3P/ > - Under the POLICY entity or the DISCLOSURE element, why not require > sites to also list a contact person and the address of the company? > This type of addition would go a long way towards ameliorating the > information asymmetry critique. I also believe that it will become a > necessity if governments eventually set up "privacy clearinghouses" > which certify company privacy practices. Perhaps all of this can > already be done with APPEL? Please see our new and improved "entity" attribute. > - I believe that the DISCLOSURE access element needs to be expanded. > Rather than offer a rather worthless statement that a site may give you > access to some information they have collected, why not require that > this element be attached to every data type collected. I suppose that > this would look something like this: > > <DATA name="user.gender"/ access="yes/no"> Because much of the data disclosure is done by category rather than by data element, this would be very difficult to do. Initially, at least, we expect most sites will not enumerate every piece of data they collect, only the categories of data they collect. This is do to the fact that large companies may collect data from many different web sites for many different purposes. They have corporate privacy policies that place limits on how they use the data, and thus they can easily translate these policies into P3P syntax, using general terms. But identifying a complete enumeration of data collected would be a very difficult task. We have expanded the access disclosure to make it more useful however. Now sites have the ability to indicate that they provide access to all identifiable information if that's what they do. > - The Categories element needs to be extended and tweaked. Perhaps the > most obvious category that should be added is "Health Information," > which many surveys show people are particularly concerned about. The > Demographic and Socio-economic Data category should be disaggregated > into multiple separate categories such as Race, Income, etc. People > value these elements differently and would likely not want them lumped > into one general category. I'm sure the EU would be particularly > interested in a Race or Protected Minority category. This opens up a > can of political worms, but the current Demographic/Socio-economic > category is far to broad and limits end users ability to express exact > privacy preferences. We don't have any good proposals on the table about how to resolve the category problems. If you have any specific suggestions we would be happy to consider them. In the mean time, we believe things like health information are not well represented by any category and thus would require the use of the "other" category where a human-readable explanation is required. Regards, Lorrie Cranor P3P Specification Working Group chair
Received on Wednesday, 16 February 2000 17:26:40 UTC