Response to BITS comments

-----Original Message-----
From: Daniel Weitzner [mailto:djweitzner@w3.org]
Sent: Monday, December 17, 2001 8:59 PM
To: cathy@fsround.org
Cc: W3c-P3p-Coordination@W3. Org; P3P Outreach Group
Subject: 2nd Draft Legal status of P3P statement


RESPONSE TO BITS COMMENTS ON P3P SPECIFICATION

Dear Ms. Allen,

We thank you for the comments you and your colleagues have provided on the
24 September 2001 Working Draft of the Platform for Privacy Preferences
(P3P) Specification.  As you know, P3P has been under development for
several years and during that time we have offered many opportunities for
public comment and have addressed every concern raised through this process.
We will continue this important accountability mechanism as the
specification moves forward. As most of your comments are technical in
nature they have been addressed directly by the P3P Specification Working
Group. As of this writing, the Specification Working Group has made a number
of changes and clarifications to P3P based on you comments, so we are
grateful for the time you have taken in your specific comments. The response
from the Specification Working Group (the group that has actually written
the P3P standard) will detail where changes were made following the BITS
Comments.

The P3P Policy Outreach Working Group has considered the two main public
policy-related issued raised in your 15 October 2001 letter:

1. Legal status of P3P statements
2. The degree to which P3P is able to assist in compliance with various
privacy-related laws and regulations

Legal Status of P3P Statements
------------------------------

Your letter suggests that the P3P specification "state explicitly that P3P
is neither a legal nor an audit standard and should not be treated as such
in contracts, site monitoring, and for other legal and regulatory purposes."
P3P is a protocol and machine-readable vocabulary through which services
(Web sites) and user agents (users) can communicate about the service's
privacy policy. The operation of this protocol will result in users
receiving and using information about a site's privacy practices. However,
W3C, as a technical standards setting body, is not competent to declare what
the legal status of these statements should or should not be, especially
given the fact that W3C develops technical standards with global reach. That
determination must be up to legal and regulatory authorities in the proper
jurisdiction.

Users, however, can be expected to make decisions based on the content of
P3P statements. Therefore, the proper functioning of P3P depends on
organizations implementing P3P to make sure that all policies are consistent
with both the practices of that organization and the human readable policy
found on that Web site. For example, if for some reason a site's P3P
statements contradicted the human readable privacy notice, users not be able
to know what the sites policy actually is and be unable to make an informed
choice about the privacy relationship into which they are entering.

We would also like to note that compact policies give a user agent the
ability to make a first, summary assessment of a full P3P statement.  As is
made clear in the specification (Section 4), an individuals or individual
user agent would need to be able to have access to both the full P3P policy
and a human readable policy in order to be able to rely on the compact
policy.  Therefore, consistency between the compact policy and full policy
is also important.

P3P and the Global Diversity of Privacy Regulations
---------------------------------------------------

The introductory portion of your letter suggests that P3P "cannot handle the
complex requirements of the European Union Directive, Gramm-Leach-Bliley,
HIPPA, COPPA, or other specific laws and regulations."  This statement is
cause for concern as we believe that P3P must be able to express privacy
practices arising out of a wide variety of data protection regimes. With the
help of data protection experts from Europe, Canada, the United States, and
Asia, the P3P working groups have taken into account all of the major
privacy approach of which the WG participants are aware. As P3P
implementation is beginning around the world, we have seen P3P-compliant
sites and user agents that are tailored to many different jurisdictions.
Thus far, no implementer has cited any case in which it is impossible to
comply with relevant laws. If there are any privacy practices required by
the laws you cite that cannot be expressed in P3P, we hope that you will
bring them to our attention. Your letter, however, does not cite specific
details of failure with respect to any particular law, so we are not able to
respond with any specific action or change to the specification.


Finally, the comments from BITS point to several features not included in
P3P that would be of use to the financial services community. We expect that
the P3P 1.0 specification -- already being implemented and hopefully soon to
be finalized  -- is only the first step in the process of building greater
privacy awareness into the infrastructure of the World Wide Web. Many of
your comments point to the need to increase the interaction between Web
technology developers at W3C and those in the banking industry as
represented by BITS. We look forward to talking with you about how to be
sure that the evolving P3P specifications meet the needs of all those who
provide and use financial services on the Web. In order to discuss options
for closer cooperation in the future, we will contact you shortly to set up
a time that we might meet to talk further.

On behalf of the P3P Coordination Group:

	Lorrie Cranor, P3P Specification Working Group Chair, AT&T Research
	Josh Freed, P3P North American Outreach Task Force Chair, IEF
	Ari Schwartz, P3P Policy Outreach Working Group Co-Chair, CDT
	Daniel Weitzner, P3P Coordination Group Chair, W3C

--
Daniel J. Weitzner                              +1.617.253.8036 (MIT)
World Wide Web Consortium                       +1.202.364.4750 (DC)
Technology & Society Domain Leader              <djweitzner@w3.org>
http://www.w3.org/People/Weitzner.html

Received on Monday, 17 December 2001 21:09:10 UTC