Re: Citing your work on P3P from Lorrie Cranor on 2001-11-25 (www-p3p-public-comments@w3.org from November 2001)

From: Lorrie Cranor <lorrie@research.att.com>
Date: Sat, 24 Nov 2001 22:21:42 -0500
To: "Ruchika Agrawal" <ruchika@Stanford.EDU>
Cc: <p3p-comments@w3.org>, "Barbara Simons" <simons@acm.org>, <www-p3p-public-comments@w3.org>
Message-ID: <017201c17560$4e3cc440$3e06cf87@research.att.com>

> > Yes, I was referring to this section. This section spells out several
> > implications of implementing P3P. For example "Countries with data
> > protection and privacy laws and others seeking to police compliance
> > with privacy standards could find the automated ability to assess a
> > businesses' privacy statement useful in their broader oversight and
> > compliance program." Why is this implication less worthy of quoting
> > than the EPIC/Junkbuster assertion that "P3P will likely serve to
> > delay other efforts to establish privacy standards"? These two quotes
> > go very well together. One side says that P3P is complementary to data
> > protection laws, while the other says that P3P will delay the
> > enactment of data protection laws. And this is just one example. Each
> > of the paragraphs in that section talks about another implication.
>
> I never said that this implication is "less worthy" (and in fact, I have
> quoted it in the Critiques section).  Based on the context in which it is
> given, it is not clear how it is an implication.  The qualifier is: ". . .
> P3P is just one stone in the foundation.  It needs to be used in concert
> with effective legislations, strategic policy and other privacy enhancing
> tools.  For example: (1) "Countries with data protection and privacy laws
> and others seeking to police compliance with privacy standards could find
> the automated ability to assess a businesses' privacy statement useful in
> their broader oversight and compliance program." . . . ".  So, it is an
> *example* of how P3P needs to be used in concert with effective
> legislations, strategic policy and other privacy enhancing tools and that
> is all.  Same for the other three points.

Looking over that section of the paper again, I believe the
examples are examples of "how P3P 1.0 will help protect privacy" --
the qualifier is important, but it does not mean that these are
no longer examples of how P3P will help protect privacy, which
sounds like an implication to me. I realized the grammar
of the paragraph is a little ambiguous, and it is not made clear
what these are examples of...  even so, the two bold headings
in that section are quite clearly statements of implications
"P3P can help standardize privacy notices" and
"P3P can support the growth of more privacy choices, including anonymity and
pseudonymity"... but if you don't believe me that these
are really intended to be implications, you can always
ask the authors.

> Is there another paper/article that you can point me to where the
> implications are more clearly implications?

I don't know of another one explains these implications as
well as this paper does.

Lorrie

Received on Saturday, 24 November 2001 22:22:11 UTC