- From: Daniel Weitzner <djweitzner@w3.org>
- Date: Tue, 9 Jul 2002 09:54:13 -0400
- To: <cathy@fsround.org>
- Cc: <jburke@foleyhoag.com>, <leigh.williams@fidelity.com>, <daniel.m.schutzer@citi.com>, <miller.eo@mellon.com>, <mary_n_jones@fleet.com>, <steve.durkee@citicorp.com>, <Marcel_E_Meth@fleet.com>, <www-p3p-public-comments@w3.org>
Dear Cathy,

Thanks for your ongoing commitment to assuring that P3P is implemented in a manner that assures both consumers and service providers have clearer, more transparent privacy relationships. Through the efforts of BITS and many of your leading members, P3P implementation is already helping to bring greater transparency and more informed privacy choices to Web users.

In your letter of 19 June 2002 (appended below), you have stated that "[I]t is our understanding that the legally controlling policy is the human readable policy," as opposed to the policy statements made through the use of the P3P vocabulary. You have further asked us whether the W3C agrees that "it is the human readable policy that is legally controlling." The P3P Coordination Group has discussed this matter and offers the following reply.

The function of P3P is to enable web sites to make statements about their privacy policies in machine readable format so that users' software (browsers, etc.) can help users to understand a site's privacy policy, compare it to the user's preferences, and ultimately decide whether or not to continue in a relationship defined by that policy. As we said in response to comments BITS made before the P3P Recommendation was finalized:

"Users, however, can be expected to make decisions based on the content of P3P statements. Therefore, the proper functioning of P3P depends on organizations implementing P3P to make sure that all policies are consistent with both the practices of that organization and the human readable policy found on that Web site. For example, if for some reason a site's P3P statements contradicted the human readable privacy notice, users would not be able to know what the site's policy actually is and would be unable to make an informed choice about the privacy relationship into which they are entering." [1]

In order to fulfill the basic goals of P3P, it is necessary that the representations made to users through the P3P statements and those made through the human readable policy are consistent with each other. Therefore, we find the proposition that the human readable policy is the sole legally controlling representation made to users to be inconsistent with the functional goals of P3P. However, we do recognize that it is possible that some nuances of sites' privacy policies may be beyond the expressive capacity of the current P3P standard. Based on comments BITS made on the draft version of the P3P specification, the final P3P Recommendation includes the provision:

"In cases where the P3P vocabulary is not precise enough to describe a Web site's practices, sites should use the vocabulary terms that most closely match their practices and provide further explanations (as stated in Section 3.2). However, policies MUST NOT make false or misleading statements." [2]

This statement in the P3P Recommendation document clarifies our understanding of the technical relationship between a site's human readable policy and the P3P policy. Beyond that, it bears noting that W3C is not a legislative or regulatory body and therefore cannot rule on the legal ramifications of statements made by sites to users. What we have done is to state our expectations about how P3P will be used. And, relying on the passage from the Recommendation cited above, we have indicated our expectation about what will happen when all the details of the site's policy cannot be expressed with the P3P vocabulary. As you know from our response to your previous comments [1], in developing the P3P specification we have drawn on several years of implementation experience which has entailed translating actual sites' privacy policies into the P3P vocabulary. We are not aware of any privacy policy which cannot be expressed in the final version of the vocabulary, but certainly remain open to expanding the vocabulary when specific deficiencies are identified.

I hope that this letter clarifies our views on this matter. Your letter points to an area that is certain to challenge regulators around the world as P3P gains wider use. W3C is committed to working with our Members and the public policy community to help smooth P3P implementation not only from a technical but also from a legal standpoint. Thank you again for your careful attention to all aspects of P3P implementation. I look forward to continued cooperation between W3C, BITS and our respective members on these matters.

Sincerely,

Daniel J. Weitzner, W3C Technology & Society Domain Leader, P3P Coordination Group Chair
Lorrie Faith Cranor, P3P Specification WG Chair

cc: P3P Public Comment Archive <www-p3p-public-comments@w3.org>

Links:
[1] http://lists.w3.org/Archives/Public/www-p3p-public-comments/2001Dec/0010.html
[2] http://www.w3.org/TR/P3P/#P3PPolicies

----------------

LETTER FROM BITS

June 19, 2002

Danny Weitzner
Lorrie Cranor
W3C (sent by email)

Dear Danny and Lorrie:

Congratulations on the advancement of the Platform for Privacy Preferences P3P 1.0 from Specification to Recommendation. We would like to reiterate our interest in continuing communications with you and other representatives of the W3C as P3P continues to evolve. We would also like to review our understanding of one key point related to the implementation of P3P 1.0.

It is our understanding that P3P 1.0 is a technical recommendation. It is complementary to laws and regulations but is not in itself legally binding. It is our understanding that when organizations implement P3P 1.0, they will make every effort to make accurate statements that are consistent with the human readable privacy policies. At the same time, it is our understanding that the legally controlling policy is the human readable policy, and that W3C would not find statements to this effect to make an organization’s policies less useful to consumers.

Given the importance of this understanding to both the regulators and the companies in the financial services industry, we would appreciate your responding to this letter to indicate that this is also the understanding of the W3C—that is, that it is the human readable policy that is legally controlling.

We appreciated the discussion that we had on March 8 and your responsiveness to points we raised. It is clear to us that the P3P 1.0 Recommendation does reflect a conscious effort on your part to address concerns of the financial services industry. We appreciate the opportunity to continue to bring such issues to your attention.

Sincerely,

Catherine A. Allen
CEO, BITS

C: BITS Privacy Working Group
Received on Tuesday, 9 July 2002 09:53:19 UTC