NW on W3C's P3

Rohit Khare (khare@mci.net)
Wed, 09 Jul 1997 22:11:12 -0400

Hash: SHA1

Consortium takes a shot at sorting out Web user privacy and business
marketing interests
- ----------------------------------------------------------------------
- ----------
By Ellen Messmer

Cambridge, Mass.
The World Wide Web Consortium (W3C) is trying to strike the
balance - a balance between Web site operators' need to collect
about visitors for marketing purposes and visitors' right to privacy.
However, as work on the group's Platform for Privacy Preferences
project gets under- way, some observers are concerned that the W3C's
ideal of user privacy may be falling victim to the more base desire
making a buck off valuable user data.

Yep, that's us, Basic instincts and all. BTW, W3C's _demographics_
interests have fallen off the map in the rush to 'privacy'. No one
even has the invaluable mass of anonymous user data, or even a
pointer to the efforts that exist (which we *did* have at W3C before
I handed it to Joseph).

The P3 specification is supposed to define a common format for
an end user view a Web server privacy policy before the user's
releases end-user data. The W3C said it hopes to have its
out by fall.

Close enough one-liner overview. Not for lack of trying: W3C doesn't
have a quick one-liner to offer anyway for this project (primarily
due to the uneasy inclusion of OPS; see below).

Quiz: try to find a page on w3.org with *one-line* summaries of all
our projects.


Profiles in privacy
The P3 format includes a range of privacy profiles, such as
the Web merchant will resell the data the user discloses or otherwise

recycle it for marketing purposes, according to Tim Berners-Lee, W3C
director and inventor of the Web.
'The basis of P3 is that on the user side, there is a right and
choice to how that information is used,' Berners-Lee said.

Too broad a range. IMHO, there appears to be thought inherited from
IPWG that P3's vocabulary should be all-inclusive, leading to one of
these 34-way checkbox UIs. There are actually a very few useful
policies, but it's easier to get consensus by shoving everyone's
variant in there instead of holding the line at 3 levels.

Berners-Lee announced the P3 initiative at last month's Federal
Commission (FTC) hearings in Washington, D.C.
The FTC, which is concerned that consumer privacy has been
ignored as Web-based electronic commerce grows, last month spent a
hearing testimony about current online marketing practices.
The W3C picked up the P3 privacy policy idea from the Internet
Engineering Task Force's (IETF) Internet Privacy Working Group.
The IETF group came up with the concept 'as the first attempt to

implement notice and choice within the framework of the Internet,'
Deidre Mulligan, staff counsel at the Center for Democracy and
(CDT), an IETF participant.
The idea is that Web site operators can detail their privacy
practices, even creating different policies for each Web page.
At the FTC hearings, Berners-Lee gave a demonstration of what he

called a P3 mock-up, showing how an end user could call up a Web
privacy policy before providing personal information.

'Mock' is right. I don't think it's visible to the public (damn
little of the Technology & Society domain is...), but it's a
gargantuan two-page HTML table of preferences with a band-aid on top
for setting 3 or four levels by macro. Admirable mockup, but it's
plainly the result of an MIT undergrad attempting to fathom what
'users' are, much less UI.


OPS in question
However, observers said it is questionable whether this
privacy element actually will make it into the P3 specifications
for release within a few months.
The outcome is questionable because the technical foundation for
P3 is
the Open Profiling Specification (OPS), which mainly focuses on how
efficiently transfer user data, not keep it private.
OPS was submitted to the W3C as the basis for P3 by Netscape
Com-munications Corp. and Cambridge, Mass.-based start-up Firefly
Inc. OPS is based on Firefly's client/server Passport technology,
said Saul
Klein, Firefly's vice president of marketing.
The Passport client software lets end users quickly transmit
about themselves to Web servers running Passport software.
This setup can simplify credit card processing or the delivery
information of interest to end users.
Barnes & Noble, Inc. and Yahoo, Inc. are among the sites using
Passport, Klein said.
However, privacy advocates stressed that OPS has no mechanism
reviewing privacy policies - P3's stated goal.

Rabbit in hat, rabbit out of hat. Watch as we skate around this one:


'P3 is about protecting privacy. It would let me ask, 'What are
data practices?' ' Mulligan said. 'But OPS doesn't give me any
information about the data protection practices of the entity you are

dealing with. OPS is about transferring data.'
'That observation is not completely incorrect,' said Joseph
a policy analyst at the W3C.
He conceded that the privacy part of P3 needs work.

Whoops, I take that back. Joseph hides the truth in plain sight.


But OPS will definitely be a part of P3, said Philip DesAutels,
who is
managing the P3 effort. 'We are not modifying OPS,' he said.

Stubborn and indefensible, that's my Phillip. In the standards
process, never say never. Especially when you're grafting a llama
onto a swordfish -- OPS and privacy profiles are different beasts
entirely. Not modifying it just makes your life harder. A similar
last-minute hardline position on including PKCS-7 in DSIG has led..
well, where exactly has it led? Last I talked to Philip, he had me
specifically promise in the print edition that the 'DSIG arch' paper
would be obsoleted by July 1. No new paper exists. I have similar
questions about 'DSIG 2.0'.

About 30 W3C member companies - including AT&T, Microsoft Corp.,
and Netscape - met two weeks ago to hold the first meeting regarding
Although Netscape arch rival Microsoft has publicly voiced
support for
OPS, there could still be a dogfight over P3 at the W3C. Microsoft
submitted a P3 proposal of its own.

Where there's smoke, there's flames...

Rohit Khare

PS. There's a new book out on LDAP by the creators: "LDAP:
Programming Directory-Enabled Applications" by Tim Howes and Mark
Version: PGP for Personal Privacy 5.0
Charset: noconv


Rohit Khare /// MCI Internet Architecture (BOS) /// khare@mci.net
Voice+Pager: (617) 960-5131  VNet: 370-5131   Fax: (617) 960-1009