Projects/QH/P3P - Conceptualisation

The P3P language rests on a conceptualisation that covers nine complementary aspects of online privacy (quoted from "P3P 1.0: A New Standard in Online Privacy"). Five topics detail the data being tracked by the site.

• Who is collecting this data?
• Exactly what information is being collected?
• For what purposes?
• Which information is being shared with others?
• And who are these data recipients?

The remaining four topics explain the site's internal privacy policies.

• Can users make changes in how their data is used?
• How are disputes resolved?
• What is the policy for retaining data?
• And finally, where can the detailed policies be found in "human readable" form?

These constitute the set of dimensions where a user may want to make statements about or make changes to his preferences.

P3P is a formal language, though a policy expressed in P3P may contain parts that are not formalised. This means that the complete set of conditions expressed by a P3P policy cannot be guaranteed to be semantically analysed, formally speaking. Part of the work on explicating P3P has been done through developing an RDF Schema for P3P This contibutes to clarifying the meaning of P3P.

The APPEL language provides a conceptualisation of P3P, as seen from the user's side. The result is a language of manageable size and complexity, with the objective of making it easier to express privacy preferences. As a consequence, APPEL provides a complementary conceptualisation of P3P, downplaying certain aspects of P3P and emphasising other aspects. Some new concepts are introduced, intended to offer, to the user, a way to express more generic constraints. Whereas a (server-side) P3P policy makes statements about one specific actor (the site itself), a (client-side) APPEL preference must be able to make statements that are applicable to an open-ended set of P3P server-side policies (though of course, the policies should capture the unique preference of the single owner, the user).

We extract a conceptual model from the APPEL conceptualisation, take the P3P conceptualisation into account, and add new concepts that permits one to make statements about sets of privacy preferences. A major component in what is added is the hierarchical aspect, inspired by RBAC.

The aim has been to explore both lower levels of expressivity of privacy preference management ("how simple can one make that task?"), and higher levels of expressivity ("at what point will complexity dominate over usability?"). Hence, the approach has been to develop a framework demonstrator that allows one to experiment with different degrees of complexity of the conceptual model one operates with.

This activity was partly supported by grant IST-2000-28767 from the European Union's Information Society Programme to the Question How project