W3C

Projects/QH/P3P - A view of the problem


Much work has been done in eliciting the requirements on privacy protection, of which the existence, scope and structure of P3P are a clear sign. To a large extent, deciding on requirements is a negotiation process between the stakeholders: the prototypical individual person; the actors providing services on the web; the set of legal actors in society; the public sector itself with its political tensions; the product vendors; etc. What we hope for, and believe, is that P3P represents a practical platform (sic!) for enhancing privacy protection in the near future.

What P3P offers is the set of primitives, the set of elementary Lego building blocks, the set of cogwheels, out of which we can construct a protective harness for ourselves. These primitives form a language, or a conceptualisation, of what P3P can "understand", and therefore of what sort of protective harness one can expect from a P3P user agent application.

The kind of negotiation that took place between the stakeholders concerned a number of areas, e.g.:

The way to characterise the resulting P3P standard is as a language for privacy preferences and policies. There are two dimensions of semantics involved: the societal framework in which legal decisions are taken (this is the soft, real world, in which new precedents are established, new rules, or new interpretations of rules, are established), and the technical framework in which programmatic components (software) evaluates states and selects actions (this is the hard technological world, where rules are followed, not established).

P3P, from the point of view of its implementation, can be regarded as a programming language with a strong declarative character. Each way of defining, in the language of P3P, your preferences or policies actually constitutes a program for a "P3P computer". Looked at in this way, the P3P language can be evaluated w.r.t. ease of use, just as any other programming language!
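To make the "program for a P3P computer" view concrete, here is an added illustration (not part of the original page, and not code from the Question How project or from any P3P user agent). The policy fragment uses element and vocabulary names from the P3P 1.0 specification (POLICY, STATEMENT, PURPOSE, RECIPIENT, RETENTION, DATA), but the site, the data collected and the values are constructed. The user's preferences are written in a small ad-hoc rule form chosen for this example rather than in APPEL; the "P3P computer" is the evaluate() function, which runs the declarative policy against the declarative preferences and returns the mismatches.

```python
import xml.etree.ElementTree as ET

# Namespace of the P3P 1.0 Recommendation.
NS = {"p3p": "http://www.w3.org/2002/01/P3Pv1"}

# Constructed sample policy: a shop collects a given name and clickstream for
# running the site, and hands the e-mail address to a third party indefinitely.
SAMPLE_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="shop" discuri="http://example.invalid/privacy">
    <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Shop (constructed)</DATA></DATA-GROUP></ENTITY>
    <ACCESS><nonident/></ACCESS>
    <STATEMENT>
      <PURPOSE><current/><admin/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#user.name.given"/>
        <DATA ref="#dynamic.clickstream"/>
      </DATA-GROUP>
    </STATEMENT>
    <STATEMENT>
      <PURPOSE><contact/></PURPOSE>
      <RECIPIENT><other-recipient/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>"""

# Constructed user preferences (ad-hoc rule form, not APPEL). Each rule names a
# data-reference prefix and the purposes, recipients and retention values the
# user refuses for data under that prefix.
USER_PREFERENCES = [
    {"data": "#user.home-info.online.email",
     "purpose": {"contact", "telemarketing"},
     "recipient": {"other-recipient", "unrelated", "public"},
     "retention": {"indefinitely"}},
    {"data": "#user.",
     "purpose": {"telemarketing"},
     "recipient": {"public"},
     "retention": set()},
]


def parse_statements(policy_xml):
    """Return one dict per STATEMENT: the DATA refs it covers plus the sets of
    PURPOSE, RECIPIENT and RETENTION child-element names it declares."""
    root = ET.fromstring(policy_xml)
    statements = []
    for st in root.iterfind(".//p3p:STATEMENT", NS):
        def names(tag):
            el = st.find(f"p3p:{tag}", NS)
            # Strip the namespace: '{...}current' -> 'current'.
            return {c.tag.split("}")[1] for c in el} if el is not None else set()
        statements.append({
            "data": [d.get("ref") for d in st.iterfind(".//p3p:DATA", NS)],
            "purpose": names("PURPOSE"),
            "recipient": names("RECIPIENT"),
            "retention": names("RETENTION"),
        })
    return statements


def evaluate(policy_xml, prefs=USER_PREFERENCES):
    """The 'P3P computer': run the policy against the preferences and return
    every (data ref, dimension, value) the user has refused."""
    violations = []
    for st in parse_statements(policy_xml):
        for ref in st["data"]:
            for rule in prefs:
                if not ref.startswith(rule["data"]):
                    continue
                for dim in ("purpose", "recipient", "retention"):
                    for value in sorted(st[dim] & rule[dim]):
                        violations.append((ref, dim, value))
    return violations


def decision(policy_xml, prefs=USER_PREFERENCES):
    """What a user agent would do with the site's cookies or forms."""
    return "block" if evaluate(policy_xml, prefs) else "accept"


if __name__ == "__main__":
    for v in evaluate(SAMPLE_POLICY):
        print("refused:", v)
    print("decision:", decision(SAMPLE_POLICY))
```

With the constructed inputs, the first statement passes both rules, while the second trips the e-mail rule on all three dimensions (contact, other-recipient, indefinitely), so the agent's decision is "block". Changing either the policy or the rules, without touching evaluate(), changes the outcome, which is exactly the sense in which both are "programs" for the same engine.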

Taking this approach, one can offer a fresh view of what P3P means in practice. Classically, programming languages are evaluated from a number of complementary view-points, e.g.:

Such classical dimensions have, during the last decade, been complemented by other aspects of high importance in modern IT environments, e.g.:

What we take for granted in this work is the expressivity and semantics of P3P. In a sense it defines a standard off-the-shelf engine supporting privacy protection. As in many other areas, it may be more sensible, pragmatically speaking, to look at how this platform can be extended in different ways, rather than investigating alternative basic platforms. This is the approach we take here. What we do is to look at a few of the higher-level criteria mentioned above, and how they can be supported on top of P3P.

A dimension that we focus on is the management of the "P3P software" that runs on the user's "P3P engine". This entails focussing on some specific aspects, like evolvability, tailorability, and adaptability (as indicated above), but also aspects on decentralisation.

The approach taken is to look at the P3P language from an orthogonal point of view, adopting concepts from another area concerned with protection and security. This other area is role-based access control, an area where a lot of work has been done on developing conceptual models that capture higher-level patterns in our protection needs.



This activity was partly supported by grant IST-2000-28767 from the European Union's Information Society Programme to the Question How project


Last modified: Fri Sep 05 09:40:24 W. Europe Daylight Time 2003