To:
Stephane Bortzmeyer <bortzmeyer@nic.fr>
cc:
Eric Brunner-Williams in Portland Maine <brunner@nic-naa.net>, "Hollenbeck, Scott" <shollenbeck@verisign.com>, "'ietf-provreg@cafax.se'" <ietf-provreg@cafax.se>, brunner@nic-naa.net
From:
Eric Brunner-Williams in Portland Maine <brunner@nic-naa.net>
Date:
Tue, 22 Oct 2002 10:55:48 -0400
Content-ID:
<10529.1035298548.1@nic-naa.net>
In-Reply-To:
Your message of "Tue, 22 Oct 2002 15:55:16 +0200." <20021022135516.GA7638@nic.fr>
Sender:
owner-ietf-provreg@cafax.se
Subject:
Re: "private" Element Attribute
Stephane, I spent 2000 working for a "grey hat" in the privacy area, Engage, a CMGI company. Engage shares trade at about US$ 0.07 last time I looked, down slightly from US$ 160. Bulk and transactionally acquired PII (deterministic) or demographic (probablistic) data was my interest, cookies and other bits of web cruft, and onward-transport of customer-profiles from web sites that performed data collection -- oddly, quite similar to our own provisioning chain. In October 2000 the P3P Spec WG decided to split the APPEL draft out from the P3P Spec. I was one of those who voted for this split, and never took a look at APPEL subsequent. I really like Marc Langheinrich (editor), but it was delaying getting P3P to W3C RC status. This is simply to say I was writing rather carelessly about APPEL. From the high-level blurb, written by someone(s) in the P3P Policy and Outreach (non-techies): ... P3P is a standardized set of multiple-choice questions ... ... a standard, machine-readable format ... ... enabled browsers can [evaluate a policy statement] ... ... compare it to the [user]'s own set of privacy preferences. Its a data collection practice announcement format specification, intended for data collection implementors and policy evaluation implementors. It is not a user preference announcement language, nor is it a mechanism to negociate data collection practices. From the high-level blurb, written either by Marc (editor) or Lorrie (chair): ... the language for exchanging privacy preferences ... This document complements the P3P1.0 specification [P3P10] by specifying a language for describing collections of preferences regarding P3P policies between P3P agents. In all the discussion I've had with data collectors and policy evaluation engine implementors in 2000, 2001, and 2002 I can't recall anyone making the case that a use-case for APPEL was communicating between the data source and the data sink. It was always between data sources (users) and between template providors (privacy advocates) and users. I spent 2001 working for a gTLD operator that never really "got" privacy and I expect engages in bulk transactions and otherwise repurposes user data. Like others, but not all others. Please let me know what makes sense for the .fr operator, and others too. Eric