DOI: 10.1145/1111348.1111349

A formal semantics for P3P

Published: 29 October 2004

Abstract

The Platform for Privacy Preferences (P3P), developed by the W3C, provides an XML-based language for websites to encode their data-collection and data-use practices in a machine-readable form. To fully deploy P3P in enterprise information systems and over the Web, a well-defined semantics for P3P policies is a must, which is lacking in the current P3P framework. Without a formal semantics, a P3P policy may be semantically inconsistent and may be interpreted and represented differently by different user agents; it is difficult to determine whether a P3P policy is indeed enforced by an enterprise; and privacy policies from different corporations cannot be formally compared before information exchange. In this paper, we propose a relational formal semantics for P3P policies, which precisely and intuitively models the relationships between different components of P3P statements (i.e., collected data items, purposes, recipients and retentions) during online information collection. The proposed formal semantics is an important step towards improving P3P, making it more appropriate to be integrated with business practice and ultimately accelerating the large-scale adoption of P3P across the Internet.

Published In

SWS '04: Proceedings of the 2004 workshop on Secure web service
October 2004
109 pages
ISBN:158113973X
DOI:10.1145/1111348

Publisher

Association for Computing Machinery

New York, NY, United States

Cited By

  • (2024) A Universal Data Model for Data Sharing Under the European Data Strategy. Privacy Technologies and Policy, pp. 3-19. DOI: 10.1007/978-3-031-61089-9_1. Online publication date: 30-May-2024
  • (2020) Big Picture on Privacy Enhancing Technologies in e-Health: A Holistic Personal Privacy Workflow. Information 11:7 (356). DOI: 10.3390/info11070356. Online publication date: 8-Jul-2020
  • (2019) A Survey on Privacy Policy Languages: Expressiveness Concerning Data Protection Regulations. 2019 12th CMI Conference on Cybersecurity and Privacy (CMI), pp. 1-6. DOI: 10.1109/CMI48017.2019.8962144. Online publication date: Nov-2019
  • (2018) Critical Analysis of LPL according to Articles 12 - 14 of the GDPR. Proceedings of the 13th International Conference on Availability, Reliability and Security, pp. 1-9. DOI: 10.1145/3230833.3233267. Online publication date: 27-Aug-2018
  • (2018) LPL, Towards a GDPR-Compliant Privacy Language: Formal Definition and Usage. Transactions on Large-Scale Data- and Knowledge-Centered Systems XXXVII, pp. 41-80. DOI: 10.1007/978-3-662-57932-9_2. Online publication date: 2-Aug-2018
  • (2015) Formal Verification of Privacy Properties in Electric Vehicle Charging. Engineering Secure Software and Systems, pp. 17-33. DOI: 10.1007/978-3-319-15618-7_2. Online publication date: 2015
  • (2014) Eddy, a formal language for specifying and analyzing data flow specifications for conflicting privacy requirements. Requirements Engineering 19:3, pp. 281-307. DOI: 10.1007/s00766-013-0190-7. Online publication date: 1-Sep-2014
  • (2014) Privacy Architectures: Reasoning about Data Minimisation and Integrity. Security and Trust Management, pp. 17-32. DOI: 10.1007/978-3-319-11851-2_2. Online publication date: 2014
  • (2014) Privacy by Design: From Technologies to Architectures. Privacy Technologies and Policy, pp. 1-17. DOI: 10.1007/978-3-319-06749-0_1. Online publication date: 2014
  • (2013) Privacy by design. Proceedings of the third ACM conference on Data and application security and privacy, pp. 95-104. DOI: 10.1145/2435349.2435361. Online publication date: 18-Feb-2013
