Hi John,
Thanks for taking the time to bring CDT's perspective to these
issues.
PRIVACY: Because there is unlikely to be an opportunity for a
prior review (by the end user or the user's P3P agent) of the
privacy policies of the OPES server (or a third party server called
out by OPES), such OPES-related privacy policies should be
reflected in the privacy policies of any content publisher who
chooses to use OPES. Thus, publishers who wish to use OPES should
take responsibility for the use or dissemination of information by
an OPES service provider. We believe that addressing this need, or
some direct and effective method that a user can interrogate the
privacy policy of an OPES provider, should both be a part of OPES
and should be included in revisions to the P3P specification.
Just FYI, I brought this to the attention of the P3P spec WG a while
back, so they're aware of the issue. I belive that it's considered
out of scope for the time being (especially since P3P is in CR), but
it might be considered for a future version.
Cheers,
--
Mark Nottingham, Research Scientist
Akamai Technologies (San Mateo, CA USA)