10 May 2001

The Platform for Privacy Preferences (P3P)

Katherine Koch

Matt Taylor

Stanley Trepetin

Agenda

– Privacy Environment
– P3P Specification
– Privacy Policy Editors
– User Agents
– Conclusion

Privacy Environment

Online privacy is key:
– 1999 survey: 92% of Americans concerned about privacy threats when interacting online.

Websites collect information, and consumers are willing to provide it for certain benefits.

Privacy Environment

Internet is unstable:
– Poor data quality.
– Organizational problems.
– Security problems.
– No (or difficult to read) notification.

Privacy Environment

Resulting problems:
– Annoyance.
– Embarrassment.
– Discrimination.

All are unexpected.

Privacy Environment

Responses:
– Social: opt-out.
– Technical: cookie managers, encryption, etc.
– Legislative:
  – Numerous proposed bills in US (and some passed).
  – Considerable protection in EU.

Privacy Environment

Insufficient:
– Social: opt-out costly.
– Technical: technology incompatible or not widespread.
– Legislative:
  – Sectoral in US.
  – Enforcement lax in EU.

P3P - Background

P3P solves prior problems:
– Essentially opt-in
  – Preference-based decision-making.
– Economic and technical issues:
  – Widespread: integrated into MS Internet Explorer 6.
  – Standard (i.e. standardized) specification.

P3P - Background

P3P solves prior problems (cont):
– P3P works with all industries via enforceable privacy policies.
  – Toysmart.com vs. FTC.
– Privacy policies: created from consumer and government demand.
  – However, “Notice-based” legislation is needed to ensure creation of policies.

P3P - Background

Privacy policy maker creates policy.
– Including optional human readable privacy policy.

Consumers (via user agents): specify preferences, parse policy, and decide how to proceed.

P3P - Specification

    <POLICY xmlns="http://www.w3.org/2000/12/P3Pv1"
            discuri="http://www.catalog.example.com/PrivacyPracticeBrowsing.html">
      <ENTITY>
        <DATA-GROUP>
          <DATA ref="#business.name">CatalogExample</DATA>
          <DATA ref="#business.contact-info.postal.street">4 Main St.</DATA>
          <DATA ref="#business.contact-info.postal.city">Birmingham</DATA>
          <DATA ref="#business.contact-info.postal.stateprov">MI</DATA>
          <DATA ref="#business.contact-info.postal.postalcode">48009</DATA>
        </DATA-GROUP>
      </ENTITY>
      <ACCESS><nonident/></ACCESS>
      <DISPUTES-GROUP>
        <DISPUTES resolution-type="independent"
                  service="http://www.PrivacySeal.example.org"
                  short-description="PrivacySeal.example.org">
          <REMEDIES><correct/></REMEDIES>
        </DISPUTES>
      </DISPUTES-GROUP>
      <STATEMENT>
        <PURPOSE><admin/><develop/></PURPOSE>
        <RECIPIENT><ours/></RECIPIENT>
        <RETENTION><stated-purpose/></RETENTION>
        <DATA-GROUP>
          <DATA ref="#dynamic.clickstream"/>
        </DATA-GROUP>
      </STATEMENT>
    </POLICY>
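How a user agent could act on this policy, as an added example that is not part of the original slides: it parses each STATEMENT and compares PURPOSE, RECIPIENT, RETENTION and the data refs with the user's preferences. The preference dictionary and the accept/block/prompt decisions are assumptions made for illustration (a simplified stand-in for an APPEL ruleset), and the embedded policy is an abridged copy of the one on the slide.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2000/12/P3Pv1}"  # namespace used by the slide's policy

# Abridged copy of the slide's policy (ENTITY address and DISPUTES omitted).
POLICY_XML = """<POLICY xmlns="http://www.w3.org/2000/12/P3Pv1"
 discuri="http://www.catalog.example.com/PrivacyPracticeBrowsing.html">
 <ENTITY><DATA-GROUP>
  <DATA ref="#business.name">CatalogExample</DATA>
 </DATA-GROUP></ENTITY>
 <ACCESS><nonident/></ACCESS>
 <STATEMENT>
  <PURPOSE><admin/><develop/></PURPOSE>
  <RECIPIENT><ours/></RECIPIENT>
  <RETENTION><stated-purpose/></RETENTION>
  <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
 </STATEMENT>
</POLICY>"""

# Hypothetical user preferences: which declared values the user accepts,
# and which data categories must never be collected.
PREFS = {
    "purposes": {"current", "admin", "develop"},
    "recipients": {"ours"},
    "retention": {"no-retention", "stated-purpose"},
    "refused_data": ("#user.",),
}


def _values(statement, name):
    """Names of the empty child elements under e.g. <PURPOSE>."""
    node = statement.find(NS + name)
    if node is None:
        return set()
    return {child.tag.split("}", 1)[-1] for child in node}


def parse_statements(policy_xml):
    """Return one dict per STATEMENT in the policy."""
    root = ET.fromstring(policy_xml)
    return [{
        "purposes": _values(st, "PURPOSE"),
        "recipients": _values(st, "RECIPIENT"),
        "retention": _values(st, "RETENTION"),
        "data": [d.get("ref") for d in st.iter(NS + "DATA")],
    } for st in root.iter(NS + "STATEMENT")]


def evaluate(policy_xml, prefs):
    """Return (decision, reasons); decision is accept, block or prompt."""
    try:
        statements = parse_statements(policy_xml)
    except ET.ParseError as exc:
        # An unreadable policy gives the agent nothing to compare against.
        return "prompt", [f"policy is not well-formed XML: {exc}"]
    if not statements:
        return "prompt", ["policy declares no STATEMENT"]
    reasons = []
    for n, st in enumerate(statements, 1):
        for key in ("purposes", "recipients", "retention"):
            if not st[key]:
                reasons.append(f"statement {n}: {key} not declared")
            for value in sorted(st[key] - prefs[key]):
                reasons.append(f"statement {n}: {key} '{value}' not accepted")
        for ref in st["data"]:
            if ref and ref.startswith(prefs["refused_data"]):
                reasons.append(f"statement {n}: collects refused data {ref}")
    return ("accept" if not reasons else "block"), reasons


if __name__ == "__main__":
    print(evaluate(POLICY_XML, PREFS))
    print(evaluate(POLICY_XML, dict(PREFS, purposes={"current"})))
```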

P3P - Specification strengths

Robust notice: policy-wide:
– Human readability: short and long descriptions.
– New policies don’t apply to “old” data w/o consent.

P3P - Specification strengths

Robust notice: data-specific:
– PURPOSE – reason for data collection.
– RECIPIENT – destination.
– RETENTION – longevity depends on purpose.

P3P - Specification strengths

ACCESS to data.

Enforcement: DISPUTES statement (e.g. applicable court, law, etc)

P3P - Specification strengths

Development optimization: Compact Policies for cookies.

Flexible vocabulary: Can handle new types of monitoring technologies.

P3P - Specification weakness

Notice weakness:
– No multiple policies per person or across individuals.

P3P - Specification

No assurance that policies are being followed.

No security standards.

P3P - Improvement

Multiple privacy policies.

P3P Policy Editors

Utilities for drafting Specification-Compliant P3P Policies

Outline

– What P3P editing tools are currently available?
– What criteria should we use to evaluate these tools?
– What insight do these evaluations provide designers of future tools?
– What role does this play in P3P’s future?

Editing Tools

– IBM P3P Policy Editor
– YOUpowered.com/Consumer Trust
– PrivacyBot.com
– Privacy Information Management System (PIMS) P3P Policy Wizard

Evaluation Criteria

Technical Criteria
– Correctness
  – Specification-compliant/error-free policies that can be used by any user-side agent.
– Consistency
  – Utilities that verify that the P3P policy is consistent with what was originally intended.
– Completeness
  – Must accommodate all data practices, collection methods, and provide the full flexibility of the spec.

Evaluation Criteria

Viability in Industry
– Low cost, easily obtained
– Easy to use
– Scale well to web sites of increased size and complexity
  – Apply multiple policies to a domain, and its cookies and embedded content, through policy-ref
  – Aid user in integration of P3P into the site

IBM P3P Policy Editor

Advantages
– Strong interface for defining data collection
– Utilities that warn user of errors or possible inconsistencies
– XML to HTML translation to verify consistency

Disadvantages
– Poor integration utilities, for creating detailed policy reference files, and exporting the necessary files/code.

IBM P3P Policy Editor: Defining Data Collection Practices

Clear Data Definitions/GUI Interface
– Left pane contains Base Data Schema elements
  – user, third party, business, and dynamic
– Right pane contains the data collected by the policy
  – Define data groups with usage attributes
  – Move elements from the left pane into groups on the right to include them in the policy
  – Any number of groups can be defined
– This provides a useful, organized way of representing the site’s data collection, helping to ensure consistency

IBM P3P Policy Editor

IBM P3P Policy Editor: Defining New Data Structures

A new data set can be defined in the left pane
– Elements can be added from the base data schema or can be user defined
– Data sets and elements can be moved into any number of data groups on the right pane

Mechanism exploits the flexibility in data definitions provided by the specification

IBM P3P Policy Editor: Correctness

Error Pane
– Below the two data definition panes
– Prompts user to supply any specification requirements that have not been met
  – required attributes, such as entity, or access information
  – data groups that contain no elements, recipients, purpose, etc.
– Warns user about possible mistakes
  – does not provide action for disputes
  – claims to not collect any data, is this right?

IBM P3P Policy Editor: Consistency

XML to HTML translation
– Translates the XML policy into English using a standardized template
– This outlines what the XML policy states so that the user can be sure it is consistent with what he/she intended to state

Policy Element Pane
– Outlines the data elements, their group, purpose, and recipient
– A summary of the data definitions helps ensure consistency

IBM P3P Policy Editor: Completeness

Drafting multiple policies for different directories of the domain is not straightforward
– Multiple policies cannot be edited simultaneously
– Policy reference file is difficult to generate

Uniquely associating policy with cookies or embedded content is difficult
– No mechanism for embedded or cookie include/exclude
– Mechanism for compact policies is unclear

IBM P3P Policy Editor: Viability in Industry

– Free, easy to use solution for defining data practices
– Utilities for verifying correctness and consistency
– Poor/lacking mechanisms for uniquely associating multiple policies with directories of the domain, cookies, or embedded content
– Poor mechanisms for providing the user with the necessary files/code to integrate P3P into the web site
– Not a scalable solution for web sites of significant complexity

YOUpowered.com Consumer Trust Policy Editor

Advantages
– Strong interface for creating multiple policies for a domain and associating them with directories, cookies, and embedded content
– Provides much flexibility

Disadvantages
– Data definition utilities less clear than IBM editor
– Does not verify correctness or consistency
– Allows less technically savvy user to create ambiguous and incorrect policies

YOUpowered.com

GUI Interface
– Allows user to toggle between different domains and their policies to allow the user to edit their attributes
  – Left pane is a pull down menu containing the policies and system configuration
  – Right pane toggles as selection is made to allow user to edit the attributes
– Provides user with the ability to manipulate multiple policies simultaneously

YOUpowered.com: Correctness

Errors managed as user inputs information into menus and forms
– no error pane that makes user aware of errors
– no mechanism that warns user of possible inconsistencies as in the IBM editor
– Not all errors can be prevented in this manner

YOUpowered.com: Completeness

Policy Reference files are easily created
– when a policy is being edited actively, the attributes of its policy reference file can be edited
  – include/exclude
  – cookie-include/exclude
  – embedded-include/exclude
– affords user full flexibility of the specification

The lacking correctness features cripple these added features
– policy reference files can be created with errors and ambiguities

YOUpowered.com: Consistency

– Lacks XML to HTML translation utilities
– Data definition is done through menus and a less organized GUI tool, leading to more possible errors
– Does not summarize the policy for the entire domain, after the policies have been applied through a policy reference file

YOUpowered.com: Viability in Industry

Has the Completeness characteristics of a scalable solution for industry

– No compact policies

Lacks the correctness and consistency requirements to be a good tool

PrivacyBot.com

Generates P3P compliant policies

Charges fees for this service, as well as dispute mediation services

Provides forms for the user, which it uses to generate a P3P policy for $100
– editing this policy costs $10
– XML cannot be previewed before this fee is paid

User has minimal input in the construction of the XML

Verification of completeness, consistency, and correctness is difficult with a third party delivering the policy as part of a suite of services

Does not focus on generating a comprehensive policy, that is stored locally, and can be interpreted by any variety of user agents

Focus is on seal verification and service model

PIMS P3P Policy Wizard

Advantages
– Provides flexibility
– Files/Code are output in a simple and user friendly way

Disadvantages
– Generally requires more technically competent users

PIMS P3P Policy Wizard

Tool caters to the technically competent
– Prompts the user for the information required for the XML statements
– User must copy XML code into a box for data statements and new data structure definitions

This design affords flexibility, but sacrifices consistency and correctness

PIMS P3P Policy Wizard

Exports files/code in an HTML document
– Box for each policy, policy reference file, HTML link tag, HTTP headers, and any compact policies
– Each box has instructions on what to do with the text, where to put the file, where to paste the code, etc.

Simple Design
– Exporting to a local file structure, as in the YOUpowered.com tool, can be confusing
– Explanations allow users to integrate P3P into their site easily

Design Recommendations

Do any of these tools provide a scalable solution for P3P compliance?

Do the sum of the strengths of the tools achieve the technical and business goals?

How can this be done?

Design Recommendations

What must be achieved?
– Correctness
– Consistency
– Completeness
– User friendly
– Scalable
  – Detailed, accurate policy reference files
  – Integration utilities

Design Recommendations

Combine the strengths of the YOUpowered, IBM, and PIMS tools

– YOUpowered tool provides ability to edit multiple policies simultaneously and construct and edit detailed policy reference files

– IBM tool provides a useful GUI for defining data groups, and new data sets, in an organized way

– PIMS tool allows user to export files/code in a simple and fault-tolerant way

What’s missing?

Design Recommendations

Correctness Verification Utilities
– utility must be added to create warnings and errors for policy reference file
  – multiple policies point to same URI
  – this policy is not referenced to anything

Consistency Verification Utilities
– XML to HTML translation for a web site with multiple policies
– Summary of data elements across domain with multiple policies
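A sketch of the two policy reference file warnings recommended above, as an added example that is not part of the original slides or of any of the tools reviewed. The sample file, policy names and site paths are constructed; the file uses the POLICY-REF, INCLUDE and EXCLUDE elements with `*` wildcards and, as an assumption, the same namespace as the policy shown earlier.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2000/12/P3Pv1}"

# Constructed policy reference file for a small catalog site.
PRF_XML = """<META xmlns="http://www.w3.org/2000/12/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="/P3P/policies.xml#browsing">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/checkout/*</EXCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/P3P/policies.xml#catalog">
      <INCLUDE>/catalog/*</INCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/P3P/policies.xml#checkout">
      <INCLUDE>/checkout/*</INCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>"""

# Constructed inputs: policies the editor has on file, and paths on the site.
DEFINED_POLICIES = {"browsing", "catalog", "checkout", "survey"}
SITE_PATHS = ["/index.html", "/catalog/toys.html", "/checkout/pay.html"]


def _matches(pattern, path):
    """Match a local URI pattern in which '*' stands for any characters."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, path) is not None


def load_refs(prf_xml):
    """Return each POLICY-REF as {'about', 'include', 'exclude'}."""
    root = ET.fromstring(prf_xml)
    refs = []
    for ref in root.iter(NS + "POLICY-REF"):
        refs.append({
            "about": ref.get("about", ""),
            "include": [e.text.strip() for e in ref.findall(NS + "INCLUDE") if e.text],
            "exclude": [e.text.strip() for e in ref.findall(NS + "EXCLUDE") if e.text],
        })
    return refs


def policies_for(path, refs):
    """Policies whose INCLUDE covers the path and whose EXCLUDE does not."""
    hits = []
    for ref in refs:
        included = any(_matches(p, path) for p in ref["include"])
        excluded = any(_matches(p, path) for p in ref["exclude"])
        if included and not excluded and ref["about"] not in hits:
            hits.append(ref["about"])
    return hits


def check(prf_xml, defined_policies, site_paths):
    """Produce the two warnings: overlapping coverage and unreferenced policies."""
    refs = load_refs(prf_xml)
    overlaps = {}
    for path in site_paths:
        hits = policies_for(path, refs)
        if len(hits) > 1:  # "multiple policies point to same URI"
            overlaps[path] = hits
    referenced = {r["about"].rpartition("#")[2] for r in refs}
    # "this policy is not referenced to anything"
    unreferenced = sorted(set(defined_policies) - referenced)
    return {"overlaps": overlaps, "unreferenced": unreferenced}


if __name__ == "__main__":
    report = check(PRF_XML, DEFINED_POLICIES, SITE_PATHS)
    for path, policies in report["overlaps"].items():
        print(f"WARNING {path} is covered by: {', '.join(policies)}")
    for name in report["unreferenced"]:
        print(f"WARNING policy '{name}' is not referenced by any POLICY-REF")
```

Here the `browsing` policy excludes `/checkout/*` but not `/catalog/*`, so the catalog page is claimed by two policies, and the `survey` policy is never referenced.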

What does this mean for P3P?

Comprehensive compliance tool is easy to conceive

What user-side demand might force its development or widespread use?

Future of P3P Editors

It should not be the case that editor-side friction prevents propagation of P3P use throughout the commercial web

Could be easily integrated into web authoring tools, or offered as a stand alone utility

If user-side demand requires the adoption of P3P, commercial sites should have a tool that facilitates compliance.

P3P User Agents

User Agent Implementations

P3P User Agents

Evaluation Criteria
– Public Policy, Technical, Business

User Agent Evaluations
– Internet Explorer 6, Orby Privacy Plus, Privacy Minder, Privacy Bank

Recommendations

Evaluation Criteria: Policy

What is the tool intended to do?

Users need control of their personal information
– What data does the tool allow the user to control?
– Cookies, Identifiable, Non-Identifiable?

Users don’t want to read the privacy policies
– How does the tool help the user make an informed decision about a site’s practices?

Evaluation Criteria: Policy

What is the tool intended to do?

Users should be able to trust the user agent
– Does the tool act on behalf of only the user?

Users should know what to expect from the user agent
– Are the claims the tool makes legitimate?

Evaluation Criteria: Technical

Design Implications

“Novice” and “Advanced” Users
– Is the tool easy to use?
– Is it suitable for all types of users?

Seamless Browsing Experience
– Does the tool interrupt the user’s browsing?

Evaluation Criteria: Technical

Design Implications

Security
– Does the agent store and transmit the user’s personal information securely?

Default Behaviors
– How does the tool protect the user’s information in its default settings?

Evaluation Criteria: Business

Affected Parties

What is the effect on:
– Software Developer: What are the business goals?
– User: What are the costs?
– Third Parties: Implications for web sites?

P3P User Agents

– Internet Explorer 6.0
– Orby Privacy Plus
– Privacy Minder
– Privacy Bank

Internet Explorer 6

Microsoft
– Beta version available, Release Summer 2001

More Cookie Management Features

Internet Explorer 6: Policy

What is the tool intended to do?

Control of personal information
– More control of cookie placement with compact policies
– Personally-identifiable information, recipients

Helping users make informed decisions
– Compare cookie’s policy to user’s preferences
– Only allows cookies that match preferences
– Show site’s policy

Internet Explorer 6: Technical

Design Implications

“Novice” and “Advanced” Users
– 5 Privacy Settings (3 in Preview)
– Site-by-Site Cookie Settings
– Import Preferences (Not in Preview)

Seamless Browsing Experience
– Privacy Icon

Internet Explorer 6: Technical

Design Implications

Security
– Doesn’t store personal info for cookie management

Default Behaviors
– Policy required for 3rd party cookies, but not 1st.
– “If Internet Explorer 6 were to require all first-party Web sites to have a P3P compact policy for the user to be "remembered" by the site using persistent cookie placement, it would break user personalization on the Web. It would also place significant undue hardship on small first-party sites that don’t have the resources and expertise to understand, create and implement a P3P CP by the time Internet Explorer 6 is scheduled to ship in early summer 2001.”

Internet Explorer 6: Business

Affected Parties

Microsoft
– Actively involved in P3P effort

Users
– Free software
– No configuration required to use the P3P features

Third Parties
– Compact policies

Internet Explorer 6

Status bar informative, but not disruptive

IE6 could expose a wide audience to P3P

Limitation: Only uses compact policies
– Could encourage sites to implement CPs

Orby Privacy Plus

YOUpowered
– Version 3.0 April 2001

Add-on to Internet Explorer

Manage cookies, remember passwords, store personal data, fill forms

Orby Privacy Plus: Policy

What is the tool intended to do?

Control of personal information
– Track Eraser deletes cookies when you leave, doesn’t control placement
– Manages data transfer to SmartSense sites
  – Personal
  – Demographic
  – Financial
  – Behavioral

Orby Privacy Plus: Policy

What is the tool intended to do?

Helping users make informed decisions
– “Orby Trust” rating
– Site Information window
  – Information flags
  – Implicit/Explicit sites
  – Privacy policies

Orby Privacy Plus: Policy

What is the tool intended to do?

On behalf of only the user
– SmartSense sites can store behavioral profiles
– Share with other sites through Orby!
– User can turn off sharing

User expectations
– “You can access and change your information forever and whenever you want.”
– May be misleading

Orby Privacy Plus: Technical

Design Implications

“Novice” and “Advanced” Users
– 4 Security levels for data transfer
– Site-by-site preferences
– Not enough flexibility for advanced users

Seamless Browsing Experience
– Trust score does not give enough information

Orby Privacy Plus: Technical

Design Implications

Security
– Encrypted, password-protected profile

Default Behaviors
– “Private” security level
– Allows cookies

Orby Privacy Plus: Business

Affected Parties

YOUpowered
– Sell SmartSense to sites and distribute Orby free

Users
– Free for users

Third Parties
– SmartSense sites can receive data from Orby

Orby Privacy Plus

– Behavioral profiling, but can turn off sharing
– Trust Score not informative enough
– Cookie management not as flexible as IE
– Form filling is nice, but doesn’t use P3P

Privacy Minder

– AT&T Research Prototype (1999)
– Similar to Orby, but not full user agent
– Import preferences using APPEL
– Icons show site status
– Pop-up window shows information about forms

Privacy Bank

– Stores user’s information online
– Users indicate sharing preferences
– Provides form filler that uses P3P

User Agent Recommendations

Why are the current tools not adequate?
– No one tool for managing cookies and other data collection
– Can import preferences, but no utility for creating them

User Agent Recommendations

What about the kids?
– Special settings for children, COPPA

Integrate into the browser.

User Agent Recommendations

Show the user what he needs to know to make a decision.
– Show meaningful icons, not a rating
– Separate window for detailed information
– Show policy information on forms

User Agent Recommendations

Give users the power.
– Full control…
  – Specify preferences in detail
  – No automatic data transfer
– Of all types of personal data…
  – Cookies, identifiable, non-identifiable

The Future…

Conclusion

P3P great step forward in privacy protection:
– Standardized, highly flexible privacy protection specification which facilitates tool development.
– Implementing tools should soon be widely used.

Improvements:
– Specification.
– Policy editors.
– User agents.

Conclusion

Work in tandem with other security technologies.

“Notice-based” legislation still needed.

P3P can become a great privacy protecting platform.