Getting Your Web Site P3P Compliant


  • Getting Your Web Site P3P Compliant
    Joshua Freed, http://www.neted.org

  • P3P Deployment
    - Planning for deployment
      - Understanding how policies are applied to sites
      - Decisions to make
    - Developing the policies and policy reference files
      - How to develop them
      - Tools to help
    - Deployment and testing
      - How to deploy
      - Testing the deployment

  • The Biggest Challenge
    Toughest and most important aspect:
    - Get a clear understanding of what information the site collects
    - Ensure that your privacy statement accurately reflects these actions

  • Planning for Deployment

  • Applying policies to sites
    - P3P policies can be applied broadly or narrowly
      - As broad as an entire site
      - As narrow as a single URL on a site
      - Maximum scope is a single hostname
    - P3P policies are applied to "HTTP entities"
      - That is, URLs, not pages
      - A page is typically many "entities" (frameset, framed content, graphics, style sheets, ...)
    - It is OK to overstate a site's practices, but not to understate them

  • Applying policies to cookies
    - Can be applied broadly or narrowly:
      - Can apply to all cookies on a site
      - Or can specify applicable cookies by name, domain of use, or path of use
      - Domain/path of use are set by the cookie (hosts to send the cookie to, path within that host to send the cookie to)
    - Narrow scope for cookies is only useful if you are willing for visitors to accept some cookies but not all cookies

  • How is it done?
    - P3P uses a policy reference file (PRF) which:
      - Lists the P3P policies used by the site
      - States what parts of the site and what cookies are covered by each policy
    - A policy reference file can only cover resources on its own host
      - Each host needs its own policy reference file
      - The policies themselves can be on another host

  • PRF Request in Action (diagram: client fetching the PRF from the web server)

  • Policy Reference File Contents
    Allows specification of which policy applies to which resources on a site:
    - EXPIRY: determines how long the PRF is valid
    - POLICY-REF (about attribute): URL of the policy
    - INCLUDE / EXCLUDE: URL prefixes (local to the host) to which the policy applies or doesn't apply
    - COOKIE-INCLUDE / COOKIE-EXCLUDE: associates or disassociates cookies with the policy
    - METHOD: HTTP methods to which the policy applies

  • Locating Policy Reference Files
    There are three ways to locate a PRF:
    - Publish it at the well-known location, /w3c/p3p.xml
    - Send an HTTP header (P3P: policyref="...") which gives the location of the policy reference file
    - Include a link to the policy reference file in the site's HTML (<link rel="P3Pv1" href="...">)
    The well-known location is fastest for clients; the HTML link is slowest (the client must first fetch and parse the HTML page); the HTTP header falls in between.

  • More on Locating Policy Reference Files
    - If possible, use just one reference file per site
      - Multiple are allowed, but this is harder to manage
    - Whenever possible, use the well-known location
      - But the entire host must be under a single organization
    - Use the HTTP header method if you control the site's configuration
    - Use HTML links only as a last resort
      - When you don't control the entire site and can't change the server configuration

  • Using Compact Policies
    - A compact policy (CP) is sent in an HTTP header (the CP="..." field of the P3P header)
    - Typically done by configuring the server to send the header
    - There is no policy reference file mechanism for CPs
      - To put different CPs on different parts of the site, the server must send the appropriate CP with each response
    - A compact policy applies to all cookies set in the current response
    - A compact policy applies to those cookies for the life of the cookie

  • How Many Policies?
    - Most organizations will use a small number of policies (fewer than 5)
      - Using more than this quickly gets unmanageable
    - At a minimum, try to split your site into two:
      - Parts of the site which require personally identifiable information (PII)
      - Parts of the site which don't require PII
    - The split must be distinguishable by URL or hostname

  • Policy Lifetime and Updates
    - The policy in effect when the data is collected applies as long as you hold the data
    - Policy and reference file lifetime covers how long clients may cache the file
      - Doesn't use HTTP caching rules; lifetimes are built directly into the policy and reference files (EXPIRY element)
      - Strike a balance between cacheability and flexibility
    - Compact policy lifetime is the entire lifetime of the cookie
      - Don't use compact policies if using long-lived cookies!

  • Importance of Standards
    - Standard practices are the single biggest aid to P3P deployment
    - They also make privacy management easier in an organization
    - Standards to consider:
      - Company-wide privacy policy
      - Standardized opt-in/opt-out text and method
      - Acceptable data collection standards
      - Cookie naming and lifetime standards

  • Third-party Content
    - If your site uses third-party content, its providers will also need to deploy P3P
      - The content owner has to do this; your site can't give the policy for content from other hosts
    - IE6, at its default privacy setting, blocks third-party cookies that have no P3P compact policy (and those whose CP declares use of PII without consent)
    - "Third party" is based on hostnames
      - Any content embedded within a page from a different domain is "third party"
      - This distinction is made by IE; it is not part of P3P

  • Developing the Files

  • Inside a P3P Policy
    - The really hard work
    - Description of the major parts of a P3P policy
    - How to avoid writing XML by hand

  • The Really Hard Work
    - Understanding your data collection and use practices
      - What data do you use?
      - What do you use it for?
      - Who else can see the data?
      - When a user opts in/out, what does this cover?
    - This is a business-process task, not a technical task
      - Involve business people in this step
      - Consider outside consulting assistance

  • P3P Vocabulary: ENTITY
    - Describes the organization collecting the data
    - Uses the P3P base data schema to structure the description of the collector
    - Required to include at least one way to contact the organization (phone, post, or e-mail)

  • P3P Vocabulary: DISPUTES
    - Used to list the dispute-resolution mechanisms available to visitors
      - In the event a user thinks the policy has been violated
    - Can include:
      - The company's customer service department
      - Web privacy seals (TRUSTe, BBBOnline, etc.)
      - Relevant legislation, for regulated businesses

  • P3P Vocabulary: ACCESS
    - Describes what type of data the user will be able to access (and possibly update) in the future
    - Does not indicate how the user will do this
      - The site's human-readable privacy policy must explain how the user can access their information
    - P3P does not include a mechanism to automate data access or update

  • P3P Vocabulary: STATEMENT
    - Used to group information about types of data
    - The same practices apply to all data listed in the group

  • P3P Vocabulary: PURPOSE
    - Indicates what the site will do with the information
    - Includes information about user options
      - Each purpose element carries a required attribute (always, opt-in, or opt-out)
    - P3P purposes: current, admin, develop, tailoring, pseudo-analysis, pseudo-decision, individual-analysis, individual-decision, contact, historical, telemarketing, other-purpose

  • P3P Vocabulary: RECIPIENT
    - Indicates who will receive the information
    - Includes information about user options
      - Each recipient element carries a required attribute (always, opt-in, or opt-out)
    - P3P recipients: ours, delivery, same, other-recipient, unrelated, public

  • P3P Vocabulary: RETENTION
    - Indicates how long the site will keep the information
    - Described in general terms only, not in specific amounts of time
    - The human-readable policy is required to explain the retention policy for the starred values
    - P3P retention values:
      - no-retention
      - stated-purpose *
      - legal-requirement *
      - business-practices *
      - indefinitely

  • P3P Vocabulary: DATA-GROUP / DATA
    - Lists the data collected by the site under these practices
    - Uses data elements (or categories) from the base data schema, or from a custom schema referenced in the policy
    - Almost all base data elements have an assigned category
    - Sites can describe the data they collect using either specific data elements or simply categories of data

  • P3P Vocabulary: CATEGORIES
    - physical: Physical contact information
    - online: Online contact information
    - uniqueid: Unique identifiers
    - purchase: Purchase information
    - financial: Financial information
    - computer: Computer information
    - navigation: Navigation and click-stream data
    - interactive: Interactive data
    - demographic: Demographic and socioeconomic data
    - content: Content
    - state: State management mechanisms
    - political: Political information
    - health: Health information
    - preference: Preference data
    - government: Government-issued identifiers
    - other-category: Other

  • P3P Vocabulary: TEST
    - Used to indicate that the policy is for testing purposes
    - Can be used to verify that the site deployment was done correctly
    - Clients will ignore policies that include this element

  • Creating a Reference File
    - If one policy covers the entire site, this is trivial
    - Otherwise, examine the server's configuration
      - Look for directory trees where server-side executables are allowed or used
      - Map these to the correct policy
      - Map "everything else" to a default policy
    - Reference files are processed top to bottom; the first POLICY-REF that applies wins
      - Place the most specific entries first, the most general last
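To make the top-to-bottom rule concrete, here is an added example (not code from the presentation) that applies the PRF matching rules to a constructed reference file: INCLUDE/EXCLUDE patterns for URL paths, COOKIE-INCLUDE rules for cookies, and a lint that flags POLICY-REF entries shadowed by an earlier catch-all `/*`. The hostname www.example.com, the policy URIs and the cookie names are assumptions for the example.

```python
"""Resolve which P3P policy a policy reference file (PRF) assigns to a URL path
or a cookie.  Constructed example; the PRF below is not from any real site.

Rules implemented (P3P 1.0, section 2.3):
  * POLICY-REF elements are tried in document order; the first that applies wins,
    so specific entries must precede general ones.
  * A POLICY-REF applies to a path if some INCLUDE matches it and no EXCLUDE does.
    '*' matches any run of characters, including the empty string.
  * COOKIE-INCLUDE / COOKIE-EXCLUDE match on name, domain and path; an absent
    attribute defaults to '*' and so matches any value.
"""
import re
import xml.etree.ElementTree as ET

P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed PRF: application under /cgi-bin and /servlet gets its own policy
# and owns the "session" cookie; everything else falls through to "browsing".
SAMPLE_PRF = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <EXPIRY max-age="86400"/>
    <POLICY-REF about="/w3c/policies.xml#checkout">
      <INCLUDE>/cgi-bin/*</INCLUDE>
      <INCLUDE>/servlet/*</INCLUDE>
      <EXCLUDE>/servlet/unknown</EXCLUDE>
      <COOKIE-INCLUDE name="session" domain="www.example.com" path="/"/>
    </POLICY-REF>
    <POLICY-REF about="/w3c/policies.xml#browsing">
      <INCLUDE>/*</INCLUDE>
      <COOKIE-INCLUDE/>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>"""

# The same idea with the catch-all entry first: a common deployment mistake.
SHADOWED_PRF = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="/w3c/policies.xml#browsing"><INCLUDE>/*</INCLUDE></POLICY-REF>
    <POLICY-REF about="/w3c/policies.xml#checkout"><INCLUDE>/cgi-bin/*</INCLUDE></POLICY-REF>
  </POLICY-REFERENCES>
</META>"""


def _glob_match(pattern, value):
    """P3P wildcard match: '*' is the only metacharacter, everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _policy_refs(prf_xml):
    """POLICY-REF elements in document order (the order that decides precedence)."""
    return ET.fromstring(prf_xml).iter(P3P_NS + "POLICY-REF")


def _texts(ref, tag):
    return [(el.text or "").strip() for el in ref.findall(P3P_NS + tag)]


def policy_for_path(prf_xml, path):
    """Return the 'about' URI of the first POLICY-REF covering this URL path, or None."""
    for ref in _policy_refs(prf_xml):
        included = any(_glob_match(p, path) for p in _texts(ref, "INCLUDE"))
        excluded = any(_glob_match(p, path) for p in _texts(ref, "EXCLUDE"))
        if included and not excluded:
            return ref.get("about")
    return None


def _cookie_rule_matches(rule, name, domain, path):
    # A missing attribute means "*" (matches anything), as the spec defines.
    return (_glob_match(rule.get("name", "*"), name)
            and _glob_match(rule.get("domain", "*"), domain)
            and _glob_match(rule.get("path", "*"), path))


def policy_for_cookie(prf_xml, name, domain, path):
    """Return the 'about' URI of the first POLICY-REF covering this cookie, or None."""
    for ref in _policy_refs(prf_xml):
        rules_in = ref.findall(P3P_NS + "COOKIE-INCLUDE")
        rules_out = ref.findall(P3P_NS + "COOKIE-EXCLUDE")
        if (any(_cookie_rule_matches(r, name, domain, path) for r in rules_in)
                and not any(_cookie_rule_matches(r, name, domain, path) for r in rules_out)):
            return ref.get("about")
    return None


def unreachable_refs(prf_xml):
    """List POLICY-REFs whose URL rules can never be selected because an earlier
    entry includes everything ('*' or '/*') and excludes nothing."""
    shadowed, catch_all_seen = [], False
    for ref in _policy_refs(prf_xml):
        if catch_all_seen and _texts(ref, "INCLUDE"):
            shadowed.append(ref.get("about"))
        if any(p in ("*", "/*") for p in _texts(ref, "INCLUDE")) and not _texts(ref, "EXCLUDE"):
            catch_all_seen = True
    return shadowed


if __name__ == "__main__":
    for path in ("/index.html", "/cgi-bin/search", "/servlet/unknown"):
        print(f"{path:18} -> {policy_for_path(SAMPLE_PRF, path)}")
    print("session cookie     ->", policy_for_cookie(SAMPLE_PRF, "session", "www.example.com", "/"))
    print("shadowed in mis-ordered PRF:", unreachable_refs(SHADOWED_PRF))
```

Note that `/servlet/unknown` falls through to the `browsing` policy because the EXCLUDE removes it from the first entry, and that in the mis-ordered file the `checkout` entry is never reached at all, which is exactly the overstatement/understatement risk the earlier slides warn about.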

  • Do I Have To Write All That?
    - Yes and no...
      - You need to understand what will go into a P3P policy...
      - ...but you don't have to write it in 'vi'.
    - Use a policy editor which will create the XML for you
      - No need to code the XML directly
      - The policy editor will also create the compact version for sites which are using compact policies
    - IBM & Microsoft have free policy editors:
      - http://www.alphaworks.ibm.com/tech/p3peditor
      - http://www.microsoft.com/privacy/wizard/

  • IBM P3P Policy Editor (screenshots)

  • Microsoft P3P Privacy Wizard (screenshots)

  • Deployment

  • Deploying P3P on a Site
    - Publish the policy file(s) and the reference file
    - Add an HTTP header giving the location of the reference file (if using the HTTP header for this)
    - Add an HTTP header containing the compact policy (if using compact policies)
      - Can be combined with the previous step
    - Add link tags to the HTML with the location of the reference file (if using link tags)
    - Test the deployment
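The header steps above, expressed as server configuration, as an added example that is not part of the presentation: Apache httpd mod_headers directives sending the P3P header with both the reference-file location and a compact policy, and a different compact policy for the /cgi-bin tree, since CPs have no reference-file mechanism and must be sent per response. The path /w3c/p3p.xml, the /cgi-bin split and the CP tokens are assumptions for the example; the tokens for a real site must come from its own policy (e.g. from the editors listed later), not be copied from here. The link-tag alternative for the same reference file is `<link rel="P3Pv1" href="/w3c/p3p.xml">` in each page's head.

```apache
# Requires mod_headers.  Site-wide default: where the policy reference file
# lives, plus the compact policy for cookies set by ordinary pages.
# The CP tokens are illustrative only, not a policy for any real site.
Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"NOI DSP COR NID CUR ADM DEV OUR IND\""

# The application under /cgi-bin collects personal data, so every response
# from this tree must carry its own, broader compact policy.  "Header set"
# replaces the site-wide value rather than appending a second P3P header.
<Location "/cgi-bin">
    Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"ALL DSP COR CUR ADMa DEVa OUR STP PHY ONL UNI PUR\""
</Location>
```

Check the result with `curl -sI` against a page in each tree and confirm that exactly one P3P header is present and that the CP on /cgi-bin responses differs from the default; the W3C validator mentioned on the next slide will also report a mismatch between a CP and the full policy it summarizes.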

  • Testing the Deployment
    - Use the W3C's P3P validator: http://www.w3.org/P3P/validator
    - Test with Internet Explorer 6
      - Most useful if your site is using third-party cookies
      - Also view the privacy summary, to see how IE renders your P3P policy

  • Deployment resources
    - P3P Editors:
      - http://www.alphaworks.ibm.com/tech/p3peditor
      - http://www.microsoft.com/privacy/wizard
    - P3P Deployment Guide: http://www.w3.org/TR/p3pdeployment
    - P3P Validator: http://www.w3.org/P3P/validator
    - P3P Toolbox: http://www.p3ptoolbox.org (Coming Soon!)

  • Acknowledgments
    My thanks to Martin Pressler-Marshall of IBM for his assistance and contribution to this presentation

  • Conclusion
    - You should now understand what's involved in deploying P3P for your organization
    - Tackle it on your own if that's appropriate
    - Contact Josh Freed for any questions or information about implementation assistance

    Any questions?

  • Examples

  • Example Privacy Policy
    At CatalogExample, we care about your privacy. When you come to our site to look for an item, we will only use this information to improve our site and will not store it in an identifiable way.
    CatalogExample is a licensee of the PrivacySealExample Program. Questions regarding this statement should be directed to: CatalogExample, 1-248-392-6753
    When you browse through our site we collect:
    - The basic information about your computer and connection, to make sure that we can get you the proper information and for security purposes
    - Aggregate information on what pages consumers access or visit, to improve our site
    We purge the browsing information that we collect regularly.

  • Example Policy (ENTITY element; only the element text survived the transcript, the enclosing XML is reconstructed and the rest of the policy is not reproduced)

    <ENTITY>
      <DATA-GROUP>
        <DATA ref="#business.name">CatalogExample</DATA>
        <DATA ref="#business.contact-info.telecom.telephone.intcode">1</DATA>
        <DATA ref="#business.contact-info.telecom.telephone.loccode">248</DATA>
        <DATA ref="#business.contact-info.telecom.telephone.number">3926753</DATA>
      </DATA-GROUP>
    </ENTITY>

  • Example Policy Reference File

    <META xmlns="http://www.w3.org/2002/01/P3Pv1">
      <POLICY-REFERENCES>
        <!-- The policy URIs in the about attributes did not survive the transcript;
             the #first/#second/#third values below are placeholders. -->
        <POLICY-REF about="/P3P/Policies.xml#first">
          <INCLUDE>/*</INCLUDE>
          <EXCLUDE>/catalog/*</EXCLUDE>
          <EXCLUDE>/cgi-bin/*</EXCLUDE>
          <EXCLUDE>/servlet/*</EXCLUDE>
        </POLICY-REF>
        <POLICY-REF about="/P3P/Policies.xml#second">
          <INCLUDE>/catalog/*</INCLUDE>
        </POLICY-REF>
        <POLICY-REF about="/P3P/Policies.xml#third">
          <INCLUDE>/cgi-bin/*</INCLUDE>
          <INCLUDE>/servlet/*</INCLUDE>
          <EXCLUDE>/servlet/unknown</EXCLUDE>
        </POLICY-REF>
      </POLICY-REFERENCES>
    </META>

  • Joshua Freed, http://www.neted.org

    Speaker notes

    Title page: stop and ask for questions.

    Keep in mind: P3P is URL-specific. Your P3P policy covers content served by your URL and, more broadly, by your domain. You need to know where all content comes from, whether or not it is served by your URL. Content on your page that is not served by your site may not be P3P compliant; check the P3P compliance of everyone serving content on your page (Java forms, .GIFs, etc.).

    "Host" applies to a single logical host name, such as www.neted.org. It would not apply to josh.neted.org or *.neted.org, which are both still under the neted.org domain.

    If you have only one P3P policy for your entire site, it must take into account the broadest data collection practices of any section of your site covered by that policy.

    Cookie scoping: Name: you can name the cookie(s) you serve and have a policy for each name group. Domain: all cookies served by each domain. Path: cookies from domain/name X served under path Y.

    Again, if you have only one policy for cookies, it must be the broadest policy appropriate for your site.

    The well-known location is the easiest way to do this. If you don't control the host (e.g. a site hosted under geocities.com/), you cannot use this method. Some servers can automatically add the HTML link tag to each page; otherwise you have to place the tag on each page, which is tedious and potentially error-prone.

    More than one reference file requires HTTP headers or HTML links; you cannot use the well-known location. Compact policies are optional in P3P, but Internet Explorer 6.0 uses them in its implementation to help manage information sharing.

    Compact policies are three-letter tokens representing the cookie's P3P policy, with I (opt-in), O (opt-out) or A (always) appended for the required attribute. A compact policy can easily outlive the P3P policy, since many cookies are set for 30 years. Be careful. Compact policies are most important for third-party cookies.

    Stop and ask for questions.

    Legislation:
    - Government: Privacy Act
    - Banking: Gramm-Leach-Bliley
    - European privacy laws

    For the stated-purpose, legal-requirement and business-practices retention values, sites must have an explanation in their human-readable policy and a stated time of destruction of the information collected.

    This is for with

    Stop and ask for questions.