Privacy, P3P and Internet Privacy, P3P and Internet Explorer 6Explorer 6

P3P Briefing – 11/16/01P3P Briefing – 11/16/01

Privacy ContextPrivacy Context Online Privacy a concern:Online Privacy a concern:

ConsumersConsumers Advocacy groupsAdvocacy groups GovernmentsGovernments

Users often do not understand:Users often do not understand: What data is being collectedWhat data is being collected How it is being usedHow it is being used

A primary focus for online privacy has A primary focus for online privacy has been cookiesbeen cookies Cookies are Cookies are notnot inherently bad inherently bad

How does P3P fit in?How does P3P fit in?

P3P is the work of the Worldwide Web Consortium; P3P is the work of the Worldwide Web Consortium;

currently in candidate recommendation phase currently in candidate recommendation phase

Creates a common vocabulary and syntax for Creates a common vocabulary and syntax for

expressing Web site data management practicesexpressing Web site data management practices

Machine-readable format which can be deployed on any Machine-readable format which can be deployed on any

web-server web-server

Allows user agents (such as browsers) to act directly on Allows user agents (such as browsers) to act directly on

a user’s behalf, or facilitatea user’s behalf, or facilitate decision-making, regarding decision-making, regarding

privacy preferencesprivacy preferences

The P3P vocabularyThe P3P vocabulary

WhoWho is collecting data? is collecting data?

What dataWhat data is collected? is collected?

For For what purposewhat purpose will will data be used?data be used?

Is there an ability to Is there an ability to opt-opt-in or opt-outin or opt-out of some of some data uses?data uses?

Who are the data Who are the data recipientsrecipients (anyone (anyone beyond the data beyond the data collector)?collector)?

To what information To what information

does the data collector does the data collector

provide provide accessaccess??

What is the data What is the data

retentionretention policy? policy?

How will How will disputesdisputes about about

the policy be resolved? the policy be resolved?

Where is the Where is the human-human-

readable privacy policyreadable privacy policy??

P3P is part of the solutionP3P is part of the solution

P3P 1.0 helps users understand privacy P3P 1.0 helps users understand privacy policies, but is not a complete solutionpolicies, but is not a complete solution Seal programs and regulations Seal programs and regulations

help ensure that sites comply with their policieshelp ensure that sites comply with their policies

Anonymity tools Anonymity tools reduce the amount of information revealed while reduce the amount of information revealed while

browsingbrowsing

Encryption tools Encryption tools secure data in transit and storagesecure data in transit and storage

Laws and codes of practice Laws and codes of practice provide a baseline level for acceptable policiesprovide a baseline level for acceptable policies

How do I How do I createcreate a privacy a privacy statement?statement?

Evaluate existing web-site practicesEvaluate existing web-site practices

Write literal expression of these behaviors in natural Write literal expression of these behaviors in natural

languagelanguage

Review statement with legal counsel and marketing Review statement with legal counsel and marketing

departmentsdepartments

Post conspicuously on web-site, with “one-click” Post conspicuously on web-site, with “one-click”

accessaccess

Transform natural language privacy statement Transform natural language privacy statement

into vocabulary and syntax of P3Pinto vocabulary and syntax of P3P

Types of P3P-based PoliciesTypes of P3P-based Policies

Verbose P3P Policy (Mandatory)Verbose P3P Policy (Mandatory)

XML file with complete description of site XML file with complete description of site

privacy policiesprivacy policies

Compact P3P Policy (Optional)Compact P3P Policy (Optional)

1-line description of site privacy policy1-line description of site privacy policy

Found in HTTP HeaderFound in HTTP Header

Served by the provider of the cookieServed by the provider of the cookie

Policy ExamplePolicy Example

contoso.com:contoso.com:

Analyzes behavior of individual usersAnalyzes behavior of individual users Purpose = <individual-analysis/>Purpose = <individual-analysis/>

Provides user info to third partiesProvides user info to third parties Recipient = <other/>Recipient = <other/>

Collects user email address Collects user email address Category = <online/>Category = <online/>

Provides no opt in / outProvides no opt in / out

Policy Example (cont) Policy Example (cont)

<STATEMENT><STATEMENT> <PURPOSE><PURPOSE> <individual-analysis/><individual-analysis/> </PURPOSE> </PURPOSE> <RECIPIENT><RECIPIENT> <other/><other/> </RECIPIENT> </RECIPIENT> <DATA-GROUP><DATA-GROUP> <DATA ref="#user.homeinfo.online.email"> <DATA ref="#user.homeinfo.online.email"> <CATEGORIES><CATEGORIES> <online/><online/> </CATEGORIES> </CATEGORIES> </DATA> </DATA> </DATA-GROUP></DATA-GROUP>

</STATEMENT></STATEMENT>

IVAIVA

OTROTR

ONLONL

Compact PolicyCompact Policy

Compact Policy ExampleCompact Policy Example

Policies could have more tokens, such as Policies could have more tokens, such as

which data is available for accesswhich data is available for access

Compact Policy:Compact Policy:

P3P: CP=“IVA OTR ONL”P3P: CP=“IVA OTR ONL”

IE 6 P3P Implementation GoalsIE 6 P3P Implementation Goals

End-user goalsEnd-user goals UnobtrusiveUnobtrusive Works out of the boxWorks out of the box Easy to understandEasy to understand Flexible for power usersFlexible for power users

Site goalsSite goals Not disruptive to web business modelNot disruptive to web business model Easy to implement any changesEasy to implement any changes Help sites boost consumer confidenceHelp sites boost consumer confidence

IE 6 P3P ImplementationIE 6 P3P Implementation

Focus on providing more information Focus on providing more information

about cookiesabout cookies

Help users make choicesHelp users make choices

Create smarter automated behaviorCreate smarter automated behavior

Discriminate according to purposeDiscriminate according to purpose

Cookie ManagementCookie Management

End user experience in IE browsers End user experience in IE browsers before IE 6:before IE 6:

““Reject” all, “accept” all, “prompt”Reject” all, “accept” all, “prompt” CookiesCookies

login, customization, advertisinglogin, customization, advertising How do you know?How do you know?

Same action applied to all cookies Same action applied to all cookies indiscriminately indiscriminately

Status Icon:Status Icon: First Encounter First Encounter

User Experience User Experience Help TopicsHelp Topics

Explains Explains privacy issues privacy issues with cookieswith cookies

Explains how to change privacy settings

User ExperienceUser ExperienceStatus IconStatus Icon

Web site uses Web site uses cookiescookies

Privacy Privacy Policies don’t Policies don’t match settingsmatch settings

Cookies are Cookies are restrictedrestricted

User notifiedUser notified

User ExperienceUser ExperiencePrivacy SettingsPrivacy Settings

Privacy Tab sliderPrivacy Tab slider Medium = DefaultMedium = Default Highest = Block All Highest = Block All

CookiesCookies 11stst and 3 and 3rdrd

Lowest = Allow All Lowest = Allow All CookiesCookies

11stst and 3 and 3rdrd

ImportImport XML Privacy XML Privacy

settings filesettings file

User ExperienceUser ExperienceAdvanced Privacy SettingsAdvanced Privacy Settings

Overrides Overrides

automatic cookie automatic cookie

handlinghandling

Control over 1Control over 1stst & &

33rdrd Party cookies Party cookies

Users can exempt Users can exempt

session cookies session cookies

from first two from first two

optionsoptions

Additional InformationAdditional Information

MSDN articleMSDN article http://msdn.microsoft.com/iehttp://msdn.microsoft.com/ie and read the and read the

material on IE 6 privacymaterial on IE 6 privacy

Contact Contact privinfo@microsoft.comprivinfo@microsoft.com with with questionsquestions

W3C: W3C: www.w3c.org/P3Pwww.w3c.org/P3P Deployment guide Deployment guide

http://www.w3.org/TR/p3pdeploymenthttp://www.w3.org/TR/p3pdeployment Candidate Recommendation Candidate Recommendation

http://www.w3.org/TR/P3P/http://www.w3.org/TR/P3P/

Call to ActionCall to Action

Express full privacy policy via the Express full privacy policy via the P3P syntaxP3P syntax

Deploy compact policiesDeploy compact policies Read MSDN IE 6 privacy articleRead MSDN IE 6 privacy article

Also browse through W3C P3P Also browse through W3C P3P literatureliterature

Work with your external partners to Work with your external partners to have them deploy compact policieshave them deploy compact policies