Privacy, P3P and Internet Explorer 6 P3P Briefing – 11/16/01.
-
Upload
abraham-sharp -
Category
Documents
-
view
234 -
download
4
Transcript of Privacy, P3P and Internet Explorer 6 P3P Briefing – 11/16/01.
Privacy, P3P and Internet Privacy, P3P and Internet Explorer 6Explorer 6
P3P Briefing – 11/16/01P3P Briefing – 11/16/01
Privacy ContextPrivacy Context Online Privacy a concern:Online Privacy a concern:
ConsumersConsumers Advocacy groupsAdvocacy groups GovernmentsGovernments
Users often do not understand:Users often do not understand: What data is being collectedWhat data is being collected How it is being usedHow it is being used
A primary focus for online privacy has A primary focus for online privacy has been cookiesbeen cookies Cookies are Cookies are notnot inherently bad inherently bad
How does P3P fit in?How does P3P fit in?
P3P is the work of the Worldwide Web Consortium; P3P is the work of the Worldwide Web Consortium;
currently in candidate recommendation phase currently in candidate recommendation phase
Creates a common vocabulary and syntax for Creates a common vocabulary and syntax for
expressing Web site data management practicesexpressing Web site data management practices
Machine-readable format which can be deployed on any Machine-readable format which can be deployed on any
web-server web-server
Allows user agents (such as browsers) to act directly on Allows user agents (such as browsers) to act directly on
a user’s behalf, or facilitatea user’s behalf, or facilitate decision-making, regarding decision-making, regarding
privacy preferencesprivacy preferences
The P3P vocabularyThe P3P vocabulary
WhoWho is collecting data? is collecting data?
What dataWhat data is collected? is collected?
For For what purposewhat purpose will will data be used?data be used?
Is there an ability to Is there an ability to opt-opt-in or opt-outin or opt-out of some of some data uses?data uses?
Who are the data Who are the data recipientsrecipients (anyone (anyone beyond the data beyond the data collector)?collector)?
To what information To what information
does the data collector does the data collector
provide provide accessaccess??
What is the data What is the data
retentionretention policy? policy?
How will How will disputesdisputes about about
the policy be resolved? the policy be resolved?
Where is the Where is the human-human-
readable privacy policyreadable privacy policy??
P3P is part of the solutionP3P is part of the solution
P3P 1.0 helps users understand privacy P3P 1.0 helps users understand privacy policies, but is not a complete solutionpolicies, but is not a complete solution Seal programs and regulations Seal programs and regulations
help ensure that sites comply with their policieshelp ensure that sites comply with their policies
Anonymity tools Anonymity tools reduce the amount of information revealed while reduce the amount of information revealed while
browsingbrowsing
Encryption tools Encryption tools secure data in transit and storagesecure data in transit and storage
Laws and codes of practice Laws and codes of practice provide a baseline level for acceptable policiesprovide a baseline level for acceptable policies
How do I How do I createcreate a privacy a privacy statement?statement?
Evaluate existing web-site practicesEvaluate existing web-site practices
Write literal expression of these behaviors in natural Write literal expression of these behaviors in natural
languagelanguage
Review statement with legal counsel and marketing Review statement with legal counsel and marketing
departmentsdepartments
Post conspicuously on web-site, with “one-click” Post conspicuously on web-site, with “one-click”
accessaccess
Transform natural language privacy statement Transform natural language privacy statement
into vocabulary and syntax of P3Pinto vocabulary and syntax of P3P
Types of P3P-based PoliciesTypes of P3P-based Policies
Verbose P3P Policy (Mandatory)Verbose P3P Policy (Mandatory)
XML file with complete description of site XML file with complete description of site
privacy policiesprivacy policies
Compact P3P Policy (Optional)Compact P3P Policy (Optional)
1-line description of site privacy policy1-line description of site privacy policy
Found in HTTP HeaderFound in HTTP Header
Served by the provider of the cookieServed by the provider of the cookie
Policy ExamplePolicy Example
contoso.com:contoso.com:
Analyzes behavior of individual usersAnalyzes behavior of individual users Purpose = <individual-analysis/>Purpose = <individual-analysis/>
Provides user info to third partiesProvides user info to third parties Recipient = <other/>Recipient = <other/>
Collects user email address Collects user email address Category = <online/>Category = <online/>
Provides no opt in / outProvides no opt in / out
Policy Example (cont) Policy Example (cont)
<STATEMENT><STATEMENT> <PURPOSE><PURPOSE> <individual-analysis/><individual-analysis/> </PURPOSE> </PURPOSE> <RECIPIENT><RECIPIENT> <other/><other/> </RECIPIENT> </RECIPIENT> <DATA-GROUP><DATA-GROUP> <DATA ref="#user.homeinfo.online.email"> <DATA ref="#user.homeinfo.online.email"> <CATEGORIES><CATEGORIES> <online/><online/> </CATEGORIES> </CATEGORIES> </DATA> </DATA> </DATA-GROUP></DATA-GROUP>
</STATEMENT></STATEMENT>
IVAIVA
OTROTR
ONLONL
Compact PolicyCompact Policy
Compact Policy ExampleCompact Policy Example
Policies could have more tokens, such as Policies could have more tokens, such as
which data is available for accesswhich data is available for access
Compact Policy:Compact Policy:
P3P: CP=“IVA OTR ONL”P3P: CP=“IVA OTR ONL”
IE 6 P3P Implementation GoalsIE 6 P3P Implementation Goals
End-user goalsEnd-user goals UnobtrusiveUnobtrusive Works out of the boxWorks out of the box Easy to understandEasy to understand Flexible for power usersFlexible for power users
Site goalsSite goals Not disruptive to web business modelNot disruptive to web business model Easy to implement any changesEasy to implement any changes Help sites boost consumer confidenceHelp sites boost consumer confidence
IE 6 P3P ImplementationIE 6 P3P Implementation
Focus on providing more information Focus on providing more information
about cookiesabout cookies
Help users make choicesHelp users make choices
Create smarter automated behaviorCreate smarter automated behavior
Discriminate according to purposeDiscriminate according to purpose
Cookie ManagementCookie Management
End user experience in IE browsers End user experience in IE browsers before IE 6:before IE 6:
““Reject” all, “accept” all, “prompt”Reject” all, “accept” all, “prompt” CookiesCookies
login, customization, advertisinglogin, customization, advertising How do you know?How do you know?
Same action applied to all cookies Same action applied to all cookies indiscriminately indiscriminately
Status Icon:Status Icon: First Encounter First Encounter
User Experience User Experience Help TopicsHelp Topics
Explains Explains privacy issues privacy issues with cookieswith cookies
Explains how to change privacy settings
User ExperienceUser ExperienceStatus IconStatus Icon
Web site uses Web site uses cookiescookies
Privacy Privacy Policies don’t Policies don’t match settingsmatch settings
Cookies are Cookies are restrictedrestricted
User notifiedUser notified
User ExperienceUser ExperiencePrivacy SettingsPrivacy Settings
Privacy Tab sliderPrivacy Tab slider Medium = DefaultMedium = Default Highest = Block All Highest = Block All
CookiesCookies 11stst and 3 and 3rdrd
Lowest = Allow All Lowest = Allow All CookiesCookies
11stst and 3 and 3rdrd
ImportImport XML Privacy XML Privacy
settings filesettings file
User ExperienceUser ExperienceAdvanced Privacy SettingsAdvanced Privacy Settings
Overrides Overrides
automatic cookie automatic cookie
handlinghandling
Control over 1Control over 1stst & &
33rdrd Party cookies Party cookies
Users can exempt Users can exempt
session cookies session cookies
from first two from first two
optionsoptions
Additional InformationAdditional Information
MSDN articleMSDN article http://msdn.microsoft.com/iehttp://msdn.microsoft.com/ie and read the and read the
material on IE 6 privacymaterial on IE 6 privacy
Contact Contact [email protected]@microsoft.com with with questionsquestions
W3C: W3C: www.w3c.org/P3Pwww.w3c.org/P3P Deployment guide Deployment guide
http://www.w3.org/TR/p3pdeploymenthttp://www.w3.org/TR/p3pdeployment Candidate Recommendation Candidate Recommendation
http://www.w3.org/TR/P3P/http://www.w3.org/TR/P3P/
Call to ActionCall to Action
Express full privacy policy via the Express full privacy policy via the P3P syntaxP3P syntax
Deploy compact policiesDeploy compact policies Read MSDN IE 6 privacy articleRead MSDN IE 6 privacy article
Also browse through W3C P3P Also browse through W3C P3P literatureliterature
Work with your external partners to Work with your external partners to have them deploy compact policieshave them deploy compact policies