Privacy, P3P and Internet Explorer 6

1
Privacy, P3P and Internet Explorer 6

• Greg Hampson
• Microsoft
• Corporate Privacy Group

2
Privacy Context

• Online Privacy a concern
• Consumers
• Advocacy groups
• Governments
• Users often do not understand
• What data is being collected
• How it is being used
• A primary focus for online privacy has been
  cookies
• Cookies are not inherently bad

3
How does P3P fit in?

• P3P is the work of the Worldwide Web Consortium
  currently in candidate recommendation phase
• Creates a common vocabulary and syntax for
  expressing Web site data management practices
• Machine-readable format which can be deployed on
  any web-server
• Allows user agents (such as browsers) to act
  directly on a users behalf, or facilitate
  decision-making, regarding privacy preferences

4
P3P is part of the solution

• P3P 1.0 helps users understand privacy policies,
  but is not a complete solution
• Seal programs and regulations
• help ensure that sites comply with their policies
• Anonymity tools
• reduce the amount of information revealed while
  browsing
• Encryption tools
• secure data in transit and storage
• Laws and codes of practice
• provide a baseline level for acceptable policies

5
The P3P vocabulary

• Who is collecting data?
• What data is collected?
• For what purpose will data be used?
• Is there an ability to opt-in or opt-out of some
  data uses?
• Who are the data recipients (anyone beyond the
  data collector)?

• To what information does the data collector
  provide access?
• What is the data retention policy?
• How will disputes about the policy be resolved?
• Where is the human-readable privacy policy?

6
Why Privacy Statements?

• Privacy Statements are an important component in
  establishing a trusted relationship with Web Site
  visitors
• Describe what data you collect
• For what purpose
• And with whom the data is shared
• Good for your business

7
Privacy Statements Whats involved?

• Create
• Certify
• Transform to code
• Validate
• Deploy on site

8
How do I create a privacy statement?

• Evaluate existing web-site practices
• Write literal expression of these behaviors in
  natural language
• Review statement with legal counsel and marketing
  departments
• Post conspicuously on web-site, with one-click
  access

9
How can I get statement certified?

• Privacy seal programs can certify that a sites
  privacy policy addresses the concerns of
  consumers, and may provide dispute resolution.
• Many examples, including
• TrustE
• BBBOnline
• Clicksure
• Privacybot.com
• Ultimately, responsibility lies with the Web site
  operator to fulfill commitments made in privacy
  statements. Failure to do so could result in
  erosion of trust in brand, and potentially, legal
  action.

10
How do I create a P3P-based privacy statement?

• Transform natural language privacy statement into
  vocabulary and syntax of P3P ? ? XML
• Read the spec, and hand-code the XML
• http//www.w3.org/TR/2000/CR-P3P-20001215/
• Use existing P3P Privacy Statement generators
• http//www.w3.org/P3P/implementations

11
Current Privacy Statement Generators

• Microsoft Web-based service found at
  http//www.microsoft.com/privacy/wizard
• IBM P3P Policy Editor found at
  http//www.alphaworks.ibm.com/tech/p3peditor
• New Media Dev Assn P3P Policy Wizard found at
  http//www.nmda.or.jp/enc/privacy/eindex.html
• http//www.Privacybot.com Fee-based privacy
  seal program. Generates privacy policies,
  including XML versions based on the P3P
  specification
• YouPowered SmartPrivacy Publisher
  http//www.youpowered.com/products_smartprivacy.ht
  ml

12
Types of P3P-based Policies

• Verbose P3P Policy
• XML file with complete description of site
  privacy policies
• Compact P3P Policy
• 1-line description of site privacy policy
• Found in HTTP Header
• Served by the provider of the cookie

13
Policy Example

• contoso.com
• Analyzes behavior of individual users
• Purpose ltindividual-analysis/gt
• Provides user info to third parties
• Recipient ltother/gt
• Collects user email address
• Category ltonline/gt
• Provides no opt in / out

14
Policy Example (cont)
Compact Policy

• ltSTATEMENTgt
• ltPURPOSEgt
• ltindividual-analysis/gt
• lt/PURPOSEgt
• ltRECIPIENTgt
• ltother/gt
• lt/RECIPIENTgt
• ltDATA-GROUPgt
• ltDATA ref"user.homeinfo.online.email"gt
• ltCATEGORIESgt
• ltonline/gt
• lt/CATEGORIESgt
• lt/DATAgt
• lt/DATA-GROUPgt
• lt/STATEMENTgt

15
Compact Policy Example

• Policies could have more tokens, such as which
  data is available for access

16
Validate - W3C P3P XML Policy Validator

• http//www.w3.org/P3P/validator/20001215/
• Access Check Can Policy URI can be accessed from
  the internet, using HTTP GET method?
• Syntax Check
• Check if the syntax of Policy is correct using
  following sub steps
• Policy is well-formed XML document?
• Policy has the correct namespace URI for P3P
• The root element of PRF is POLICY or POLICIES?
  (or META, when Policy is inline)
• PRF is valid with regards to the XML schema for
  P3P?
• Vocabulary Check
• Check if the P3P data elements in ltDATA
  ref"..."gt directive are included in P3P Base
  Data Schema.
• Link Check
• Check if URI references included in Policy are
  accessible.

17
(No Transcript)
18
(No Transcript)
19
IE 6 P3P Implementation Goals

• End-user goals
• Unobtrusive
• Works out of the box
• Easy to understand
• Flexible for power users
• Site goals
• Not disruptive to web business model
• Easy to implement any changes
• Help sites boost consumer confidence

20
IE 6 P3P Implementation

• Focus on providing more information about cookies
• Help users make choices
• Create smarter automated behavior
• Discriminate according to purpose

21
Cookie Management

• End user experience in IE browsers before IE 6
• Reject all, accept all, prompt
• Cookies
• login, customization, advertising
• How do you know?
• Same action applied to all cookies
  indiscriminately

22
Status Icon First Encounter
23
User Experience Help Topics

• Explains privacy issues with cookies
• Explains how to change privacy settings

24
User ExperienceStatus Icon

• Web site uses cookies
• Privacy Policies dont match settings
• Cookies are restricted
• User notified

25
(No Transcript)
26
(No Transcript)
27
(No Transcript)
28
User ExperiencePrivacy Settings

• Privacy Tab slider
• Medium Default
• High Block All Cookies
• 1st and 3rd
• Low Allow All Cookies
• 1st and 3rd
• Import
• XML Privacy settings file

29
(No Transcript)
30
(No Transcript)
31
(No Transcript)
32
(No Transcript)
33
(No Transcript)
34
(No Transcript)
35
(No Transcript)
36
(No Transcript)
37
(No Transcript)
38
(No Transcript)
39
(No Transcript)
40
User ExperienceAdvanced Privacy Settings

• Overrides automatic cookie handling
• Control over 1st 3rd Party cookies
• Users can exempt session cookies from first two
  options

41
Additional Information

• MSDN article
• http//msdn.microsoft.com/ie and read the
  material on IE 6 privacy
• Contact privinfo_at_microsoft.com with questions
• W3C www.w3c.org/P3P
• Deployment guide http//www.w3.org/TR/p3pdeploymen
  t
• Candidate Recommendation http//www.w3.org/TR/P3P/
  

42
(No Transcript)
43
Call to Action

• Express full privacy policy via the P3P syntax
• Deploy compact policies
• Read MSDN IE 6 privacy article
• Also browse through W3C P3P literature
• Work with your external partners to have them
  deploy compact policies

44
Summary

• Privacy Statements are good for your business
• P3P is a useful way to present standard privacy
  language
• Resources are available to help
• Create
• Certify
• Transform to code
• Validation
• Deployment
• IE6 gives users control over cookies based on P3P
  CP content