Getting Your Web Site P3P Compliant - PowerPoint PPT Presentation

Provided by: danieljw

1
Getting Your Web Site P3P Compliant
  • Joshua Freed
  • http://www.neted.org

2
P3P Deployment
  • Planning for deployment
  • Understanding how policies are applied to sites
  • Decisions to make
  • Developing the policies and policy reference
    files
  • How to develop them
  • Tools to help
  • Deployment and testing
  • How to deploy
  • Testing the deployment

3
The Biggest Challenge
  • Toughest and most important aspect
  • Get a clear understanding of what information
    site collects
  • Ensuring that your privacy statement accurately
    reflects these actions

4
Planning for Deployment
5
Applying policies to sites
  • P3P policies can be applied broadly or narrowly
  • As broad as an entire site
  • As narrow as a single URL on a site
  • Maximum is a single hostname
  • P3P policies are applied to "HTTP entities"
  • That is, URLs, not pages
  • A page is typically many "entities" (frameset,
    framed content, graphics, style sheets, ...)
  • It is OK to overstate a site's practices, but not
    understate them

6
Applying policies to cookies
  • Can be applied broadly or narrowly
  • Can apply to all cookies on a site
  • Or, can specify applicable cookies by name,
    domain of use, or path of use
  • Domain/path of use are set by the cookie (hosts
    to send the cookie to, path within that host to
    send the cookie to)
  • Narrow scope for cookies only useful if you are
    willing for visitors to accept some cookies but
    not all cookies

7
How is it done?
  • P3P uses a policy reference file which
  • Lists the P3P policies used by the site
  • States what parts of the site and what cookies
    are covered by each policy
  • A policy reference file can only cover resources
    on that host
  • Each host needs its own policy reference file
  • The policies themselves can be on another host

8
PRF Request in Action
Web Server
9
Policy Reference File Contents
  • Allow specification of which policy applies to
    which resources on a site
  • Determines how long PRF is valid
  • URL of policy
  • URL prefixes (local) to
    which policy applies or doesn't apply
  • Associates or
    disassociates cookies with policy
  • Methods to which policy applies

10
Locating Policy Reference Files
  • There are three ways to locate a PRF
  • Publish it in the well-known location,
    /w3c/p3p.xml
  • Send an HTTP header which gives the location of
    the policy reference file
  • Include a link to the policy reference file in
    the site's HTML
  • Well-known location is fastest for clients
  • HTML link is slowest for clients (must first
    fetch and parse the HTML page)
  • HTTP header falls in between these two

11
More on Locating Policy Reference Files
  • If possible, use just one reference file per site
  • Multiple are allowed, but this is harder to
    manage
  • Whenever possible, use the well-known location
  • But the entire host must be under a single
    organization
  • Use the HTTP header method if you control the
    site's configuration
  • Use HTML links only as a last resort
  • When you don't control the entire site, and can't
    change the server configuration

12
Using Compact Policies
  • Compact policy is sent in an HTTP header
  • Typically done by configuring server to send
    header
  • No policy reference file mechanism for CPs
  • To put different CPs on different parts of the
    site, server must send the appropriate CP
  • Compact policy applies to all cookies in the
    current response
  • Compact policy applies to that cookie for the
    life of the cookie

13
How Many Policies?
  • Most organizations will use a small number of
    policies (less than 5)
  • Using more than this quickly gets unmanageable
  • At a minimum, try to split your site into two
  • Parts of the site which require personally
    identifiable information (PII)
  • Parts of the site which don't require PII
  • This must be distinguishable by URL or hostname

14
Policy Lifetime and Updates
  • Policy in effect when the data is collected
    applies as long as you hold the data
  • Policy and reference file lifetime covers how
    long clients can cache the file
  • Doesn't use HTTP caching rules; lifetimes are
    built directly into policy and reference files
  • Strike a balance between cacheability and
    flexibility
  • Compact policy lifetime is the entire lifetime of
    the cookie
  • Don't use compact policies if using long-lived
    cookies!

15
Importance of Standards
  • Standard practices are the single biggest aid to
    P3P deployment
  • They also make privacy management easier in an
    organization
  • Standards to consider
  • Company-wide privacy policy
  • Standardized opt-in/opt-out text and method
  • Acceptable data collection standards
  • Cookie naming and lifetime standards

16
Third-party Content
  • If your site uses third-party content, they will
    also need to deploy P3P
  • The content owner will need to do this; your
    sites can't give the policy for content from
    other hosts
  • Third-party cookies will be blocked by IE6 unless
    they have P3P compact policies
  • Third-party is based on hostnames
  • Any content imbedded within a page from a
    different domain is "third party"
  • Distinction made by IE, not part of P3P

17
Developing the Files
18
Inside a P3P Policy
  • The really hard work
  • Description of the major parts of a P3P policy
  • How to avoid writing XML by hand

19
The Really Hard Work
  • Understanding your data collection and use
    practices
  • What data do you use?
  • What do you use it for?
  • Who else can see the data?
  • When a user opts in/out, what does this cover?
  • This is a business-process task, not a technical
    task
  • Involve business people in this step
  • Consider outside consulting assistance

20
P3P Vocabulary
  • Describes the organization collecting the data
  • Uses the P3P dataschema to structure description
    of collector
  • Required to include at least one way to contact
    the organization (phone, post, or e-mail)

21
P3P Vocabulary
  • Used to list dispute-resolution mechanisms
    available to visitors
  • In the event user thinks the policy has been
    violated
  • Can include
  • Company's customer service department
  • Web privacy seals (TRUSTe, BBBOnline, etc.)
  • Relevant legislation, for regulated businesses

22
P3P Vocabulary
  • Describes what type of data the user will be able
    to access (and possibly update) in the future
  • Does not indicate how the user will do this
  • The site's human-readable privacy policy must
    explain how the user can access their information
  • P3P does not include a mechanism to automate data
    access or update

23
P3P Vocabulary
  • Used to group information about types of data
  • Same practices apply to all data listed in the
    group

24
P3P Vocabulary
  • Indicates what the site will do with the
    information
  • Includes information about user options
  • Purposes include attribute required (always,
    opt-in, or opt-out)
  • P3P purposes

25
P3P Vocabulary
  • Indicates who will receive the information
  • Includes information about user options
  • Recipients include attribute required (always,
    opt-in, or opt-out)
  • P3P recipients

26
P3P Vocabulary
  • Indicates how long the site will keep the
    information
  • Described in general terms only, not specific
    amounts of time
  • Human-readable policy is required to explain
    policy for starred values
  • P3P retention values




27
P3P Vocabulary
  • Lists the data collected by the site under these
    practices
  • Uses data elements (or categories) from the base
    dataschema or a custom schema in the policy
  • Almost all base data elements have an assigned
    category
  • Sites can describe the data they collect using
    either specific data elements, or simply by
    categories of data

28
P3P Vocabulary
  • Physical contact information
  • Online contact information
  • Unique identifiers
  • Purchase information
  • Financial information
  • Computer information
  • Navigation and click-stream data
  • Interactive data
  • Demographic and socioeconomic data
  • Content
  • State management mechanisms
  • Political information
  • Health information
  • Preference data
  • Government-issued identifiers
  • other

29
P3P Vocabulary
  • Used to indicate policy is for testing purposes
  • Can be used to verify that the site deployment
    was done correctly
  • Clients will ignore policies that include this
    element

30
Creating a Reference File
  • If one policy covers the entire site, this is
    trivial
  • Examine the server's configuration
  • Look for directory trees where server-side
    executables are allowed or used
  • Map these to the correct policy
  • Map "everything else" to a default policy
  • Reference files are processed top to bottom
  • Place most specific entries first, most general
    last

31
Do I have To Write All That?
  • Yes and no...
  • You need to understand what will go into a P3P
    policy...but you don't have to write it in 'vi'.
  • Use a policy editor which will create the XML for
    you
  • No need to actually code the XML directly
  • Policy editor will also create the compact
    version for sites which are using compact
    policies
  • IBM and Microsoft have free policy editors:
    http://www.alphaworks.ibm.com/tech/p3peditor
  • http://www.microsoft.com/privacy/wizard/

32
IBM P3P Policy Editor
33
IBM P3P Policy Editor
34
Microsoft P3P Privacy Wizard
35
Microsoft P3P Privacy Wizard
36
Deployment
37
Deploying P3P on a Site
  • Publish policy file(s) and reference file
  • Add HTTP header giving location of reference file
    (if using HTTP header for this)
  • Add HTTP header containing compact policy (if
    using compact policies)
  • Can be combined with previous step
  • Add link tags to HTML with location of reference
    file (if using link tags)
  • Test deployment

38
Testing the Deployment
  • Use the W3C's P3P validator
  • http://www.w3.org/P3P/validator
  • Test with Internet Explorer 6
  • Most useful if your site is using third-party
    cookies
  • Also view the privacy summary, to see how IE
    renders your P3P policy
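
Added example, not part of the original slides: a Python check for the header-based deployment steps described on slides 10, 12, 14 and 37, run over constructed responses. The function names, the sample headers and the 30-day cut-off for "long-lived" are assumptions made for this example.

```python
import re

def parse_p3p_header(value):
    """Return (policyref URI or None, list of compact-policy tokens)."""
    pairs = re.findall(r'(policyref|CP)\s*=\s*"([^"]*)"', value, re.I)
    fields = {k.lower(): v for k, v in pairs}
    return fields.get("policyref"), fields.get("cp", "").split()

def cookie_max_age(set_cookie):
    """Max-Age in seconds, or None for session / Expires-only cookies."""
    m = re.search(r";\s*max-age\s*=\s*(\d+)", set_cookie, re.I)
    return int(m.group(1)) if m else None

def audit_response(headers, long_lived=30 * 86400):
    """headers: (name, value) pairs of one response. 30 days is an assumed cut-off."""
    p3p = [v for n, v in headers if n.lower() == "p3p"]
    policyref, cp = parse_p3p_header(p3p[0]) if p3p else (None, [])
    findings = []
    if not policyref:
        findings.append("no policyref header; PRF must be at /w3c/p3p.xml or linked from HTML")
    for value in (v for n, v in headers if n.lower() == "set-cookie"):
        name = value.split("=", 1)[0].strip()
        if not cp:
            findings.append(f"{name}: cookie set without a compact policy")
        elif (cookie_max_age(value) or 0) > long_lived:
            findings.append(f"{name}: long-lived cookie keeps this compact policy for its lifetime")
    return findings

# Constructed sample responses (not captured traffic).
GOOD = [("P3P", 'policyref="/w3c/p3p.xml", CP="NON DSP COR"'),
        ("Set-Cookie", "sid=abc123; Path=/")]
NO_P3P = [("Set-Cookie", "track=1; Max-Age=31536000")]
CP_LONG = [("P3P", 'CP="NON DSP COR"'),
           ("Set-Cookie", "pref=dark; Max-Age=31536000; Path=/")]

if __name__ == "__main__":
    for label, resp in (("GOOD", GOOD), ("NO_P3P", NO_P3P), ("CP_LONG", CP_LONG)):
        print(label, audit_response(resp))
```

A missing policyref header is only a finding if the site relies on the header method; sites publishing at the well-known location can ignore it.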

39
Deployment resources
  • P3P Editors
  • http://www.alphaworks.ibm.com/tech/p3peditor
  • http://www.microsoft.com/privacy/wizard
  • P3P Deployment Guide
  • http://www.w3.org/TR/p3pdeployment
  • P3P Validator
  • http://www.w3.org/P3P/validator
  • P3P Toolbox
  • http://www.p3ptoolbox.org (Coming Soon!)

40
Acknowledgments
  • My thanks to Martin Pressler-Marshall of IBM for
    his assistance and contribution to this
    presentation

41
Conclusion
  • You should now understand what's involved in
    deploying P3P for your organization
  • Tackle it on your own if that's appropriate
  • Contact Josh Freed for any
    questions or information about implementation
    assistance
  • Any questions?

42
Examples
43
Example Privacy Policy
  • At CatalogExample, we care about your privacy.
    When you come to our site to look for an item, we
    will only use this information to improve our
    site and will not store it in an identifiable
    way.
  • CatalogExample is a licensee of the
    PrivacySealExample Program.
  • Questions regarding this statement should be
    directed to CatalogExample 1-248-392-6753
  • When you browse through our site we collect
  • The basic information about your computer and
    connection to make sure that we can get you the
    proper information and for security purposes
  • Aggregate information on what pages consumers
    access or visit to improve our site
  • We purge the browsing information that we collect
    regularly

44
Example Privacy Policy in P3P
discuri="http://www.catalog.example.com/Privacy.html"
ref="business.name" CatalogExample
enum.intcode"1
ref="business.contact-info.telecom.telephonenum.loccode" 248
ref="business.contact-info.telecom.telephonenum.number" 3926753
TY ndent"
service="http://www.PrivacySeal.example.org"
short-description="PrivacySeal.example org"
gif"/
SE

m"/

45
Example Policy Reference File
Y-REFERENCES relative expiry 2 days -- about="/P3P/Policy1.xml" /
/catalog/
/cgi-bin/
/servlet/

/catalog/

/cgi-bin/
/servlet/
/servlet/unknown
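
Added example, not part of the original slides: a Python resolver showing how a policy reference file maps URLs to policies when read top to bottom (slides 9 and 30). The reference file is constructed from the paths that survive on this slide, using the element names of the P3P 1.0 specification; Policy2.xml, Policy3.xml and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2002/01/P3Pv1}"  # P3P 1.0 namespace

# Constructed file: paths and Policy1.xml are from the slide; Policy2/3 names are assumed.
PRF = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY-REFERENCES>
  <EXPIRY max-age="172800"/>  <!-- relative expiry: 2 days -->
  <POLICY-REF about="/P3P/Policy1.xml">
   <INCLUDE>/*</INCLUDE>
   <EXCLUDE>/catalog/*</EXCLUDE>
   <EXCLUDE>/cgi-bin/*</EXCLUDE>
   <EXCLUDE>/servlet/*</EXCLUDE>
  </POLICY-REF>
  <POLICY-REF about="/P3P/Policy2.xml">
   <INCLUDE>/catalog/*</INCLUDE>
  </POLICY-REF>
  <POLICY-REF about="/P3P/Policy3.xml">
   <INCLUDE>/cgi-bin/*</INCLUDE>
   <INCLUDE>/servlet/*</INCLUDE>
   <EXCLUDE>/servlet/unknown</EXCLUDE>
  </POLICY-REF>
 </POLICY-REFERENCES>
</META>"""

def _matches(pattern, path):
    # '*' is the only wildcard; it matches any run of characters.
    regex = re.escape(pattern.strip()).replace(r"\*", ".*")
    return re.fullmatch(regex, path) is not None

def load_prf(xml_text):
    """Return (max_age_seconds or None, [(policy, includes, excludes)]) in file order."""
    refs = ET.fromstring(xml_text).find(NS + "POLICY-REFERENCES")
    expiry = refs.find(NS + "EXPIRY")
    max_age = int(expiry.get("max-age")) if expiry is not None else None
    rules = [(ref.get("about"),
              [e.text for e in ref.findall(NS + "INCLUDE")],
              [e.text for e in ref.findall(NS + "EXCLUDE")])
             for ref in refs.findall(NS + "POLICY-REF")]
    return max_age, rules

def policy_for(path, rules):
    """First POLICY-REF, top to bottom, that includes the path and does not exclude it."""
    for about, includes, excludes in rules:
        if any(_matches(p, path) for p in includes) and \
                not any(_matches(p, path) for p in excludes):
            return about
    return None  # no policy stated for this URL
```

In this constructed file `/servlet/unknown` resolves to no policy at all, which is the kind of coverage gap worth checking for before deployment.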

46
  • Joshua Freed
  • http://www.neted.org