Introduction to P3P - PowerPoint PPT Presentation

1
Introduction to P3P
Martin Presler-Marshall, IBM
2
P3P Overview
  • What is P3P?
  • Overview
  • Referencing Policies
  • P3P and Cookies
  • Vocabulary
  • Base Dataschema
  • Compact Policies
  • P3P Deployment
  • Site Setup
  • Internet Explorer Client
  • Summary & Outlook

3
P3P 1.0 Concept
  • Offers an easy way for web sites to communicate
    about their privacy policies in a standard
    machine-readable format
  • Can be deployed using existing web servers
  • This will enable the development of tools that
      • Provide snapshots of sites' policies
      • Compare policies with user preferences
      • Alert and advise the user

4
What's in P3P 1.0?
  • A standard vocabulary for describing set of uses,
    recipients, data categories, and other privacy
    disclosures
  • A standard schema for data a Web site may wish to
    collect (base data schema)
  • An XML format for expressing a privacy policy in
    a machine readable way
  • A means of associating privacy policies with Web
    pages or sites
  • A way to transport P3P policies over HTTP

5
P3P is a partial solution
  • P3P1.0 helps users understand privacy policies
    but is not a complete solution
  • Other tools are still needed (encryption, policy
    enforcement, etc)
  • P3P doesn't define "acceptable" privacy

6
A simple HTTP Request
Client -> Web Server: request web page
  GET /x.html HTTP/1.1
  Host: foo.com
  . . .
Web Server -> Client: send web page
  HTTP/1.1 200 OK
  Content-Type: text/html
  . . .
7
HTTP Request Including P3P
Client -> Web Server: request policy reference file
  GET /w3c/p3p.xml HTTP/1.1
  Host: foo.com
Web Server -> Client: send policy reference file
Client -> Web Server: request P3P policy
Web Server -> Client: send P3P policy
Client -> Web Server: request web page
  GET /x.html HTTP/1.1
  Host: foo.com
  . . .
Web Server -> Client: send web page
  HTTP/1.1 200 OK
  Content-Type: text/html
  . . .
8
P3P Client Software
  • Client can be implemented as browser, proxy,
    plug-in, Java applet, etc.
  • Looks for link to P3P policy and fetches policy
    with HTTP GET request
  • Parses policy and takes appropriate action
      • Display symbol, play sound, prompt user, etc.
      • Action can be based on user preferences
      • Action can optionally allow data to be
        automatically filled into a form

9
P3P Policies
  • Machine-readable version of web site data usage
    practices
  • Use P3P Vocabulary to express data practices
  • Use P3P Base Dataschema to express type of data
    collected
  • Capture common elements of privacy policies but
    may not express everything (sites may provide
    further explanation in human-readable policies)

10
Referencing P3P Policies
  • Allows web sites to indicate what policy applies
    to what resource
  • "Policy reference file" provides a map of what
    policy applies where on the site
  • Allows user agents to determine what policy
    applies to what resource
  • Performance optimization
      • Only parse and process each policy once as long
        as results are cached

11
Cookies
  • Cookies are listed as data elements in P3P
    policies
  • Cookies are explicitly referenced in P3P policy
    reference files
  • The cookie policy must cover
      • Data stored in, or linked via, the cookie
      • All purposes associated with stored or linked
        data
  • If data collection is done via HTTP, then a separate
    policy must also cover that data transfer

12
Cookies Example
  • policy1 covers the Entrance Page, which sets a unique
    id for session tracking (Set_cookie). Declares only
    clickstream data logging.
  • policy2 covers the page that associates the unique id
    with contact info for the customer (Set_cookie).
    Declares collection of contact info (required for the
    "ACTION" URL handling the POST of the data).
  • policy3 covers the cookie. Declares unique id,
    clickstream data, and contact info.
13
The P3P Vocabulary
  • Who is collecting data?
  • What data is collected?
  • For what purpose will data be used?
  • Is there an ability to opt-in or opt-out of some
    data uses?
  • Who are the data recipients?
  • What information can the individual access?
  • What is the data retention policy?
  • How will disputes about the policy be resolved?
  • Where is the human-readable privacy policy?

14
P3P Base Dataschema
  • A set of common data elements that all P3P
    implementations know about
  • Includes user, thirdparty, and business elements
    such as name, address, phone number, etc.
  • Includes dynamic elements such as indicators that
    a site collects click-stream data or search
    terms, uses cookies, etc.
  • Extensible using custom data schemas

15
P3P Base Dataschema Continued
  • Sites can also declare data collected by
    category
  • Site declares it collects dynamic.miscdata, then
    indicates the categories of data it collects.
  • Can be simpler than listing all data elements
    collected
  • Example categories
      • physical - physical (real-world) contact info
      • online - online contact info
      • location - individual's current location

16
Compact Policies (CP)
  • Optional performance optimization
  • Summary of (full) P3P policies
  • Only apply to cookies
  • Allows quick decision whether to accept or reject
    cookie
  • If not enough information, full policy should be
    fetched
  • Must declare both data stored and linked to
    cookie
  • Only for cookies set in current response

17
CP Syntax
  • Part of the P3P header
      • P3P: CP="NON NID DSP NAV CUR"
  • Supports a subset of the P3P vocabulary
      • ACCESS (NOI ALL CAO IDC OTI NON)
      • CATEGORIES (PHY ONL UNI PUR ... OTC)
      • DISPUTES (DSP)
      • NON-IDENTIFIABLE (NID)
      • PURPOSE (CUR ADM DEV CUS ... OTP) with a, i, or o
      • RECIPIENT (OUR DEL SAM UNR PUB OTR) with a, i, or o
      • REMEDIES (COR MON LAW)
      • RETENTION (NOR STP LEG BUS IND)
      • TEST (TST)
  • Generated by policy editor
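As an added example (not code from the presentation), the following Python parses the CP directive of a P3P response header into the vocabulary classes listed above and makes the quick accept/reject decision the slide describes, falling back to fetching the full policy when a token is absent or unrecognised. The token table is abridged to what the slide lists (plus NAV from its example header), and PREFS is a constructed user preference, not part of P3P.

```python
import re

# Token classes as listed on the CP Syntax slide (abridged where the slide
# says "..."); NAV is included because the slide's example header uses it.
CP_TOKENS = {
    "ACCESS": {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "CATEGORIES": {"PHY", "ONL", "UNI", "PUR", "NAV", "OTC"},
    "DISPUTES": {"DSP"}, "NON-IDENTIFIABLE": {"NID"}, "TEST": {"TST"},
    "PURPOSE": {"CUR", "ADM", "DEV", "CUS", "OTP"},
    "RECIPIENT": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "REMEDIES": {"COR", "MON", "LAW"},
    "RETENTION": {"NOR", "STP", "LEG", "BUS", "IND"},
}
# Constructed user preference for this example (not part of P3P): reject a
# cookie that links contact data (PHY/ONL) to recipients beyond the site.
PREFS = {"sensitive": {"PHY", "ONL"}, "untrusted": {"UNR", "PUB", "OTR"}}

def parse_cp(header_value):
    """Tokens of the CP="..." directive in a P3P header value, or None."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_value or "")
    return m.group(1).split() if m else None

def classify(tokens):
    """Group tokens by class; PURPOSE/RECIPIENT tokens may carry an a/i/o
    suffix (always / opt-in / opt-out). Unrecognised tokens are kept apart."""
    out = {"unknown": []}
    for tok in tokens:
        base, suffix = (tok[:3], tok[3]) if len(tok) == 4 and tok[3] in "aio" else (tok, None)
        cls = next((c for c, members in CP_TOKENS.items() if base in members), None)
        if cls is None or (suffix and cls not in ("PURPOSE", "RECIPIENT")):
            out["unknown"].append(tok)
        else:
            out.setdefault(cls, []).append((base, suffix))
    return out

def cookie_decision(header_value, prefs=PREFS):
    """Quick accept/reject from the compact policy alone; whatever the CP
    cannot settle falls back to fetching the full P3P policy."""
    tokens = parse_cp(header_value)
    if tokens is None:
        return "fetch-full-policy"   # no CP: the full policy is needed
    cp = classify(tokens)
    if cp["unknown"]:
        return "fetch-full-policy"   # not enough information to decide
    if "NON-IDENTIFIABLE" in cp:
        return "accept"              # NID: no identifiable data stored
    cats = {b for b, _ in cp.get("CATEGORIES", [])}
    rcpts = {b for b, _ in cp.get("RECIPIENT", [])}
    return "reject" if cats & prefs["sensitive"] and rcpts & prefs["untrusted"] else "accept"
```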

18
P3P Site Deployment
  • Create a human readable policy
  • Create 1 or more policy statements
  • Create a policy reference file (PRF)
  • Publish policies and PRF
  • Tell browsers where to find PRF
  • Generally does not require new software on the
    site
  • Can be deployed with no code changes on most
    popular Web servers

19
Planning For Deployment
  • How many policies?
  • What method to use?
      • well-known location (/w3c/p3p.xml)
      • HTTP header
      • HTML LINK tag
  • Should compact policies be used?
  • Should cookie-policies be created?
  • How will policy updates be handled?

20
Help for Deployment
  • P3P deployment guide: http://www.w3.org/TR/p3pdeployment
  • IBM P3P policy editor: http://www.alphaworks.ibm.com/tech/p3peditor
  • Other P3P implementations: http://www.w3.org/P3P/implementations

21
Internet Explorer 6.0 Client
  • IE6 will contain a partial P3P implementation
      • Will process P3P compact policies
      • Will handle cookies based on the presence and
        contents of those compact policies
      • Details are on the Web at
        http://msdn.microsoft.com/workshop/security/privacy/ie6privacyfeature.asp
  • IE6 will display, but not process, full P3P
    policies

22
Summary
  • P3P provides a way to extend your site's current
    privacy policy with a machine-readable version
  • Clients which can read and process these policies
    will be available this fall
  • Tools and instructions are available now to help
    sites deploy P3P

23
Additional Material
Future of P3P, and some examples
24
Future Versions of P3P
  • Allow web sites to offer a choice of policies
      • P3P 1.0 supports only one policy per resource
  • Allow for negotiation and explicit agreements
    to be reached between user agent and web site
      • P3P 1.0 policies are take-it-or-leave-it
  • Allow for non-repudiation of agreements,
    signatures from third-party seal providers, etc.
  • Facilitate automated data transfer
      • P3P 1.0 does not include any mechanism for data transfer

25
Example Privacy Policy
  • At CatalogExample, we care about your privacy.
    When you come to our site to look for an item, we
    will only use this information to improve our
    site and will not store it in an identifiable
    way.
  • CatalogExample is a licensee of the
    PrivacySealExample Program.
  • Questions regarding this statement should be
    directed to CatalogExample 1-248-392-6753
  • When you browse through our site we collect
      • The basic information about your computer and
        connection to make sure that we can get you the
        proper information and for security purposes
      • Aggregate information on what pages consumers
        access or visit to improve our site
  • We purge the browsing information that we collect
    regularly

26
Example Privacy Policy in P3P
<POLICY xmlns="http://www.w3.org/2000/12/P3Pv1"
        discuri="http://www.catalog.example.com/Privacy.html">
  <ENTITY>
    <DATA-GROUP>
      <DATA ref="business.name">CatalogExample</DATA>
      <DATA ref="business.contact-info.telecom.telephonenum.intcode">1</DATA>
      <DATA ref="business.contact-info.telecom.telephonenum.loccode">248</DATA>
      <DATA ref="business.contact-info.telecom.telephonenum.number">3926753</DATA>
    </DATA-GROUP>
  </ENTITY>
  <ACCESS><nonident/></ACCESS>
  <DISPUTES-GROUP>
    <DISPUTES resolution-type="independent"
              service="http://www.PrivacySeal.example.org"
              short-description="PrivacySeal.example.org">
      <REMEDIES><correct/></REMEDIES>
      <IMG src="http://www.PrivacySeal.example.org/Logo.gif"/>
    </DISPUTES>
  </DISPUTES-GROUP>
  <STATEMENT>
    <PURPOSE><admin/><develop/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP>
      <DATA ref="dynamic.clickstream"/>
      <DATA ref="dynamic.http"/>
    </DATA-GROUP>
  </STATEMENT>
</POLICY>
27
Example Policy Reference File
<META xmlns="http://www.w3.org/2000/P3Pv1">
  <POLICY-REFERENCES>
    <EXPIRY max-age="172800"/>   <!-- relative expiry: 2 days -->
    <POLICY-REF about="/P3P/Policy1.xml">
      <INCLUDE>/</INCLUDE>
      <EXCLUDE>/catalog/</EXCLUDE>
      <EXCLUDE>/cgi-bin/</EXCLUDE>
      <EXCLUDE>/servlet/</EXCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/P3P/Policy2.xml">
      <INCLUDE>/catalog/</INCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/P3P/Policy3.xml">
      <INCLUDE>/cgi-bin/</INCLUDE>
      <INCLUDE>/servlet/</INCLUDE>
      <EXCLUDE>/servlet/unknown</EXCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>
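As an added example rather than the slides' own code, this Python loads the policy reference file above and resolves which policy applies to a request path, and checks the EXPIRY max-age that bounds how long cached results may be reused (the performance point of slide 10). The matching semantics (prefix match with "*" as wildcard, first matching POLICY-REF wins, EXCLUDE overriding INCLUDE) and the 24 h default used when EXPIRY is absent are assumptions of this example.

```python
import fnmatch
import time
import xml.etree.ElementTree as ET

# Constructed copy of the slide's policy reference file (same rules).
PRF_XML = """<META xmlns="http://www.w3.org/2000/P3Pv1"><POLICY-REFERENCES>
  <EXPIRY max-age="172800"/>
  <POLICY-REF about="/P3P/Policy1.xml"><INCLUDE>/</INCLUDE>
    <EXCLUDE>/catalog/</EXCLUDE><EXCLUDE>/cgi-bin/</EXCLUDE><EXCLUDE>/servlet/</EXCLUDE>
  </POLICY-REF>
  <POLICY-REF about="/P3P/Policy2.xml"><INCLUDE>/catalog/</INCLUDE></POLICY-REF>
  <POLICY-REF about="/P3P/Policy3.xml"><INCLUDE>/cgi-bin/</INCLUDE>
    <INCLUDE>/servlet/</INCLUDE><EXCLUDE>/servlet/unknown</EXCLUDE>
  </POLICY-REF>
</POLICY-REFERENCES></META>"""
NS = "{http://www.w3.org/2000/P3Pv1}"   # default namespace of the PRF

def _matches(pattern, path):
    # Assumption of this example: a pattern matches as a path prefix, and "*"
    # inside a pattern stands for any run of characters.
    return fnmatch.fnmatchcase(path, pattern + "*")

def load_prf(xml_text):
    """Parse a PRF into (max_age_seconds, [(policy_uri, includes, excludes)])."""
    refs = ET.fromstring(xml_text).find(NS + "POLICY-REFERENCES")
    expiry = refs.find(NS + "EXPIRY")
    max_age = int(expiry.get("max-age")) if expiry is not None else 86400  # 24 h assumed
    rules = []
    for ref in refs.findall(NS + "POLICY-REF"):
        inc = [e.text for e in ref.findall(NS + "INCLUDE")]
        exc = [e.text for e in ref.findall(NS + "EXCLUDE")]
        rules.append((ref.get("about"), inc, exc))
    return max_age, rules

def policy_for(rules, path):
    """Policy URI covering a request path, or None if no POLICY-REF covers it.
    Assumption: first matching POLICY-REF wins; its EXCLUDEs override INCLUDEs."""
    for about, inc, exc in rules:
        if any(_matches(p, path) for p in inc) and not any(_matches(p, path) for p in exc):
            return about
    return None

def prf_is_fresh(fetched_at, max_age, now=None):
    """A cached PRF (and the policies resolved through it) may be reused only
    until max-age seconds have passed since it was fetched."""
    now = time.time() if now is None else now
    return now - fetched_at < max_age
```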
28
Acknowledgements
  • My thanks to Lorrie Cranor of AT&T and Marc
    Langheinrich of ETH Zentrum for contributing to
    this presentation