P3P A New Standard in Online Privacy

1
P3PA New Standard in Online Privacy
Overview and Demos from Summer 2000

• http//www.w3.org/P3P/

2
P3P1.0 A first step

• Offers an easy way for web sites to communicate
  about their privacy policies in a standard
  machine-readable format
• Can be deployed using existing web servers
• This will enable the development of tools (built
  into browsers or separate applications) that
• Provide snapshots of sites policies
• Compare policies with user preferences
• Alert and advise the user

3
P3P is part of the solution

• P3P1.0 helps users understand privacy policies
  but is not a complete solution
• Seal programs and regulations
• help ensure that sites comply with their policies
• Anonymity tools
• reduce the amount of information revealed while
  browsing
• Encryption tools
• secure data in transit and storage
• Laws and codes of practice
• provide a base line level for acceptable policies

4
Using P3P on your Web site

• Formulate privacy policy
• Translate privacy policy into P3P format
• Use a policy generator tool
• Place P3P policy on web site
• One policy for entire site or multiple policies
  for different parts of the site
• Associate policy with web resources
• Place P3P policy reference file (which identifies
  location of relevant policy file) at well-known
  location on server
• Configure server to insert P3P header with link
  to P3P policy reference file or
• Insert link to P3P policy reference file in HTML
  content

5
P3P policies

• Machine-readable (XML) version of web site
  privacy policies
• Use P3P Vocabulary to express data practices
• Use P3P Base Data Set to express type of data
  collected
• Capture common elements of privacy policies but
  may not express everything (sites may provide
  further explanation in human-readable policies)

6
The P3P vocabulary

• Who is collecting data?
• What data is collected?
• For what purpose will data be used?
• Is there an ability to opt-in or opt-out of some
  data uses?
• Who are the data recipients (anyone beyond the
  data collector)?

• To what information does the data collector
  provide access?
• What is the data retention policy?
• How will disputes about the policy be resolved?
• Where is the human-readable privacy policy?

7
P3P informs Web surfers
privacymanagerbutton
8
Transparency

• P3P clients can check a privacy policy each time
  it changes
• P3P clients can check privacy policies on all
  objects in a web page, including ads and
  invisible images

http//www.att.com/accessatt/
http//adforce.imgis.com/?adlink2685231146ADF
ORCE
9
A simple HTTP transaction
WebServer
10
with P3P 1.0 added
WebServer
11
P3P today

• Intuitive promotes a seamless browsing
  experiences while addressing privacy concerns
• Transparent makes privacy policies clear to Web
  users
• Flexible compatible with both regulatory and
  self-regulatory approaches, and with other
  technology tools
• Global developed with international diversity
  in mind
• End-to-End provides tools to more easily create
  policies and checks sites for privacy assurance
  seals
• Expandable future versions could support
  automatic negotiation of privacy agreements and
  digital signature-based authentication
• Available demos currently available

12
P3P enabled web sites

• www.aol.com
• www.att.com
• www.cdt.org
• www.engage.com
• www.hp.com
• www.ibm.com
• www.idcide.com

• www.microsoft.com
• www.pg.com
• www.ttuhsc.edu
• www.youpowered.com
• www.vineyard.net
• www.w3.org
• www.whitehouse.gov

And many more.
13
P3P User Agent Demos

• Microsoft/ATT P3P Browser Helper Object
• Idcide Privacy Companion
• YOUpowered Orby Privacy Plus

14
Microsoft/ATT P3P browser helper object

• A prototype tool designed to work with Microsoft
  Internet Explorer Browser
• Not yet fully tested, still missing some features

15
Preference settings
16
(No Transcript)
17
When preferences are changed to Disallow
profiling, the privacy checkwarns us that this
site profiles visitors
18
IDcide Privacy Companion

• A browser plug-in that adds functionality to
  Netscape or Internet Explorer browsers
• Includes icons to let users know that sites use
  first- and/or third-party cookies
• Enables users to select a privacy level that
  controls the cookie types allowed (1st or 3rd
  party)
• Prevents data spills to 3rd parties through
  referer
• Lets users view tracking history
• Prototype P3P-enabled Privacy Companion allows
  for more fine-grained automatic decision making
  based on P3P policies
• http//www.idcide.com

19
IDcide P3P Icons
Searching for a P3P policy
No P3P policy found
P3P policy isNOT acceptable
P3P policy isacceptable
20
Double clicking on the P3P icon indicates
where the sites policy differs from the users
preferences
21
YOUpowered Orby Privacy Plus

• A tool bar that sits at the top of a users
  desktop and allows a user to
• Accept or deny cookies while surfing
• Decide how, when and where to share personal
  information
• Store website passwords
• Enjoy the convenience of "one-click" form-fill
• P3P features in prototype automatically rate web
  sites based on their P3P policies

22
(No Transcript)
23
Orby cookie prompt
24
Orby preference setting menu
25
Policy Generator Demos

• IBM P3P Policy Editor
• PrivacyBot.com
• YOUPowered Consumer Trust Policy Manager
  Wizard

26
IBM P3P Policy Editor

• Allows web sites to create privacy policies in
  P3P and human-readable format
• Drag and drop interface
• Available from IBM AlphaWorks site
  http//www.alphaworks.ibm.com/tech/p3peditor

27
Sites can list the typesof data theycollect
And view the correspondingP3P policy
28
Propertieswindows allowssites to specify
detailed informationabout how eachtype of data
isused.
29
PrivacyBot.com
Allows webmasters to fill out an online
questionnaire to automatically create a
human-readable privacy policy and a P3P policy
30
YOUpowered Consumer Trust Policy Manager wizard
31
For more information about P3P, please visit our
web site

• http//www.w3.org/P3P/