P3P: Privacy Primer
This section was contributed by Lorrie Cranor of AT&T Labs--Research. It is copyright AT&T and reprinted with permission.
This section provides an overview of how P3P works and how you can obtain and use it. For more information about P3P, see http://www.w3.org/P3P/. That site includes pointers to the complete P3P specification, lists of P3P software and P3P-enabled web sites, and more detailed instructions for using P3P on your web site. For a complete discussion of P3P and how you can use it to best advantage, see the forthcoming book, P3P, by Lorrie Cranor.
How P3P Works
The P3P specification includes:
- a standard vocabulary for describing a web site's data practices
- a set of base data elements that web sites can refer to in their P3P privacy policies
- a protocol for requesting and transmitting web site privacy policies
The P3P protocol is a simple extension to the HTTP protocol. As shown in Figure 3, P3P user agents use standard HTTP requests to fetch a P3P policy reference file from a "well-known location" on the web site to which a user is making a request. The policy reference file indicates the location of the P3P policy file that applies to each part of the web site. There might be one policy for the entire site, or several different policies, each of which covers a different part of the site. The user agent can then fetch the appropriate policy, parse it, and take action according to the user's preferences.
P3P also allows sites to place policy reference files in locations other than the well-known location. In these cases, the site must declare the location of the policy reference file using a special HTTP header or by embedding a <LINK> tag in the HTML files to which the P3P policies apply.
Here's a plain English example of the kind of disclosure a web site might make in a P3P policy:
Steve's Store strives to protect your privacy. When you come to our site to browse our catalog, we will not ask you to tell us who you are, and we will use data about your visit only to help us improve and secure our site. When you browse our site, we collect basic information about your computer and connection. We purge this information on a weekly basis. We also collect aggregate information on what pages consumers visit on our site.
Steve's Store is a licensee of the PrivacySealExample Program. The PrivacySealExample Program ensures your privacy by holding web site licensees to high privacy standards and confirming with independent auditors that these information practices are being followed.
And here is how the first part of this policy, the identity of the business making the disclosure, looks in the P3P syntax and encoding. Each value is a DATA element whose ref attribute names an element of the P3P base data schema:
<DATA ref="#business.name">Steve's Store</DATA>
<DATA ref="#business.contact-info.postal.street">123 Steve Street</DATA>
To help you estimate how much work it will be for you to deploy P3P on your web site, here is an outline of the basic steps involved.
- Determine whether you want to have one P3P policy for your entire site or different P3P policies for different parts of your site.
- Create a P3P policy (or policies) for your site.
- Create a policy reference file for your site.
Most of the policy generator tools will help you create a policy reference file for your site too. This file lists all of the P3P policies on your site and the parts of your site to which they apply. In most circumstances you will have just one policy reference file for your entire site. However, if you have a very large number of policies on your site, or if you don't wish to publish information that would reveal the structure of your site (a policy reference file that enumerates password-protected areas tells anyone who reads it that those areas exist), you may wish to have multiple policy reference files.
- Configure your server for P3P.
On most sites this can be done by simply placing the P3P policy and policy reference files on the web server in the proper locations. However, some sites will want to configure their servers to send a special P3P header with every HTTP response, and some will want to add <LINK> tags to their HTML content. Some sites will also want to send compact versions of their P3P policies in the P3P header of responses that carry Set-Cookie headers.
- Test your site to make sure it is properly P3P enabled.
Your written privacy policy should include enough detail to answer the questions you will have to answer when creating a P3P policy. Here's a basic outline of the points that you should cover:
- The name and contact information for your company or organization.
- A statement about the kind of access you provide (do you let people find out what information you hold about them, and if so, how can they get this access?).
- A description of how collected data is used, and whether individuals can opt-in or opt-out of any of these uses.
- Information about whether data may be shared with other companies, and if so, under what conditions and whether or not consumers can opt-in or opt-out of this.
- Information about your site's data retention policy, if any.
- Information about how consumers can take advantage of opt-in or opt-out opportunities.
P3P doesn't cover web site security practices, but most privacy policies also include a statement about the site's commitment to security. And web sites with content aimed at children often describe their policy with respect to children's data.
Generating a P3P Policy and Policy Reference File
One good P3P policy generator you may want to try is the P3P Policy Editor from IBM. This tool features a drag-and-drop interface, shown in Figure 4, that lets you edit P3P policies by dragging icons representing P3P data elements and data categories into an editing window. The tool also has pop-up windows that let you set the properties associated with each data element (purpose, recipient, etc.) and also fill out general information about the site's privacy practices. You can view the XML that has been created as you add each data element, as well as a corresponding human-readable version of the policy. There is also a useful errors tab that indicates problems with your policy, such as leaving out information in required fields. The tool comes with good documentation and a set of templates for typical web sites. This tool can also create policy reference files. It is available for free download from the IBM Alphaworks web site at http://www.alphaworks.ibm.com/tech/p3peditor.
Helping User Agents Find Your Policy Reference File
The P3P specification has designated /w3c/p3p.xml as the "well-known location" for policy reference files. P3P user agents will check this location automatically for a policy reference file at every site they visit. If they can't find a policy reference file at a site, they will keep rechecking once every 24 hours if the user returns to that site.
Most web sites should be able to place their policy reference file at the well-known location without a problem. However, for sites that do not wish to do this, two alternatives are offered: sites can be configured to send a special P3P header with every HTTP response, or <LINK> tags can be embedded in HTML documents that give the location of the policy reference file.
The HTTP header alternative is most useful for sites that have decided to use multiple policy reference files. It allows sites to send a pointer to the policy reference file applicable to each request. The downside of using the HTTP header instead of the well-known location is that there is no way for a user agent to know a site's policy before requesting a resource. Thus, some user agents may suppress cookies, referer headers, or other information until they receive the P3P response header.
P3P-enabled web sites have the option of providing short summaries of their cookie-related practices in a P3P response header sent alongside the Set-Cookie header. These compact policies are designed as an optimization: they let cookie processing proceed while the full P3P policy is still being fetched and evaluated. Sites can only use compact policies if they set cookies, and only if the cookie-related statements in their full P3P policy do not include mandatory extensions. While the compact policy is entirely optional for P3P-enabled web sites, note that some of the early P3P user agent implementations rely heavily on it; the Microsoft Internet Explorer 6 P3P user agent is one example.
A site that uses compact policies would have a policy reference file and a full P3P policy just like any other P3P-enabled web site. In addition, the site would configure its web server to include a P3P header on every response that carries a Set-Cookie header (or on every response). Here is an example of what such a server response might look like; the compact policy is the value of the CP directive in the P3P header:
HTTP/1.1 200 OK
P3P: CP="NON DSP ADM DEV PSD CUSo OUR IND STP PRE NAV UNI"
Most of the P3P policy generator tools will also generate compact policies.
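The two mechanisms just described, finding the policy reference file (P3P header, <LINK> tag, or the well-known location) and screening a cookie's compact policy, are shown together in the following Python example. It is added here for illustration; it is not code from the article and not any browser's actual algorithm. The token tables are those of the P3P 1.0 Recommendation, while the acceptance rule in evaluate_compact_policy(), the www.example.com URLs, the /privacy/p3p.xml location, and the sample response at the bottom are assumptions made for the example. The article's sample header above predates the Recommendation's final token list, so its CUSo token is reported as unrecognised rather than silently skipped.

```python
"""Finding a site's P3P policy reference file and screening a cookie's compact policy.

Added, illustrative user-agent code: not from the article and not any browser's actual
algorithm.  The acceptance rule in evaluate_compact_policy() is an assumed user
preference; the sample response at the bottom is constructed.
"""
import re
from urllib.parse import urljoin

WELL_KNOWN_LOCATION = "/w3c/p3p.xml"   # fixed by the P3P specification

# Compact-policy tokens of the P3P 1.0 Recommendation, grouped by the policy element they abbreviate.
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
DISPUTES = {"DSP", "COR", "MON", "LAW"}                       # DSP plus the REMEDIES tokens
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORY = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM", "CNT", "STA",
            "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
KNOWN = ACCESS | DISPUTES | PURPOSE | RECIPIENT | RETENTION | CATEGORY | {"NID", "TST"}

IDENTIFYING = {"PHY", "ONL", "GOV", "FIN"}   # categories that identify a person
PROFILING = {"IVA", "IVD", "CON", "TEL"}     # purposes that act on an individual


def parse_p3p_header(value):
    """'policyref="/w3c/p3p.xml", CP="NOI CUR"' -> {'policyref': '/w3c/p3p.xml', 'cp': 'NOI CUR'}"""
    return {m.group(1).lower(): m.group(2)
            for m in re.finditer(r'([A-Za-z]+)\s*=\s*"([^"]*)"', value)}


def header(headers, name):
    """Case-insensitive lookup in a dict of response headers; None when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def locate_policy_reference(request_url, headers, html=""):
    """Where this agent looks for the policy reference file, in order:
    1. a policyref directive in the P3P response header,
    2. a <link rel="P3Pv1" href="..."> in the HTML,
    3. the well-known location at the site root."""
    directives = parse_p3p_header(header(headers, "P3P") or "")
    if "policyref" in directives:
        return urljoin(request_url, directives["policyref"])
    link = re.search(r'<link\b[^>]*\brel="P3Pv1"[^>]*\bhref="([^"]+)"', html, re.IGNORECASE)
    if link:
        return urljoin(request_url, link.group(1))
    return urljoin(request_url, WELL_KNOWN_LOCATION)


def parse_compact_policy(cp):
    """Split a CP string into {token: qualifier} plus the tokens the Recommendation does not define.
    Qualifiers on PURPOSE/RECIPIENT tokens: 'a' always, 'i' opt-in, 'o' opt-out."""
    tokens, unknown = {}, []
    for tok in cp.split():
        base, qual = (tok[:3], tok[3]) if len(tok) == 4 and tok[3] in "aio" else (tok, "")
        if base in KNOWN:
            tokens[base] = qual
        else:
            unknown.append(tok)
    return tokens, unknown


def evaluate_compact_policy(cp):
    """Assumed preference: accept a cookie only if its compact policy is present and fully
    recognised, keeps data in-house (OUR) unless the user opts in, and does not use
    identifying data for profiling or contact without opt-in.  Returns (accept, reasons)."""
    if cp is None:
        return False, ["no compact policy on a response that sets a cookie"]
    tokens, unknown = parse_compact_policy(cp)
    reasons = []
    if unknown:                                   # fail closed rather than guess a meaning
        reasons.append("unrecognised tokens: " + " ".join(unknown))
    for tok in sorted((RECIPIENT - {"OUR"}) & set(tokens)):
        if tokens[tok] != "i":
            reasons.append(f"data shared with {tok} without opt-in")
    if IDENTIFYING & set(tokens):
        for tok in sorted(PROFILING & set(tokens)):
            if tokens[tok] != "i":
                reasons.append(f"identifying data used for {tok} without opt-in")
    return not reasons, reasons


def screen_response(request_url, headers, html=""):
    """One response: where the full policy lives, and whether any cookie it sets is acceptable now."""
    p3p = header(headers, "P3P")
    cp = parse_p3p_header(p3p).get("cp") if p3p else None
    sets_cookie = header(headers, "Set-Cookie") is not None
    accept, reasons = evaluate_compact_policy(cp) if sets_cookie else (True, [])
    return {"policyref": locate_policy_reference(request_url, headers, html),
            "cookie_ok": accept, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample: a cookie is set, a compact policy is sent, the reference file is not at /w3c/.
    sample = {"Content-Type": "text/html", "Set-Cookie": "session=abc123; Path=/",
              "P3P": 'policyref="/privacy/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa OUR IND PHY ONL UNI COM NAV"'}
    print(screen_response("http://www.example.com/shop/cart.html", sample))
```

Because both the policyref pointer and the compact policy arrive in the response, screen_response() can only run after the resource has been requested; this is the drawback noted above, and it is why an agent configured this way withholds cookies and the Referer header on the first request to a site whose reference file is not at the well-known location.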
Simple P3P-Enabled Web Site Example
Many sites, including personal home pages and sites designed primarily to provide information (as opposed to those designed to sell things or provide interactive services), have very simple privacy policies. They tend to collect minimal amounts of data, and generally will either commit to using that data in very limited ways, or make no commitment that might limit future use of that data. Furthermore, for these simple sites one P3P policy is probably sufficient for the entire site.
Example 1 is a policy reference file for a simple site named Example.com that has one policy for the entire site. This policy reference file is placed at the well-known location (/w3c/p3p.xml) and also carries the site's P3P policy inline, so a user agent does not need a second fetch to read the policy. The policy reference file and policy expiry are both set to 10 days. The policy for this site also applies to all the cookies set by the site. Example.com keeps typical web logs. These logs are kept indefinitely and are used to diagnose problems with the web site. They are not shared with other companies; however, they are sometimes analyzed in order to gain insights into how people are using the web site.
Example 1: A policy reference file for a simple site that includes an inline policy
<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <EXPIRY max-age="864000"/> <!-- 10 days -->
    <POLICY-REF about="#policy1">
      <INCLUDE>/*</INCLUDE> <!-- one policy covers the whole site -->
      <COOKIE-INCLUDE name="*" value="*" domain=".example.com" path="*"/> <!-- and all of its cookies -->
    </POLICY-REF>
  </POLICY-REFERENCES>
  <POLICIES>
    <POLICY name="policy1" discuri="http://www.example.com/privacy/policy.html">
      <EXPIRY max-age="864000"/> <!-- 10 days -->
      <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Corp.</DATA></DATA-GROUP></ENTITY>
      <!-- it's a good idea to include an email address or other contact information in the ENTITY as well -->
      <ACCESS><nonident/></ACCESS> <!-- no identified data is collected -->
      <!-- if the site has a dispute resolution procedure that it follows, a DISPUTES-GROUP should be included here -->
      <STATEMENT> <!-- web logs: kept indefinitely, not shared, used to diagnose problems and study site usage -->
        <PURPOSE><admin/><develop/></PURPOSE><RECIPIENT><ours/></RECIPIENT><RETENTION><indefinitely/></RETENTION>
        <DATA-GROUP><DATA ref="#dynamic.clickstream"/><DATA ref="#dynamic.http"/></DATA-GROUP>
      </STATEMENT>
    </POLICY>
  </POLICIES>
</META>
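To show what a user agent does with a file like Example 1, here is an added Python example; it is written for this page and is not the article's code nor any P3P product's. It embeds a constructed policy reference file modelled on Example 1 but with a second policy for an /account/ area, so that INCLUDE/EXCLUDE precedence, COOKIE-INCLUDE coverage, EXPIRY handling and the inline about="#name" lookup all come into play. The example.com URLs, the policy names, the /account/ path and the user preference encoded in objections() are assumptions for the example.

```python
"""User-agent side of P3P: read a policy reference file, pick the policy covering a
request or a cookie, and check it against a preference.  Added, illustrative code,
not the article's or any P3P product's; the reference file is constructed and the
preference in objections() is assumed."""
import re
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2002/01/P3Pv1}"   # P3P 1.0 namespace

# Constructed /w3c/p3p.xml: one policy for the whole site, a second one for /account/*.
POLICY_REFERENCE_FILE = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY-REFERENCES><EXPIRY max-age="864000"/>
  <POLICY-REF about="#logs"><INCLUDE>/*</INCLUDE><EXCLUDE>/account/*</EXCLUDE>
   <COOKIE-INCLUDE name="*" value="*" domain=".example.com" path="*"/></POLICY-REF>
  <POLICY-REF about="#account"><INCLUDE>/account/*</INCLUDE></POLICY-REF>
 </POLICY-REFERENCES>
 <POLICIES>
  <POLICY name="logs" discuri="http://www.example.com/privacy/policy.html">
   <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Corp.</DATA></DATA-GROUP></ENTITY><ACCESS><nonident/></ACCESS>
   <STATEMENT><PURPOSE><admin/><develop/></PURPOSE><RECIPIENT><ours/></RECIPIENT>
    <RETENTION><indefinitely/></RETENTION>
    <DATA-GROUP><DATA ref="#dynamic.clickstream"/><DATA ref="#dynamic.http"/></DATA-GROUP></STATEMENT>
  </POLICY>
  <POLICY name="account" discuri="http://www.example.com/privacy/account.html">
   <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Corp.</DATA></DATA-GROUP></ENTITY><ACCESS><contact-and-other/></ACCESS>
   <STATEMENT><PURPOSE><current/><contact required="opt-in"/></PURPOSE>
    <RECIPIENT><ours/><same required="opt-out"/></RECIPIENT><RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP><DATA ref="#user.name"/><DATA ref="#user.home-info.online.email"/></DATA-GROUP></STATEMENT>
  </POLICY>
 </POLICIES>
</META>"""


def load(xml_text):
    return ET.fromstring(xml_text)   # ElementTree drops the XML comments P3P files often carry


def uri_matches(pattern, value):
    """P3P patterns are literal text in which '*' matches any string, possibly empty."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), value) is not None


def policy_ref_for(meta, path):
    """First POLICY-REF whose INCLUDE matches `path` and whose EXCLUDE does not (EXCLUDE wins)."""
    for ref in meta.iter(NS + "POLICY-REF"):
        inc = [e.text.strip() for e in ref.findall(NS + "INCLUDE")]
        exc = [e.text.strip() for e in ref.findall(NS + "EXCLUDE")]
        if any(uri_matches(p, path) for p in inc) and not any(uri_matches(p, path) for p in exc):
            return ref
    return None   # the site makes no P3P claim about this URI


def cookie_policy_ref(meta, name, domain, path="/"):
    """POLICY-REF whose COOKIE-INCLUDE covers a cookie; missing attributes mean '*' (literal match, not RFC domain-matching)."""
    for ref in meta.iter(NS + "POLICY-REF"):
        for ci in ref.findall(NS + "COOKIE-INCLUDE"):
            if all(uri_matches(ci.get(k, "*"), v) for k, v in (("name", name), ("domain", domain), ("path", path))):
                return ref
    return None


def _names(elem):
    """Child names -> 'required' qualifier (always / opt-in / opt-out), e.g. {'contact': 'opt-in'}."""
    return {c.tag[len(NS):]: c.get("required", "always") for c in elem} if elem is not None else {}


def summarize(policy):
    return {"name": policy.get("name"), "discuri": policy.get("discuri"),
            "access": list(_names(policy.find(NS + "ACCESS"))),
            "statements": [{"purpose": _names(s.find(NS + "PURPOSE")),
                            "recipient": _names(s.find(NS + "RECIPIENT")),
                            "retention": list(_names(s.find(NS + "RETENTION"))),
                            "data": [d.get("ref") for d in s.iter(NS + "DATA")]}
                           for s in policy.findall(NS + "STATEMENT")]}


def objections(summary):
    """Assumed preference: identified (non-dynamic) data is neither used to contact the user nor shared beyond the site, unless the user opts in."""
    found = []
    for st in summary["statements"]:
        identified = any(not ref.startswith("#dynamic.") for ref in st["data"])
        found += [f"{p} without opt-in" for p, req in st["purpose"].items()
                  if identified and p in ("contact", "telemarketing") and req != "opt-in"]
        found += [f"shared with {r} without opt-in" for r, req in st["recipient"].items()
                  if r != "ours" and req != "opt-in"]
    return found


def expired(meta, fetched_at, now):
    """Stale after EXPIRY max-age seconds; the spec default is 86400 (a date= form also exists)."""
    exp = meta.find(f"{NS}POLICY-REFERENCES/{NS}EXPIRY")
    return now - fetched_at >= (int(exp.get("max-age", "86400")) if exp is not None else 86400)


def evaluate(xml_text, path):
    """Whole user-agent step for one request path; None when no usable inline policy covers it."""
    meta = load(xml_text)
    ref = policy_ref_for(meta, path)
    about = ref.get("about", "") if ref is not None else ""   # external about="http://..." would need a second fetch (not modelled)
    policy = next((p for p in meta.iter(NS + "POLICY") if "#" + p.get("name", "") == about), None)
    if policy is None:
        return None
    summary = summarize(policy)
    summary["objections"] = objections(summary)
    return summary


if __name__ == "__main__":
    for request_path in ("/catalog/index.html", "/account/orders.cgi"):
        print(request_path, evaluate(POLICY_REFERENCE_FILE, request_path))
```

The EXCLUDE on the site-wide POLICY-REF is what keeps the two claims from overlapping; without it, the first matching POLICY-REF in the file would be applied to /account/ requests as well, and the stricter account policy would never be consulted.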
1. For information about where the "well-known location" resides, see the section later in this article, "Helping User Agents Find Your Policy Reference File."
Simson Garfinkel is a developer with 24 years of programming experience, the author or coauthor of 14 books, an entrepreneur, and a journalist. He is the founder and Chief Technology Officer of Sandstorm Enterprises, a Boston-based firm that develops state-of-the-art computer security tools.
Lorrie Faith Cranor is an Associate Research Professor in the School of Computer Science and in the Engineering and Public Policy Department at Carnegie Mellon University. She is director of the CMU Usable Privacy and Security Laboratory (CUPS). She came to CMU in December 2003 after seven years at AT&T Labs-Research.