P3P 20031030 Ro Young-jin
What Is P3P?
• Platform for Privacy Preferences Project
• Developed by W3C
• Provides a standard way for Web sites to communicate about the collection, use, and distribution of personal information
• P3P-enabled Web Sites & Browsers
  • P3P-enabled Web sites publish a machine-readable snapshot of how the site handles personal information about its users
  • P3P-enabled browsers read this snapshot, then compare it to the consumer's own set of privacy preferences
PICS
• PICS (Platform for Internet Content Selection)
  • P3P is an outgrowth of PICS
  • PICS is used to restrict the display of inappropriate Web sites
• How does PICS work?
  • The Web developer inserts an HTML tag that indicates the rating level of the Web site
  • The Web browser and filtering software read the tag
  • They decide whether to show the Web site according to rules defined in advance
PICS Structure

    (PICS-1.1
      <service url> [option...]
      labels [option...] ratings (<category> <value> ...)
             [option...] ratings (<category> <value> ...)
             ...
      <service url> [option...]
      labels [option...] ratings (<category> <value> ...)
             [option...] ratings (<category> <value> ...)
             ...
      ...)
P3P vs. PICS
• P3P uses XML ⇔ PICS uses LISP S-expressions
• P3P has no provisions for third-party rating services
• P3P statements are not about the content of a Web site, but about its practices
• A Web site's P3P statements are related to its written privacy policy
P3P Structure

    <META xmlns="http://www.w3.org/2000/12/P3Pv1">
      <POLICY-REFERENCES>
        <EXPIRY max-age="864000"/> <!-- 10 days -->
        <POLICY-REF about="#policy1">
          <INCLUDE>/*</INCLUDE>
          <COOKIE-INCLUDE>* .example.com *</COOKIE-INCLUDE>
        </POLICY-REF>
      </POLICY-REFERENCES>
      <POLICIES>
        <POLICY discuri="http://www.example.com/privacy/policy.html" name="policy1">
          <EXPIRY max-age="864000"/> <!-- 10 days -->
          <ENTITY>
            <DATA-GROUP>
              <DATA ref="business.name">Example Corp.</DATA>
              <!-- it's a good idea to include an email address or
                   other contact information here as well -->
            </DATA-GROUP>
          </ENTITY>
P3P Structure (Continued)

          <ACCESS><nonident/></ACCESS> <!-- no identified data is collected -->
          <!-- if the site has a dispute resolution procedure that it follows,
               a DISPUTES-GROUP should be included here -->
          <STATEMENT>
            <PURPOSE><current/><admin/><develop/></PURPOSE>
            <RECIPIENT><ours/></RECIPIENT>
            <RETENTION><indefinitely/></RETENTION>
            <DATA-GROUP>
              <DATA ref="#dynamic.clickstream"/>
              <DATA ref="#dynamic.http"/>
            </DATA-GROUP>
          </STATEMENT>
        </POLICY>
      </POLICIES>
    </META>
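How a P3P-enabled browser could compare the policy above with a user's preferences, as an added example that is not part of the original slides. The preference format (a set of refused values per element) and the function names are assumptions made for illustration; this is a simplified check, not the APPEL preference language.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2000/12/P3Pv1}"  # namespace of the policy on this page

# Policy from the slides, abridged to its STATEMENT and embedded so this runs offline.
POLICY_XML = """
<META xmlns="http://www.w3.org/2000/12/P3Pv1"><POLICIES>
 <POLICY discuri="http://www.example.com/privacy/policy.html" name="policy1">
  <ACCESS><nonident/></ACCESS>
  <STATEMENT>
   <PURPOSE><current/><admin/><develop/></PURPOSE>
   <RECIPIENT><ours/></RECIPIENT>
   <RETENTION><indefinitely/></RETENTION>
   <DATA-GROUP><DATA ref="#dynamic.clickstream"/><DATA ref="#dynamic.http"/></DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES></META>
"""

# Hypothetical user preferences (assumed format): values the user refuses per element.
STRICT = {"PURPOSE": {"telemarketing"}, "RECIPIENT": {"unrelated", "public"},
          "RETENTION": {"indefinitely"}}
RELAXED = {"PURPOSE": {"telemarketing"}, "RECIPIENT": {"unrelated", "public"}}


def parse_statements(xml_text):
    """Return one dict per STATEMENT: element name -> declared values (None if absent)."""
    statements = []
    for st in ET.fromstring(xml_text).iter(NS + "STATEMENT"):
        entry = {"DATA": [d.get("ref") for d in st.iter(NS + "DATA")]}
        for name in ("PURPOSE", "RECIPIENT", "RETENTION"):
            el = st.find(NS + name)
            entry[name] = None if el is None else {c.tag[len(NS):] for c in el}
        statements.append(entry)
    return statements


def evaluate(xml_text, prefs):
    """Return (statement index, element, value) conflicts; an empty list means acceptable."""
    conflicts = []
    for i, st in enumerate(parse_statements(xml_text)):
        for name, refused in prefs.items():
            declared = st[name]
            if declared is None:  # fail closed: an undeclared practice is a conflict
                conflicts.append((i, name, "<missing>"))
                continue
            conflicts.extend((i, name, v) for v in sorted(declared & refused))
    return conflicts


if __name__ == "__main__":
    print("strict :", evaluate(POLICY_XML, STRICT))
    print("relaxed:", evaluate(POLICY_XML, RELAXED))
```

The policy is site-supplied input, so a user agent doing this for real would parse it with a hardened XML parser and treat a parse failure the same way as a conflict.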
P3P Editor
• http://www.alphaworks.ibm.com/tech/p3peditor
Drawbacks of P3P
• Troublesome because of cookie configuration
  • Many people do not understand cookies well
  • Popup warning messages
• Difficulty of configuring privacy settings
  • Hard to know how much regulation is needed
• Many Web sites do not comply with P3P
  • If only a few sites support P3P, using P3P is not effective for users