Getting Your Web Site P3P Compliant


  1. Getting Your Web Site P3P Compliant
     Joshua Freed <jfreed@neted.org>
     http://www.neted.org

  2. P3P Deployment
     • Planning for deployment
       • Understanding how policies are applied to sites
       • Decisions to make
     • Developing the policies and policy reference files
       • How to develop them
       • Tools to help
     • Deployment and testing
       • How to deploy
       • Testing the deployment

  3. The Biggest Challenge
     • Toughest and most important aspect:
       • Getting a clear understanding of what information the site collects
       • Ensuring that your privacy statement accurately reflects these actions

  4. Planning for Deployment

  5. Applying policies to sites
     • P3P policies can be applied broadly or narrowly
       • As broad as an entire site
       • As narrow as a single URL on a site
       • Maximum scope is a single hostname
     • P3P policies are applied to "HTTP entities"
       • That is, URLs, not pages
       • A page is typically many "entities" (frameset, framed content, graphics, style sheets, ...)
     • It is OK to overstate a site's practices (declare more collection than actually happens), but never to understate them

  6. Applying policies to cookies
     • Can be applied broadly or narrowly:
       • Can apply to all cookies on a site
       • Or, can specify applicable cookies by name, domain of use, or path of use
       • Domain/path of use are set by the cookie (hosts to send the cookie to, path within that host to send the cookie to)
     • Narrow scope for cookies is only useful if you are willing for visitors to accept some cookies but not all cookies

  7. How is it done?
     • P3P uses a policy reference file which:
       • Lists the P3P policies used by the site
       • States what parts of the site and what cookies are covered by each policy
     • A policy reference file can only cover resources on that host
       • Each host needs its own policy reference file
       • The policies themselves can be on another host

  8. PRF Request in Action (client and web server)
     1. Client requests the policy reference file:
        GET /w3c/p3p.xml HTTP/1.1
        Host: foo.com
     2. Web server sends the policy reference file
     3. Client requests the P3P policy
     4. Web server sends the P3P policy
     5. Client requests the web page:
        GET /x.html HTTP/1.1
        Host: foo.com
        . . .
     6. Web server sends the web page:
        HTTP/1.1 200 OK
        Content-Type: text/html
        . . .

  9. Policy Reference File Contents
     • Allows specification of which policy applies to which resources on a site
     • <EXPIRY>: Determines how long the PRF is valid
     • <POLICY-REF>: URL of the policy
     • <INCLUDE>, <EXCLUDE>: URL prefixes (local to the host) to which the policy applies or doesn't apply
     • <COOKIE-INCLUDE>, <COOKIE-EXCLUDE>: Associates or disassociates cookies with the policy
     • <METHOD>: HTTP methods to which the policy applies

  10. Locating Policy Reference Files
     • There are three ways to locate a PRF:
       • Publish it in the well-known location, /w3c/p3p.xml
       • Send an HTTP header which gives the location of the policy reference file
       • Include a link to the policy reference file in the site's HTML
     • Well-known location is fastest for clients
     • HTML link is slowest for clients (must first fetch and parse the HTML page)
     • HTTP header falls in between these two

  11. More on Locating Policy Reference Files
     • If possible, use just one reference file per site
       • Multiple are allowed, but this is harder to manage
     • Whenever possible, use the well-known location
       • But the entire host must be under a single organization
     • Use the HTTP header method if you control the site's configuration
     • Use HTML links only as a last resort
       • When you don't control the entire site, and can't change the server configuration

  12. Using Compact Policies
     • Compact policy is sent in an HTTP header
       • Typically done by configuring the server to send the header
     • No policy reference file mechanism for CPs
       • To put different CPs on different parts of the site, the server must send the appropriate CP with each response
     • Compact policy applies to all cookies in the current response
     • Compact policy applies to each such cookie for the life of the cookie
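Added example, not part of the presentation: a small Python checker for the three PRF discovery mechanisms of slides 10 and 11 and the compact-policy header of slide 12. The response headers, cookie names and CP tokens are constructed sample data; the P3P header form (policyref="...", CP="...") and the <link rel="P3Pv1"> tag are the ones P3P 1.0 defines.

```python
import re

WELL_KNOWN_PRF = "/w3c/p3p.xml"

# Constructed sample response (not from the slides): a P3P header carrying both the
# reference-file location and a compact policy, plus an HTML link tag as a fallback.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "prefs=lang=en; Path=/catalog"),
    ("P3P", 'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa OUR NOR"'),
]
SAMPLE_HTML = '<html><head><link rel="P3Pv1" href="/w3c/p3p.xml"></head></html>'


def parse_p3p_header(value):
    """Split a P3P header value into its policyref URI and compact-policy tokens."""
    ref = re.search(r'policyref\s*=\s*"([^"]*)"', value)
    cp = re.search(r'\bCP\s*=\s*"([^"]*)"', value)
    return {"policyref": ref.group(1) if ref else None,
            "cp": cp.group(1).split() if cp else []}


def prf_candidates(headers, html):
    """Where a client may look for the PRF, ordered fastest to slowest (slide 10):
    the well-known location is always a candidate; header and link are optional."""
    found = [("well-known", WELL_KNOWN_PRF)]
    for name, value in headers:
        if name.lower() == "p3p":
            ref = parse_p3p_header(value)["policyref"]
            if ref:
                found.append(("http-header", ref))
    link = re.search(r'<link[^>]*rel="P3Pv1"[^>]*href="([^"]*)"', html, re.I)
    if link:
        found.append(("html-link", link.group(1)))
    return found


def cookies_covered_by_cp(headers):
    """Names of the cookies set in this response that the compact policy covers.
    A CP has no reference-file scoping: it applies to every Set-Cookie in the
    same response, and to each cookie for that cookie's whole life (slide 12)."""
    cp = []
    for name, value in headers:
        if name.lower() == "p3p":
            cp = parse_p3p_header(value)["cp"]
    if not cp:
        return []
    return [v.split("=", 1)[0].strip()
            for n, v in headers if n.lower() == "set-cookie"]
```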

  13. How Many Policies?
     • Most organizations will use a small number of policies (less than 5)
       • Using more than this quickly gets unmanageable
     • At a minimum, try to split your site into two:
       • Parts of the site which require personally identifiable information (PII)
       • Parts of the site which don't require PII
       • This must be distinguishable by URL or hostname

  14. Policy Lifetime and Updates
     • The policy in effect when the data is collected applies as long as you hold the data
     • Policy and reference file lifetime covers how long clients can cache the file
       • Doesn't use HTTP caching rules; lifetimes are built directly into policy and reference files
       • Strike a balance between cacheability and flexibility
     • Compact policy lifetime is the entire lifetime of the cookie
       • Don't use compact policies if using long-lived cookies!

  15. Importance of Standards
     • Standard practices are the single biggest aid to P3P deployment
     • They also make privacy management easier in an organization
     • Standards to consider:
       • Company-wide privacy policy
       • Standardized opt-in/opt-out text and method
       • Acceptable data collection standards
       • Cookie naming and lifetime standards

  16. Third-party Content
     • If your site uses third-party content, the third parties will also need to deploy P3P
       • The content owner will need to do this; your site can't give the policy for content from other hosts
     • Third-party cookies will be blocked by IE6 unless they have P3P compact policies
     • "Third party" is based on hostnames
       • Any content embedded within a page from a different domain is "third party"
       • This distinction is made by IE; it is not part of P3P

  17. Developing the Files

  18. Inside a P3P Policy
     • The really hard work
     • Description of the major parts of a P3P policy
     • How to avoid writing XML by hand

  19. The Really Hard Work
     • Understanding your data collection and use practices
       • What data do you use?
       • What do you use it for?
       • Who else can see the data?
       • When a user opts in/out, what does this cover?
     • This is a business-process task, not a technical task
       • Involve business people in this step
       • Consider outside consulting assistance

  20. P3P Vocabulary: <ENTITY>
     • Describes the organization collecting the data
     • Uses the P3P dataschema to structure the description of the collector
     • Required to include at least one way to contact the organization (phone, post, or e-mail)

  21. P3P Vocabulary: <DISPUTES>
     • Used to list dispute-resolution mechanisms available to visitors
       • In the event a user thinks the policy has been violated
     • Can include:
       • Company's customer service department
       • Web privacy seals (TRUSTe, BBBOnline, etc.)
       • Relevant legislation, for regulated businesses

  22. P3P Vocabulary: <ACCESS>
     • Describes what type of data the user will be able to access (and possibly update) in the future
     • Does not indicate how the user will do this
       • The site's human-readable privacy policy must explain how the user can access their information
       • P3P does not include a mechanism to automate data access or update

  23. P3P Vocabulary: <STATEMENT>
     • Used to group information about types of data
     • The same practices apply to all data listed in the group

  24. P3P Vocabulary: <PURPOSE>
     • Indicates what the site will do with the information
     • Includes information about user options
       • Each purpose carries a "required" attribute (always, opt-in, or opt-out)
     • P3P purposes:
       <current/> <admin/> <develop/> <tailoring/> <pseudo-analysis/> <pseudo-decision/>
       <individual-analysis/> <individual-decision/> <contact/> <historical/> <telemarketing/> <other-purpose/>

  25. P3P Vocabulary: <RECIPIENT>
     • Indicates who will receive the information
     • Includes information about user options
       • Each recipient carries a "required" attribute (always, opt-in, or opt-out)
     • P3P recipients:
       <ours> <delivery> <same> <other-recipient> <unrelated> <public>

  26. P3P Vocabulary: <RETENTION>
     • Indicates how long the site will keep the information
     • Described in general terms only, not specific amounts of time
     • The human-readable policy is required to explain the retention policy for the starred values
     • P3P retention values:
       <no-retention/> <stated-purpose/> * <legal-requirement/> * <business-practices/> * <indefinitely/>

  27. P3P Vocabulary: <DATA>
     • Lists the data collected by the site under these practices
     • Uses data elements (or categories) from the base dataschema or a custom schema in the policy
     • Almost all base data elements have an assigned category
     • Sites can describe the data they collect using either specific data elements, or simply by categories of data

  28. P3P Vocabulary: <CATEGORIES>
     • <physical>: Physical contact information
     • <online>: Online contact information
     • <uniqueid>: Unique identifiers
     • <purchase>: Purchase information
     • <financial>: Financial information
     • <computer>: Computer information
     • <navigation>: Navigation and click-stream data
     • <interactive>: Interactive data
     • <demographic>: Demographic and socioeconomic data
     • <content>: Content
     • <state>: State management mechanisms
     • <political>: Political information
     • <health>: Health information
     • <preference>: Preference data
     • <government>: Government-issued identifiers
     • <other-category>: Other

  29. P3P Vocabulary: <TEST>
     • Used to indicate the policy is for testing purposes
     • Can be used to verify that the site deployment was done correctly
     • Clients will ignore policies that include this element

  30. Creating a Reference File
     • If one policy covers the entire site, this is trivial
     • Examine the server's configuration
       • Look for directory trees where server-side executables are allowed or used
       • Map these to the correct policy
       • Map "everything else" to a default policy
     • Reference files are processed top to bottom
       • Place most specific entries first, most general last

  31. Do I Have To Write All That?
     • Yes and no...
     • You need to understand what will go into a P3P policy... but you don't have to write it in 'vi'.
     • Use a policy editor which will create the XML for you
       • No need to actually code the XML directly
       • The policy editor will also create the compact version for sites which are using compact policies
     • IBM & Microsoft have free policy editors:
       http://www.alphaworks.ibm.com/tech/p3peditor
       http://www.microsoft.com/privacy/wizard/

  32. IBM P3P Policy Editor

  33. IBM P3P Policy Editor

  34. Microsoft P3P Privacy Wizard

  35. Microsoft P3P Privacy Wizard

  36. Deployment

  37. Deploying P3P on a Site
     • Publish policy file(s) and reference file
     • Add HTTP header giving location of reference file (if using HTTP header for this)
     • Add HTTP header containing compact policy (if using compact policies)
       • Can be combined with the previous step
     • Add link tags to HTML with location of reference file (if using link tags)
     • Test deployment

  38. Testing the Deployment
     • Use the W3C's P3P validator:
       • http://www.w3.org/P3P/validator
     • Test with Internet Explorer 6
       • Most useful if your site is using third-party cookies
       • Also view the privacy summary, to see how IE renders your P3P policy

  39. Deployment resources
     • P3P Editors:
       • http://www.alphaworks.ibm.com/tech/p3peditor
       • http://www.microsoft.com/privacy/wizard
     • P3P Deployment Guide:
       • http://www.w3.org/TR/p3pdeployment
     • P3P Validator:
       • http://www.w3.org/P3P/validator
     • P3P Toolbox: http://www.p3ptoolbox.org (Coming Soon!)

  40. Acknowledgments
     • My thanks to Martin Pressler-Marshall of IBM for his assistance and contribution to this presentation

  41. Conclusion
     • You should now understand what's involved in deploying P3P for your organization
     • Tackle it on your own if that's appropriate
     • Contact Josh Freed <jfreed@neted.org> for any questions or information about implementation assistance
     • Any questions?

  42. Examples

  43. Example Privacy Policy
     • At CatalogExample, we care about your privacy. When you come to our site to look for an item, we will only use this information to improve our site and will not store it in an identifiable way.
     • CatalogExample is a licensee of the PrivacySealExample Program. …
     • Questions regarding this statement should be directed to: CatalogExample 1-248-392-6753
     • When you browse through our site we collect:
       • The basic information about your computer and connection, to make sure that we can get you the proper information and for security purposes
       • Aggregate information on what pages consumers access or visit, to improve our site
     • We purge the browsing information that we collect regularly

  44. Example Privacy Policy in P3P

     <POLICY xmlns="http://www.w3.org/2000/12/P3Pv1"
             discuri="http://www.catalog.example.com/Privacy.html">
       <!-- The organization collecting the data; phone number is split into its parts -->
       <ENTITY>
         <DATA-GROUP>
           <DATA ref="#business.name">CatalogExample</DATA>
           <DATA ref="#business.contact-info.telecom.telephonenum.intcode">1</DATA>
           <DATA ref="#business.contact-info.telecom.telephonenum.loccode">248</DATA>
           <DATA ref="#business.contact-info.telecom.telephonenum.number">3926753</DATA>
         </DATA-GROUP>
       </ENTITY>
       <ACCESS><nonident/></ACCESS>
       <!-- Independent dispute resolution through the privacy seal program -->
       <DISPUTES-GROUP>
         <DISPUTES resolution-type="independent"
                   service="http://www.PrivacySeal.example.org"
                   short-description="PrivacySeal.exampleorg">
           <REMEDIES><correct/></REMEDIES>
           <IMG src="http://www.PrivacySeal.example.org/Logo.gif"/>
         </DISPUTES>
       </DISPUTES-GROUP>
       <!-- Browsing data: used only for site administration and development, kept in-house -->
       <STATEMENT>
         <PURPOSE><admin/><develop/></PURPOSE>
         <RECIPIENT><ours/></RECIPIENT>
         <RETENTION><stated-purpose/></RETENTION>
         <DATA-GROUP>
           <DATA ref="#dynamic.clickstream"/>
           <DATA ref="#dynamic.http"/>
         </DATA-GROUP>
       </STATEMENT>
     </POLICY>

  45. Example Policy Reference File

     <META xmlns="http://www.w3.org/2000/P3Pv1">
       <POLICY-REFERENCES>
         <EXPIRY max-age="172800"/>   <!-- relative expiry: 2 days -->
         <!-- Default policy for the whole site, minus the trees that get their own -->
         <POLICY-REF about="/P3P/Policy1.xml">
           <INCLUDE>/*</INCLUDE>
           <EXCLUDE>/catalog/*</EXCLUDE>
           <EXCLUDE>/cgi-bin/*</EXCLUDE>
           <EXCLUDE>/servlet/*</EXCLUDE>
         </POLICY-REF>
         <POLICY-REF about="/P3P/Policy2.xml">
           <INCLUDE>/catalog/*</INCLUDE>
         </POLICY-REF>
         <!-- Server-side executables; /servlet/unknown is covered by no policy at all -->
         <POLICY-REF about="/P3P/Policy3.xml">
           <INCLUDE>/cgi-bin/*</INCLUDE>
           <INCLUDE>/servlet/*</INCLUDE>
           <EXCLUDE>/servlet/unknown</EXCLUDE>
         </POLICY-REF>
       </POLICY-REFERENCES>
     </META>
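Added example, not part of the presentation: a Python resolver that applies the top-to-bottom matching rule of slide 30 to the reference file of slide 45 and reports which policy covers a given URL path. The file is embedded verbatim; the paths looked up are constructed, and `*` is treated as matching any run of characters.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2000/P3Pv1}"   # namespace used by the slide's example file

# The policy reference file from slide 45, embedded so the example runs offline.
PRF_XML = """<META xmlns="http://www.w3.org/2000/P3Pv1">
  <POLICY-REFERENCES>
    <EXPIRY max-age="172800"/>
    <POLICY-REF about="/P3P/Policy1.xml">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/catalog/*</EXCLUDE>
      <EXCLUDE>/cgi-bin/*</EXCLUDE>
      <EXCLUDE>/servlet/*</EXCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/P3P/Policy2.xml">
      <INCLUDE>/catalog/*</INCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/P3P/Policy3.xml">
      <INCLUDE>/cgi-bin/*</INCLUDE>
      <INCLUDE>/servlet/*</INCLUDE>
      <EXCLUDE>/servlet/unknown</EXCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>"""

def pattern_matches(pattern, path):
    """INCLUDE/EXCLUDE patterns: '*' matches any run of characters, the rest is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path) is not None

def parse_prf(xml_text):
    """Return [(policy_uri, includes, excludes), ...] in file order (the order matters)."""
    root = ET.fromstring(xml_text)
    return [(ref.get("about"),
             [e.text for e in ref.findall(NS + "INCLUDE")],
             [e.text for e in ref.findall(NS + "EXCLUDE")])
            for ref in root.iter(NS + "POLICY-REF")]

def policy_for(refs, path):
    """First POLICY-REF, top to bottom, that INCLUDEs the path without EXCLUDing it.
    None means the reference file leaves the URL with no policy at all."""
    for uri, includes, excludes in refs:
        included = any(pattern_matches(p, path) for p in includes)
        excluded = any(pattern_matches(p, path) for p in excludes)
        if included and not excluded:
            return uri
    return None
```

Running it over the slide's file shows that /servlet/unknown is excluded from both Policy1 and Policy3 and therefore has no policy, which is the kind of gap the W3C validator on slide 38 helps catch.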

  46. Joshua Freed <jfreed@neted.org>
      http://www.neted.org