P3P

22 Aug 2005

Ivan Herman, W3C

Table of Contents:

  1. Information Privacy
  2. Personal Information
  3. P3P
  4. Original Idea
  5. P3P 1.0: A First Step
  6. How P3P Works
  7. P3P 1.0 Specification Defines
  8. Future Versions of P3P
  9. P3P is a Partial Solution
  10. Accessing P3P Site Policy
  11. P3P Architecture
  12. Implementing a P3P 1.0 Server
  13. Implementing a P3P 1.0 Client
  14. Location of Agent
  15. Some P3P Client Ideas
  16. P3P Policies
  17. The P3P Vocabulary
  18. The P3P Base Data Schema
  19. Example Privacy Policy
  20. (Partial) P3P/XML Encoding
  21. Elements
  22. Examples of Purpose
  23. Examples of Recipient
  24. Examples of Data
  25. Data Categories
  26. Data Categories (cont)
  27. More About Encoding
  28. Reference Syntax
  29. HTTP Example
  30. Link Example
  31. P3P Implementations
  32. AT&T Privacy Minder

Information Privacy

Personal Information

P3P

Original Idea

P3P 1.0: A First Step

How P3P Works

Figure showing how P3P negotiation works

P3P 1.0 Specification Defines

Future Versions of P3P

P3P is a Partial Solution

Accessing P3P Site Policy

P3P Architecture

Implementing a P3P 1.0 Server

Implementing a P3P 1.0 Client

Location of Agent

Some P3P Client Ideas

P3P Policies

The P3P Vocabulary

The P3P Base Data Schema

Example Privacy Policy

The CoolCatalog of 123 Main Street, Bethesda, MD 20814, USA, makes the following statement for the Web page at http://www.TheCoolCatalog.com/catalog/. We have a privacy seal from PrivacySeal.org. Our privacy policy is posted at http://www.TheCoolCatalog.com/PrivacyPractice.html. We do not provide access capabilities to information we have about you.

We use cookies and collect your gender, information about your clothing preferences, and (optionally) your home address to customize our entry catalog pages and for our own research and product development. We retain this information indefinitely.

We also maintain server logs that include information about visits to the http://www.TheCoolCatalog.com/catalog/ page, and the types of browsers our visitors use. We use this information in order to maintain and improve our web site. We retain this information indefinitely.

(Partial) P3P/XML Encoding

<POLICY xmlns="http://www.w3.org/2000/P3Pv1" entity="TheCoolCatalog,
   123 Main Street, Bethesda, MD 20814, USA">
   <DISPUTES-GROUP><DISPUTES resolution-type="independent"
     service="http://www.PrivacySeal.org" description="PrivacySeal.org"
     image="http://www.PrivacySeal.org/Logo.gif"/></DISPUTES-GROUP>
   <DISCLOSURE discuri="http://www.TheCoolCatalog.com/PrivacyPractice.html"/>
   <STATEMENT>
     <RECIPIENT><ours/></RECIPIENT>
     <PURPOSE><custom/><develop/></PURPOSE>
     <RETENTION><indefinitely/></RETENTION>
     <DATA-GROUP>
       <DATA name="dynamic.cookies" category="state"/>
       <DATA name="dynamic.miscdata" category="preference"/>
       <DATA name="user.gender"/>
       <DATA name="user.home." optional="yes"/>
     </DATA-GROUP>
   </STATEMENT>
   ...
</POLICY>

Elements

POLICY
Defines the legal entity making the declaration
DISCLOSURE
General privacy disclosures about retention, access, renegotiate etc
ASSURANCE
Parties that attest that the organisation will stick to its policy
STATEMENT
Describes the data practice: whether the information is identifiable, the purpose it is used for, and which recipients get the information

Examples of Purpose

current
Completion and support of the current activity (e.g., keeping an email address so that an acknowledgement can be sent)
admin
Web site and system administration
custom
Customization of site to individuals
research
Generally to evaluate the site in order to improve it
contact
Contacting visitors later for marketing or selling
other
Should be explained!

Examples of Recipient

ours
Only available to us and our agents
same
Available to organisations like us
other
Organisations different from us who may use the information differently
published
Possibly will be made public to all

Examples of Data

name
Name of the data element
category
The type of data element
optional
Indicates whether site requires the information

Data Categories

Data elements are divided into categories to make user agents easier to implement

physical
Contact information: phone, address etc
online
Contact information: email address
uniqueid
Unique identifiers: social security number
financial
Bank account number, Visa number
computer
IP number, domain name, browser type, operating system
navigation
Which pages visited, how long you stayed there

Data Categories (cont)

pref
Favourite colour, likes jazz
demograph
Gender, age, income
content
Emails, Chat conversations
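
The following is an added example, not part of the original slides: a sketch of how a P3P user agent could parse the STATEMENT elements described above and compare them with a user's preferences. The sample policy is a constructed, abridged copy of the slide's partial encoding, closed so that it parses; the names parse_statements, evaluate and the shape of the rejected preferences dict are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2000/P3Pv1}"  # namespace used in the slide's policy

# Constructed sample: the slide's partial policy, abridged and closed so it parses.
SAMPLE_POLICY = """<POLICY xmlns="http://www.w3.org/2000/P3Pv1" entity="TheCoolCatalog">
  <STATEMENT>
    <RECIPIENT><ours/></RECIPIENT>
    <PURPOSE><custom/><develop/></PURPOSE>
    <RETENTION><indefinitely/></RETENTION>
    <DATA-GROUP>
      <DATA name="dynamic.cookies" category="state"/>
      <DATA name="user.gender"/>
      <DATA name="user.home." optional="yes"/>
    </DATA-GROUP>
  </STATEMENT>
</POLICY>"""

def _values(stmt, tag):
    """Local names of the children of e.g. <PURPOSE> or <RECIPIENT>."""
    parent = stmt.find(NS + tag)
    return [] if parent is None else [c.tag.replace(NS, "") for c in parent]

def parse_statements(policy_xml):
    """Turn each STATEMENT into a dict; DTDs are refused because the policy
    is remote, untrusted input (entity expansion)."""
    if "<!DOCTYPE" in policy_xml.upper():
        raise ValueError("DTD not allowed in policy")
    statements = []
    for stmt in ET.fromstring(policy_xml).iter(NS + "STATEMENT"):
        statements.append({
            "recipient": _values(stmt, "RECIPIENT"),
            "purpose": _values(stmt, "PURPOSE"),
            "retention": _values(stmt, "RETENTION"),
            "data": [(d.get("name"), d.get("optional") == "yes")
                     for d in stmt.iter(NS + "DATA")],
        })
    return statements

def evaluate(policy_xml, rejected):
    """List conflicts: a rejected value in a statement that has required data."""
    conflicts = []
    for i, s in enumerate(parse_statements(policy_xml), 1):
        required = [name for name, optional in s["data"] if not optional]
        for kind in ("recipient", "purpose", "retention"):
            for value in s[kind]:
                if required and value in rejected.get(kind, ()):
                    conflicts.append(f"statement {i}: {kind} '{value}' covers "
                                     f"required data {', '.join(required)}")
    return conflicts
```

A user who rejects indefinite retention gets one conflict for the sample policy, naming the two required data elements; the optional home address is not counted.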

More About Encoding

Reference Syntax

HTTP Example

An HTTP GET requests a page from the coolcatalog site:

GET http://coolcatalog.com/index.html HTTP/1.1
Host: coolcatalog.com

Server returns:

HTTP/1.1 200 OK
P3P: policyref="http://coolcatalog.com/P3P/policies.p3p"
 - - -

States that the policy can be found at the coolcatalog URL.

Needs a P3P-aware server.

Link Example

The index.html file may include:

<link rel="P3Pv1" href="http://coolcatalog.com/P3P/policies.p3p">

States that the policy can be found at the coolcatalog URL.

Client can retrieve the policy file separately.
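
The following is an added example, not part of the original slides: a client-side sketch that locates the policy reference from either the P3P response header or the link element shown above. The function names, the header-before-link ordering, and the restriction to http(s) URIs are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _P3PLinkFinder(HTMLParser):
    """Remembers the href of the first <link rel="P3Pv1"> in a page."""
    def __init__(self):
        super().__init__()
        self.href = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "link" and self.href is None and (a.get("rel") or "").lower() == "p3pv1":
            self.href = a.get("href")

def _resolve(page_url, ref):
    """Make ref absolute; accept only http(s) so a hostile page cannot
    point the agent at file: or other local schemes."""
    if not ref:
        return None
    absolute = urljoin(page_url, ref.strip())
    return absolute if urlsplit(absolute).scheme in ("http", "https") else None

def find_policyref(page_url, headers, body=""):
    """Return (policy reference URI, "header" | "link") or (None, None).

    headers: dict of response headers; body: the HTML text, if any.
    Checking the header before the link element is this example's choice.
    """
    for name, value in headers.items():
        if name.lower() == "p3p":
            m = re.search(r'policyref\s*=\s*"([^"]*)"', value, re.IGNORECASE)
            uri = _resolve(page_url, m.group(1)) if m else None
            if uri:
                return uri, "header"
    finder = _P3PLinkFinder()
    finder.feed(body)
    uri = _resolve(page_url, finder.href)
    return (uri, "link") if uri else (None, None)
```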

P3P Implementations

AT&T Privacy Minder

Screenshot of AT&T Privacy Minder