Hack 27. Establish a P3P Privacy Policy

The convergence of privacy concerns and widespread use of cookies necessitates a published commitment to privacy on your part. The Platform for Privacy Preferences provides an easy way to let your visitors know what data you're collecting and how you plan on using it.

According to the World Wide Web Consortium, the Platform for Privacy Preferences (P3P) initiative provides "a simple, automated way for users to gain more control over the use of personal information on web sites they visit." By allowing site operators to answer a standardized set of questions covering their site's privacy policy [Hack #26], P3P provides a mechanism for reporting your site's commitment to privacy so it can be compared to the visitor's expectations. By simplifying the interface to the browser's privacy controls via a set of predefined settings (ranging from "low" to "high" with "accept all cookies" and "block all cookies" options), P3P is helping consumers make better decisions about first- and third-party cookie acceptance.

2.16.1. Sounds Great, How Do I Set One Up?

Once you decide you want to set up a P3P policy (and if you haven't already done this, you need to immediately), the rest is relatively easy and can be done in six steps.

2.16.1.1 Step one: Create a written privacy policy.

Before you can codify anything, you have to have a privacy policy [Hack #26]. Make sure you've carefully outlined what data you're collecting, where you're collecting it, what you do with that information, who has access to the data, and how long you plan on keeping it around. You want your privacy policy to cover every aspect of data collection and sharing, not just regarding your web measurement program.

2.16.1.2 Step two: Determine which policies apply to which pages.

You'll most likely need different privacy policies for different pages and different visitor activities. You may want to establish a different policy for visitors who browse the site that explicitly states that you're using cookies to track visitor activity, and a more detailed policy for pages from which you're collecting personal information.

2.16.1.3 Step three: Select a P3P policy generator.

Policy generators are applications that will assist you in converting the information you've assembled in steps one and two into a machine-readable policy. The generator is going to be interested in who you are and how you can be contacted, the location of your written policy on your web site, assurances that your commitment to privacy is as you say it is, and information about the data elements you're collecting, including your web measurement.

While a more complete list of policy generators is available at p3ptoolbox.org, the following are generators recommended by the W3C:


IBM P3P Policy Generator

http://www.alphaworks.ibm.com/tech/p3peditor


privacybot.com

http://www.privacybot.com/


IAjapan's Privacy Policy Wizard (also available in Japanese)

http://fs.pics.enc.or.jp/p3pwiz/p3p_en.html


P3PEdit

http://policyeditor.com/


Customer Paradigm's P3P Privacy Policy Creation

http://www.customerparadigm.com/p3p-privacy-policy3.htm

2.16.1.4 Step four: Enter the information.

Once you've selected a policy generator, simply follow the steps sequentially to generate your policy. Make sure you use any error-checking facilities the generator has to ensure accuracy and, if you've determined that you need more than one policy, save each as sequential filenames (e.g., policy1.xml, policy2.xml, policy3.xml, etc.).

2.16.1.5 Step five: Create a policy reference file.

The generator should allow you to generate a policy reference file (called p3p.xml) that describes how each individual policy is applied to documents and directories on your web server. The following is an example policy reference file taken from the W3C's document on creating P3P policies and the basis for this hack:

  <META xmlns="http://www.w3.org/2001/09/P3Pv1">
    <POLICY-REFERENCES>
      <POLICY-REF about="/P3P/Policy3.xml">
        <INCLUDE>/cgi-bin/</INCLUDE>
        <INCLUDE>/servlet/</INCLUDE>
        <EXCLUDE>/servlet/unknown</EXCLUDE>
      </POLICY-REF>
      <POLICY-REF about="/P3P/Policy2.xml">
        <INCLUDE>/catalog/</INCLUDE>
      </POLICY-REF>
      <POLICY-REF about="/P3P/Policy1.xml">
        <INCLUDE>/*</INCLUDE>
        <EXCLUDE>/servlet/unknown</EXCLUDE>
      </POLICY-REF>
    </POLICY-REFERENCES>
  </META>

This file and the associated policies should then be uploaded to a directory called /w3c off of your web server's root directory. You should also, at this point, set up your web server to return a compact policy (CP) with each document's headers. A complete treatment of the fields used in the CP is available at http://www.microsoft.com/presspass/press/2001/mar01/PrivacyToolsIEfs.asp, but the header modification will look something like this (taken from http://www.w3.org/TR/p3pdeployment#Using_HTTP_Headers at the World Wide Web Consortium's description of P3P):

  HTTP/1.1 200 OK
  P3P: policyref="http://www.yoursite.com/w3c/p3p.xml",
       CP="NON DSP COR CURa ADMa DEVa CUSa TAIa OUR SAMa IND"
  Content-Type: text/html
  Content-Length: 8104
  Server: CC-Galaxy/1.3.18

The P3P header line shows how the compact policy is delivered to the browser, so that a determination about third-party cookies can be made as the page is loaded and rendered.

2.16.1.6 Step six: Validate your policy.

To validate your policy, you can either see the list of policy validators at p3ptoolbox.org or use the W3C's validator at http://www.w3.org/P3P/validator.html. You are able to enter any URL from your web site into the URI box to make sure a policy has been properly set for that page (Figure 2-10).

Figure 2-10. Policy validation


It is worth noting that if you're an Internet Explorer user, you can view any web site's privacy policy via the View Privacy Policy report in the menu bar.
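Before submitting URLs to a validator, the mapping in a policy reference file like the one in step five can be checked locally. The following is an added example, not code from the book or the W3C. It assumes the P3P 1.0 matching rules (an asterisk matches any run of characters, an EXCLUDE overrides an INCLUDE within the same POLICY-REF, and the first applicable POLICY-REF in file order wins); SAMPLE_PRF, pattern_matches, load_policy_refs and policy_for are illustrative names.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2001/09/P3Pv1}"  # namespace used in the page's example file
# Constructed sample modelled on the page's file. Directory patterns end in "*":
# under the assumed rule, a pattern without "*" matches only that exact path.
SAMPLE_PRF = """\
<META xmlns="http://www.w3.org/2001/09/P3Pv1"><POLICY-REFERENCES>
  <POLICY-REF about="/P3P/Policy3.xml">
    <INCLUDE>/cgi-bin/*</INCLUDE>
    <INCLUDE>/servlet/*</INCLUDE>
    <EXCLUDE>/servlet/unknown</EXCLUDE>
  </POLICY-REF>
  <POLICY-REF about="/P3P/Policy2.xml">
    <INCLUDE>/catalog/*</INCLUDE>
  </POLICY-REF>
  <POLICY-REF about="/P3P/Policy1.xml">
    <INCLUDE>/*</INCLUDE>
    <EXCLUDE>/servlet/unknown</EXCLUDE>
  </POLICY-REF>
</POLICY-REFERENCES></META>
"""

def pattern_matches(pattern, path):
    """'*' matches any run of characters; every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path) is not None

def load_policy_refs(xml_text):
    """Return [(policy_uri, include_patterns, exclude_patterns)] in file order."""
    refs = []
    for ref in ET.fromstring(xml_text).iter(NS + "POLICY-REF"):
        includes = [e.text.strip() for e in ref.findall(NS + "INCLUDE")]
        excludes = [e.text.strip() for e in ref.findall(NS + "EXCLUDE")]
        refs.append((ref.get("about"), includes, excludes))
    return refs

def policy_for(path, refs):
    """First POLICY-REF that includes and does not exclude path; None if uncovered."""
    for about, includes, excludes in refs:
        if (any(pattern_matches(p, path) for p in includes)
                and not any(pattern_matches(p, path) for p in excludes)):
            return about
    return None

if __name__ == "__main__":
    for path in ("/index.html", "/catalog/shoes.html", "/cgi-bin/search", "/servlet/unknown"):
        print(path, "->", policy_for(path, load_policy_refs(SAMPLE_PRF)) or "NO POLICY")
```

A path that resolves to no policy, such as /servlet/unknown here, is one for which the file declares no P3P policy at all, so any cookie set from it is evaluated without one.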

2.16.2. Wait, How Do I Deliver the Compact Policy?

The compact policy tokens must be sent as a part of a P3P HTTP header sent by the web server within the HTTP response for the object attempting to set a cookie in a third-party context. The following steps describe possible implementation for Microsoft IIS and Apache web servers.

For Microsoft Internet Information Server:

  1. Open the Internet Services Manager (Microsoft Management Console).

  2. Expand the Default Web Site or a specific web site under Internet Information Services.

  3. Right-click on the web site, page, or object (image, JavaScript file, etc.) to which you wish to add the P3P HTTP header and select Properties in the pop-up menu.

  4. Select the HTTP Headers dialog tab.

  5. Click the Add Custom HTTP Header button.

  6. In the "custom header" field, enter P3P.

  7. In the "custom header value" field, enter your compact policy exactly as follows:

      policyref="http://www.mysite.com/w3c/policy1.xml", CP="NOI DSP COR PSA PSAa OUR IND COM NAV STA"

2.16.2.1 Apache Web Server.

A compact policy HTTP header response can be added by including the following line in the appropriate configuration file (httpd.conf or .htaccess):

 Header append P3P "policyref=\"http://www.mysite.com/w3c/policy1.xml\", CP=\"NOI DSP COR PSA PSAa OUR IND COM NAV STA\""

Apache's mod_headers module needs to be included to push headers to the browser. Make sure that you're using mod_headers if you notice that the CP headers are not pushed.


For a little more information on implementation, you might take a look at http://www.w3.org/TR/p3pdeployment.

If you wish to implement a P3P policy on a per-HTML page basis (within the HTML code itself), Table 2-4 illustrates examples of such document headers in various languages.

Table 2-4. How to set P3P compact policies on a variety of application delivery platforms

Language

Code

HTML

  <META http-equiv="P3P" content="policyref='http://www.mysite.com/w3c/policy1.xml', CP='NOI DSP COR PSA PSAa OUR IND COM NAV STA'">

PHP

  header("P3P: policyref='http://www.mysite.com/w3c/policy1.xml', CP='NOI DSP COR PSA PSAa OUR IND COM NAV STA'");

ASP

  Response.AddHeader "P3P", "policyref='http://www.mysite.com/w3c/policy1.xml', CP='NOI DSP COR PSA PSAa OUR IND COM NAV STA'"

JSP

  response.setHeader("P3P", "policyref='http://www.mysite.com/w3c/policy1.xml', CP='NOI DSP COR PSA PSAa OUR IND COM NAV STA'");


Obviously, the last few code examples cover the setting of P3P HTTP headers for the document as a whole. Since most page-tag-based data collection solutions rely on the request-response headers of an embedded object such as an image or JavaScript file, the server-side P3P HTTP header response mechanism described above is the method to use.
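Once the server is configured, a captured response for the tag image or script can be checked for a well-formed P3P header. This is an added example, not code from the book: check_p3p and the sample responses are constructed for illustration, and the token check covers shape only (three capitals plus an optional a, i or o, as in the tokens shown above), not the full P3P vocabulary.

```python
import re

# Assumption: token shape is inferred from the tokens shown on this page (three
# capitals, optionally followed by a, i or o). This is a shape check only, not a
# lookup against the full P3P vocabulary.
TOKEN = re.compile(r"[A-Z]{3}[aio]?")
FIELD = re.compile(r"""(policyref|CP)\s*=\s*(["'])(.*?)\2""", re.I)

# Constructed responses for a tag image; hostnames follow the page's placeholders.
GOOD = ('HTTP/1.1 200 OK\r\n'
        'P3P: policyref="http://www.mysite.com/w3c/p3p.xml",\r\n'
        '  CP="NOI DSP COR PSA PSAa OUR IND COM NAV STA"\r\n'
        'Content-Type: image/gif\r\n\r\n')
SPLIT_TOKEN = ('HTTP/1.1 200 OK\r\n'
               'P3P: policyref="http://www.mysite.com/w3c/p3p.xml", CP="NOI DSP PS Aa OUR"\r\n'
               'Content-Type: image/gif\r\n\r\n')
NO_HEADER = 'HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n'

def check_p3p(raw_headers):
    """Return a list of problems with the P3P header in one raw header block."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)  # join folded header lines
    values = []
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "p3p":
            values.append(value.strip())
    if not values:
        return ["no P3P header"]
    fields = {m.group(1).lower(): m.group(3) for m in FIELD.finditer(values[0])}
    problems = []
    if "policyref" not in fields:
        problems.append("no policyref")
    tokens = fields.get("cp", "").split()
    if not tokens:
        problems.append("no compact policy tokens")
    problems += ["malformed token %r" % t for t in tokens if not TOKEN.fullmatch(t)]
    return problems

if __name__ == "__main__":
    for label, raw in [("good", GOOD), ("split token", SPLIT_TOKEN), ("no header", NO_HEADER)]:
        print(label, "->", check_p3p(raw) or "ok")
```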

2.16.3. Consequences of Omitting a Privacy Policy

Despite the fact that five of the six steps described above are pretty trivial (writing your privacy policy in the first place can take time, but you really need to do it anyway), you may decide to blow this off. I mean, what's the worst that could happen?

2.16.3.1 The "red eye".

The red eye is a small icon that appears in the lower-right corner of your P3P-compliant browser that lets you know that the site you're visiting is in some way violating your privacy expectations (Figure 2-11). Obviously, if you don't have a policy, you'll be serving many red eyes; they're served with greater or lesser frequency, depending on the type of information you're trying to collect and your use of cookies.

Figure 2-11. Privacy violation warning


2.16.3.2 Visitors will wonder why you don't care about their privacy.

More and more people have become attuned to P3P, thanks to the relatively easy Internet Explorer implementation (if not explained well from a consumer-benefit standpoint), and have become used to watching for the red eye and complaining when they see it. Because these policies are so easy to set up, there really is no excuse for not doing so. Trying to hide from your use of first- and third-party cookies for web measurement is a lousy idea, one that will eventually return to haunt you.

2.16.3.3 Eventually, the press will wonder why you don't care.

As demonstrated in an August 2000 debacle over the lack of adequate customer notice, the media does actually care when companies aren't very careful about how they collect information.[5] Depending on how big you are and how closely people are watching you, failing to establish a P3P policy that describes your use and collection of web measurement and personal identification could create a PR nightmare that you really don't want.

[5] See the Wired article "Lack of Notice Snags E-Service," by Chris Oakes, August 2, 2000 at http://www.wired.com/news/business/0,1367,37949,00.html.

For more information on creating a P3P policy, see either the W3C's P3P 1.0 Specification (http://www.w3.org/TR/P3P/) or description of how to make your site P3P-compliant (http://www.w3.org/P3P/details.html), or Microsoft's take on P3P as it relates to Internet Explorer (http://www.microsoft.com/presspass/press/2001/mar01/PrivacyToolsIEfs.asp). You may also want to pick up Lorrie Cranor's Web Privacy and P3P (O'Reilly).

Eric T. Peterson with Aaron Bird, Stephen Turner, Jim MacIntyre, and Jay McCarthy



    Web Site Measurement Hacks
    Web Site Measurement Hacks: Tips & Tools to Help Optimize Your Online Business
    ISBN: 0596009887
    EAN: 2147483647
    Year: 2005
    Pages: 157
