22.2. The Platform for Privacy Preferences (P3P)

In April 2002, the World Wide Web Consortium (W3C) published the Platform for Privacy Preferences 1.0 (P3P 1.0) Specification, which defines a standard way of encoding web site privacy policies in an XML format, as well as mechanisms for locating and transporting these policies.[10] P3P was designed so that web sites can adopt it easily without the need to change their web server software. Two years after P3P 1.0 was published, 1 in 3 of the top 100 web sites and 1 in 4 of the top 500 web sites had adopted it.[11]

[10] Lorrie Cranor, Marc Langheinrich, Massimo Marchiori, Martin Presler-Marshall, and Joseph Reagle, "The Platform for Privacy Preferences 1.0 (P3P 1.0) Specification," W3C Recommendation (Apr. 16, 2002); http://www.w3.org/TR/P3P/.

[11] Ernst & Young, P3P Dashboard Report (May 2004); http://www.ey.com/global/download.nsf/US/P3P_Dashboard_-_May_2004/$file/E&YP3PDashboardMay2004.pdf.

22.2.1. How P3P Works

A privacy policy encoded according to the P3P 1.0 Specification is referred to as a P3P policy. P3P policies include eight major components. Each component is represented as an XML element. Some of these XML elements also have subelements, and some of them are described by XML attributes. For example, the use of collected data is represented by the "purpose" element. The specification defines 11 purpose subelements, each representing a data use. In addition, each of these purpose subelements has a "required" attribute that indicates whether the data may be used for this purpose all the time, on an opt-in basis, or on an opt-out basis.

Figure 22-1 gives an overview of the major P3P policy components. The purpose, data, recipients, retention, and consequence elements are bundled together into a structure called a P3P statement. A P3P policy contains one or more statements. Sites use the statement structure to indicate types of data that are treated in similar ways. For example, a site might have one statement to describe the information it stores in logfiles, and one statement to describe the information it collects from individuals who make purchases at the site. A P3P policy for a site with a relatively simple privacy policy is shown in Figure 22-2. This policy includes only one statement.

Figure 22-1. The major components of a P3P policy


Figure 22-2. Example P3P policy


The P3P policy syntax is extensible, allowing for the addition of new required or optional policy components without necessitating a new version of the P3P Specification.
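The following is an added example, not code from the book or from any P3P implementation it describes. It parses a constructed single-statement P3P policy of the kind shown in Figure 22-2 with Python's standard XML library, pulls out the purpose subelements with their "required" attribute (defaulting to "always", as the specification does), and then runs a deliberately simple preference check that is not APPEL: a purpose the user refuses is a conflict unless the site only claims it on an opt-in basis. Element names and the namespace URI follow the P3P 1.0 Recommendation; the policy text, the site name and the refused-purpose set are constructed for the example. Unknown purpose elements and bad "required" values are rejected rather than ignored, because a user agent that silently skips what it does not understand will misreport a site's practices.

```python
import xml.etree.ElementTree as ET

# Namespace of P3P 1.0 policy documents (W3C Recommendation, April 2002).
P3P_NS = "http://www.w3.org/2002/01/P3Pv1"

def tag(name):
    """Namespace-qualify an element name for ElementTree lookups."""
    return f"{{{P3P_NS}}}{name}"

# The 11 purpose subelements defined by P3P 1.0, plus the free-text other-purpose.
PURPOSES = {
    "current", "admin", "develop", "tailoring", "pseudo-analysis",
    "pseudo-decision", "individual-analysis", "individual-decision",
    "contact", "historical", "telemarketing", "other-purpose",
}
# Legal values of the "required" attribute; the attribute defaults to "always".
REQUIRED_VALUES = {"always", "opt-in", "opt-out"}

# Constructed sample policy with a single statement covering web server logs.
SAMPLE_POLICY = f"""<POLICIES xmlns="{P3P_NS}">
  <POLICY name="logs" discuri="http://www.example.com/privacy.html">
    <ACCESS><nonident/></ACCESS>
    <STATEMENT>
      <CONSEQUENCE>We keep standard web server logs.</CONSEQUENCE>
      <PURPOSE><current/><admin/><develop/><tailoring required="opt-out"/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#dynamic.clickstream"/>
        <DATA ref="#dynamic.http"/>
      </DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>"""

def local(element):
    """Element name without its namespace prefix."""
    return element.tag.rsplit("}", 1)[-1]

def parse_statement(st):
    """Turn one STATEMENT element into a dict of purposes, recipients, retention and data refs."""
    purposes = {}
    purpose_el = st.find(tag("PURPOSE"))
    if purpose_el is not None:
        for p in purpose_el:
            name = local(p)
            if name not in PURPOSES:
                raise ValueError(f"unknown purpose element <{name}>")
            required = p.get("required", "always")
            if required not in REQUIRED_VALUES:
                raise ValueError(f"bad required value {required!r} on <{name}>")
            purposes[name] = required
    recipient_el = st.find(tag("RECIPIENT"))
    retention_el = st.find(tag("RETENTION"))
    return {
        "purposes": purposes,
        "recipients": [local(r) for r in recipient_el] if recipient_el is not None else [],
        "retention": [local(r) for r in retention_el] if retention_el is not None else [],
        "data": [d.get("ref") for d in st.iter(tag("DATA"))],
    }

def parse_policies(xml_text):
    """Return a list of {name, access, statements} dicts, one per POLICY element."""
    root = ET.fromstring(xml_text)
    result = []
    for pol in root.iter(tag("POLICY")):
        access_el = pol.find(tag("ACCESS"))
        result.append({
            "name": pol.get("name"),
            "access": [local(a) for a in access_el] if access_el is not None else [],
            "statements": [parse_statement(st) for st in pol.findall(tag("STATEMENT"))],
        })
    return result

def conflicting_purposes(policy, refused):
    """Purposes the user refuses that the site claims other than on an opt-in basis.

    Simplified preference check (not APPEL): an opt-in purpose is acceptable because
    the data is only used that way if the user affirmatively agrees.
    """
    conflicts = []
    for st in policy["statements"]:
        for purpose, required in st["purposes"].items():
            if purpose in refused and required != "opt-in":
                conflicts.append((purpose, required))
    return conflicts

if __name__ == "__main__":
    for policy in parse_policies(SAMPLE_POLICY):
        print(policy["name"], policy["statements"][0]["purposes"])
        print("conflicts:", conflicting_purposes(policy, {"tailoring", "telemarketing"}))
```

Run stand-alone, the script reports that the sample site's opt-out tailoring conflicts with a user who refuses tailoring, while the refused telemarketing purpose is simply absent from the policy and so raises nothing.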

The P3P 1.0 Specification also includes syntax for a P3P compact policy, an abbreviated version of an XML P3P policy that describes a web site's data practices with respect to cookies. Compact policies consist of combinations of three-letter tokens, many of which can be modified by a compact version of the required attribute. Fifty-two such tokens are specified. P3P compact policies are optional for P3P-enabled web sites; they are used by some P3P user agents to facilitate rapid cookie-blocking decisions without the need to fetch a complete P3P policy and load it into an XML parser. Web sites that have compact policies must also have full P3P policies. However, web sites with full policies are not required to have compact policies. Indeed, sites that don't have cookies have no need for compact policies at all. Because the P3P policy in Figure 22-2 does not mention cookies, there is no corresponding compact policy. A web site that uses cookies to tailor site content each time a user returns to that site (unless the user opts out) might have a compact policy that looks something like this:

     CP="NON DSP ADM DEV PSDo OUR PRE NAV UNI STA" 

These 10 P3P compact policy tokens have the following meanings:


NON

We do not give you access to our information about you.


DSP

Our full P3P policy includes ways to resolve privacy-related disputes with us.


ADM

We may use your information to perform web site and system administration.


DEV

We may use your information for research and development, but without connecting any information to you.


PSDo

We may use your information to make decisions that directly affect you without identifying you (for example, to display content or ads based on links you clicked on previously) unless you opt out.


OUR

We may share your information with companies that help us fulfill your requests (for example, shipping a product to you), but these companies must not use your information for any other purpose.


PRE

We may collect information about your tastes or interests.


NAV

We may collect information about which pages you visited on this web site and how long you stayed at each page.


UNI

We may collect web site login IDs and other identifiers (excluding government IDs and financial account numbers).


STA

We may use cookies and mechanisms that perform similar functions.
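As an added example (not code from the book or from IE6), here is the compact-policy side of a P3P user agent in Python: it extracts the CP value from a P3P response header, splits it into tokens, applies the one-letter modifier that stands in for the "required" attribute, and then makes the kind of cookie decision the text attributes to IE6's default setting, blocking a third-party cookie that arrives without a compact policy. The example knows only the 10 tokens listed above (the specification defines 52), so anything else is reported rather than guessed at; the hostname comparison used to decide "third-party" is a simplification, as is the decision rule itself. The header value, host names and meanings table are constructed for the example.

```python
import re

# The 10 compact policy tokens from the CP header above, with the meanings the text gives.
# Purpose tokens (here ADM, DEV, PSD) may carry a one-letter suffix standing in for the
# "required" attribute: a = always, i = opt-in, o = opt-out. The spec defines 52 tokens;
# this example only knows these 10, so anything else is reported as unrecognized.
KNOWN_TOKENS = {
    "NON": ("no access to the information held about you", False),
    "DSP": ("full policy describes dispute resolution", False),
    "ADM": ("site and system administration", True),
    "DEV": ("research and development, not linked to you", True),
    "PSD": ("decisions about you without identifying you", True),
    "OUR": ("shared only with agents acting on our behalf", False),
    "PRE": ("collects preference data", False),
    "NAV": ("collects navigation data", False),
    "UNI": ("collects unique identifiers such as login IDs", False),
    "STA": ("uses cookies or similar state mechanisms", False),
}
MODIFIERS = {"a": "always", "i": "opt-in", "o": "opt-out"}
TOKEN_RE = re.compile(r"^([A-Z]{3})([aio])?$")

def extract_compact_policy(p3p_header):
    """Pull the quoted CP value out of a P3P response header; None if there is none."""
    m = re.search(r'CP="([^"]*)"', p3p_header or "")
    return m.group(1) if m else None

def parse_compact_policy(cp):
    """Return ({token: required}, [problem tokens]); unknown or malformed tokens are not guessed at."""
    parsed, problems = {}, []
    for raw in cp.split():
        m = TOKEN_RE.match(raw)
        if m is None or m.group(1) not in KNOWN_TOKENS:
            problems.append(raw)
            continue
        base, modifier = m.groups()
        if modifier and not KNOWN_TOKENS[base][1]:
            problems.append(raw)  # modifier on a token that does not take one
            continue
        parsed[base] = MODIFIERS[modifier] if modifier else "always"
    return parsed, problems

def cookie_decision(page_host, cookie_host, p3p_header):
    """Decide whether to accept a cookie: simplified model of the IE6 default described above.

    Third-party means the cookie's host differs from the page's host (a simplification;
    a real agent would compare registrable domains). A compact policy is a site's own
    unverified claim, so a policy that cannot be parsed cleanly is treated as absent.
    """
    third_party = cookie_host != page_host
    cp = extract_compact_policy(p3p_header)
    parsed, problems = parse_compact_policy(cp) if cp is not None else ({}, [])
    if cp is None or problems:
        reason = "no compact policy" if cp is None else f"unrecognized tokens: {' '.join(problems)}"
        return ("block", reason) if third_party else ("allow", "first-party cookie, " + reason)
    return ("allow", "compact policy: " + " ".join(f"{t}={r}" for t, r in parsed.items()))

if __name__ == "__main__":
    # Constructed header: a policyref and the CP string from the text.
    header = 'policyref="/w3c/p3p.xml", CP="NON DSP ADM DEV PSDo OUR PRE NAV UNI STA"'
    print(parse_compact_policy(extract_compact_policy(header)))
    print(cookie_decision("www.example.com", "ads.example.net", None))
    print(cookie_decision("www.example.com", "ads.example.net", header))
```

Treating an unparseable compact policy as absent is the conservative choice for a user agent: the header is the site's own assertion about its practices, so a claim the agent cannot even read should not earn the cookie more latitude than no claim at all.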

A P3P policy reference file is an XML-encoded file that is used to indicate the parts of a web site to which a P3P policy applies. Policy reference files specify the location of one or more P3P policies and a URL or set of URLs to which each applies. Most web sites place their policy reference files at a standard well-known location: /w3c/p3p.xml. Thus, P3P user agents can make an HTTP GET request for this file in order to learn the location of the P3P files on a web site. After parsing this file, P3P user agents can make additional GET requests to obtain P3P policy files. As P3P policies generally apply to many (or all) URLs on a site, it is not necessary for user agents to fetch these files every time a user requests a new page on a site. By default, P3P files have a lifetime of 24 hours, meaning that if a user returns to a site within one day, no new P3P files need to be fetched. Optionally, P3P policies may be embedded in policy reference files to simplify site administration and reduce the number of round trips necessary to retrieve P3P files from a site.

While the vast majority of web sites use the well-known location,[12] P3P 1.0 also supports two additional mechanisms for locating policy reference files. Webmasters can place policy reference files at arbitrary locations on their sites and reference them through links embedded in HTML content or in special P3P HTTP headers. P3P HTTP headers are also used to transport P3P compact policies. P3P 1.1 is expected to introduce mechanisms for binding P3P policies to arbitrary XML elements so as to facilitate locating P3P policies for XForms and web services applications.

[12] Simon Byers, Lorrie Cranor, and David Kormann, "Automated Analysis of P3P-Enabled Web Sites," Proceedings of the Fifth International Conference on Electronic Commerce (ICEC 2003) (Pittsburgh, PA, Oct. 1-3, 2003); http://lorrie.cranor.org/pubs/icec03.html.
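The policy reference file mechanism described above, as an added Python example that is not code from the book or from any P3P user agent. It parses a constructed /w3c/p3p.xml, maps a requested path to the policy that covers it using the INCLUDE and EXCLUDE patterns, and tracks when the cached file expires, using the 24-hour default lifetime from the text unless an EXPIRY element says otherwise. Element names follow the P3P 1.0 Recommendation; the sample file, its policy URLs and its paths are constructed, the "first matching reference wins" ordering is the rule this example assumes, and the only wildcard handled in patterns is "*".

```python
import re
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"
WELL_KNOWN_LOCATION = "/w3c/p3p.xml"      # where a user agent first looks
DEFAULT_MAX_AGE = 24 * 60 * 60            # P3P files live 24 hours unless EXPIRY says otherwise

def tag(name):
    """Namespace-qualify an element name for ElementTree lookups."""
    return f"{{{P3P_NS}}}{name}"

# Constructed sample reference file: one policy for the whole site except CGI scripts and
# the checkout area, which has its own policy; a 48-hour EXPIRY overrides the one-day default.
SAMPLE_REFERENCE_FILE = f"""<META xmlns="{P3P_NS}">
  <POLICY-REFERENCES>
    <EXPIRY max-age="172800"/>
    <POLICY-REF about="/P3P/policy.xml#logs">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/cgi-bin/*</EXCLUDE>
      <EXCLUDE>/checkout/*</EXCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/P3P/policy.xml#purchases">
      <INCLUDE>/checkout/*</INCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>"""

def pattern_to_regex(pattern):
    """P3P INCLUDE/EXCLUDE patterns: literal text with '*' matching any run of characters."""
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")

def parse_reference_file(xml_text, fetched_at):
    """Return the policy references and the absolute time at which this file expires."""
    root = ET.fromstring(xml_text)
    refs_el = root.find(tag("POLICY-REFERENCES"))
    if refs_el is None:
        raise ValueError("no POLICY-REFERENCES element")
    max_age = DEFAULT_MAX_AGE
    expiry = refs_el.find(tag("EXPIRY"))
    if expiry is not None and expiry.get("max-age") is not None:
        max_age = int(expiry.get("max-age"))
    refs = []
    for ref in refs_el.findall(tag("POLICY-REF")):
        refs.append({
            "about": ref.get("about"),
            "include": [pattern_to_regex(e.text.strip()) for e in ref.findall(tag("INCLUDE"))],
            "exclude": [pattern_to_regex(e.text.strip()) for e in ref.findall(tag("EXCLUDE"))],
        })
    return {"refs": refs, "expires_at": fetched_at + max_age}

def is_fresh(ref_file, now):
    """True while the cached reference file may still be used without a new GET."""
    return now < ref_file["expires_at"]

def policy_for_path(ref_file, path):
    """Policy covering a path: first reference whose INCLUDE matches and no EXCLUDE does."""
    for ref in ref_file["refs"]:
        included = any(p.match(path) for p in ref["include"])
        excluded = any(p.match(path) for p in ref["exclude"])
        if included and not excluded:
            return ref["about"]
    return None  # no policy declared for this path

if __name__ == "__main__":
    rf = parse_reference_file(SAMPLE_REFERENCE_FILE, fetched_at=0)
    for path in ("/index.html", "/cgi-bin/search", "/checkout/cart"):
        print(path, "->", policy_for_path(rf, path))
    print("fresh after one day:", is_fresh(rf, 86400), "after three days:", is_fresh(rf, 3 * 86400))
```

A user agent built on this would GET WELL_KNOWN_LOCATION once, call parse_reference_file with the fetch time, and consult policy_for_path for each page until is_fresh turns false; a path that resolves to None has no declared policy and should be treated like a site that is not P3P enabled.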

A separate W3C specification called A P3P Preference Exchange Language (APPEL) provides syntax for encoding user preferences about privacy.[13] APPEL is a rule-based language encoded in XML. P3P user agents can compare APPEL-encoded preferences with a P3P policy to determine whether a site's policy matches a user's preferences; however, P3P user agents are not required to use APPEL. Unlike the P3P 1.0 Specification, APPEL is not an official W3C Recommendation and is considered somewhat experimental. Nonetheless, it is used in several P3P software implementations.

[13] Lorrie Cranor, Marc Langheinrich, and Massimo Marchiori, "A P3P Preference Exchange Language 1.0 (APPEL1.0)," W3C Working Draft (April 15, 2002); http://www.w3.org/TR/P3P-preferences/.

22.2.2. P3P User Agents

Most Windows computer users are probably already using P3P user agents without realizing it. That is because the Microsoft Internet Explorer 6 and Netscape Navigator 7 web browsers include basic P3P functionality. When I speak to an audience about privacy, I often ask for a show of hands to see how many people use these browsers and how many of them are aware of the P3P features. While most audience members typically use these browsers, very few are aware of the P3P features. Thus, it appears that the vast majority of these people are using P3P features at their default settings without customizing them to reflect their personal privacy preferences.

IE6 checks the HTTP headers sent with cookies for P3P compact policies automatically. Under IE6's default setting, cookies without compact policies may be blocked if they are set by a "third-party" web site, that is, if they are associated with an advertisement or other content embedded in a web page that is served from a different domain from the page in which it is embedded. Other cookies may be blocked or restricted depending on the substance of a compact policy and the user's cookie settings. As shown in Figure 22-3, a small icon featuring a picture of an eye with a do-not-enter sign appears in the lower-right corner of the browser window when a cookie is blocked or restricted. While users may not notice this icon and may be unaware of this P3P feature, web sites that set third-party cookies are becoming increasingly aware of it. When blocked cookies start interfering with the functionality of their web site, many webmasters quickly add P3P policies and compact policies to their sites.[14]

[14] Lorrie Cranor, "Help! IE6 is Blocking My Cookies," O'Reilly Network (Oct. 2002); http://www.oreillynet.com/pub/a/javascript/2002/10/04/p3p.html.

Figure 22-3. IE6 icon indicating cookie is blocked or restricted


IE6 also offers a "privacy report" feature that users can select from the browser's View menu. Selecting this feature causes the browser to check for a site's full P3P policy. If the browser is able to fetch the policy, it parses the XML and displays a human-readable representation of the policy, as shown in Figure 22-4.

Figure 22-4. First screen of the IE6 privacy report for Microsoft.com


Navigator 7 has P3P features similar to those in IE6. It employs a slightly different cookie interface and default settings. Netscape can also generate a human-readable version of a site's P3P policy, as shown in Figure 22-5. The Netscape version of a P3P policy is shorter and uses sentence fragments and bulleted lists where IE6 uses complete sentences and paragraphs.

Figure 22-5. First screen of the Netscape Navigator 7 privacy report for Microsoft.com


I led the development of AT&T Privacy Bird, an IE5/6 add-on available as a free download from http://privacybird.com/. Once installed, a bird icon appears on the right side of the IE6 title bar, as shown in Figure 22-6. Privacy Bird checks for P3P policies at every site a user visits and compares them with the privacy preference settings the user has configured through a menu accessed by clicking on the bird. At sites that match a user's privacy preferences, the bird icon turns green; at sites that do not match, the icon turns red; and at sites that are not P3P enabled, the icon turns yellow. Symbols in the bird's song "bubble" also help distinguish these three icons. In addition, users can optionally configure Privacy Bird to play distinctive sounds corresponding to the appearance of each icon.

Figure 22-6. The Privacy Bird "green bird" icon and My Preferences menu


Privacy Bird can also generate and display a human-readable version of a site's P3P policy. Similar to the Netscape version, this version also uses short phrases and bulleted lists.

Privacy Bird offers more configuration options than IE6 and Netscape 7, and it allows users to import APPEL preference files. However, Privacy Bird (version beta 1.2) does not have cookie-blocking capabilities.[15]

[15] We originally planned to implement cookie blocking in Privacy Bird, but discovered that it is fairly difficult to get this to work in a browser helper object. Martin discusses this problem in the context of Bugnosis. See Chapter 23, this volume.



Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295