P3P - Platform for Privacy Preference
Barkha J. Herman
Florida Atlantic University
Introduction
W3C emerging standard
Allows users to control how personal info is used by web sites
Uses XML and RDF to express policies
HTTP for transport
Background
Recommendation proposed by W3C
Issue with usage of cookies / data collection by web sites.
Working group est. 1997.
Specification 1.0 published April 2002
Future – CC/PP, XML Signatures.
Why P3P?
Privacy - top concern of individuals
Privacy issues impeding growth
Early attempts on disclosure lengthy and confusing
Need for consistency, simplicity, transparency
Global solution for global market
What does it address?
Who is collecting this data? Exactly what information is being collected? For what purposes? Which information is being shared with others? And who are these data recipients? Can users make changes in how their data is used? How are disputes resolved? What is the policy for retaining data? And finally, where can the detailed policies be found in "human readable" form?
How does it work
Policies are expressed in XML – machine readable
Policies are transferred over HTTP
Retrieval can be automated
Policy verification is seamless
Privacy Reports are viewable by client – human readable
How does it work?
Enabling – Server side
Create a policy file
Publish it in the default directory (/w3c/p3p.xml)
Optionally, include reference in the HTTP header
Optionally, include compact notation in the HTTP header
Enabling – Client side
User Agent checks for policy
User agent compares against set policy
If match, user agent gets page and displays
If no match, page (or cookie) is rejected
User Agent displays privacy report
P3P reference in HTTP header

    HTTP/1.1 200 OK
    Date: Wed, 17 Mar 2004 20:23:59 GMT
    Server: Apache/1.3.28 (Unix) PHP/4.2.3
    Content-Location: Overview.html
    Vary: negotiate,accept
    TCN: choice
    P3P: policyref="http://www.w3.org/2001/05/P3P/p3p.xml"
    Cache-Control: max-age=600
    Expires: Wed, 17 Mar 2004 20:33:59 GMT
    Last-Modified: Tue, 16 Mar 2004 14:59:42 GMT
Compact notation in HTTP header

    HTTP/1.0 200 OK
    Date: Wed, 17 Mar 2004 20:22:13 GMT
    Content-Length: 428
    Content-Type: text/html
    Expires: Wed, 17 Mar 2004 20:52:13 GMT
    Cache-Control: max-age=1800
    Server: Microsoft-IIS/5.0
    P3P: CP="CAO CURa ADMa PSAo PSDo IVAo IVDo OUR BUS PHY ONL PUR COM NAV INT DEM CNT STA PRE"
    IISExport: This web site was exported using IIS Export v2.2
    Content-Location: http://www.oldnavy.com/taghtml/default.html
    Last-Modified: Tue, 03 Jun 2003 20:35:10
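The client-side check from "Enabling – Client side", applied to the compact policy in the header above, as an added example that is not part of the original slides: it decodes the CP tokens against the P3P 1.0 compact vocabulary and applies a user preference. The `evaluate` rule and the `BLOCKED` set are assumptions made for illustration, not any browser's actual algorithm.

```python
import re

# Compact-policy tokens from the P3P 1.0 specification, grouped by element.
VOCAB = {
    "ACCESS": "NOI ALL CAO IDC OTI NON",
    "PURPOSE": "CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP",
    "RECIPIENT": "OUR DEL SAM UNR PUB OTR",
    "RETENTION": "NOR STP LEG BUS IND",
    "CATEGORIES": "PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC",
    "OTHER": "DSP COR MON LAW NID TST",
}
ELEMENT = {tok: el for el, toks in VOCAB.items() for tok in toks.split()}
# Suffix on PURPOSE/RECIPIENT tokens; a missing suffix is read as "always".
CONSENT = {"": "always", "a": "always", "i": "opt-in", "o": "opt-out"}


def parse_p3p_header(value):
    """Return (policyref URI or None, decoded CP tokens, unrecognised tokens)."""
    fields = dict(re.findall(r'(policyref|CP)\s*=\s*"([^"]*)"', value))
    tokens, unknown = [], []
    for raw in fields.get("CP", "").split():
        m = re.fullmatch(r"([A-Z]{3})([aio]?)", raw)
        el = ELEMENT.get(m.group(1)) if m else None
        if el and (not m.group(2) or el in ("PURPOSE", "RECIPIENT")):
            tokens.append((el, m.group(1), CONSENT[m.group(2)]))
        else:
            unknown.append(raw)
    return fields.get("policyref"), tokens, unknown


def evaluate(value, blocked):
    """Hypothetical compact-only user agent: reject when the header has no
    usable compact policy, or a blocked token applies without opt-in."""
    _, tokens, unknown = parse_p3p_header(value)
    if unknown or not tokens:
        return "reject", unknown or ["no compact policy"]
    hits = [f"{tok}:{c}" for _, tok, c in tokens if tok in blocked and c != "opt-in"]
    return ("reject", hits) if hits else ("accept", [])


# Compact policy copied from the response header shown above.
SLIDE_CP = ('CP="CAO CURa ADMa PSAo PSDo IVAo IVDo OUR BUS PHY ONL PUR '
            'COM NAV INT DEM CNT STA PRE"')
# Constructed preference: profiling and contact purposes require opt-in.
BLOCKED = {"PSA", "PSD", "IVA", "IVD", "CON", "TEL"}

if __name__ == "__main__":
    print(evaluate(SLIDE_CP, BLOCKED))
    print(evaluate('policyref="http://www.w3.org/2001/05/P3P/p3p.xml"', BLOCKED))
```

An agent with full P3P 1.0 support would fetch the `policyref` document and evaluate the XML policy instead of rejecting a header that carries no compact policy.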
Example Policy File

    <?xml version="1.0" ?>
    <POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
      <EXPIRY max-age="604800" />
      <POLICY name="public"
              discuri="http://www.w3.org/Consortium/Legal/privacy-statement#Public">
        <ENTITY>
          <DATA-GROUP>
            <DATA ref="#business.name">World Wide Web Consortium</DATA>
            <DATA ref="#business.contact-info.postal.name">MIT/LCS</DATA>
            <DATA ref="#business.contact-info.postal.street">545 Technology Square</DATA>
            <DATA ref="#business.contact-info.postal.postalcode">02143</DATA>
            <DATA ref="#business.contact-info.postal.city">Cambridge MA</DATA>
            <DATA ref="#business.contact-info.postal.country">USA</DATA>
            <DATA ref="#business.contact-info.postal.name">INRIA/Sophia Antipolis</DATA>
            <DATA ref="#business.contact-info.postal.street">2004 Routes des Lucioles</DATA>
            <DATA ref="#business.contact-info.postal.postalcode">F-06902</DATA>
            <DATA ref="#business.contact-info.postal.city">Sophia Antipolis</DATA>
            <DATA ref="#business.contact-info.postal.country">FRANCE</DATA>
            <DATA ref="#business.contact-info.postal.name">Keio University</DATA>
            <DATA ref="#business.contact-info.postal.street">Shonan Fujisawa Campus</DATA>
            <DATA ref="#business.contact-info.postal.postalcode">252-8520</DATA>
            <DATA ref="#business.contact-info.postal.city">5322 Endo, Fujisawa-shi, Kanagawa</DATA>
            <DATA ref="#business.contact-info.postal.country">JAPAN</DATA>
            <DATA ref="#business.contact-info.online.email">[email protected]</DATA>
            <DATA ref="#business.contact-info.telecom.telephone.intcode">1</DATA>
            <DATA ref="#business.contact-info.telecom.telephone.loccode">617</DATA>
            <DATA ref="#business.contact-info.telecom.telephone.number">2532613</DATA>
            <DATA ref="#business.contact-info.online.email">[email protected]</DATA>
            <DATA ref="#business.contact-info.online.uri">http://www.w3.org/</DATA>
            <DATA ref="#business.contact-info.telecom.telephone.intcode">1</DATA>
            <DATA ref="#business.contact-info.telecom.telephone.loccode">617</DATA>
            <DATA ref="#business.contact-info.telecom.telephone.number">2532613</DATA>
          </DATA-GROUP>
        </ENTITY>
        <ACCESS>
          <nonident />
        </ACCESS>
        <DISPUTES-GROUP>
          <DISPUTES resolution-type="service" service="http://www.w3.org/"
                    short-description="[email protected]">
            <LONG-DESCRIPTION>The Webmaster and our Communications Team will carefully consider the input and correct errors. If you discover privacy invasive behavior, please don't hesitate to contact us.</LONG-DESCRIPTION>
            <IMG src="http://www.w3.org/Icons/WWW/w3c_home" width="72" height="48"
                 alt="Logo World Wide Web Consortium" />
            <REMEDIES>
              <correct />
            </REMEDIES>
          </DISPUTES>
        </DISPUTES-GROUP>
        <STATEMENT>
          <CONSEQUENCE>We collect normal Web-Logs. They are used for Server administration, Web protocol research, Statistics of usage and Security.</CONSEQUENCE>
          <PURPOSE> <current /> <admin /> <develop /> </PURPOSE>
          <RECIPIENT> <ours /> </RECIPIENT>
          <RETENTION> <indefinitely /> </RETENTION>
          <DATA-GROUP>
            <DATA ref="#dynamic.clickstream" />
            <DATA ref="#dynamic.http.useragent" />
            <DATA ref="#dynamic.http.referer" />
          </DATA-GROUP>
        </STATEMENT>
      </POLICY>
    </POLICIES>
User Agent support
IE 6.0 – supports compact notation only
Netscape 7.0 – complete support for 1.0
AT&T Privacy bird plugin – 1.0 support
Editors
P3PEdit
P3PEditor
PrivacyBot
Privacy Policy Editor – web based
AlphaWorks P3P Editor
Validators
http://www.w3.org/P3P/validator.html
(only game in town)
APPEL – A P3P Preference Exchange Language 1.0 (APPEL1.0)
W3C working draft that specifies a language for describing sets of preferences about P3P policies.
Rule-set for expressing P3P

    <appel:RULE behavior="request"
                description="My Bank collects data only for itself and its agents">
      <appel:REQUEST-GROUP>
        <appel:REQUEST uri="http://www.my-bank.com/*"/>
      </appel:REQUEST-GROUP>
      <p3p:POLICY>
        <p3p:STATEMENT>
          <p3p:RECIPIENT appel:connective="or-exact">
            <p3p:ours/>
          </p3p:RECIPIENT>
        </p3p:STATEMENT>
      </p3p:POLICY>
    </appel:RULE>
P3P vs. OPS
The Open Profiling Standard - proposal co-authored by Netscape, Firefly, and VeriSign. This specification proposed a means for the exchange of user profile information -- how to store and release, under the user's permission, data which is often requested or required by a Web site.
Eventually, the P3P working groups decided not to include a data transfer protocol as part of P3Pv1.
P3P – Digital Signature assurance
W3C Note – Not a specification
The design philosophy and requirements of this specification are to:
Define what it means for a P3P Policy to be assured via an XML Signature.
Provide detached signatures for P3P Policies and Assurances.
Enveloping signatures MAY contain the P3P Policy Reference. This can be convenient in that all the files are included together, but this has the following two disadvantages: the Signature is the root element, and XPointer is required to select portions of the document.
Enveloped signatures are prohibited by P3P's content model.
Be concise and unambiguous.
Critiques
Weak on Company data
Lack of Enforcement
Policy changes do not reflect collected data
Future…
Version 1.x: Allow policy choice; Explicit agreement; Non repudiation (DSig?)
CC/PP (Composite Capability Preference Profiles) – now Device Independent WG