U.S. Department of Commerce Web Advisory Group, http://www.osec.doc.gov/webresources/

Privacy Provisions of the E-Government Act of 2002, Section 208 (PowerPoint presentation, 32 slides)

Uploaded by michel, posted 12-Jan-2016


TRANSCRIPT

Page 1: U.S. Department of Commerce Web Advisory Group osec.doc/webresources

U.S. Department of Commerce Web Advisory Group

http://www.osec.doc.gov/webresources/

Privacy Provisions of the E-Government Act of 2002

Section 208

Page 2:

Privacy Policy Requirement Changes

• The "Privacy Statement" or "Privacy Notice" must now be renamed "Privacy Policy"

• The privacy policy statements of all Commerce Web sites must notify Web site visitors of their rights under the Privacy Act. This requirement applies regardless of whether the Web site uses or collects any Privacy Act information, or indeed, any information at all.

• The privacy policy statement must inform users how to grant consent to use of voluntarily-provided information.

• When an agency Web site requests that a user provide voluntary information, it must explicitly inform the user that providing the information is voluntary.

Page 3:

• The privacy policy statement must include, in clear language, information about management, operation, and technical controls ensuring the security and confidentiality of personally identifiable records, and, in general terms, information about any additional safeguards used to identify and prevent unauthorized attempts to access or cause harm to information and systems.

• The policy on use of persistent cookies is extended to include any persistent tracking technology. Therefore, prior to use of any such technology, approval must be obtained from the Secretary of Commerce in the same fashion as for persistent cookies.

• Both a “human readable” Privacy Policy and agency use of machine-readable technology that alerts users automatically about whether site privacy practices match their personal privacy preferences are required.

Page 4:

Isn’t the Text Version Enough?

• Most users do not see the text privacy policy until after they have visited one or more of the site’s pages.

• Text privacy policies are sometimes difficult for users to locate, too lengthy for users to read, difficult to understand, and can change without notice.

Page 5:

Machine-Readable Policy

• The Platform for Privacy Preferences Project (P3P) is the standard for machine-readable Privacy Policy.

• P3P enables web sites to translate their privacy practices into a standardized format (Extensible Markup Language - XML) that can be retrieved automatically and easily interpreted by a user's browser.

Page 6:

What Does P3P Address?

• Who is collecting data?

• What data is collected?

• For what purpose will data be used?

• Is there an ability to opt-in or opt-out of some data uses?

• Who are the data recipients (anyone beyond the data collector)?

• To what information does the data collector provide access?

• What is the data retention policy?

• How will disputes about the policy be resolved?

• Where is the human-readable Privacy Policy?


Page 7:

What P3P Does Not Address

• P3P does not set minimum standards for privacy; nor can it monitor compliance with stated policy.

– Certain types of “cookies” can be blocked based on type of cookie but not based on content of information in them.

• Implementation varies among browsers.

– None go beyond cookies at this time.

Page 8:

The Machine Readable Privacy Policy (XML Format)

• An XML format for expressing a privacy policy

– Using a standard P3P base data schema

• The policy reference file includes the following statements:

– The URL where a P3P policy is found

– The URLs or regions of URL-space included or excluded by this policy

– The cookies that are or are not covered by this policy

– The period of time for which these claims are considered to be valid

Page 9:

Location of the machine readable file

The location of the machine readable policy file can be indicated using one of the following:

At the server level:

– may be located in a predefined "well-known" location (well known to the browser), e.g. http://www.agency.gov/w3c/p3p.xml

– through an HTTP header

At the web page level:

– a document may indicate a policy reference file through an HTML link tag or XHTML link tag
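The two slides above describe what a policy reference file contains and where a browser finds it. As an added example (not code from the presentation or the Web Advisory Group), the Python below locates the reference file from the HTTP header, the link tag or the well-known location, then applies its INCLUDE/EXCLUDE rules and EXPIRY to a requested path; the header, link tag, reference file, paths and policy names are constructed for the illustration.

```python
# Added example (not from the presentation): locate a site's P3P policy
# reference file and resolve which policy covers a path, as a user agent would.
# The header, link tag, reference file, paths and policy names are constructed.
import re
import xml.etree.ElementTree as ET
NS = {"p": "http://www.w3.org/2002/01/P3Pv1"}
WELL_KNOWN_LOCATION = "/w3c/p3p.xml"  # location a browser tries by default

# Constructed reference file: stricter policy for /forms/, general policy elsewhere, /internal/ uncovered.
POLICY_REF_FILE = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <EXPIRY max-age="172800"/>
    <POLICY-REF about="/w3c/policy.xml#forms"><INCLUDE>/forms/*</INCLUDE></POLICY-REF>
    <POLICY-REF about="/w3c/policy.xml#general">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/internal/*</EXCLUDE>
      <COOKIE-INCLUDE name="session" value="*" domain="*" path="*"/>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>"""

def locate_policy_ref(headers, html=""):
    """P3P response header first, then <link rel="P3Pv1">, then the well-known location."""
    m = re.search(r'policyref="([^"]+)"', headers.get("P3P", ""))
    if not m:
        m = re.search(r'<link[^>]*rel="P3Pv1"[^>]*href="([^"]+)"', html, re.I)
    return m.group(1) if m else WELL_KNOWN_LOCATION

def _matches(pattern, path):
    """P3P URI patterns use '*' as their only wildcard."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), path) is not None

def parse_policy_refs(xml_text):
    """Return (max_age_seconds, [(about, includes, excludes, cookie_names), ...])."""
    refs = ET.fromstring(xml_text).find("p:POLICY-REFERENCES", NS)
    expiry = refs.find("p:EXPIRY", NS)
    max_age = int(expiry.get("max-age")) if expiry is not None else 86400  # spec default: 24 h
    return max_age, [(r.get("about"),
                      [e.text for e in r.findall("p:INCLUDE", NS)],
                      [e.text for e in r.findall("p:EXCLUDE", NS)],
                      [c.get("name") for c in r.findall("p:COOKIE-INCLUDE", NS)])
                     for r in refs.findall("p:POLICY-REF", NS)]

def policy_for_path(policies, path):
    """First POLICY-REF whose INCLUDE matches and whose EXCLUDE does not; None if uncovered."""
    for about, includes, excludes, _cookies in policies:
        if any(_matches(p, path) for p in excludes):
            continue
        if any(_matches(p, path) for p in includes):
            return about
    return None
```

A path that no POLICY-REF covers (here anything under /internal/) is exactly the situation a browser reports as "no policy", even though the site publishes a reference file.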

Page 10:

Machine Readable Policy Tools

Free editor tools

• HiSoftware P3P Builder

– www.hisoftware.com/access/valueaddp3p.html

• IBM alphaWorks P3P Policy Editor

– www.alphaworks.ibm.com/tech/p3peditor

Validator Tool

• www.w3.org/P3P/validator.html

Page 11:

How Does P3P Work?

Page 12:

How Users Are Notified

Web Browser Alerts

Web visitors who want to take advantage of P3P enabled sites have to set their personal privacy preferences in their web browser.

Page 13:

Browser Support

Browser implementation of P3P is concerned with the issue of cookies.

When the browser encounters a cookie from a web page that either does not have a compact P3P policy, or that has a P3P policy that does not match the user’s privacy preferences, the user is alerted via icons.

• Browsers supporting Compact P3P Policy:

– Netscape 7

– Mozilla

– Internet Explorer 6

– AT&T Privacy Bird (Plug-in for Internet Explorer)
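The slide describes the decision a P3P-aware browser makes for each cookie: no compact policy, or a policy that does not meet the user's preference, triggers an alert. As an added example (not from the presentation or any browser's source), the Python below extracts the compact policy from a P3P response header and classifies it with a rule written from the presentation's own definition of an "unsatisfactory" cookie; the header values are constructed, and real browsers apply their own more detailed rule sets.

```python
# Added example (not from the presentation): classify a P3P compact policy the
# way the slides describe a browser doing it. The "unsatisfactory" rule follows
# the slide's definition (identifiable data that may be used for a secondary
# purpose, or shared, without consent); browsers use their own detailed rules.
import re

# Token classes from the P3P 1.0 compact-policy vocabulary.
IDENTIFIABLE = {"PHY", "ONL", "GOV", "FIN", "UNI"}  # contact, government, financial or unique-id data
SECONDARY_PURPOSES = {"TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
OUTSIDE_RECIPIENTS = {"SAM", "UNR", "PUB", "OTR"}   # anyone beyond the site and its delivery agents
CONSENT = {"i", "o"}  # suffixes meaning opt-in / opt-out is offered ("a" = always, no choice)

def compact_policy_tokens(p3p_header):
    """Extract the CP="..." tokens from a P3P response header; [] when absent."""
    m = re.search(r'CP="([^"]*)"', p3p_header or "")
    return m.group(1).split() if m else []

def _no_choice(token, token_class):
    """True for a purpose/recipient token of the class with no consent suffix (e.g. TAI, SAMa)."""
    return token[:3] in token_class and token[3:] not in CONSENT

def evaluate(tokens):
    """Return 'none', 'satisfactory' or 'unsatisfactory' for a compact policy."""
    if not tokens:
        return "none"
    if "NID" in tokens:  # site declares it collects no identifiable data
        return "satisfactory"
    identifiable = bool(IDENTIFIABLE & set(tokens))
    secondary_use = any(_no_choice(t, SECONDARY_PURPOSES) for t in tokens)
    shared = any(_no_choice(t, OUTSIDE_RECIPIENTS) for t in tokens)
    if identifiable and (secondary_use or shared):
        return "unsatisfactory"
    return "satisfactory"

def should_alert(p3p_header):
    """The behaviour the slide describes: alert on a cookie from a page with no
    compact policy, or with a policy that does not meet the preference."""
    return evaluate(compact_policy_tokens(p3p_header)) != "satisfactory"
```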

Page 14:

Cookies

• Cookies are information stored by a server on a visitor’s computer during their first visit to the site and used on subsequent visits to the site.

• This may be information obtained without asking (e.g., viewing habits), or information provided by the user (name, preferences).

• The server records this information in a text file and stores this file on the visitor's hard drive.

• What do your cookies say about you? Search your computer for the cookie files – you might be surprised.

Page 15:

Example of Cookies

# Netscape HTTP Cookie File
# http://www.netscape.com/newsref/std/cookie_spec.html
# This is a generated file! Do not edit.

home.frontiernet.net FALSE / FALSE 1089259125 regionid 1
home.frontiernet.net FALSE / FALSE 1089259125 stateabb WV
home.frontiernet.net FALSE / FALSE 1089259125 npa 304
home.frontiernet.net FALSE / FALSE 1089259125 city Charles+Town
.mp3.com TRUE / FALSE 1293839999 RMID 8c5a18333f09c160
.2o7.net TRUE / FALSE 1234755376 s_vi_bzbx7Bmfehkf [CS]v4|3F09DC8800001DFF-A000A4A00000001|4032DDB1[CE]
.2o7.net TRUE / FALSE 1234755376 s_vi_nvnwhg [CS]v4|3F09DC8800001DFF-A000A4A00000001|4032DDB1[CE]
.2o7.net TRUE / FALSE 1220907114 s_vi_cx7Bczccdfx60x7Fl [CS]v3|3F09DC8800001DFF-A000A4A00000001|3F5F8EC2|3F09DC88|3F5F8EC3|3F5F8EFE|2|4|0|0||ltx0AGKIx04cEPASEx5Dx1Ex04lKIAx04EJx40x04lKIAx04kBBMGA|ltx0AGKIx04cEPASEx5Dx1Ex04lKIAx04EJx40x04lKIAx04kBBMGA||||[CE]
.2o7.net TRUE / FALSE 1220907114 s_sv_cx7Bczccdfx60x7Fl [CS]v2|3F5F8EFE|[CE]
.2o7.net TRUE / FALSE 1234755376 s_vi_cx7Bczxxfifx60x7Fl [CS]v4|3F09DC9B00003CC3-A000A4F00000001|4032DDB1[CE]
www.tigerdirect.com FALSE / FALSE 1089172972 MyEmail myname%40domain%2Enet
.bizrate.com TRUE / FALSE 1373027937 br 105766790547740314
.bizrate.com TRUE / FALSE 1373027937 eval 105766790547766748
.bizrate.com TRUE / FALSE 1373027937 survey 23939_2003_Jul_8

These cookies contain personal information such as the city and state (Charles Town WV), area code (304), and even e-mail address (myname%40domain%2Enet, i.e. myname@domain.net).
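The cookie file above is in the Netscape format (domain, match-all-subdomains flag, path, secure flag, expiry as Unix time, name, value). As an added example (not from the presentation), the Python below parses lines in that format, URL-decodes the values the way the slide does by hand, and reports for each cookie whether it is persistent, expired, third-party relative to the site being visited, and whether its value looks like an e-mail address. The three sample lines are taken from the slide (tab-separated as in the real file); the visited host is an assumption.

```python
# Added example (not from the presentation): parse cookie lines in the Netscape
# cookie file format shown on the slide and report what each one reveals.
# The sample lines are taken from the slide; the visited host is an assumption.
from datetime import datetime, timezone
from urllib.parse import unquote_plus
import re

# Three entries from the slide's cookie file. Fields are tab-separated:
# domain, match-all-subdomains flag, path, secure flag, expiry (Unix time), name, value
COOKIE_FILE = "\n".join([
    "# Netscape HTTP Cookie File",
    "home.frontiernet.net\tFALSE\t/\tFALSE\t1089259125\tcity\tCharles+Town",
    ".2o7.net\tTRUE\t/\tFALSE\t1234755376\ts_vi_nvnwhg\t[CS]v4|3F09DC8800001DFF-A000A4A00000001|4032DDB1[CE]",
    "www.tigerdirect.com\tFALSE\t/\tFALSE\t1089172972\tMyEmail\tmyname%40domain%2Enet",
])
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def parse_cookie_file(text):
    """Yield one dict per cookie line, skipping comments and blank lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        domain, subdomains, path, secure, expires, name, value = line.split("\t", 6)
        yield {"domain": domain, "all_subdomains": subdomains == "TRUE", "path": path,
               "secure": secure == "TRUE", "expires": int(expires),
               "name": name, "value": unquote_plus(value)}  # decode %40, %2E and '+'

def is_third_party(cookie, visited_host):
    """Third-party when the cookie domain is neither the visited host nor one of its parents."""
    d = cookie["domain"].lstrip(".")
    return not (visited_host == d or visited_host.endswith("." + d))

def describe(cookie, visited_host, now):
    """Summarise the privacy-relevant facts about one cookie."""
    expiry = datetime.fromtimestamp(cookie["expires"], tz=timezone.utc)
    return {
        "name": cookie["name"],
        "value": cookie["value"],
        "persistent": cookie["expires"] > 0,  # a stored expiry means it outlives the browser session
        "expires_on": expiry.date().isoformat(),
        "expired": expiry <= now,
        "third_party": is_third_party(cookie, visited_host),
        "looks_like_email": bool(EMAIL_RE.match(cookie["value"])),
    }

def report(text, visited_host, now=None):
    """Describe every cookie in the file relative to the site being visited."""
    now = now or datetime.now(timezone.utc)
    return [describe(c, visited_host, now) for c in parse_cookie_file(text)]
```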

Page 16:

Location of Cookie Files

• In Internet Explorer cookie files are in the “cookies” folder:

– C:\Documents and Settings\user\Cookies

– How to Delete Cookies From Internet Explorer - Microsoft Knowledge Base: http://support.microsoft.com/default.aspx?scid=kb;EN-US;278835

• In Netscape cookies are stored in a file named “cookie.txt”

Page 17:

How Cookies and Browsers Interact

• By default, browsers allow the use of cookies.

• You can change your privacy settings so that your browser

– Will ask you before placing a cookie on your computer, or

– Will prevent the browser from accepting any cookies, or

– Will handle First- and Third-Party cookies differently

• You can specify how you want to handle cookies from individual web sites or all web sites

Page 18:

Persistent Cookie

• stored on your computer

• remains there when you close your browser

• can be read by the web site that created it when you visit that site again.

Page 19:

Temporary or Session Cookie

• stored on your computer

• retained only for your current browsing session

• deleted from your computer when you close your web browser.

Page 20:

Unsatisfactory Cookie

• might allow access to personally identifiable information

• information could be used for a secondary purpose without your consent.

Page 21:

First-Party Cookie

• either originates on or is sent to the web site you are currently viewing

• commonly used to store information such as your preferences, for use when you re-visit the site

Page 22:

Third-Party Cookie

• either originates on or is sent to a web site different from the one you are currently viewing

• commonly used to track your web page use for advertising or other marketing purposes

– Example: site xyz.com uses content from site 123.com. Site 123.com uses a cookie to track web page views and use by visitors to xyz.com

Page 23:

Setting Netscape 7 Preferences

Page 24:

Netscape 7 Notification

A warning appears when the browser encounters a cookie that either does not have a compact P3P policy or has a P3P policy that does not match the browser preferences

Page 25:

Setting Mozilla Preferences

Page 26:

Setting IE 6 Preferences

Page 27:

IE6 Notification

A warning appears when the browser encounters a cookie that either does not have a compact P3P policy or has a P3P policy that does not match the browser preferences

Page 28:

IE 6 Privacy Reports

Page 29:

AT&T Privacy Bird

A free plug-in for Internet Explorer 6

Icons shown: Green Bird, Yellow Bird, Red Bird

Audible Notifications

Page 30:

To Assist DOC Web Developers

• Web Advisory Group will post guidance on the WAG site to help webmasters meet the December 2004 deadline (http://www.osec.doc.gov/webresources/)

– Links to various tools we have tested

– Examples

– “How to” information

– Reference materials (W3C)

Page 31:

Reference Materials

• W3C Platform for Privacy Preferences (P3P) Project

– http://www.w3.org/P3P/

• W3C P3P 1.0 Specification

– http://www.w3.org/TR/P3P/

• W3C References for P3P Implementations

– http://www.w3.org/P3P/implementations

• P3P Toolbox

– http://www.p3ptoolbox.org/

Page 32:

Ron Jones

National Weather Service

Office of the CIO

(301) 713-1381 x130

[email protected]