P3PP3PA New Standard in A New Standard in

Online PrivacyOnline Privacy

http://www.w3.org/P3P/

Overview and Demos from Summer 2000Overview and Demos from Summer 2000

2

P3P1.0 – A first stepP3P1.0 – A first step Offers an easy way for web sites to

communicate about their privacy policies in a standard machine-readable formatCan be deployed using existing web servers

This will enable the development of tools (built into browsers or separate applications) that:Provide snapshots of sites’ policiesCompare policies with user preferencesAlert and advise the user

3

P3P is part of the solutionP3P is part of the solutionP3P1.0 helps users understand privacy policies

but is not a complete solution

Seal programs and regulations help ensure that sites comply with their policies

Anonymity tools reduce the amount of information revealed while

browsing

Encryption tools secure data in transit and storage

Laws and codes of practice provide a base line level for acceptable policies

4

Using P3P on your Web siteUsing P3P on your Web site1. Formulate privacy policy

2. Translate privacy policy into P3P format Use a policy generator tool

3. Place P3P policy on web site One policy for entire site or multiple policies for different parts of

the site

4. Associate policy with web resources: Place P3P policy reference file (which identifies location of

relevant policy file) at well-known location on server; Configure server to insert P3P header with link to P3P policy

reference file; or Insert link to P3P policy reference file in HTML content

5

P3P policiesP3P policies Machine-readable (XML) version of web site

privacy policies

Use P3P Vocabulary to express data practices

Use P3P Base Data Set to express type of data collected

Capture common elements of privacy policies but may not express everything (sites may provide further explanation in human-readable policies)

6

The P3P vocabularyThe P3P vocabulary Who is collecting data?

What data is collected?

For what purpose will data be used?

Is there an ability to opt-in or opt-out of some data uses?

Who are the data recipients (anyone beyond the data collector)?

To what information does the data collector provide access?

What is the data retention policy?

How will disputes about the policy be resolved?

Where is the human-readable privacy policy?

7

P3P informs Web surfersP3P informs Web surfers

privacymanagerbutton

8

TransparencyTransparency P3P clients can

check a privacy policy each time it changes

P3P clients can check privacy policies on all objects in a web page, including ads and invisible images

http://adforce.imgis.com/?adlink|2|68523|1|146|ADFORCE

http://www.att.com/accessatt/

9

A simple HTTP transactionA simple HTTP transactionWeb

ServerGET /index.html HTTP/1.1Host: www.att.com. . . Request web page

HTTP/1.1 200 OKContent-Type: text/html. . . Send web page

10

… … with P3P 1.0 addedwith P3P 1.0 addedWeb

ServerGET /w3c/p3p.xml HTTP/1.1Host: www.att.comRequest Policy Reference File

Send Policy Reference File

GET /index.html HTTP/1.1Host: www.att.com. . . Request web page

HTTP/1.1 200 OKContent-Type: text/html. . . Send web page

Request P3P Policy

Send P3P Policy

11

P3P todayP3P today Intuitive – promotes a seamless browsing experiences

while addressing privacy concerns

Transparent – makes privacy policies clear to Web users

Flexible – compatible with both regulatory and self-regulatory approaches, and with other technology tools

Global – developed with international diversity in mind

End-to-End – provides tools to more easily create policies and checks sites for privacy assurance seals

Expandable – future versions could support automatic negotiation of privacy agreements and digital signature-based authentication

Available – demos currently available

12

P3P enabled web sitesP3P enabled web sites www.aol.com

www.att.com

www.cdt.org

www.engage.com

www.hp.com

www.ibm.com

www.idcide.com

www.microsoft.com

www.pg.com

www.ttuhsc.edu

www.youpowered.com

www.vineyard.net

www.w3.org

www.whitehouse.gov

And many more….

P3P User Agent DemosP3P User Agent Demos

Microsoft/AT&T P3P Browser Helper Object

Idcide Privacy Companion

YOUpowered Orby Privacy Plus

14

Microsoft/AT&T P3P browser helper Microsoft/AT&T P3P browser helper objectobject

A prototype tool designed to work with Microsoft Internet Explorer Browser

Not yet fully tested, still missing some features

15

Preference settings

16

17

When preferences are changed toDisallow profiling, the privacy checkwarns us that this site profiles visitors

18

IDcide Privacy CompanionIDcide Privacy Companion A browser plug-in that adds functionality to Netscape

or Internet Explorer browsers

Includes icons to let users know that sites use first- and/or third-party cookies

Enables users to select a privacy level that controls the cookie types allowed (1st or 3rd party)

Prevents data spills to 3rd parties through “referer”

Let’s users view tracking history

Prototype P3P-enabled Privacy Companion allows for more fine-grained automatic decision making based on P3P policies

http://www.idcide.com

19

Searching for a P3P policy

No P3P policy found

P3P policy isNOT acceptable

P3P policy isacceptable

IDcide P3P Icons

20

Double clicking on the P3P icon indicates wherethe site’s policy differs from the user’s preferences

21

YOUpowered Orby Privacy YOUpowered Orby Privacy PlusPlus

A tool bar that sits at the top of a user’s desktop and allows a user toAccept or deny cookies while surfing Decide how, when and where to share

personal information Store website passwords Enjoy the convenience of "one-click" form-fill

P3P features in prototype automatically rate web sites based on their P3P policies

22

TrustMeter

23

Orby cookie prompt

24

Orby preference setting menu

Policy Generator DemosPolicy Generator Demos

IBM P3P Policy Editor

PrivacyBot.com

YOUPowered Consumer Trust Policy Manager Wizard

26

IBM P3P Policy EditorIBM P3P Policy Editor

Allows web sites to create privacy policies in P3P and human-readable format

Drag and drop interface

Available from IBM AlphaWorks site: http://www.alphaworks.ibm.com/tech/p3peditor

27

Sites can list the typesof data theycollect

And view the correspondingP3P policy

28

Propertieswindows allowssites to specify detailed informationabout how eachtype of data isused.

29

PrivacyBot.comPrivacyBot.com

Allows webmasters to fill out an online questionnaire to automatically create a human-readable privacy policy and a P3P policy

30

YOUpowered Consumer Trust Policy Manager wizardYOUpowered Consumer Trust Policy Manager wizard

For more information For more information about P3P, please visit about P3P, please visit

our web siteour web site

http://www.w3.org/P3P/