p3p a new standard in online privacy overview and demos from summer 2000
TRANSCRIPT
P3PP3PA New Standard in A New Standard in
Online PrivacyOnline Privacy
http://www.w3.org/P3P/
Overview and Demos from Summer 2000Overview and Demos from Summer 2000
2
P3P1.0 – A first stepP3P1.0 – A first step Offers an easy way for web sites to
communicate about their privacy policies in a standard machine-readable formatCan be deployed using existing web servers
This will enable the development of tools (built into browsers or separate applications) that:Provide snapshots of sites’ policiesCompare policies with user preferencesAlert and advise the user
3
P3P is part of the solutionP3P is part of the solutionP3P1.0 helps users understand privacy policies
but is not a complete solution
Seal programs and regulations help ensure that sites comply with their policies
Anonymity tools reduce the amount of information revealed while
browsing
Encryption tools secure data in transit and storage
Laws and codes of practice provide a base line level for acceptable policies
4
Using P3P on your Web siteUsing P3P on your Web site1. Formulate privacy policy
2. Translate privacy policy into P3P format Use a policy generator tool
3. Place P3P policy on web site One policy for entire site or multiple policies for different parts of
the site
4. Associate policy with web resources: Place P3P policy reference file (which identifies location of
relevant policy file) at well-known location on server; Configure server to insert P3P header with link to P3P policy
reference file; or Insert link to P3P policy reference file in HTML content
5
P3P policiesP3P policies Machine-readable (XML) version of web site
privacy policies
Use P3P Vocabulary to express data practices
Use P3P Base Data Set to express type of data collected
Capture common elements of privacy policies but may not express everything (sites may provide further explanation in human-readable policies)
6
The P3P vocabularyThe P3P vocabulary Who is collecting data?
What data is collected?
For what purpose will data be used?
Is there an ability to opt-in or opt-out of some data uses?
Who are the data recipients (anyone beyond the data collector)?
To what information does the data collector provide access?
What is the data retention policy?
How will disputes about the policy be resolved?
Where is the human-readable privacy policy?
7
P3P informs Web surfersP3P informs Web surfers
privacymanagerbutton
8
TransparencyTransparency P3P clients can
check a privacy policy each time it changes
P3P clients can check privacy policies on all objects in a web page, including ads and invisible images
http://adforce.imgis.com/?adlink|2|68523|1|146|ADFORCE
http://www.att.com/accessatt/
9
A simple HTTP transactionA simple HTTP transactionWeb
ServerGET /index.html HTTP/1.1Host: www.att.com. . . Request web page
HTTP/1.1 200 OKContent-Type: text/html. . . Send web page
10
… … with P3P 1.0 addedwith P3P 1.0 addedWeb
ServerGET /w3c/p3p.xml HTTP/1.1Host: www.att.comRequest Policy Reference File
Send Policy Reference File
GET /index.html HTTP/1.1Host: www.att.com. . . Request web page
HTTP/1.1 200 OKContent-Type: text/html. . . Send web page
Request P3P Policy
Send P3P Policy
11
P3P todayP3P today Intuitive – promotes a seamless browsing experiences
while addressing privacy concerns
Transparent – makes privacy policies clear to Web users
Flexible – compatible with both regulatory and self-regulatory approaches, and with other technology tools
Global – developed with international diversity in mind
End-to-End – provides tools to more easily create policies and checks sites for privacy assurance seals
Expandable – future versions could support automatic negotiation of privacy agreements and digital signature-based authentication
Available – demos currently available
12
P3P enabled web sitesP3P enabled web sites www.aol.com
www.att.com
www.cdt.org
www.engage.com
www.hp.com
www.ibm.com
www.idcide.com
www.microsoft.com
www.pg.com
www.ttuhsc.edu
www.youpowered.com
www.vineyard.net
www.w3.org
www.whitehouse.gov
And many more….
P3P User Agent DemosP3P User Agent Demos
Microsoft/AT&T P3P Browser Helper Object
Idcide Privacy Companion
YOUpowered Orby Privacy Plus
14
Microsoft/AT&T P3P browser helper Microsoft/AT&T P3P browser helper objectobject
A prototype tool designed to work with Microsoft Internet Explorer Browser
Not yet fully tested, still missing some features
15
Preference settings
16
17
When preferences are changed toDisallow profiling, the privacy checkwarns us that this site profiles visitors
18
IDcide Privacy CompanionIDcide Privacy Companion A browser plug-in that adds functionality to Netscape
or Internet Explorer browsers
Includes icons to let users know that sites use first- and/or third-party cookies
Enables users to select a privacy level that controls the cookie types allowed (1st or 3rd party)
Prevents data spills to 3rd parties through “referer”
Let’s users view tracking history
Prototype P3P-enabled Privacy Companion allows for more fine-grained automatic decision making based on P3P policies
http://www.idcide.com
19
Searching for a P3P policy
No P3P policy found
P3P policy isNOT acceptable
P3P policy isacceptable
IDcide P3P Icons
20
Double clicking on the P3P icon indicates wherethe site’s policy differs from the user’s preferences
21
YOUpowered Orby Privacy YOUpowered Orby Privacy PlusPlus
A tool bar that sits at the top of a user’s desktop and allows a user toAccept or deny cookies while surfing Decide how, when and where to share
personal information Store website passwords Enjoy the convenience of "one-click" form-fill
P3P features in prototype automatically rate web sites based on their P3P policies
22
TrustMeter
23
Orby cookie prompt
24
Orby preference setting menu
Policy Generator DemosPolicy Generator Demos
IBM P3P Policy Editor
PrivacyBot.com
YOUPowered Consumer Trust Policy Manager Wizard
26
IBM P3P Policy EditorIBM P3P Policy Editor
Allows web sites to create privacy policies in P3P and human-readable format
Drag and drop interface
Available from IBM AlphaWorks site: http://www.alphaworks.ibm.com/tech/p3peditor
27
Sites can list the typesof data theycollect
And view the correspondingP3P policy
28
Propertieswindows allowssites to specify detailed informationabout how eachtype of data isused.
29
PrivacyBot.comPrivacyBot.com
Allows webmasters to fill out an online questionnaire to automatically create a human-readable privacy policy and a P3P policy
30
YOUpowered Consumer Trust Policy Manager wizardYOUpowered Consumer Trust Policy Manager wizard
For more information For more information about P3P, please visit about P3P, please visit
our web siteour web site
http://www.w3.org/P3P/