P3P Soundbytes:

Observations for approachingDesign, Build and Deploy

PricewaterhouseCoopersRuth Nelson

Assemble your team

• Your P3P Build and Deploy team needs a combination of skill sets– IT– Privacy – Legal– Content Management– Consultants [:->]

Understanding Your Website Architecture

• Perform a detailed review of your website to determine:– How reliant is your website on cookies?– What “states” does a user have on your site – eg visitor

(anon), registrant, transactor ? – What cookies are associated with these states ?

• How will a users experience be affected if cookies are blocked or denied?

• Does your website recognize when cookies are blocked ?- Use the excuse to make sure you have an accurate census of your sites reality

Other 3rd Party Cookies

• Some companies are missing the true impact, example: (now changed but)www.cnn.com served a metric count cookie from www.cnnaudience.com- this is a 3P cookie in the ie6 logic and is blocked at medium (default)

• X-population of cookies throughout domains within your website structure, will produce complexity – solutions – a CP or an architecture change to MLD– NOTE: this is the biggest issue we find with our clients

Determine 3rd Party Compliance

• Your third party cookie providers should be P3P compliant by now

• If not, what effect will this have on your site? – Consider unique metric counts relied upon by

analysts

• Engage in dialog with your 3rd Party cookie vendors and work with them to implement P3P compact policies

Know the Spec !

• The specification is long and cumbersome, it takes a while to digest

• Simple one Full P3P (verbose) instance is best, but only IF your architecture permits

• Use the P3P Generators but beware they are not perfect, you still need to micro-audit, test and pilot the outputs

– P.S.Do you have the correct version !

Check out examples

• Go to the W3C site and check out other examples to familiarize yourself

– Again caution – some of the best practice sites are still upgrading to the latest version of the spec, so look at the Full P3P top line and map version control first !

Our Tools for Understanding your Architecture

• WebCPOTM, a complete privacy technology developed by Watchfire and PwC that scans and provides an automated detailed analysis of your website architecture, cookies and ie6 impact.

• WebCPOTM will scan every link on the website, identifying 3rd Parties, Cookies, Forms, Security, domains, and other important privacy criteria. – More details can be explained post-workshop

Understand Your Existing Narrative Privacy Policy

• Does this adequately disclose all of the elements in the Spec

• Are you comfortable that your site conforms to the statement ?

• Does your policy map to the binary disclosures required in Full P3P policy

• Check some elements, eg Data Retention – Indefinitely may sound bad, your company does

have retention standards, should this be articulated in your human policy

Understand Your Existing Narrative Privacy Policy

• Be Aware - Your current policy may need to be revised after a P3P Policy is created. – Simple items – eg entity contact

information, phone number

– Complex items, Access, Retention, “Multiple”-choice

Edit the Full Policy

• The Policy Building utilities are a good starting point, but aren’t perfecteg may not output multiple statements

• If changes need to be made to the Full Policy, a simple XML editor should be used to make the changes– Avoid using a text editor or word processor

to make changes, they will not always work properly.

Full P3P Matrix

• Recommended: – Map each Data element by state,

double/triple check, get a second pair of eyes, (then code)

– Discuss the mapping with the whole team, check your binary i/o decisions with legal

• You’d be surprised….

Full Policy – Some key areas

• Disputes: sometimes Legislation can also be disclosed, see ATT example

• Statement: groups together a purpose element, a recipient element, a data group element, and optionally a consequence elements and one or more extensions, – NOTE: create a statement per user “state” and

also the cookies associated with that state for future proofing, also name your statements using the extension syntax so they view in the Privacy Report

Advanced P3P

• Appropriate for sites with multiple privacy practices within the site and different entities involved

• OR a site that collects a variety of information in certain areas of the site.– See ATT, or IBM’s examples– Important if multiple Full P3P are used that

your Policy Ref files are correctly coded

Validate the Full Policy

• Use the W3C developed Validator to ensure Full Policy does not have errors. – www.w3.org/P3P/validator

• WARNING – the validator DOES NOT check all logic, eg prior version did not check for opturi [3.2.2] – mandatory if purpose elements have opt-in or opt-out

Test View Privacy Report

• REMINDER: ie6 uses the Full P3P policy to create the View Privacy Report

• Check if this displays accurately, eg the seal gifs, did you correctly code name extensions on statements, did you have good descriptions in the Other Purpose and Other Categories– If Reference File contains EXCLUDE statements, the

full policy should not work on those areas of the site – double check the coding and the correctness of the “*” elements

– Recommended to do this on a local webserver test environment – NOT in live

Building a Compact Policy

• The Compact policy must associate the elements of your Full P3P policy that relate to the actual practices of the cookie, it would be normal to have multiple CP’s

• REMINDER: ie6 ONLY evaluates the Compact Policy

Validate the Compact Policy

• Manual Validation Required• Reference P3P Specification for details around

codes• Ensure that you have not created unsatisfactory

conditions by not specifying opt-in or opt-out criteria– See ie6 guidance on msdn– Be cognizant of Low, Medium and High (o =

unsatisfactory)– Build site logic to recognize blocked cookies and prompt

users to accept

Implementation & Testing

ie6 offers two good methods for testing P3P– View Privacy Report Option– Prompting for Cookies

• Tools / Internet Options / Privacy• Advanced, check override• Prompt 1P and 3P• Once prompted, allow, block, more info

displays the full cookie properties including CP served

Check all Cookies

• Make sure you have deployed the right CP on the matching cookie and every cookie !– You’d be surprised………….

• IT must validate the purpose of each cookie, get sign-off prior to launch

• Again, if possible - deploy on test first

Ongoing Monitoring

• Periodically review your site – Preferably use an automated tool, such a

WebCPOTM, to ensure ongoing P3P compliance

• Ensure that current and future 3P Cookies are P3P compliant

• New or changes in use of 1P cookies deployed must be revisited

• Implement automatic manual triggers – human change = machine change