O'Reilly Network    
 Published on O'Reilly Network (http://www.oreillynet.com/)
 http://www.oreillynet.com/pub/a/network/excerpt/p3p/p3p.html


P3P: Privacy Primer

by Simson Garfinkel, co-author of Web Security, Privacy & Commerce, 2nd Edition
and Lorrie Faith Cranor, author of Web Privacy with P3P
02/15/2002

The W3C's Platform for Privacy Preferences Project (P3P) provides a standard way for Web sites to communicate about their practices around the collection, use, and distribution of personal information. It's a machine-readable privacy policy that can be automatically fetched and viewed by users, and it can be tailored to fit your company's specific policies. This article has two parts: the first is an overview of P3P, written by Simson Garfinkel; the second section, written by Lorrie Cranor, offers a more in-depth look and examples.

The World Wide Web Consortium's Platform for Privacy Preferences Project (P3P) provides a standard way for web sites to communicate about their practices regarding the collection, use, and distribution of personal information. This article provides a brief introduction to P3P, and Figure 1 illustrates the P3P process; the section "P3P: A more detailed look" contains more detailed technical information about the protocol.



Figure 1: How P3P works.

P3P and PICS

P3P is an outgrowth of the W3C's earlier work on its web site rating and filtering technology, PICS (see http://www.w3.org/PICS/). The idea behind PICS was that web sites would be rated regarding their content, web browsers would download these ratings, and parents could program their children's computers so that web pages that violated the parents' standards would not be displayed.

The P3P system supports many of these concepts. Instead of using the formalisms of PICS to rate their adult content, web sites and online services use the formalisms of P3P to describe their policies regarding data collection and use. These descriptions can be downloaded from the web site to the browser when the web pages are viewed. If the web site's policies do not agree with the policies identified by the user, the browser can either warn the user or disable certain functionality. For example, a web browser could be programmed to discard any cookies from a web site that claims to use cookies for profiling its visitors.

PICS and P3P are similar in many ways:

P3P also differs from PICS in several important ways:

Internet Explorer 6.0 contains limited support for P3P (as described in the next section); Netscape Navigator 6.0 contains none.

For information on how to create a P3P policy for your web site, see P3P: A more detailed look.

Support for P3P in Internet Explorer 6.0

Internet Explorer 6.0 contains limited support for P3P, restricted to P3P's so-called compact policies, which describe how a site uses information collected through cookies. IE6 uses the compact policy to decide whether or not the user should accept a cookie from a given web site.

Internet Explorer's P3P implementation is controlled through the "Privacy" tab of the Internet Options control panel (see Figure 2). Using this panel, you can specify one of seven default policies to use for all web sites. You can also modify these policies to suit your individual desires. Finally, you can specify a list of web sites to be treated with specific rules.


Figure 2: Internet Explorer 6.0 has limited support for P3P in the Privacy tab of the Internet Options control panel.

Internet Explorer 6.0's P3P implementation is solely concerned with the issue of cookies. The implementation distinguishes between first-party cookies and third-party cookies. The term first-party cookie is used to refer to a cookie that is transmitted to your browser in the header of the base HTML page that a browser is viewing. The term third-party cookie is used to refer to cookies that are transmitted in the header of included images or frames that come from web sites other than the web site of the base page. In both cases, the browser can be configured to accept or reject cookies depending on whether or not a site has a P3P policy, and on how the policy says the site will handle personally identifiable information (PII).

Several of Microsoft's default policies are concerned with the idea of using PII "without implicit consent." In general, this phrase is used to determine if a web site operator can use personal information that is collected without first asking permission or if permission must be explicitly requested and given.

Internet Explorer 6.0 can "leash" cookies, so that they are only returned to the sites from which they originated. Cookies can also be "downgraded," so that they are automatically deleted when Internet Explorer is exited. The browser also explicitly makes reference to "session cookies"; these are cookies that are similarly deleted at the end of a session and are not stored on the computer's hard disk.

The default policies are described in Table 1.

Table 1: Privacy policies in Internet Explorer 6.0

Privacy level      | First-party cookies                                                                                                       | Third-party cookies
-------------------|---------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------
Accept All Cookies | Accepts                                                                                                                   | Accepts
Low                | Accepts                                                                                                                   | Blocks if no compact P3P policy. "Downgrades" cookies that use PII without implicit consent.
Medium             | Leashes cookies from sites without P3P policies. Downgrades cookies from sites that allow use of PII without implicit consent. | Blocks if no compact P3P policy, or if policy allows use of PII without implicit consent.
Medium High        | Blocks cookies from sites that use PII without implicit consent.                                                          | Blocks if no compact P3P policy, or if policy allows use of PII without explicit consent.
High               | Blocks if no compact P3P policy, or if policy allows use of PII without explicit consent.                                 | Blocks if no compact P3P policy, or if policy allows use of PII without explicit consent.
Block All Cookies  | Blocks all cookies. Cannot read existing cookies.                                                                         | Blocks all cookies. Cannot read existing cookies.

In the next section, we'll look at P3P in more depth, including how it works, examples of the markup code, and suggestions for P3P deployment.

P3P: A more detailed look

This section was contributed by Lorrie Cranor of AT&T Labs--Research. It is copyright AT&T and reprinted with permission.

The Platform for Privacy Preferences Project (P3P) provides a standard way for web sites to communicate about their data practices. Developed by the World Wide Web Consortium (W3C), P3P includes a machine-readable privacy policy syntax as well as a simple protocol that web browsers and other user agent tools can use to fetch P3P privacy policies automatically. P3P-enabled browsers can allow users to do selective cookie blocking based on site privacy policies, as well as to get a quick "snapshot" of a site's privacy policies.

This section provides an overview of how P3P works and how you can obtain and use it. For more information about P3P, see http://www.w3.org/P3P/. That site includes pointers to the complete P3P specification, lists of P3P software and P3P-enabled web sites, and more detailed instructions for using P3P on your web site. For a complete discussion of P3P and how you can use it to best advantage, see the forthcoming book, P3P, by Lorrie Cranor.

How P3P Works

The P3P specification includes:

The P3P protocol is a simple extension to the HTTP protocol. As shown in Figure 3, P3P user agents use standard HTTP requests to fetch a P3P policy reference file from a "well-known location" on the web site to which a user is making a request.[1] The policy reference file indicates the location of the P3P policy file that applies to each part of the web site. There might be one policy for the entire site, or several different policies, each of which covers a different part of the site. The user agent can then fetch the appropriate policy, parse it, and take action according to the user's preferences.


Figure 3: The basic protocol for fetching a P3P policy.

P3P also allows sites to place policy reference files in locations other than the well-known location. In these cases, the site must declare the location of the policy reference file using a special HTTP header or by embedding a <LINK> tag in the HTML files to which the P3P policies apply.

Here's a plain English example of the kind of disclosure a web site might make in a P3P policy:

Steve's Store strives to protect your privacy. When you come to our site to browse our catalog, we will not ask you to tell us who you are, and we will use data about your visit only to help us improve and secure our site. When you browse our site, we collect basic information about your computer and connection. We purge this information on a weekly basis. We also collect aggregate information on what pages consumers visit on our site.

Steve's Store is a licensee of the PrivacySealExample Program. The PrivacySealExample Program ensures your privacy by holding web site licensees to high privacy standards and confirming with independent auditors that these information practices are being followed.

Questions regarding this statement should be directed to: Steve's Store, 123 Steve Street, Bethesda, MD 20814 USA, Email: steve@stevesstore.com, Telephone (301) 392-6753. If you are not satisfied with our response to your inquiry, you may contact PrivacySealExample at http://www.privacyseal.example.org. Steve's Store will correct all errors or wrongful actions arising in connection with the privacy policy.

And here's what this policy would look like using the P3P syntax and encoding:

<POLICIES xmlns="http://www.w3.org/2000/12/P3Pv1">
<POLICY discuri="http://www.stevesstore.com/privacy.html"
 name="policy1">
 <ENTITY>
  <DATA-GROUP>
   <DATA ref="#business.name">Steve's Store</DATA>
   <DATA ref="#business.contact-info.postal.street">
         123 Steve Street</DATA>
   <DATA ref="#business.contact-info.postal.city">Bethesda</DATA>
   <DATA ref="#business.contact-info.postal.stateprov">MD</DATA>
   <DATA ref="#business.contact-info.postal.postalcode">20814</DATA>
   <DATA ref="#business.contact-info.postal.country">USA</DATA>
   <DATA ref="#business.contact-info.online.email">
         steve@stevesstore.com</DATA>
   <DATA ref="#business.contact-info.telecom.telephone.intcode">1</DATA>
   <DATA ref="#business.contact-info.telecom.telephone.loccode">301</DATA>
   <DATA ref="#business.contact-info.telecom.telephone.number">
         3926753</DATA>
  </DATA-GROUP>
 </ENTITY>
 <ACCESS><nonident/></ACCESS>
 <DISPUTES-GROUP>
  <DISPUTES resolution-type="independent"
    service="http://www.PrivacySeal.example.org"
    short-description="PrivacySeal.example.org">
   <IMG src="http://www.PrivacySeal.example.org/Logo.gif"
        alt="PrivacySealExample logo"/>
   <REMEDIES><correct/></REMEDIES>
  </DISPUTES>
 </DISPUTES-GROUP>
 <STATEMENT>
  <PURPOSE><admin/><develop/></PURPOSE>
  <RECIPIENT><ours/></RECIPIENT>
  <RETENTION><stated-purpose/></RETENTION>
  <DATA-GROUP>
   <DATA ref="#dynamic.clickstream"/>
   <DATA ref="#dynamic.http"/>
  </DATA-GROUP>
 </STATEMENT>
</POLICY>
</POLICIES>

If you are familiar with XML (Extensible Markup Language), this encoding may look familiar to you. It is important to note that P3P policies are not designed to be read by end users. User agents will interpret these policies on a user's behalf. In addition, every policy should contain the URL of the web site's human-readable privacy policy.

Deploying P3P

Some of the first questions webmasters ask when they are considering deploying P3P on their sites are "How long is this going to take?" and "How difficult is this going to be?" The answers to these questions, of course, depend on the details of each particular web site. A small company that already has a privacy policy posted on its site should be able to deploy P3P in a few hours--the technical work may even take less than 15 minutes. A large company may need to have its attorneys spend time reviewing its P3P policy, and it may need to figure out the best way to deploy P3P on a large number of servers around the world. Companies that provide "third-party" web services, such as advertising agencies and content distribution networks, may have some more complicated decisions to make as well.

To help you estimate how much work it will be for you to deploy P3P on your web site, here is an outline of the basic steps involved.

Create a privacy policy.
The privacy policy needs to include enough details to be able to use it to create a P3P policy. If you have already created a detailed policy for your site, you may still have a few questions that you have to revisit when you create your P3P policy, but you will have already done most of the difficult work. If you don't yet have a privacy policy or your policy does not go into much detail about the kinds of data your site collects or how this data is used, you will probably have to get your company's lawyers or policy makers involved in figuring out what your company's privacy policy is.


Determine whether you want to have one P3P policy for your entire site or different P3P policies for different parts of your site.
If you already have multiple privacy policies for your site, then you will probably want to have multiple P3P policies as well. For example, some sites have different policies associated with different types of services they offer. Even if you have a single, comprehensive policy for your entire site, you may want to have multiple P3P policies. For example, your site's privacy policy might include a statement like "We do not collect personally identifiable information from visitors except when they fill out a form to order a product from us." You might wish to create two P3P policies: one for use on most of your site where there are no forms, and the other for use specifically on the parts of the site where visitors fill out forms to order products.


Create a P3P policy (or policies) for your site.
You can use one of the P3P policy generator tools to easily create a P3P policy without having to learn XML. You will need to have a detailed understanding of the kinds of data your site collects and how that data is used--but most of this should be documented in your site's privacy policy.


Create a policy reference file for your site.
Most of the policy generator tools will help you create a policy reference file for your site too. This file lists all of the P3P policies on your site and the parts of your site to which they apply. In most circumstances you will have just one policy reference file for your entire site. However, if you have a very large number of policies on your site or if you don't wish to provide information that would reveal the structure of your site (perhaps due to security considerations if parts of your site are password protected), you may wish to have multiple policy reference files.


Configure your server for P3P.
On most sites this can be done by simply placing the P3P policy and policy reference files on the web server in the proper locations. However, some sites will want to configure their servers to send a special P3P header with every HTTP response, and some will want to add <LINK> tags to their HTML content. Some sites will also want to send compact versions of P3P policies with SET_COOKIE requests.


Test your site to make sure it is properly P3P enabled.
The W3C P3P Validator tool can be used to test your site and report back a list of any problems it finds. Of course, this tool cannot verify that your P3P policy matches your privacy policy or that either policy conforms to your actual practices. But it can make sure that your policy and policy reference files are syntactically correct and that you've configured everything properly. You can try the W3C P3P Validator at http://www.w3.org/P3P/validator/.

Creating a Privacy Policy

Your policy should include enough detail to answer the questions you will have to answer to create a P3P policy. Here's a basic outline of the points that you should cover:

P3P doesn't cover web site security practices, but most privacy policies also include a statement about the site's commitment to security. And web sites with content aimed at children often describe their policy with respect to children's data.

Generating a P3P Policy and Policy Reference File

If your privacy policy is fairly simple (or if you happen to enjoy writing XML), you may want to write your P3P policy and policy reference file by hand in XML, perhaps cutting and pasting from one of our examples. However, most people will probably opt to use a P3P policy generator program.

One good P3P policy generator you may want to try is the P3P Policy Editor from IBM. This tool features a drag-and-drop interface, shown in Figure 4, that lets you edit P3P policies by dragging icons representing P3P data elements and data categories into an editing window. The tool also has pop-up windows that let you set the properties associated with each data element (purpose, recipient, etc.) and also fill out general information about the site's privacy practices. You can view the XML that has been created as you add each data element, as well as a corresponding human-readable version of the policy. There is also a useful errors tab that indicates problems with your policy, such as leaving out information in required fields. The tool comes with good documentation and a set of templates for typical web sites. This tool can also create policy reference files. It is available for free download from the IBM Alphaworks web site at http://www.alphaworks.ibm.com/tech/p3peditor.


Figure 4: The IBM P3P Policy Editor features a drag-and-drop interface.

Helping User Agents Find Your Policy Reference File


The P3P specification has designated /w3c/p3p.xml as the "well-known location" for policy reference files. P3P user agents will check this location automatically for a policy reference file at every site they visit. If they can't find a policy reference file at a site, they will keep rechecking once every 24 hours if the user returns to that site.

Most web sites should be able to place their policy reference file at the well-known location without a problem. However, for sites that do not wish to do this, two alternatives are offered: sites can be configured to send a special P3P header with every HTTP response, or <LINK> tags can be embedded in HTML documents that give the location of the policy reference file.

The HTTP header alternative is most useful for sites that have decided to use multiple policy reference files. It allows sites to send a pointer to the policy reference file applicable to each request. The downside of using the HTTP header instead of the well-known location is that there is no way for a user agent to know a site's policy before requesting a resource. Thus, some user agents may suppress cookies, referer headers, or other information until they receive the P3P response header.

The HTML <LINK> tag alternative was designed primarily for sites in which content providers have access only to a designated area of the web server (which does not include the /w3c directory) and do not have the ability to configure the server to send extra HTTP response headers. For example, students who wish to provide a privacy policy on a personal home page hosted on a university server, or individuals or organizations with sites that do not have their own domain, may wish to use this alternative. This alternative has the same drawbacks as the HTTP header. In addition, sites that wish to use this alternative must add a <LINK> tag to every HTML document that is covered by the P3P policy, which may be a time-consuming task. Also, if visitors request non-HTML documents (images, PostScript, or PDF files, etc.) directly without following a link from an HTML document on that site, their user agents may be unable to find the policy reference file when <LINK> tags are used.

Compact Policies

P3P-enabled web sites have the option of providing short summaries of their policies with respect to cookies in HTTP response headers that accompany SET_COOKIE headers. These compact policies are designed as an optimization to allow for cookie processing to proceed at the same time that a full P3P policy is being evaluated. Sites can only use compact policies if they set cookies, and if their cookie-related statements in their full P3P policy do not include mandatory extensions. While the compact policy is entirely optional for P3P-enabled web sites, note that some of the early P3P user agent implementations rely heavily on the compact policy--for example, the Microsoft Internet Explorer 6 P3P user agent.

A site that uses compact policies would have a policy reference file and a full P3P policy just like any other P3P-enabled web site. In addition, the site would configure its web server to include a P3P header with all of its responses that contain SET_COOKIE requests (or with every response). Here is an example of what such a server response might look like:

HTTP/1.1 200 OK
P3P: policyref="http://cookie.example.com/w3c/p3p.xml", 
     CP="NON DSP ADM DEV PSD CUSo OUR IND STP PRE NAV UNI"
Content-Type: text/html
Content-Length: 8934
Server: CC-Galaxy/1.3.19

Most of the P3P policy generator tools will also generate compact policies.
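Table 1 and the response header above describe the same mechanism from two sides: the compact-policy tokens a site sends alongside its cookies, and the per-level decision a browser makes from them. The following Python is an added example, not code from the article, from Microsoft or from the W3C. It parses a P3P header value into its policyref and CP parts, reads the optional a/i/o consent suffix on each purpose and recipient token, and applies the rules of Table 1 literally. The token groups are the P3P 1.0 compact-policy vocabulary (plus CUS, the pre-1.0 purpose token that appears in the article's header); PII_CATEGORIES and the way consent suffixes are combined are simplifying assumptions made for this example, not Internet Explorer's actual evaluation rules. The first header value is the one shown in the article; the other two are constructed.

```python
"""Parse a P3P response header and apply the cookie rules of Table 1 to
its compact policy.  Added example: the consent heuristic below is an
assumption made for illustration, not IE6's real rule set."""
import re

PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
            "CON", "HIS", "TEL", "OTP", "CUS"}          # CUS: pre-1.0 token used on the page
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
# Categories treated as PII here (assumption): physical and online contact
# information, government-issued and financial identifiers.
PII_CATEGORIES = {"PHY", "ONL", "GOV", "FIN"}
# Optional fourth letter on purpose/recipient tokens: opt-in / opt-out / always.
CONSENT_RANK = {"i": 0, "o": 1, "a": 2}


def parse_p3p_header(value):
    """Split a P3P header value into its policyref URL and CP token list.
    Either directive may be absent; header folding (the article's example
    continues on a second line) is harmless since only quoted values are read."""
    result = {"policyref": None, "cp": None}
    for m in re.finditer(r'(policyref|CP)\s*=\s*"([^"]*)"', value):
        key, val = m.group(1), m.group(2)
        if key == "CP":
            result["cp"] = val.split()
        else:
            result["policyref"] = val
    return result


def split_token(token):
    """'CUSo' -> ('CUS', 'o'); a bare token such as 'OUR' -> ('OUR', None)."""
    if len(token) == 4 and token[3] in CONSENT_RANK:
        return token[:3], token[3]
    return token, None


def consent_summary(tokens):
    """Return (has_pii, weakest_consent) for a compact policy.
    weakest_consent is 'i' (opt-in), 'o' (opt-out) or 'a' (no consent), taken
    over purposes other than CUR and recipients other than OUR; a token with
    no suffix means required="always" in the compact-policy grammar."""
    has_pii, weakest = False, "i"
    for token in tokens:
        base, suffix = split_token(token)
        if base in PII_CATEGORIES:
            has_pii = True
        elif (base in PURPOSES and base != "CUR") or \
             (base in RECIPIENTS and base != "OUR"):
            level = suffix or "a"
            if CONSENT_RANK[level] > CONSENT_RANK[weakest]:
                weakest = level
    return has_pii, weakest


def uses_pii_without_implicit_consent(tokens):
    has_pii, weakest = consent_summary(tokens)
    return has_pii and weakest == "a"


def uses_pii_without_explicit_consent(tokens):
    has_pii, weakest = consent_summary(tokens)
    return has_pii and weakest in ("o", "a")


def decide(level, party, cp_tokens):
    """Table 1 as a function.  party is 'first' or 'third'; cp_tokens is the CP
    list, or None/[] when the response carried no compact policy.  Returns
    'accept', 'leash', 'downgrade' or 'block'.  Where the table is silent
    (Medium High, first party, no compact policy) the cookie is accepted."""
    if level == "Accept All Cookies":
        return "accept"
    if level == "Block All Cookies":
        return "block"
    no_cp = not cp_tokens
    no_implicit = not no_cp and uses_pii_without_implicit_consent(cp_tokens)
    no_explicit = not no_cp and uses_pii_without_explicit_consent(cp_tokens)
    if level == "Low":
        if party == "first":
            return "accept"
        return "block" if no_cp else ("downgrade" if no_implicit else "accept")
    if level == "Medium":
        if party == "first":
            return "leash" if no_cp else ("downgrade" if no_implicit else "accept")
        return "block" if no_cp or no_implicit else "accept"
    if level == "Medium High":
        if party == "first":
            return "block" if no_implicit else "accept"
        return "block" if no_cp or no_explicit else "accept"
    if level == "High":
        return "block" if no_cp or no_explicit else "accept"
    raise ValueError("unknown privacy level: %s" % level)


# The first value reproduces the article's header; the other two are constructed.
HEADER_FROM_ARTICLE = ('policyref="http://cookie.example.com/w3c/p3p.xml", '
                       'CP="NON DSP ADM DEV PSD CUSo OUR IND STP PRE NAV UNI"')
HEADER_OPT_OUT_PII = 'CP="CAO DSP CUR ADMa TAIo PSDo OUR SAMo IND PHY ONL UNI NAV"'
HEADER_OPT_IN_PII = 'CP="CAO DSP CUR ADMi TAIi OUR IND PHY ONL NAV"'

if __name__ == "__main__":
    for name, header in [("article", HEADER_FROM_ARTICLE), ("opt-out", HEADER_OPT_OUT_PII),
                         ("opt-in", HEADER_OPT_IN_PII), ("no CP", 'policyref="/w3c/p3p.xml"')]:
        cp = parse_p3p_header(header)["cp"]
        for level in ("Low", "Medium", "Medium High", "High"):
            print("%-8s %-12s first=%-9s third=%s" % (
                name, level, decide(level, "first", cp), decide(level, "third", cp)))
```

The article's own header declares only PRE, NAV and UNI data categories, so none of the levels below "Block All Cookies" rejects its cookies; the constructed opt-out header, which names PHY and ONL contact data under an always-on ADM purpose, is downgraded at Medium for the first party and blocked as a third-party cookie, while the opt-in variant passes even at High.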

Simple P3P-Enabled Web Site Example

Many sites, including personal home pages and sites designed primarily to provide information (as opposed to those designed to sell things or provide interactive services), have very simple privacy policies. They tend to collect minimal amounts of data, and generally will either commit to using that data in very limited ways, or make no commitment that might limit future use of that data. Furthermore, for these simple sites one P3P policy is probably sufficient for the entire site.

Example 1 is a policy reference file for a simple site named Example.com that has one policy for the entire site. This policy reference file is placed at the well-known location (/w3c/p3p.xml). This file also includes the site's P3P policy. The policy reference file and policy expiry are set to 10 days. The policy for this site also applies to all the cookies set by this site. Example.com keeps typical web logs. These logs are kept indefinitely and are used to diagnose problems with the web site. They are not shared with other companies; however, they are sometimes analyzed in order to gain insights into how people are using the web site.

Example 1: A policy reference file for a simple site that includes an inline policy

<META xmlns="http://www.w3.org/2000/12/P3Pv1">
  <POLICY-REFERENCES>
    <EXPIRY max-age="864000"/> <!-- 10 days -->
    <POLICY-REF about="#policy1">
      <INCLUDE>/*</INCLUDE>
      <COOKIE-INCLUDE>* .example.com *</COOKIE-INCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>  
  <POLICIES>
  <POLICY discuri = "http://www.example.com/privacy/policy.html"
     name="policy1">
   
    <EXPIRY max-age="864000"/> <!-- 10 days -->
    <ENTITY>
      <DATA-GROUP>
        <DATA ref="#business.name">Example Corp.</DATA>
        <!-- it's a good idea to include an email address or
             other contact information here as well -->
      </DATA-GROUP>
    </ENTITY>
    <ACCESS><nonident/></ACCESS> <!-- no identified data is collected -->
    <!-- if the site has a dispute resolution procedure that it follows, 
         a DISPUTES-GROUP should be included here -->
    <STATEMENT>
      <PURPOSE><current/><admin/><develop/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#dynamic.clickstream"/>
        <DATA ref="#dynamic.http"/>
      </DATA-GROUP>
    </STATEMENT>
  </POLICY>
  </POLICIES>
</META>
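To show the user-agent side of the protocol described under "How P3P Works" and "Helping User Agents Find Your Policy Reference File", here is an added Python example (not code from the article or from the W3C) that processes a policy reference file like Example 1 after it has been fetched from the well-known location: it matches a requested path against the INCLUDE and EXCLUDE patterns, reads the EXPIRY to learn how long the file may be cached, and summarises the inline policy that applies. The embedded file is constructed after Example 1; the /admin/* EXCLUDE is an addition made here to show how a site keeps a password-protected area out of the declared policy, which is the situation the deployment steps above mention.

```python
"""User-agent processing of a P3P policy reference file.  Added example;
the embedded file is constructed after the article's Example 1."""
import re
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2000/12/P3Pv1"   # namespace used in the article
WELL_KNOWN_LOCATION = "/w3c/p3p.xml"
DEFAULT_LIFETIME = 86400                     # 24 hours when no EXPIRY is present

# Constructed after Example 1; the EXCLUDE element is an addition for this example.
POLICY_REFERENCE_FILE = """\
<META xmlns="http://www.w3.org/2000/12/P3Pv1">
  <POLICY-REFERENCES>
    <EXPIRY max-age="864000"/>
    <POLICY-REF about="#policy1">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/admin/*</EXCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
  <POLICIES>
    <POLICY discuri="http://www.example.com/privacy/policy.html" name="policy1">
      <EXPIRY max-age="864000"/>
      <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Corp.</DATA></DATA-GROUP></ENTITY>
      <ACCESS><nonident/></ACCESS>
      <STATEMENT>
        <PURPOSE><current/><admin/><develop/></PURPOSE>
        <RECIPIENT><ours/></RECIPIENT>
        <RETENTION><indefinitely/></RETENTION>
        <DATA-GROUP>
          <DATA ref="#dynamic.clickstream"/>
          <DATA ref="#dynamic.http"/>
        </DATA-GROUP>
      </STATEMENT>
    </POLICY>
  </POLICIES>
</META>
"""


def _q(tag):
    """Qualify a local element name with the P3P namespace for ElementTree."""
    return "{%s}%s" % (P3P_NS, tag)


def _local(el):
    """Strip the namespace from an element tag: '{ns}nonident' -> 'nonident'."""
    return el.tag.split("}")[-1]


def pattern_matches(pattern, path):
    """INCLUDE/EXCLUDE patterns are local URIs in which '*' matches any run of characters."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, path) is not None


def policy_for_path(prf_xml, path):
    """Return the 'about' reference of the policy covering path, or None.
    A POLICY-REF covers a path when one of its INCLUDE patterns matches and none
    of its EXCLUDE patterns does; this example takes the first covering POLICY-REF."""
    refs = ET.fromstring(prf_xml).find(_q("POLICY-REFERENCES"))
    for ref in refs.findall(_q("POLICY-REF")):
        included = any(pattern_matches(e.text.strip(), path) for e in ref.findall(_q("INCLUDE")))
        excluded = any(pattern_matches(e.text.strip(), path) for e in ref.findall(_q("EXCLUDE")))
        if included and not excluded:
            return ref.get("about")
    return None


def expiry_seconds(prf_xml):
    """How long the user agent may cache this policy reference file before rechecking."""
    exp = ET.fromstring(prf_xml).find(_q("POLICY-REFERENCES")).find(_q("EXPIRY"))
    if exp is not None and exp.get("max-age"):
        return int(exp.get("max-age"))
    return DEFAULT_LIFETIME


def summarize_policy(prf_xml, about):
    """Resolve a '#name' reference to an inline POLICY and summarise its statements.
    A reference without a leading '#' points at another file and would need a
    further HTTP fetch, which this offline example does not perform."""
    if not about.startswith("#"):
        raise ValueError("policy %s lives in another file; fetch it first" % about)
    root = ET.fromstring(prf_xml)
    policy = next((p for p in root.iter(_q("POLICY")) if p.get("name") == about[1:]), None)
    if policy is None:
        return None
    summary = {"discuri": policy.get("discuri"),           # human-readable policy URL
               "access": [_local(c) for c in policy.find(_q("ACCESS"))],
               "statements": []}
    for st in policy.findall(_q("STATEMENT")):
        summary["statements"].append({
            "purpose": [_local(c) for c in st.find(_q("PURPOSE"))],
            "recipient": [_local(c) for c in st.find(_q("RECIPIENT"))],
            "retention": [_local(c) for c in st.find(_q("RETENTION"))],
            "data": [d.get("ref") for d in st.iter(_q("DATA"))],
        })
    return summary


if __name__ == "__main__":
    for path in ("/", "/catalog/index.html", "/admin/login.html"):
        about = policy_for_path(POLICY_REFERENCE_FILE, path)
        print("%-20s -> %s" % (path, about or "no policy declared"))
    print("recheck %s after %d seconds" % (WELL_KNOWN_LOCATION, expiry_seconds(POLICY_REFERENCE_FILE)))
    print(summarize_policy(POLICY_REFERENCE_FILE, "#policy1"))
```

A request under /admin/ returns no policy, which is the outcome a user agent at the Medium level would treat as "site without a P3P policy" for that path; everything else resolves to policy1, whose summary exposes exactly the fields a browser's "snapshot" view needs: the discuri for the human-readable policy, the access level, and each statement's purposes, recipients, retention and data references.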


Footnote:

1. For information about where the "well-known location" resides, see the section later in this article, "Helping User Agents Find Your Policy Reference File."


Simson Garfinkel is a developer with 24 years of programming experience, the author or coauthor of 14 books, an entrepreneur, and a journalist. He is the founder and Chief Technology Officer of Sandstorm Enterprises, a Boston-based firm that develops state-of-the-art computer security tools.

Lorrie Faith Cranor is an Associate Research Professor in the School of Computer Science and in the Engineering and Public Policy Department at Carnegie Mellon University. She is director of the CMU Usable Privacy and Security Laboratory (CUPS). She came to CMU in December 2003 after seven years at AT&T Labs-Research.



Copyright © 2007 O'Reilly Media, Inc.