
P3P: Privacy Primer

by Simson Garfinkel, co-author of Web Security, Privacy & Commerce, 2nd Edition
and Lorrie Faith Cranor, author of Web Privacy with P3P
02/15/2002

The W3C's Platform for Privacy Preferences Project (P3P) provides a standard way for web sites to communicate about their practices around the collection, use, and distribution of personal information. It is a machine-readable privacy policy that can be automatically fetched and evaluated by a user's browser, and it can be tailored to fit your company's specific policies. This article has two parts: the first is an overview of P3P, written by Simson Garfinkel; the second, written by Lorrie Cranor, offers a more in-depth look and examples.

The World Wide Web Consortium's Platform for Privacy Preferences Project (P3P) provides a standard way for web sites to communicate about their practices regarding the collection, use, and distribution of personal information. This article provides a brief introduction to P3P, and Figure 1 illustrates the P3P process; P3P: A more detailed look contains more detailed technical information about the protocol.

Figure 1: How P3P works.

P3P and PICS

P3P is an outgrowth of the W3C's earlier work on its web site rating and filtering technology, PICS (see http://www.w3.org/PICS/). The idea behind PICS was that web sites would be rated regarding their content, web browsers would download these ratings, and parents could program their children's computers so that web pages that violated the parent's standards would not be displayed.

The P3P system supports many of these concepts. Instead of using the formalisms of PICS to rate their adult content, web sites and online services use the formalisms of P3P to describe their policies regarding data collection and use. These descriptions can be downloaded from the web site to the browser when the web pages are viewed. If the web site's policies do not agree with the policies identified by the user, the browser can either warn the user or disable certain functionality. For example, a web browser could be programmed to discard any cookies from a web site that claims to use cookies for profiling its visitors.

PICS and P3P are similar in many ways:

  • Like PICS, P3P doesn't define a specific set of policies or rating techniques. Instead, it describes a generalized vocabulary for describing web site privacy policies.

  • Although both the PICS and P3P standards are extensible, both were provided with an initial data schema. In the case of PICS, the schema was the RSACi system, originally developed for rating video games. In the case of P3P, its schema is the base vocabulary. In both cases, it is very unlikely that the base schema will ever be extended, although it is certainly possible.

  • Just as having a PICS rating does not imply that a site does or does not contain pornography, having a P3P rating does not imply that a site will or will not protect the privacy of its visitors. To make that determination, you (or your browser) must download the policy and read it.

P3P also differs from PICS in several important ways:

  • P3P uses XML instead of LISP S-expressions to define its policies.

  • P3P has no provisions for third-party rating services. All P3P policies are downloaded from the web site itself.

  • P3P statements are not about the content of a web site, but about its practices. Thus, it is not possible for a user or a third party to verify a P3P statement without conducting a physical audit of the web site's organization.

  • Because a web site's P3P statements may be intimately related to a web site's written privacy policy, an organization that treats personal information in a manner that is inconsistent with its P3P statements may be guilty of committing an "unfair trade practice" and may be opening itself up to an enforcement action by the Federal Trade Commission.

Internet Explorer 6.0 contains limited support for P3P (as described in the next section); Netscape Navigator 6.0 contains none.

For information on how to create a P3P policy for your web site, see P3P: A more detailed look.

Support for P3P in Internet Explorer 6.0

Internet Explorer 6.0 contains limited support for P3P: it understands only P3P's so-called compact policies, the short token strings sent in an HTTP header that describe how a site uses information collected through cookies. IE6 uses these compact policies to decide whether or not to accept a cookie from a given web site.

Internet Explorer's P3P implementation is controlled through the "Privacy" tab of the Internet Options control panel (see Figure 2). Using this panel, you can specify one of seven default policies to use for all web sites. You can also modify these policies to suit your individual desires. Finally, you can specify a list of web sites to be treated with specific rules.


Figure 2: Internet Explorer 6.0 has limited support for P3P in the Privacy tab of the Internet Options control panel.

Internet Explorer 6.0's P3P implementation is solely concerned with the issue of cookies. The implementation distinguishes between first-party cookies and third-party cookies. The term first-party cookie is used to refer to a cookie that is transmitted to your browser in the header of the base HTML page that a browser is viewing. The term third-party cookie is used to refer to cookies that are transmitted in the header of included images or frames that come from web sites other than the web site of the base page. In both cases, the browser can be configured to accept or reject cookies depending on whether or not a site has a P3P policy, and on how the policy says the site will handle personally identifiable information (PII).

Several of Microsoft's default policies are concerned with the idea of using PII "without implicit consent." In general, this phrase is used to determine if a web site operator can use personal information that is collected without first asking permission or if permission must be explicitly requested and given.

Internet Explorer 6.0 can "leash" cookies, so that they are only returned to the sites from which they originated. Cookies can also be "downgraded," so that they are automatically deleted when Internet Explorer is exited. The browser also explicitly makes reference to "session cookies"; these are cookies that are similarly deleted at the end of a session and are never stored on the computer's hard disk.

The default policies are described in Table 1.

Table 1: Privacy policies in Internet Explorer 6.0

| Privacy level | First-party cookies | Third-party cookies |
|---|---|---|
| Accept All Cookies | Accepts | Accepts |
| Low | Accepts | Blocks if no compact P3P policy. "Downgrades" cookies that use PII without implicit consent. |
| Medium | Leashes cookies from sites without P3P policies. Downgrades cookies from sites that allow use of PII without implicit consent. | Blocks if no compact P3P policy, or if policy allows use of PII without implicit consent. |
| Medium High | Blocks cookies from sites that use PII without implicit consent. | Blocks if no compact P3P policy, or if policy allows use of PII without explicit consent. |
| High | Blocks if no compact P3P policy, or if policy allows use of PII without explicit consent. | Blocks if no compact P3P policy, or if policy allows use of PII without explicit consent. |
| Block All Cookies | Blocks all cookies. Cannot read existing cookies. | Blocks all cookies. Cannot read existing cookies. |
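To make the compact-policy mechanism and the rules in Table 1 concrete, here is an added example (written for this article, not code from Microsoft or the W3C) that parses the CP="..." token list a site sends in its P3P response header and returns the action a browser would take for a first- or third-party cookie at each privacy level. The P3P 1.0 compact-policy vocabulary (tokens such as TAI, PSA, PHY, ONL, NID, and the a/o/i consent suffixes) is real; the following are assumptions of the example: which category tokens count as PII, that a missing suffix means "always", that CUR and OUR are inherent and excluded from the consent test, and the level and action names. The sample headers are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Data-category tokens from the P3P 1.0 compact-policy vocabulary that this
# example treats as personally identifiable. Assumption: the article does not
# give IE6's own list, so this set is illustrative.
PII_CATEGORIES = {"PHY", "ONL", "GOV", "FIN"}
# Tokens declaring that no identifiable data is collected.
NO_PII_TOKENS = {"NID", "NOI"}
# Purpose and recipient tokens that may carry a consent suffix:
#   a = always (no consent), o = opt-out (implicit), i = opt-in (explicit).
# CUR (current purpose) and OUR (ourselves) are inherent in any transaction
# and are left out of the consent test (assumption of this example).
CONSENT_TOKENS = {"ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
                  "CON", "HIS", "TEL", "OTP",
                  "DEL", "SAM", "UNR", "PUB", "OTR"}
CONSENT_RANK = {"a": 0, "o": 1, "i": 2}   # higher = stronger consent


@dataclass
class CompactPolicy:
    tokens: List[str]
    uses_pii: bool
    weakest_consent: str   # "a", "o" or "i" across all consent-bearing tokens


def parse_compact_policy(header_value: Optional[str]) -> Optional[CompactPolicy]:
    """Parse the CP="..." part of a P3P response-header value. Returns None
    when the header is absent or carries no compact policy."""
    if not header_value:
        return None
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_value, re.IGNORECASE)
    if not m:
        return None
    tokens = m.group(1).split()
    if not tokens:
        return None
    bases = {t[:3].upper() for t in tokens}
    uses_pii = bool(bases & PII_CATEGORIES) and not (bases & NO_PII_TOKENS)
    weakest = "i"   # a PII policy with only inherent purposes counts as consented
    for t in tokens:
        base, suffix = t[:3].upper(), t[3:].lower()
        if base not in CONSENT_TOKENS:
            continue
        suffix = suffix if suffix in CONSENT_RANK else "a"  # no suffix = always
        if CONSENT_RANK[suffix] < CONSENT_RANK[weakest]:
            weakest = suffix
    return CompactPolicy(tokens, uses_pii, weakest)


def decide(level: str, party: str, header_value: Optional[str]) -> str:
    """Apply the Table 1 rules. level: accept_all, low, medium, medium_high,
    high or block_all; party: 'first' or 'third'.
    Returns 'accept', 'leash', 'downgrade' or 'block'."""
    if level == "accept_all":
        return "accept"
    if level == "block_all":
        return "block"
    policy = parse_compact_policy(header_value)
    no_policy = policy is None
    # PII used with no consent mechanism at all: "without implicit consent"
    no_implicit = policy is not None and policy.uses_pii and policy.weakest_consent == "a"
    # PII used without opt-in: "without explicit consent"
    no_explicit = policy is not None and policy.uses_pii and policy.weakest_consent in ("a", "o")
    third = party == "third"
    if level == "low":
        if not third:
            return "accept"
        if no_policy:
            return "block"
        return "downgrade" if no_implicit else "accept"
    if level == "medium":
        if third:
            return "block" if (no_policy or no_implicit) else "accept"
        if no_policy:
            return "leash"
        return "downgrade" if no_implicit else "accept"
    if level == "medium_high":
        if third:
            return "block" if (no_policy or no_explicit) else "accept"
        return "block" if no_implicit else "accept"
    if level == "high":
        return "block" if (no_policy or no_explicit) else "accept"
    raise ValueError(f"unknown privacy level: {level}")


# Constructed sample header values (the P3P: header name is omitted).
HDR_NO_PII = 'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID"'
HDR_ALWAYS = 'CP="ALL DSP COR TAIa PSAa OUR PHY ONL"'   # profiling, no consent
HDR_OPTOUT = 'CP="ALL DSP COR TAIo PSAo OUR PHY ONL"'   # implicit consent
HDR_OPTIN = 'CP="ALL DSP COR TAIi OUR PHY"'             # explicit consent

if __name__ == "__main__":
    for name, hdr in [("none", None), ("no_pii", HDR_NO_PII), ("always", HDR_ALWAYS),
                      ("opt_out", HDR_OPTOUT), ("opt_in", HDR_OPTIN)]:
        for level in ("low", "medium", "medium_high", "high"):
            print(f"{name:8} {level:12} first={decide(level, 'first', hdr):9} "
                  f"third={decide(level, 'third', hdr)}")
```

The profiling case from the overview (a site whose compact policy says it uses identifiable data for tailoring and pseudonymous analysis with no consent) is HDR_ALWAYS: at the Medium level a third-party cookie carrying it is blocked and a first-party one is downgraded, while the same policy with opt-out suffixes passes Medium but not Medium High.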

In the next section, we'll look at P3P in more depth, including how it works, examples of the markup code, and suggestions for P3P deployment.
