p3ptoolbox.org


What is P3P and How Does it Work?

Table of Contents
A. The Basics of P3P
B. What P3P is and What It is Not
C. P3P User Agents in Action

II. What is P3P and How Does it Work?

Human-readable privacy policies have emerged on the Web to improve the dialogue between companies and consumers regarding the use of customer information. Such policies, however, can be cumbersome for consumers to read and understand and it is often hard to track the relationships and privacy policies of the various entities collecting information on any given Web site. The time required to first find and then read a privacy policy can be excessive and the privacy policy may not even be written in language that is easily understood by the visitor. Most Web users, even those who care greatly about how information may be gathered about them, simply ignore these policy statements. As a result, there is a need for a more streamlined process of communication between Web sites and users regarding the collection and use of personal information.

In the mid-1990s, the W3C recognized the potential problems arising from this issue and began developing the Platform for Privacy Preferences. A primary goal of P3P is to increase user trust and confidence in the Web through technical empowerment. The P3P specification provides a simple, automated way for visitors to learn more about and gain more control over the use of their personal information on Web sites they visit. P3P has been designed to be flexible and support a diverse set of user preferences, public policies, service provider policies, and applications.

A. The Basics of P3P

At its most basic level, P3P is a machine-readable vocabulary and syntax for expressing a Web site's data management practices. Taken together, a site's P3P policies present a snapshot summary of how the site collects, handles and uses personal information about its visitors. P3P-enabled Web browsers and other P3P applications will read and understand this snapshot information automatically, compare it to the Web user's own set of privacy preferences, and inform the user when these preferences do not match the practices of the Web site he or she is visiting.

P3P enhances user control by putting a Web site's privacy policies where Web users can find them automatically, in a form users can easily understand, and, by using a common vocabulary, allows users to compare the privacy policies of the different Web sites they visit. Most importantly, this enables Web users to act on the privacy policy information they receive.

In short, the P3P-enabled Web communication can bring ease, transparency and consistency to Web users wishing to decide whether and under what circumstances to disclose personal information. User confidence in online transactions can increase as they are presented with meaningful information and choices about Web site privacy practices.


P3P Vocabulary

  • Who is collecting data?
  • What data is collected?
  • For what purposes will data be used?
  • Is there an ability to opt-in or opt-out of some data uses?
  • Who are the data recipients (anyone beyond the data collector)?
  • To what information does the data collector provide access?
  • What is the data retention policy?
  • How will disputes about the policy be resolved?
  • Where is the human readable privacy policy?

An Example of P3P in use

As an introduction to P3P, let us consider one common scenario that makes use of P3P.

Cindy has decided to check out an online store called CatalogShop, located at http://www.CatalogShop.com/. Let us assume that CatalogShop has placed P3P policies on all their pages, and that Cindy is using a Web browser with P3P support built in.

Cindy types the address for CatalogShop into her Web browser. Her browser is able to automatically fetch the P3P policy for that page. The policy states that the only data the site collects on its home page is the data found in standard HTTP access logs. Now Cindy's Web browser checks this policy against the preferences Cindy has set. Is this policy acceptable to her, or should she be notified? Let's assume that Cindy has told her browser that this is acceptable. In this case, the homepage is displayed normally, with no warnings. Perhaps her browser displays a small icon somewhere along the edge of its window to tell her that a privacy policy was given by the site, and that it matched her preferences.

Next, Cindy clicks on a link to the site's online catalogue. The catalogue section of the site has some more complex software behind it. This software uses cookies to implement a shopping cart feature. Since more information is being gathered in this section of the Web site, the Web server provides a separate P3P policy to cover this section of the site. Again, let's assume that this policy matches Cindy's preferences, so she gets no warnings. Cindy continues and selects a few items she wishes to purchase. Then she proceeds to the checkout page.

The checkout page of CatalogShop requires some additional information: Cindy's name, address, credit card number, and email address. A third P3P policy is available that describes the data that is collected here and states that her data will be used only for completing the current transaction and her order, and for sending her special offers from CatalogShop.

Cindy's browser examines this P3P policy. Imagine that, in an effort to reduce the mail she receives, Cindy has told her browser that she wants to be warned whenever a site says that it will use her information to send her marketing promotions. In this case, the browser will pop up a message saying that this Web site is planning to send her special offers but that she may opt-out of this practice by checking a box on the order form. Cindy can then decide if this is acceptable to her or if she wants to opt-out. If it is acceptable, she can continue with her order; otherwise she can cancel the transaction.

Alternatively, Cindy could have told her browser that she wanted to be warned only if a site is asking for her telephone number or was going to give her contact information to third parties. In that case, she would have received no prompts from her browser at all, and she could proceed with completing her order.

Note that this scenario describes one hypothetical implementation of P3P. Depending on what browser Cindy is using and her personal preferences, she can be warned under a variety of different circumstances - for example, when cookies are set or when her data is collected for a particular purpose. In addition, the warnings themselves may take different forms - for example pop-up messages that require the user to make a decision, or icons in the corner of the browser window that do not require user action. Other types of site configurations are also possible. For example, the CatalogShop site may decide to have fewer P3P policies that are applicable to a broader range of areas on the Web site.

B. What P3P is and What it's Not

P3P Facilitates Better Communication

The P3P specification is designed to do one job and do it well - to communicate to visitors, simply, automatically and transparently a Web site's stated privacy policies. User agents can then be developed to compare the Web site's policy with the visitor's own preferences for collection and use of personal information. P3P policies are not a substitute for human readable privacy policies because P3P cannot represent all the nuances of an organization's data management practices. Rather, P3P policies should be viewed as important extensions to a Web site's human readable policy.

P3P is Not an Enforcement Mechanism

P3P does not set minimum standards for privacy, nor can it monitor whether sites adhere to their own stated procedures. Addressing all of the complicated, fundamental issues surrounding privacy on the Web will require the appropriate combination of technology, a legal framework, self-regulatory practices or an assurance system.

Although P3P provides a technical mechanism for helping inform Web site visitors about privacy policies before they release personal information, it does not provide a mechanism for ensuring that sites act according to their policies. Tools implementing the P3P specification may provide assistance in that regard, but that is up to specific implementations and beyond the scope of the specification. P3P is intended to be complementary to both government and self-regulatory programs that can help enforce Web site policies. In addition, while P3P does not include mechanisms for transferring or securing personal data, it can be built into tools designed to facilitate data transfer.

P3P Version 1.0

The specific goal with the release of version 1.0 of the P3P specification is to inform Web users of the data-collection practices of Web sites. This involves two components: first, P3P allows Web sites to present their data-collection practices in a standardized, machine-readable, easy-to-locate manner. Second, it enables Web users to understand what data will be collected by sites they visit, how that data will be used, what data/uses they may opt-out of or opt-in to, and how long that data will be kept, or retained, by the Web site.

P3P provides a way for a Web site to encode its data-collection and data-use practices in a machine-readable format known as a P3P policy. The P3P specification defines:

  • A standard schema of categories for data a Web site may wish to collect, known as the P3P base data schema.
  • A standard set of uses, recipients, data categories, and other privacy disclosures.
  • An XML format for expressing a privacy policy associated with pages or content elements of a Web site represented using Uniform Resource Identifiers (URIs).
  • A non-XML format for expressing a privacy policy for a cookie (called a compact policy).
  • A means of associating privacy policies with Web pages or sites, and cookies.
  • A mechanism for transporting P3P policies over HTTP.

Various user agents and applications, such as Web browsers, use the P3P protocol to act on the users' behalf to automatically look for and react to the P3P policies at Web sites.

Sample P3P Policy - Showing the XML coding

<POLICY name="forBrowsers"
        discuri="http://www.catalogshop.example.com/PrivacyPracticeBrowsing.html">
  <ENTITY>
    <DATA-GROUP>
      <DATA ref="#business.name">CatalogShop</DATA>
      <DATA ref="#business.contact-info.postal.street">4000 Lincoln Ave.</DATA>
      <DATA ref="#business.contact-info.postal.city">Birmingham</DATA>
      <DATA ref="#business.contact-info.postal.stateprov">MI</DATA>
      <DATA ref="#business.contact-info.postal.postalcode">48009</DATA>
      <DATA ref="#business.contact-info.postal.country">USA</DATA>
      <DATA ref="#business.contact-info.online.email">catalog@example.com</DATA>
      <DATA ref="#business.contact-info.telecom.telephone.intcode">1</DATA>
      <DATA ref="#business.contact-info.telecom.telephone.loccode">248</DATA>
      <DATA ref="#business.contact-info.telecom.telephone.number">3926753</DATA>
    </DATA-GROUP>
  </ENTITY>
  <ACCESS><nonident/></ACCESS>
  <DISPUTES-GROUP>
    <DISPUTES resolution-type="independent"
              service="http://www.PrivacySeal.example.org"
              short-description="PrivacySeal.example.org">
      <IMG src="http://www.PrivacySeal.example.org/Logo.gif" alt="PrivacySeal's logo"/>
      <REMEDIES><correct/></REMEDIES>
    </DISPUTES>
  </DISPUTES-GROUP>
  <STATEMENT>
    <PURPOSE><admin/><develop/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP>
      <DATA ref="#dynamic.clickstream"/>
      <DATA ref="#dynamic.http"/>
    </DATA-GROUP>
  </STATEMENT>
</POLICY>
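The matching step from the CatalogShop scenario, run over policies in the XML format shown above, as an added example that is not part of this guide: the user agent parses each STATEMENT and warns when a purpose or recipient falls in the user's "warn me" set. The home-page policy is trimmed from the page's sample; the checkout policy is constructed for the scenario, and the element names not present in the sample (`current`, `contact`, `required="opt-out"`, `telemarketing`, `other-recipient`, `unrelated`, `public`, `#user.*` data refs) are assumed from the P3P 1.0 vocabulary.

```python
import xml.etree.ElementTree as ET

# Home-page policy: the STATEMENT from the page's sample, trimmed to what
# affects matching (constructed copy; ENTITY and DISPUTES omitted).
HOME_POLICY = """<POLICY name="forBrowsers" discuri="http://www.catalogshop.example.com/p.html">
  <ACCESS><nonident/></ACCESS>
  <STATEMENT>
    <PURPOSE><admin/><develop/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP><DATA ref="#dynamic.clickstream"/><DATA ref="#dynamic.http"/></DATA-GROUP>
  </STATEMENT>
</POLICY>"""

# Checkout policy as the scenario describes it (constructed): order data, plus
# marketing contact the user may opt out of. Element names assumed from P3P 1.0.
CHECKOUT_POLICY = """<POLICY name="checkout" discuri="http://www.catalogshop.example.com/p.html">
  <ACCESS><nonident/></ACCESS>
  <STATEMENT>
    <PURPOSE><current/><contact required="opt-out"/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP><DATA ref="#user.name"/><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
  </STATEMENT>
</POLICY>"""

# Cindy's preferences: warn on marketing uses and on any recipient beyond the site.
MARKETING_PURPOSES = {"contact", "telemarketing"}
THIRD_PARTY_RECIPIENTS = {"other-recipient", "unrelated", "public"}

def parse_statements(policy_xml):
    """Yield (purposes, recipients, data refs) per STATEMENT; purposes map name -> required attr."""
    root = ET.fromstring(policy_xml)
    for st in root.findall("STATEMENT"):
        purposes = {e.tag: e.get("required", "always") for p in st.findall("PURPOSE") for e in p}
        recipients = {e.tag for r in st.findall("RECIPIENT") for e in r}
        data = sorted(d.get("ref") for d in st.iter("DATA"))
        yield purposes, recipients, data

def evaluate(policy_xml, warn_purposes, warn_recipients):
    """Return the warnings a user agent would raise for this policy under these preferences."""
    warnings = []
    for purposes, recipients, data in parse_statements(policy_xml):
        for name in sorted(set(purposes) & warn_purposes):
            note = " (opt-out offered)" if purposes[name] == "opt-out" else ""
            warnings.append(f"purpose '{name}'{note} for {data}")
        for name in sorted(recipients & warn_recipients):
            warnings.append(f"recipient '{name}' for {data}")
    return warnings

if __name__ == "__main__":
    print(evaluate(HOME_POLICY, MARKETING_PURPOSES, THIRD_PARTY_RECIPIENTS))      # []
    print(evaluate(CHECKOUT_POLICY, MARKETING_PURPOSES, THIRD_PARTY_RECIPIENTS))  # one warning
```

Passing an empty purpose set reproduces the alternative in the scenario where Cindy only cares about third-party sharing: the checkout policy then raises no prompt at all.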

P3P Provides Flexibility

The P3P standard has been created with input from many organizations, individuals, and international groups crossing technical and non-technical boundaries. As a result of this collaboration, P3P is flexible and supports a diverse set of user preferences, public policies, service provider policies, and applications. This flexibility will provide opportunities for using P3P in a wide variety of innovative ways that its designers have not yet imagined.

C. P3P User Agents in Action

Some organizations have released user tools that support P3P and others have announced plans to do so. The types of user agents that may emerge include Web browsers and plug-ins to Web browsers that provide different or additional P3P privacy features, media players, document readers, and software for wireless devices, such as personal digital assistants (PDAs) and Internet or e-commerce capable cellular phones. In many of these cases, in particular with PDAs and cellular phones, as well as proxies including the JRC client and the Japanese implementation.

The first user agents to emerge on the scene are Microsoft's Internet Explorer 6.0, a Web browser, and AT&T Privacy Bird, a plug-in for Microsoft Internet Explorer 4.0, 5.0, 5.5 and 6.0. To get a sense of P3P in action, here are some ways that a Web user may interact with P3P using these user agents:

Microsoft Internet Explorer 6.0

With Internet Explorer 6.0 a user may see a warning appear when the browser encounters a cookie that either does not have a compact P3P policy or that has a P3P policy that does not match the privacy preferences set in IE 6.0 under the Privacy tab in the Internet Options pull-down menu.

By clicking on the warning icon in the browser tray, or on the Privacy Report option under the View menu, the user will see:

While browsing on the Web with Internet Explorer 6.0, a user can click on Privacy Policy Summary to see the human readable version of the P3P policy. It will look something like this:

To alter a user's preferences in IE 6.0, the user can change their privacy settings using the following privacy slide bar:

AT&T Privacy Bird

The AT&T Privacy Bird displays a bird icon in the top right of the user's browser title bar and displays a different color of bird to indicate whether or not the Web site's P3P policy matches the user's preferences. The Privacy Tool can even be configured to provide an audible chirp to provide a warning.

The AT&T Privacy Bird provides a page for users to set their privacy setting preferences with the settings grouped into four categories: Health or Medical Information; Financial or Purchase Information; Personally Identifiable Information; and Non-Personally Identifiable Information. By checking the box next to a setting, the user controls which warnings to receive.


Please note that this document is a working draft for review and reference purposes only. Any questions or comments should be e-mailed to info@p3ptoolbox.org.