The Platform for Privacy Preferences P3P - PowerPoint PPT Presentation
1
The Platform for Privacy Preferences (P3P)
  • Katherine Koch
  • Matt Taylor
  • Stanley Trepetin

2
Agenda
  • Privacy Environment
  • P3P Specification
  • Privacy Policy Editors
  • User Agents
  • Conclusion

3
Privacy Environment
  • Online privacy is key: a 1999 survey found 92% of
    Americans concerned about privacy threats when
    interacting online.
  • Websites collect information and consumers
    willing to provide it for certain benefits.

4
Privacy Environment
  • Internet is unstable
  • Poor data quality.
  • Organizational problems.
  • Security problems.
  • No (or difficult to read) notification.

5
Privacy Environment
  • Resulting problems
  • Annoyance.
  • Embarrassment.
  • Discrimination.
  • All are unexpected.

6
Privacy Environment
  • Responses
  • Social: opt-out
  • Technical: cookie managers, encryption, etc.
  • Legislative
  • Numerous proposed bills in US (and some passed).
  • Considerable protection in EU.

7
Privacy Environment
  • Insufficient
  • Social: opt-out is costly.
  • Technical: technology incompatible or not
    widespread.
  • Legislative
  • Sectoral in US.
  • Enforcement lax in EU.

8
P3P - Background
  • P3P solves prior problems
  • Essentially opt-in
  • Preference-based decision-making.
  • Economic and technical issues
  • Widespread: integrated into MS Internet Explorer
    6.
  • Standard (i.e. standardized) specification.

9
P3P - Background
  • P3P solves prior problems (cont.)
  • P3P works with all industries via enforceable
    privacy policies.
  • Toysmart.com vs. FTC.
  • Privacy policies are created from consumer and
    government demand. However, notice-based
    legislation is needed to ensure creation of
    policies.

10
P3P - Background
  • Privacy policy maker creates policy.
  • Including optional human readable privacy policy.
  • Consumers (via user agents) specify preferences,
    parse policy, and decide how to proceed.

11
P3P - Specification
    <POLICY xmlns="http://www.w3.org/2000/12/P3Pv1"
        discuri="http://www.catalog.example.com/PrivacyPracticeBrowsing.html">
      <ENTITY>
        <DATA-GROUP>
          <DATA ref="#business.name">CatalogExample</DATA>
          <DATA ref="#business.contact-info.postal.street">4 Main St.</DATA>
          <DATA ref="#business.contact-info.postal.city">Birmingham</DATA>
          <DATA ref="#business.contact-info.postal.stateprov">MI</DATA>
          <DATA ref="#business.contact-info.postal.postalcode">48009</DATA>
        </DATA-GROUP>
      </ENTITY>
      <ACCESS><nonident/></ACCESS>
      <DISPUTES-GROUP>
        <DISPUTES resolution-type="independent"
            service="http://www.PrivacySeal.example.org"
            short-description="PrivacySeal.example.org">
          <REMEDIES><correct/></REMEDIES>
        </DISPUTES>
      </DISPUTES-GROUP>
      <STATEMENT>
        <PURPOSE><admin/><develop/></PURPOSE>
        <RECIPIENT><ours/></RECIPIENT>
        <RETENTION><stated-purpose/></RETENTION>
        <DATA-GROUP>
          <DATA ref="#dynamic.clickstream"/>
        </DATA-GROUP>
      </STATEMENT>
    </POLICY>

12
P3P - Specification strengths
  • Robust notice, policy-wide
  • Human readability: short and long descriptions.
  • New policies don't apply to old data without
    consent.

13
P3P - Specification strengths
  • Robust notice, data-specific
  • PURPOSE - reason for data collection.
  • RECIPIENT - destination.
  • RETENTION - longevity depends on purpose.

14
P3P - Specification strengths
  • ACCESS to data.
  • Enforcement: DISPUTES statement (e.g. applicable
    court, law, etc.)
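As an added illustration of the user-agent flow in slides 10-14 (not code from the presentation or from any of the tools it reviews), the Python below parses the slide 11 policy, collects each STATEMENT's PURPOSE, RECIPIENT, RETENTION and DATA refs, and compares them with a constructed, simplified preference set standing in for an APPEL ruleset. The preference values and the rule that '#user.' data is sensitive are assumptions.

```python
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2000/12/P3Pv1"
NS = {"p": P3P_NS}

# The policy from slide 11, trimmed to the elements this evaluator reads.
POLICY_XML = """<POLICY xmlns="http://www.w3.org/2000/12/P3Pv1"
    discuri="http://www.catalog.example.com/PrivacyPracticeBrowsing.html">
  <ENTITY><DATA-GROUP>
    <DATA ref="#business.name">CatalogExample</DATA>
  </DATA-GROUP></ENTITY>
  <ACCESS><nonident/></ACCESS>
  <STATEMENT>
    <PURPOSE><admin/><develop/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
  </STATEMENT>
</POLICY>"""

# Constructed user preferences (a hypothetical, simplified stand-in for an
# APPEL ruleset): identifiable data gets a stricter rule than the default.
USER_PREFS = {
    "sensitive_prefixes": ("#user.", "#thirdparty."),
    "sensitive": {"purposes": {"current"}, "recipients": {"ours"},
                  "retention": {"no-retention", "stated-purpose"}},
    "default": {"purposes": {"current", "admin", "develop"},
                "recipients": {"ours"},
                "retention": {"no-retention", "stated-purpose"}},
}

def _names(parent):
    """Set of child element names (e.g. {'admin', 'develop'}) without namespace."""
    return {e.tag.split("}", 1)[1] for e in parent} if parent is not None else set()

def parse_policy(xml_text):
    """Pull discuri, entity name, ACCESS and every STATEMENT out of a P3P 1.0 policy."""
    root = ET.fromstring(xml_text)
    entity = next((d.text for d in root.find("p:ENTITY", NS).iter(f"{{{P3P_NS}}}DATA")
                   if d.get("ref") == "#business.name"), None)
    statements = [{
        "purposes": _names(st.find("p:PURPOSE", NS)),
        "recipients": _names(st.find("p:RECIPIENT", NS)),
        "retention": _names(st.find("p:RETENTION", NS)),
        "data": [d.get("ref") for d in st.iter(f"{{{P3P_NS}}}DATA")],
    } for st in root.findall("p:STATEMENT", NS)]
    return {"discuri": root.get("discuri"), "entity": entity,
            "access": _names(root.find("p:ACCESS", NS)), "statements": statements}

def evaluate(policy, prefs):
    """Flag each STATEMENT whose PURPOSE/RECIPIENT/RETENTION exceeds the user's rules."""
    reasons = []
    for i, st in enumerate(policy["statements"], 1):
        # Identifiable data (by ref prefix) is judged with the stricter rule set.
        strict = any(ref.startswith(prefs["sensitive_prefixes"]) for ref in st["data"])
        rules = prefs["sensitive"] if strict else prefs["default"]
        for field in ("purposes", "recipients", "retention"):
            extra = st[field] - rules[field]
            if extra:
                reasons.append(f"statement {i}: {field} {sorted(extra)} not allowed for {st['data']}")
    if not policy["discuri"]:
        reasons.append("no discuri: no human-readable policy to fall back to")
    return ("accept" if not reasons else "block", reasons)
```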

15
P3P - Specification strengths
  • Development optimization: Compact Policies for
    cookies.
  • Flexible vocabulary: can handle new types of
    monitoring technologies.

16
P3P - Specification weakness
  • Notice weakness
  • No multiple policies per person or across
    individuals.

17
P3P - Specification
  • No assurance that policies are being followed.
  • No security standards.

18
P3P - Improvement
  • Multiple privacy policies.

19
P3P Policy Editors
  • Utilities for drafting Specification-Compliant
    P3P Policies

20
Outline
  • What P3P editing tools are currently available?
  • What criteria should we use to evaluate these
    tools?
  • What insight do these evaluations provide
    designers of future tools?
  • What role does this play in P3P's future?

21
Editing Tools
  • IBM P3P Policy Editor
  • YOUpowered.com/Consumer Trust
  • PrivacyBot.com
  • Privacy Information Management System (PIMS) P3P
    Policy Wizard

22
Evaluation Criteria
  • Technical Criteria
  • Correctness
  • Specification-compliant/error-free policies that
    can be used by any user-side agent.
  • Consistency
  • Utilities that verify that the P3P policy is
    consistent with what was originally intended.
  • Completeness
  • Must accommodate all data practices, collection
    methods, and provide the full flexibility of the
    spec.

23
Evaluation Criteria
  • Viability in Industry
  • Low cost, easily obtained
  • Easy to use
  • Scale well to web sites of increased size and
    complexity
  • Apply multiple policies to a domain, and its
    cookies and embedded content, through policy-ref
  • Aid user in integration of P3P into the site

24
IBM P3P Policy Editor
  • Advantages
  • Strong interface for defining data collection
  • Utilities that warn user of errors or possible
    inconsistencies
  • XML to HTML translation to verify consistency
  • Disadvantages
  • Poor integration utilities, for creating detailed
    policy reference files, and exporting the
    necessary files/code.

25
IBM P3P Policy Editor: Defining Data Collection
Practices
  • Clear Data Definitions/GUI Interface
  • Left pane contains Base Data Schema elements
  • user, third party, business, and dynamic
  • Right pane contains the data collected by the
    policy
  • Define data groups with usage attributes
  • Move elements from the left pane into groups on
    the right to include them in the policy
  • Any number of groups can be defined
  • This provides a useful, organized way of
    representing the site's data collection, helping
    to ensure consistency

26
IBM P3P Policy Editor
27
IBM P3P Policy Editor: Defining New Data Structures
  • A new data set can be defined in the left pane
  • Elements can be added from the base data schema
    or can be user defined
  • Data sets and elements can be moved into any
    number of data groups on the right pane
  • Mechanism exploits the flexibility in data
    definitions provided by the specification

28
IBM P3P Policy Editor: Correctness
  • Error Pane
  • Below the two data definition panes
  • Prompts user to supply any specification
    requirements that have not been met
  • required attributes, such as entity, or access
    information
  • data groups that contain no elements, recipients,
    purpose, etc.
  • Warns user about possible mistakes
  • does not provide action for disputes
  • claims to not collect any data, is this right?

29
IBM P3P Policy Editor: Consistency
  • XML to HTML translation
  • Translates the XML policy into English using a
    standardized template
  • This outlines what the XML policy states so that
    the user can be sure it is consistent with what
    he/she intended to state
  • Policy Element Pane
  • Outlines the data elements, their group, purpose,
    and recipient
  • A summary of the data definitions helps ensure
    consistency

30
IBM P3P Policy Editor: Completeness
  • Drafting multiple policies for different
    directories of the domain is not straightforward
  • Multiple policies cannot be edited simultaneously
  • Policy reference file is difficult to generate
  • Uniquely associating policy with cookies or
    embedded content is difficult
  • No mechanism for embedded or cookie
    include/exclude
  • Mechanism for compact policies is unclear

31
IBM P3P Policy Editor: Viability in Industry
  • Free, Easy to use solution for defining data
    practices
  • Utilities for verifying correctness and
    consistency
  • Poor/lacking mechanisms for uniquely associating
    multiple policies with directories of the
    domain, cookies, or embedded content
  • Poor Mechanisms for providing the user with the
    necessary files/code to integrate P3P into the
    web site
  • Not a scalable solution for web sites of
    significant complexity

32
YOUpowered.com Consumer Trust Policy Editor
  • Advantages
  • Strong interface for creating multiple policies
    for a domain and associating them with
    directories, cookies, and embedded content
  • Provides much flexibility
  • Disadvantages
  • Data definition utilities less clear than IBM
    editor
  • Does not verify correctness or consistency
  • Allows less technically savvy user to create
    ambiguous and incorrect policies

33
YOUpowered.com
  • GUI Interface
  • Allows user to toggle between different domains
    and their policies to allow the user to edit
    their attributes
  • Left pane is a pull down menu containing the
    policies and system configuration
  • Right pane toggles as selection is made to allow
    user to edit the attributes
  • Provides user with the ability to manipulate
    multiple policies simultaneously

34
YOUpowered.com: Correctness
  • Errors managed as user inputs information into
    menus and forms
  • no error pane that makes user aware of errors
  • no mechanism that warns user of possible
    inconsistencies as in the IBM editor
  • Not all errors can be prevented in this manner

35
YOUpowered.com: Completeness
  • Policy Reference files are easily created
  • when a policy is being edited actively, the
    attributes of its policy reference file can be
    edited
  • include/exclude
  • cookie-include/exclude
  • embedded-include/exclude
  • affords user full flexibility of the
    specification
  • The lacking correctness features cripple these
    added features
  • policy reference files can be created with errors
    and ambiguities

36
YOUpowered.com: Consistency
  • Lacks XML to HTML translation utilities
  • Data definition is done through menus and a less
    organized GUI tool, leading to more possible
    errors
  • Does not summarize the policy for the entire
    domain, after the policies have been applied
    through a policy reference file

37
YOUpowered.com: Viability in Industry
  • Has the Completeness characteristics of a
    scalable solution for industry
  • No compact policies
  • Lacks the correctness and consistency
    requirements to be a good tool

38
PrivacyBot.com
  • Generates P3P compliant policies
  • Charges fees for this service, as well as dispute
    mediation services
  • Provides forms for the user, which it uses to
    generate a P3P policy for $100
  • editing this policy costs $10
  • XML cannot be previewed before this fee is paid
  • User has minimal input in the construction of the
    XML
  • Verification of completeness, consistency, and
    correctness is difficult with a third party
    delivering the policy as part of a suite of
    services
  • Does not focus on generating a comprehensive
    policy, that is stored locally, and can be
    interpreted by any variety of user agents
  • Focus is on seal verification and service model

39
PIMS P3P Policy Wizard
  • Advantages
  • Provides flexibility
  • Files/Code are output in a simple and user
    friendly way
  • Disadvantages
  • Generally requires more technically competent
    users

40
PIMS P3P Policy Wizard
  • Tool caters to the technically competent
  • Prompts the user for the information required for
    the XML statements
  • User must copy XML code into a box for data
    statements and new data structure definitions
  • This design affords flexibility, but sacrifices
    consistency and correctness

41
PIMS P3P Policy Wizard
  • Exports files/code in an HTML document
  • Box for each policy, policy reference file, html
    link tag, http headers, and any compact policies
  • Each box has instructions on what to do with the
    text, where to put the file, where to paste the
    code, etc.
  • Simple Design
  • Exporting to a local file structure, as in the
    YOUpowered.com tool, can be confusing
  • Explanations allow users to integrate P3P into
    their site easily

42
Design Recommendations
  • Do any of these tools provide a scalable solution
    for P3P compliance?
  • Do the sum of the strengths of the tools achieve
    the technical and business goals?
  • How can this be done?

43
Design Recommendations
  • What must be achieved?
  • Correctness
  • Consistency
  • Completeness
  • User friendly
  • Scalable
  • Detailed, accurate policy reference files
  • Integration utilities

44
Design Recommendations
  • Combine the strengths of the YOUpowered, IBM, and
    PIMS tools
  • YOUpowered tool provides ability to edit multiple
    policies simultaneously and construct and edit
    detailed policy reference files
  • IBM tool provides a useful GUI for defining data
    groups, and new data sets, in an organized way
  • PIMS tool allows user to export files/code in a
    simple and fault-tolerant way
  • What's missing?

45
Design Recommendations
  • Correctness Verification Utilities
  • utility must be added to create warnings and
    errors for policy reference file
  • multiple policies point to same URI
  • this policy is not referenced to anything
  • Consistency Verification Utilities
  • XML to HTML translation for a web site with
    multiple policies
  • Summary of data elements across domain with
    multiple policies
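The policy reference file checks slide 45 asks for, as an added example that is not part of the presentation or of any tool it reviews: a constructed policy reference file is parsed, and the checker reports policies that are never referenced, references to undefined policies, and sample URIs that fall under several (or no) POLICY-REF elements. The file contents, policy names and URIs are assumptions.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

NS = {"p": "http://www.w3.org/2000/12/P3Pv1"}

# Constructed policy reference file for a hypothetical site; note the overlap
# between "/*" and "/catalog/*" and a reference to a policy never defined.
POLICY_REF_XML = """<META xmlns="http://www.w3.org/2000/12/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="/P3P/Policies.xml#browsing">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/account/*</EXCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/P3P/Policies.xml#catalog">
      <INCLUDE>/catalog/*</INCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/P3P/Policies.xml#checkout">
      <INCLUDE>/checkout/*</INCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>"""

# Names of the <POLICY name="..."> elements the site's Policies.xml defines (constructed).
DEFINED_POLICIES = {"browsing", "catalog", "account"}

# Sample URIs an editor would probe against the reference file (constructed).
SAMPLE_URIS = ["/index.html", "/catalog/item42.html", "/account/login", "/checkout/pay"]

def parse_policy_refs(xml_text):
    """Return [(policy_name, [includes], [excludes])] in document order."""
    root = ET.fromstring(xml_text)
    refs = []
    for ref in root.iterfind("p:POLICY-REFERENCES/p:POLICY-REF", NS):
        name = ref.get("about", "").rsplit("#", 1)[-1]  # fragment names the policy
        refs.append((name,
                     [e.text.strip() for e in ref.findall("p:INCLUDE", NS)],
                     [e.text.strip() for e in ref.findall("p:EXCLUDE", NS)]))
    return refs

def policies_for(uri, refs):
    """Names of every POLICY-REF whose INCLUDE matches the URI and no EXCLUDE does."""
    return [name for name, inc, exc in refs
            if any(fnmatchcase(uri, p) for p in inc)
            and not any(fnmatchcase(uri, p) for p in exc)]

def check_policy_refs(refs, defined, uris):
    """Warnings an editor should raise: unreferenced policies, dangling references,
    and URIs covered by several (or no) policies."""
    warnings = []
    referenced = {name for name, _, _ in refs}
    for name in sorted(defined - referenced):
        warnings.append(f"policy '{name}' is not referenced by any POLICY-REF")
    for name in sorted(referenced - defined):
        warnings.append(f"POLICY-REF points to undefined policy '{name}'")
    for uri in uris:
        hits = policies_for(uri, refs)
        if len(hits) > 1:
            warnings.append(f"{uri}: multiple policies apply {hits}")
        elif not hits:
            warnings.append(f"{uri}: no policy applies")
    return warnings
```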

46
What does this mean for P3P?
  • Comprehensive compliance tool is easy to conceive
  • What user-side demand might force its development
    or widespread use?

47
Future of P3P Editors
  • It should not be the case that editor-side
    friction prevents propagation of P3P use
    throughout the commercial web
  • Could be easily integrated into web authoring
    tools, or offered as a stand-alone utility
  • If user-side demand requires the adoption of P3P,
    commercial sites should have a tool that
    facilitates compliance.

48
P3P User Agents
  • User Agent Implementations

49
P3P User Agents
  • Evaluation Criteria
  • Public Policy, Technical, Business
  • User Agent Evaluations
  • Internet Explorer 6, Orby Privacy Plus, Privacy
    Minder, Privacy Bank
  • Recommendations

50
Evaluation Criteria - Policy: What is the tool
intended to do?
  • Users need control of their personal information
  • What data does the tool allow the user to
    control?
  • Cookies, Identifiable, Non-Identifiable?
  • Users don't want to read the privacy policies
  • How does the tool help the user make an informed
    decision about a site's practices?

51
Evaluation Criteria - Policy: What is the tool
intended to do?
  • Users should be able to trust the user agent
  • Does the tool act on behalf of only the user?
  • Users should know what to expect from the user
    agent
  • Are the claims the tool makes legitimate?

52
Evaluation Criteria - Technical: Design Implications
  • Novice and Advanced Users
  • Is the tool easy to use?
  • Is it suitable for all types of users?
  • Seamless Browsing Experience
  • Does the tool interrupt the user's browsing?

53
Evaluation Criteria - Technical: Design Implications
  • Security
  • Does the agent store and transmit the user's
    personal information securely?
  • Default Behaviors
  • How does the tool protect the user's information
    in its default settings?

54
Evaluation Criteria - Business: Affected Parties
  • What is the effect on
  • Software Developer: What are the business goals?
  • User: What are the costs?
  • Third Parties: Implications for web sites?

55
P3P User Agents
  • Internet Explorer 6.0
  • Orby Privacy Plus
  • Privacy Minder
  • Privacy Bank

56
Internet Explorer 6
  • Microsoft
  • Beta version available, Release Summer 2001
  • More Cookie Management Features

57
Internet Explorer 6 - Policy: What is the tool
intended to do?
  • Control of personal information
  • More control of cookie placement with compact
    policies
  • Personally-identifiable information, recipients
  • Helping users make informed decisions
  • Compare cookie's policy to user's preferences
  • Only allows cookies that match preferences
  • Show site's policy

58
Internet Explorer 6 - Technical: Design
Implications
  • Novice and Advanced Users
  • 5 Privacy Settings (3 in Preview)
  • Site-by-Site Cookie Settings
  • Import Preferences (Not in Preview)
  • Seamless Browsing Experience
  • Privacy Icon

59
Internet Explorer 6 - Technical: Design
Implications
  • Security
  • Doesn't store personal info for cookie management
  • Default Behaviors
  • Policy required for 3rd party cookies, but not
    1st.
  • If Internet Explorer 6 were to require all
    first-party Web sites to have a P3P compact
    policy for the user to be "remembered" by the
    site using persistent cookie placement, it would
    break user personalization on the Web. It would
    also place significant undue hardship on small
    first-party sites that don't have the resources
    and expertise to understand, create and implement
    a P3P CP by the time Internet Explorer 6 is
    scheduled to ship in early summer 2001.

60
Internet Explorer 6 - Business: Affected Parties
  • Microsoft
  • Actively involved in P3P effort
  • Users
  • Free software
  • No configuration required to use the P3P features
  • Third Parties
  • Compact policies

61
Internet Explorer 6
  • Status bar informative, but not disruptive
  • IE6 could expose a wide audience to P3P
  • Limitation: only uses compact policies
  • Could encourage sites to implement CPs

62
Orby Privacy Plus
  • YOUpowered
  • Version 3.0, April 2001
  • Add-on to Internet Explorer
  • Manage cookies, remember passwords, store
    personal data, fill forms

63
Orby Privacy Plus - Policy: What is the tool
intended to do?
  • Control of personal information
  • Track Eraser deletes cookies when you leave,
    doesn't control placement
  • Manages data transfer to SmartSense sites
  • Personal
  • Demographic
  • Financial
  • Behavioral

64
Orby Privacy Plus - Policy: What is the tool
intended to do?
  • Helping users make informed decisions
  • Orby Trust rating
  • Site Information window
  • Information flags
  • Implicit/Explicit sites
  • Privacy policies

65
Orby Privacy Plus - Policy: What is the tool
intended to do?
  • On behalf of only the user
  • SmartSense sites can store behavioral profiles
  • Share with other sites through Orby!
  • User can turn off sharing
  • User expectations
  • You can access and change your information
    forever and whenever you want.
  • May be misleading

66
Orby Privacy Plus - Technical: Design Implications
  • Novice and Advanced Users
  • 4 Security levels for data transfer
  • Site-by-site preferences
  • Not enough flexibility for advanced users
  • Seamless Browsing Experience
  • Trust score does not give enough information

67
Orby Privacy Plus - Technical: Design Implications
  • Security
  • Encrypted, password-protected profile
  • Default Behaviors
  • Private security level
  • Allows cookies

68
Orby Privacy Plus - Business: Affected Parties
  • YOUpowered
  • Sell SmartSense to sites and distribute Orby free
  • Users
  • Free for users
  • Third Parties
  • SmartSense sites can receive data from Orby

69
Orby Privacy Plus
  • Behavioral profiling, but can turn off sharing
  • Trust Score not informative enough
  • Cookie management not as flexible as IE
  • Form filling is nice, but doesn't use P3P

70
Privacy Minder
  • AT&T Research Prototype (1999)
  • Similar to Orby, but not full user agent
  • Import preferences using APPEL
  • Icons show site status
  • Pop-up window shows information about forms

71
Privacy Bank
  • Stores users information online
  • Users indicate sharing preferences
  • Provides form filler that uses P3P

72
User Agent Recommendations
  • Why are the current tools not adequate?
  • No one tool for managing cookies and other data
    collection
  • Can import preferences, but no utility for
    creating them

73
User Agent Recommendations
  • What about the kids?
  • Special settings for children, COPPA
  • Integrate into the browser.

74
User Agent Recommendations
  • Show the user what he needs to know to make a
    decision.
  • Show meaningful icons, not a rating
  • Separate window for detailed information
  • Show policy information on forms

75
User Agent Recommendations
  • Give users the power.
  • Full control
  • Specify preferences in detail
  • No automatic data transfer
  • Of all types of personal data
  • Cookies, identifiable, non-identifiable

76
The Future
77
Conclusion
  • P3P: a great step forward in privacy protection
  • Standardized, highly flexible privacy protection
    specification which facilitates tool development.
  • Implementing tools should soon be widely used.
  • Improvements
  • Specification.
  • Policy editors.
  • User agents.

78
Conclusion
  • Work in tandem with other security technologies.
  • Notice-based legislation still needed.
  • P3P can become a great privacy protecting
    platform.