U.S. Department of Commerce - PowerPoint PPT Presentation

1
Implementing Machine Readable Privacy
Requirements of the E-Gov Act of 2002 (Server
Admin)
  • U.S. Department of Commerce
  • Web Advisory Group
  • http://www.osec.doc.gov/webresources/

2
Objectives of This Training
  • What is meant by machine readable technology?
  • What is P3P?
  • Policy Reference Files (XML Version)?
  • What is a Compact Policy?
  • How are Compact Policies implemented?
  • How does machine readable technology interact
    with users' web browsers?

3
The E-Gov Requirements
  • The Privacy Provisions of the E-Government Act
    of 2002 require both a human readable Privacy
    Policy and agency use of machine readable
    technology that alerts users automatically about
    whether site privacy practices match their
    personal privacy preferences.

4
Isn't the Text Version Enough?
  • Most users do not see the text Privacy Policy
    until after they have visited one or more of the
    site's pages.
  • Text Privacy Policies are sometimes difficult for
    users to locate, too lengthy for users to read,
    difficult to understand, and can change without
    notice.

5
Machine-Readable Policy
  • P3P is the standard for machine-readable Privacy
    Policy.
  • P3P enables web sites to translate their privacy
    practices into a standardized format (Extensible
    Markup Language - XML) that can be retrieved
    automatically and easily interpreted by a user's
    browser.

6
How Does P3P Work?
7
The Policy Reference File - XML
The Policy Reference File (XML Version) - Machine
Readable Format
  • An XML format for expressing a privacy policy
  • Using a standard P3P base data schema
  • The policy reference file includes the following
    statements:
    • The URL where a P3P policy is found
    • The URLs or regions of URL-space included or
      excluded by this policy
    • The cookies that are or are not covered by this
      policy
    • The period of time for which these claims are
      considered to be valid

Example Policy Reference File
8
Location of the policy reference file
  • The location of the policy reference file can be
    indicated using one of the following:
    • At the server level
      • may be located in a predefined "well-known"
        location (well known to the browser):
        http://www.agency.gov/w3c/p3p.xml
      • through an HTTP header
    • At the web page level
      • a document may indicate a policy reference file
        through an HTML link tag or XHTML link tag

9
Policy Reference File
  • Web sites MAY (and are strongly encouraged to)
    place a policy reference file in a "well-known"
    location.
  • To do this, make the policy reference file
    available on the site at the path /w3c/p3p.xml
  • This mechanism ensures that the P3P policy will
    be accessible to user agents before any other
    resources are requested from the site.
  • For more information about placing the policy
    reference file in a well known location, see
    http://www.w3.org/TR/P3P/Well_Known_Location
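The policy reference file of slides 7 and 9, as an added Python example (not code from the slides or from the Web Advisory Group): it embeds a constructed p3p.xml carrying the four statements slide 7 lists, reads it back the way a user agent would, and reports which policy claims a given URL. The element names are the P3P 1.0 vocabulary; the host, paths, policy names and max-age are sample values chosen for the example.

```python
"""Build and read a P3P 1.0 policy reference file (the /w3c/p3p.xml of slides 7-9).

Added example for this training; it is not DOC/WAG code. The hostname,
paths and policy names are constructed sample values; the element names
are those of the P3P 1.0 vocabulary.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"
WELL_KNOWN_PATH = "/w3c/p3p.xml"   # slide 9: the "well-known" location
DEFAULT_MAX_AGE = 86400            # P3P 1.0 default lifetime when EXPIRY is absent

# Constructed sample: one policy covers the whole site except /forms/*, which
# collects PII and therefore points at a separate policy. The COOKIE-INCLUDE
# wildcard says every cookie the site sets is covered by the general policy.
SAMPLE_PRF = f"""<META xmlns="{P3P_NS}">
  <POLICY-REFERENCES>
    <EXPIRY max-age="172800"/>
    <POLICY-REF about="/w3c/general-policy.xml#general">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/forms/*</EXCLUDE>
      <COOKIE-INCLUDE name="*" value="*" domain="*" path="*"/>
    </POLICY-REF>
    <POLICY-REF about="/w3c/forms-policy.xml#forms">
      <INCLUDE>/forms/*</INCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>
"""


def well_known_location(site_root):
    """URL a user agent fetches before any other resource on the site (slide 9)."""
    return urljoin(site_root, WELL_KNOWN_PATH)


def parse_policy_references(xml_text):
    """Return the EXPIRY lifetime and the POLICY-REF entries as plain dicts."""
    ns = {"p3p": P3P_NS}
    root = ET.fromstring(xml_text)
    refs_el = root.find("p3p:POLICY-REFERENCES", ns)
    if refs_el is None:
        raise ValueError("no POLICY-REFERENCES element")
    expiry = refs_el.find("p3p:EXPIRY", ns)
    max_age = int(expiry.get("max-age", DEFAULT_MAX_AGE)) if expiry is not None else DEFAULT_MAX_AGE
    refs = []
    for ref in refs_el.findall("p3p:POLICY-REF", ns):
        refs.append({
            "policy": ref.get("about"),                       # where the P3P policy is found
            "include": [e.text.strip() for e in ref.findall("p3p:INCLUDE", ns)],
            "exclude": [e.text.strip() for e in ref.findall("p3p:EXCLUDE", ns)],
            "cookies": [dict(c.attrib) for c in ref.findall("p3p:COOKIE-INCLUDE", ns)],
        })
    return {"max_age": max_age, "refs": refs}


def _matches(pattern, path):
    """P3P URI patterns: '*' matches any run of characters, everything else is literal."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), path) is not None


def policy_for(prf, path):
    """Policy URI that claims `path`; an EXCLUDE wins over INCLUDE within one POLICY-REF."""
    for ref in prf["refs"]:
        if any(_matches(p, path) for p in ref["exclude"]):
            continue
        if any(_matches(p, path) for p in ref["include"]):
            return ref["policy"]
    return None


def uncovered(prf, paths):
    """Paths no POLICY-REF claims: these would show up as 'no policy' in a browser."""
    return [p for p in paths if policy_for(prf, p) is None]


if __name__ == "__main__":
    prf = parse_policy_references(SAMPLE_PRF)
    print(well_known_location("http://www.agency.gov"))
    for path in ("/index.html", "/forms/contact.html", "/w3c/p3p.xml"):
        print(path, "->", policy_for(prf, path))
```

The script only checks the structure the slides describe (which policy covers which URL-space, which cookies, for how long); validate a real file with the W3C validator listed on slide 10 before deploying it.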

10
Policy Reference File Tools
  • Free editor tools
    • HiSoftware P3P Builder
      www.hisoftware.com/access/valueaddp3p.html
    • IBM alphaWorks P3P Policy Editor
      www.alphaworks.ibm.com/tech/p3peditor
  • Validator Tool
    www.w3.org/P3P/validator.html

11
APPEL (A P3P Preference Exchange Language) - A P3P Option
  • P3P specifications don't require that browsers
    use APPEL
  • allows users to express their privacy preferences
  • W3C specification to provide a standard language
    for expressing the user's privacy preferences
  • W3C APPEL standards
    http://www.w3.org/TR/P3P-preferences/P3Ppolicies
  • APPEL Ruleset Editor (Free)
    http://p3p.jrc.it/downloadP3P.php

12
Compact Policy
  • An Optional Part of P3P is the Compact Policy
  • An optional performance optimization for P3P
    compliance (but required by some browsers to
    determine the web site's privacy practices
    concerning cookies).
  • summarizes the privacy policy relating to cookies
    only, and provides browsers with policy
    information.
  • may be implemented at server level or web-page
    level.

13
Sample CP
  • Sample CP: NOI NID ADMa OUR LEG DSP COR
  • NOI - No personally identifiable information
    (PII) collected
  • NID - No PII collected, therefore the web user
    cannot access
  • ADMa - Information is collected for web site and
    system admin (no user choice) (browser type,
    screen resolution, etc.)
  • OUR - Who uses the information collected?
    (ourselves and/or entities acting as our agents)
  • LEG - How long is the information collected
    retained?
  • DSP - The privacy policy contains one or more
    DISPUTES elements
  • COR - Errors or wrongful actions arising in
    connection with the privacy policy will be
    remedied by the service (e.g., web site owner)

14
Implementing Compact Policy
Implementing the Optional Compact Policy - Server Configuration
  • The Compact Policy may be implemented on the
    server. This is valuable when all pages or sites
    on the server adhere to the same Privacy Policy.

15
Server Implementation of CP
Server Implementation of the Optional CP
  • Included in Server HTTP Header
  • In Apache Web Server
    • Add the Compact Policy line to the HTTP header
      response in the configuration file (httpd.conf
      or .htaccess)
  • In Internet Information Server 4.0
    • Add/Edit Custom HTTP Header
    • In the custom header field, enter P3P
    • In the custom header value field, enter your
      compact policy

Example
16
Apache Web Server Implementation
  • Sample CP: NOI NID ADMa OUR LEG DSP COR
  • Example of P3P in HTTP Header:
    HTTP/1.1 200 OK
    Date: Wed, 05 Jun 2002 20:42:55 GMT
    Server: Apache/1.3.2-3
    P3P: CP="NOI NID ADMa OUR LEG DSP COR"
  • To view HTTP headers - http://www.delorie.com/web/headers.html

17
Internet Information Server (IIS) Implementation
  • The Microsoft Management Console (MMC) can be
    used to specify a P3P HTTP header.
  • Within MMC, expand the Internet Information
    Server line, and then expand the ServerName line.
    At Default Web Site, right click and then choose
    Properties. Select the HTTP Headers tab. In
    Custom HTTP Headers, click Add. Under Custom
    Header Name, type in the following:
    P3P
  • Next, in Custom Header Value, type in:
    policyref="http://www.mydomain.gov/w3c/p3p.xml", CP="NOI NID ADMa OUR LEG DSP COR"
  • Click OK twice.
  • IIS should now be ready to serve the P3P header
    within the default set of HTTP headers.

18
Web Page Implementation of CP
Optional Web Page Implementation of CP
  • The Compact Policy may also be implemented on
    individual web pages.
  • This is especially valuable when one page
    requires a different Privacy Policy
    (e.g., personal information collection such as
    name, phone number, etc.).

19
Web Page Compact Policies
Use of Optional Compact Policies on Web Pages
  • If you choose to implement a CP on a per page
    basis, you can set the CP using one of the
    following methods, depending on the technologies
    employed by your servers.
20
How Users Are Notified - Web Browser Alerts
  • Web visitors who want to take advantage of P3P
    enabled sites have to set their personal privacy
    preferences in their web browser.

21
Browser Support
  • Browser implementation of P3P is concerned with
    the issue of cookies
  • When the browser encounters a cookie from a web
    page that either does not have a compact P3P
    policy, or that has a P3P policy that does not
    match the user's privacy preferences, the user is
    alerted via icons.
  • Browsers supporting Compact P3P Policy
    • Netscape 7
    • Mozilla
    • Internet Explorer 6
    • AT&T Privacy Bird (Plug-in for Internet Explorer)
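The compact policy of slides 13 through 21 worked end to end, as an added Python example (not DOC/WAG code and not any browser's implementation): it parses the P3P header value shown for Apache and IIS, parses the per-page form set with a `<meta http-equiv="P3P">` tag, checks the tokens against the P3P 1.0 compact vocabulary, and applies the rule from slide 21 that a cookie without a CP, or with a CP that conflicts with the user's preferences, produces an alert. The responses and the "rejected tokens" model of user preferences are constructed for this example.

```python
"""Check a site's P3P compact policy (CP) the way a P3P-aware browser would.

Added example for this training; it is not DOC/WAG code and not any
browser's implementation. The token table is the P3P 1.0 compact policy
vocabulary; the responses and the user preference model are constructed.
"""
import re

# P3P 1.0 compact policy tokens, grouped by the policy element they stand for.
CP_TOKENS = {
    "access": {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "disputes": {"DSP"},
    "remedies": {"COR", "MON", "LAW"},
    "non-identifiable": {"NID"},
    "purpose": {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
                "CON", "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "category": {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
                 "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"},
    "test": {"TST"},
}
ALL_TOKENS = set().union(*CP_TOKENS.values())
# Purposes other than CUR and recipients other than OUR take an a/i/o suffix
# (always / opt-in / opt-out); the slides' ADMa is "ADM, always".
SUFFIXED = (CP_TOKENS["purpose"] - {"CUR"}) | (CP_TOKENS["recipient"] - {"OUR"})

META_RE = re.compile(
    r"""<meta[^>]*http-equiv\s*=\s*["']?P3P["']?[^>]*content\s*=\s*(?:"([^"]*)"|'([^']*)')""",
    re.IGNORECASE)


def base_token(tok):
    """Strip the a/i/o suffix where the vocabulary allows one."""
    if tok not in ALL_TOKENS and tok[-1:] in ("a", "i", "o") and tok[:-1] in SUFFIXED:
        return tok[:-1]
    return tok


def parse_p3p_value(value):
    """Split a P3P header (or meta content) value into (policyref, token list)."""
    ref = re.search(r'policyref\s*=\s*"([^"]*)"', value)
    cp = re.search(r'\bCP\s*=\s*"([^"]*)"', value)
    return (ref.group(1) if ref else None, cp.group(1).split() if cp else None)


def meta_p3p_value(html):
    """Return the content of a <meta http-equiv="P3P"> tag, or None."""
    m = META_RE.search(html)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def validate_cp(tokens):
    """Return the problems found; an empty list means the CP is well formed."""
    problems, seen = [], set()
    for tok in tokens:
        if base_token(tok) not in ALL_TOKENS:
            problems.append(f"unknown token {tok}")
        if tok in seen:
            problems.append(f"duplicate token {tok}")
        seen.add(tok)
    bases = {base_token(t) for t in tokens}
    if "NID" not in bases:  # identifiable data needs purpose, recipient and retention
        for group in ("purpose", "recipient", "retention"):
            if not bases & CP_TOKENS[group]:
                problems.append(f"no {group} token")
    return problems


def browser_decision(headers, body, rejected):
    """Slide-21 rule: a cookie with no CP, or a CP holding a token the user rejects,
    produces an alert. `rejected` is a set of base tokens, our constructed stand-in
    for the browser's privacy preference settings."""
    if not any(k.lower() == "set-cookie" for k in headers):
        return "no-cookie"
    value = next((v for k, v in headers.items() if k.lower() == "p3p"), None)
    if value is None:
        value = meta_p3p_value(body)   # per-page CP set in the HTML instead (slide 19)
    if value is None:
        return "no-compact-policy"
    _, tokens = parse_p3p_value(value)
    if not tokens or validate_cp(tokens):
        return "no-compact-policy"     # this example treats a malformed CP as absent
    if any(base_token(t) in rejected for t in tokens):
        return "policy-mismatch"
    return "accept"


# Constructed sample responses built around the training's sample CP.
SAMPLE_CP = "NOI NID ADMa OUR LEG DSP COR"
HEADER_RESPONSE = {
    "headers": {"Set-Cookie": "session=abc123; Path=/",
                "P3P": f'policyref="http://www.mydomain.gov/w3c/p3p.xml", CP="{SAMPLE_CP}"'},
    "body": "<html><body>home</body></html>",
}
META_RESPONSE = {
    "headers": {"Set-Cookie": "form=1; Path=/forms"},
    "body": f"<html><head><meta http-equiv=\"P3P\" content='CP=\"{SAMPLE_CP}\"'></head></html>",
}
NO_CP_RESPONSE = {"headers": {"Set-Cookie": "track=xyz"}, "body": "<html></html>"}
```

Run `browser_decision(r["headers"], r["body"], {"FIN", "HEA", "IND"})` over the three constructed responses to see "accept" for the header and meta cases and "no-compact-policy" for the third; the same token check is what a validator applies to the header you enter in IIS. On Apache with mod_headers, the server-level equivalent of the IIS steps is the directive `Header set P3P 'CP="NOI NID ADMa OUR LEG DSP COR"'` in httpd.conf or .htaccess (added here; the slides name the files but not the directive).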

22
To Assist DOC Web Developers
  • Web Advisory Group will post guidance on the WAG
    site to help webmasters meet the December 2004
    deadline (http://www.osec.doc.gov/webresources/)
    • Links to various tools we have tested
    • Examples
    • "How to" information
    • Reference materials (W3C)

23
Reference Materials
  • W3C Platform for Privacy Preferences (P3P)
    Project
    http://www.w3.org/P3P/
  • W3C P3P 1.0 Specifications
    http://www.w3.org/TR/P3P/
  • W3C References for P3P Implementations
    http://www.w3.org/P3P/implementations
  • P3P Toolbox
    http://www.p3ptoolbox.org/
