P3P - Platform for Privacy Preference - PowerPoint PPT Presentation

About This Presentation

Title:

P3P - Platform for Privacy Preference

Description:

Optionally, include compact notation in the http header. Enabling Client side ... IE 6.0 supports compact notation only. Netscape 7.0 complete support for 1.0 ... – PowerPoint PPT presentation

Number of Views:150

Avg rating:3.0/5.0

Slides: 24

Provided by: barkha4

Learn more at: https://www.cse.fau.edu

Category:

more less

Transcript and Presenter's Notes

Title: P3P - Platform for Privacy Preference

1
P3P - Platform for Privacy Preference

Barkha J. Herman
Florida Atlantic University

2
Introduction

W3C Emerging standard
Allows users to control how personal info is used
by web sites
Uses XML and RDF to express policies
HTTP for transport

3
Background

Recommendation proposed by W3C
Issue with usage of cookies / data collection by
web sites.
Working group est. 1997.
Specification 1.0 published April 2002
Future CC/PP, XML Signatures.

4
Why P3P?

Privacy - top concern of individuals
Privacy issues impeding growth
Early attempts on disclosure lengthy and
confusing
Need for consistency, simplicity, transparency
Global solution for global market

5
What does it address?

Who is collecting this data?
Exactly what information is being collected?
For what purposes?
Which information is being shared with others?
And who are these data recipients?
Can users make changes in how their data is used?
How are disputes resolved?
What is the policy for retaining data?
And finally, where can the detailed policies be
found in "human readable" form?

6
How does it work

Policies are expressed in XML machine readable
Policies are transferred over HTTP
Retrieval can be automated
Policy verification is seamless
Privacy Reports are viewable by client human
readable

7
How does it work?

8
Enabling Server side

Create a policy file
Publish it in the default directory
(/w3c/p3p.xml)
Optionally, include reference in the HTTP header
Optionally, include compact notation in the http
header

9
Enabling Client side

User Agent checks for policy
User agent compares against set policy
If match, user agent gets page and displays
If no match, page (or cookie) is rejected
User Agent displays privacy report

10
P3P reference in http header

HTTP/1.1 200 OK
Date Wed, 17 Mar 2004 202359 GMT
Server Apache/1.3.28 (Unix) PHP/4.2.3
Content-Location Overview.html
Vary negotiate,accept
TCN choice
P3P policyref"http//www.w3.org/2001/05/P3P/p3p.
xml"
Cache-Control max-age600
Expires Wed, 17 Mar 2004 203359 GMT
Last-Modified Tue, 16 Mar 2004 145942 GMT

11
Compact notation in Http header

HTTP/1.0 200 OK
Date Wed, 17 Mar 2004 202213 GMT
Content-Length 428
Content-Type text/html
Expires Wed, 17 Mar 2004 205213 GMT
Cache-Control max-age1800
Server Microsoft-IIS/5.0
P3P CP"CAO CURa ADMa PSAo PSDo IVAo IVDo OUR
BUS PHY ONL PUR COM NAV INT DEM CNT STA PRE
IISExport This web site was exported using IIS
Export v2.2
Content-Location http//www.oldnavy.com/taghtml/d
efault.html
Last-Modified Tue, 03 Jun 2003 203510

12
Example Policy File

lt?xml version"1.0" ?gt
ltPOLICIES xmlns"http//www.w3.org/2002/01/P3Pv1"gt
ltEXPIRY max-age"604800" /gt
ltPOLICY name"public" discuri"http//www.w3.org/C
onsortium/Legal/privacy-statementPublic"gt
ltENTITYgt
ltDATA-GROUPgt
ltDATA ref"business.name"gtWorld Wide Web
Consortiumlt/DATAgt
ltDATA ref"business.contact-info.postal.name"gtM
IT/LCSlt/DATAgt
ltDATA ref"business.contact-info.postal.street"
gt545 Technology Squarelt/DATAgt
ltDATA ref"business.contact-info.postal.postalc
ode"gt02143lt/DATAgt
ltDATA ref"business.contact-info.postal.city"gtC
ambridge MAlt/DATAgt
ltDATA ref"business.contact-info.postal.country
"gtUSAlt/DATAgt
ltDATA ref"business.contact-info.postal.name"gtI
NRIA/Sophia Antipolislt/DATAgt

13
Continued

ltDATA ref"business.contact-info.postal.street"
gt2004 Routes des Lucioleslt/DATAgt
ltDATA ref"business.contact-info.postal.postalc
ode"gtF-06902lt/DATAgt
ltDATA ref"business.contact-info.postal.city"gtS
ophia Antipolislt/DATAgt
ltDATA ref"business.contact-info.postal.country
"gtFRANCElt/DATAgt
ltDATA ref"business.contact-info.postal.name"gtK
eio Universitylt/DATAgt
ltDATA ref"business.contact-info.postal.street"
gtShonan Fujisawa Campuslt/DATAgt
ltDATA ref"business.contact-info.postal.postalc
ode"gt252-8520lt/DATAgt
ltDATA ref"business.contact-info.postal.city"gt5
322 Endo, Fujisawa-shi, Kanagawalt/DATAgt
ltDATA ref"business.contact-info.postal.country
"gtJAPANlt/DATAgt
ltDATA ref"business.contact-info.online.email"gt
site-policy_at_w3.orglt/DATAgt
ltDATA ref"business.contact-info.telecom.teleph
one.intcode"gt1lt/DATAgt
ltDATA ref"business.contact-info.telecom.teleph
one.loccode"gt617lt/DATAgt
ltDATA ref"business.contact-info.telecom.teleph
one.number"gt2532613lt/DATAgt

14
Continued

ltDATA ref"business.contact-info.online.email"gt
site-policy_at_w3.orglt/DATAgt
ltDATA ref"business.contact-info.online.uri"gtht
tp//www.w3.org/lt/DATAgt
ltDATA ref"business.contact-info.telecom.teleph
one.intcode"gt1lt/DATAgt
ltDATA ref"business.contact-info.telecom.teleph
one.loccode"gt617lt/DATAgt
ltDATA ref"business.contact-info.telecom.teleph
one.number"gt2532613lt/DATAgt
lt/DATA-GROUPgt
lt/ENTITYgt
ltACCESSgt
ltnonident /gt
lt/ACCESSgt
ltDISPUTES-GROUPgt
ltDISPUTES resolution-type"service"
service"http//www.w3.org/" short-description"si
te-policy_at_w3.org"gt
ltLONG-DESCRIPTIONgtThe Webmaster and our
Communications Team will carefully consider the
input and correct errors. If you discover privacy
invasive behavior, please don't hesitate to
contact us.lt/LONG-DESCRIPTIONgt

15
Continued

ltltIMG src"http//www.w3.org/Icons/WWW/w3c_home"
width"72" height"48" alt"Logo World Wide Web
Consortium" /gt
ltREMEDIESgt ltcorrect /gt lt/REMEDIESgt
lt/DISPUTESgt lt/DISPUTES-GROUPgt
ltSTATEMENTgt
ltCONSEQUENCEgtWe collect normal Web-Logs. They
are used for Server administration, Web protocol
research, Statistics of usage and
Security.lt/CONSEQUENCEgt
ltPURPOSEgt ltcurrent /gt ltadmin /gt ltdevelop /gt
lt/PURPOSEgt
ltRECIPIENTgt ltours /gt lt/RECIPIENTgt
ltRETENTIONgt ltindefinitely /gt
lt/RETENTIONgt ltDATA-GROUPgt
ltDATA ref"dynamic.clickstream" /gt
ltDATA ref"dynamic.http.useragent" /gt
ltDATA ref"dynamic.http.referer" /gt
lt/DATA-GROUPgt
lt/STATEMENTgt
lt/POLICYgt
lt/POLICIESgt

16
User Agent support

IE 6.0 supports compact notation only
Netscape 7.0 complete support for 1.0
ATT Privacy bird plugin 1.0 support

17
Editors

P3PEdit
P3PEditor
PrivacyBot
Privacy Policy Editor web based
AlphaWorks P3P Editor

18
Validators

http//www.w3.org/P3P/validator.html
(only game in town)

19
APPEL A P3P Preference Exchange Language 1.0
(APPEL1.0)

W3C working draft that specifies a language for
describing sets of preferences about P3P
policies.
Rule-set for expressing P3P
ltappelRULE behavior"request" description"My
Bank collects data only for itself and its
agents"gt
ltappelREQUEST-GROUPgt
ltappelREQUEST uri"http//www.my-bank.com/"/gt
lt/appelREQUEST-GROUPgt
ltp3pPOLICYgt
ltp3pSTATEMENTgt
ltp3pRECIPIENT appelconnective"or-exact"gt
ltp3pours/gt lt/p3pRECIPIENTgt
lt/p3pSTATEMENTgt
lt/p3pPOLICYgt
lt/appelRULEgt

20
P3P vs. OPS

The Open Profiling Standard - proposal
co-authored by Netscape, Firefly, and VeriSign.
This specification proposed a means for the
exchange of user profile information -- how to
store and release, under the user's permission,
data which is often requested or required by a
Web site.
Eventually, the P3P working groups decided not to
include a data transfer protocol as part of
P3Pv1.

21
P3P Digital Signature assurance

W3C Note Not a specification
The design philosophy and requirements of this
specification are to
Define what it means for a P3P Policy to be
assured via an XML Signature.
Provide detached signatures for P3P Policies and
Assurances.
Enveloping signatures MAY contain the P3P Policy
Reference. This can be convenient in that all the
files are included together, but this has the
following two disadvantages the Signature is the
root element, and XPointer is required to select
portions of the document.
Enveloped signatures are prohibited by P3P's
content model.
Be concise and unambiguous.