
The Platform for Privacy Preferences (P3P)

Katherine Koch
Matt Taylor
Stanley Trepetin

10 May 2001

Platform for Privacy Preferences

Agenda

- Privacy Environment
- P3P Specification
- Privacy Policy Editors
- User Agents
- Conclusion

Privacy Environment

- Online privacy key: 1999 survey: 92% of Americans concerned about privacy threats when interacting online.
- Websites collect information, and consumers are willing to provide it for certain benefits.

Privacy Environment

- Internet is unstable:
  - Poor data quality.
  - Organizational problems.
  - Security problems.
  - No (or difficult to read) notification.

Privacy Environment

- Resulting problems:
  - Annoyance.
  - Embarrassment.
  - Discrimination.
- All are unexpected.

Privacy Environment

- Responses:
  - Social: opt-out.
  - Technical: cookie managers, encryption, etc.
  - Legislative:
    - Numerous proposed bills in US (and some passed).
    - Considerable protection in EU.

Privacy Environment

- Insufficient:
  - Social: opt-out costly.
  - Technical: technology incompatible or not widespread.
  - Legislative:
    - Sectoral in US.
    - Enforcement lax in EU.

P3P - Background

- P3P solves prior problems:
  - Essentially opt-in.
  - Preference-based decision-making.
- Economic and technical issues:
  - Widespread: integrated into MS Internet Explorer 6.
  - Standard (i.e. standardized) specification.

P3P - Background

- P3P solves prior problems (cont):
  - P3P works with all industries via enforceable privacy policies.
    - Toysmart.com vs. FTC.
  - Privacy policies: created from consumer and government demand. However, notice-based legislation is needed to ensure creation of policies.

P3P - Background

- Privacy policy maker creates policy.
  - Including optional human readable privacy policy.
- Consumers (via user agents): specify preferences, parse policy, and decide how to proceed.

P3P - Specification

<POLICY xmlns="http://www.w3.org/2000/12/P3Pv1"
        discuri="http://www.catalog.example.com/PrivacyPracticeBrowsing.html">
  <ENTITY>
    <DATA-GROUP>
      <DATA ref="#business.name">CatalogExample</DATA>
      <DATA ref="#business.contact-info.postal.street">4 Main St.</DATA>
      <DATA ref="#business.contact-info.postal.city">Birmingham</DATA>
      <DATA ref="#business.contact-info.postal.stateprov">MI</DATA>
      <DATA ref="#business.contact-info.postal.postalcode">48009</DATA>
    </DATA-GROUP>
  </ENTITY>
  <ACCESS><nonident/></ACCESS>
  <DISPUTES-GROUP>
    <DISPUTES resolution-type="independent"
              service="http://www.PrivacySeal.example.org"
              short-description="PrivacySeal.example.org">
      <REMEDIES><correct/></REMEDIES>
    </DISPUTES>
  </DISPUTES-GROUP>
  <STATEMENT>
    <PURPOSE><admin/><develop/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP>
      <DATA ref="#dynamic.clickstream"/>
    </DATA-GROUP>
  </STATEMENT>
</POLICY>
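The policy above is what a user agent has to read before it can act on the user's preferences (the previous slide: specify preferences, parse the policy, decide how to proceed). The Python below is an added example, not code from the slides or from any P3P implementation: it reduces a POLICY element to plain data with the standard library and applies a preference rule to the slide's own policy and to a second policy that hands a postal address to unrelated recipients. SLIDE_POLICY is the slide's policy with the postal-address fields omitted; SHARING_POLICY, the PREFS rule set and the accept/prompt/block outcome are constructed assumptions standing in for a real agent's APPEL rule set.

```python
"""Parse a P3P 1.0 policy and let a toy user agent decide how to proceed.

Added example; not code from the slides or from any P3P product. SLIDE_POLICY is
the slide's example (postal fields omitted); SHARING_POLICY and PREFS are constructed.
"""
import xml.etree.ElementTree as ET

NS = "http://www.w3.org/2000/12/P3Pv1"  # namespace used by the slide's policy

SLIDE_POLICY = """<POLICY xmlns="http://www.w3.org/2000/12/P3Pv1"
 discuri="http://www.catalog.example.com/PrivacyPracticeBrowsing.html">
 <ENTITY><DATA-GROUP><DATA ref="#business.name">CatalogExample</DATA></DATA-GROUP></ENTITY>
 <ACCESS><nonident/></ACCESS>
 <DISPUTES-GROUP>
  <DISPUTES resolution-type="independent" service="http://www.PrivacySeal.example.org"
   short-description="PrivacySeal.example.org"><REMEDIES><correct/></REMEDIES></DISPUTES>
 </DISPUTES-GROUP>
 <STATEMENT>
  <PURPOSE><admin/><develop/></PURPOSE>
  <RECIPIENT><ours/></RECIPIENT>
  <RETENTION><stated-purpose/></RETENTION>
  <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
 </STATEMENT>
</POLICY>"""

# Constructed policy: a postal address goes to unrelated recipients with no
# opt-in/opt-out (the 'required' attribute defaults to "always").
SHARING_POLICY = """<POLICY xmlns="http://www.w3.org/2000/12/P3Pv1" discuri="http://shop.example/p.html">
 <ENTITY><DATA-GROUP><DATA ref="#business.name">ShopExample</DATA></DATA-GROUP></ENTITY>
 <ACCESS><none/></ACCESS>
 <STATEMENT>
  <PURPOSE><current/><contact required="opt-in"/></PURPOSE>
  <RECIPIENT><ours/><other-recipient/></RECIPIENT>
  <RETENTION><indefinitely/></RETENTION>
  <DATA-GROUP><DATA ref="#user.home-info.postal"/></DATA-GROUP>
 </STATEMENT>
</POLICY>"""

# Constructed user preferences (assumption): which data refs identify the user,
# which recipients are trusted, which purposes need the user's consent.
PREFS = {
    "identifiable_prefixes": ("#user.", "#thirdparty."),
    "trusted_recipients": {"ours", "delivery"},
    "sensitive_purposes": {"contact", "telemarketing", "individual-analysis",
                           "individual-decision", "other-purpose"},
}

def q(tag):
    return "{%s}%s" % (NS, tag)

def local(elem):
    return elem.tag.rsplit("}", 1)[-1]

def parse_policy(xml_text):
    """Reduce a POLICY element to dicts and lists a preference rule can inspect."""
    root = ET.fromstring(xml_text)
    if local(root) != "POLICY":
        raise ValueError("expected a P3P POLICY element")

    def flags(parent, tag):
        # Children of PURPOSE/RECIPIENT/RETENTION are vocabulary tokens; the
        # consent attribute 'required' defaults to "always" per the spec.
        node = parent.find(q(tag))
        return {} if node is None else {local(c): c.get("required", "always") for c in node}

    entity, access = root.find(q("ENTITY")), root.find(q("ACCESS"))
    return {
        "entity": {d.get("ref"): d.text or "" for d in (entity.iter(q("DATA")) if entity is not None else [])},
        "access": [local(c) for c in access] if access is not None else [],
        "disputes": [d.get("service") for d in root.iter(q("DISPUTES"))],
        "statements": [{"purposes": flags(st, "PURPOSE"),
                        "recipients": flags(st, "RECIPIENT"),
                        "retention": list(flags(st, "RETENTION")),
                        "data": [d.get("ref") for d in st.iter(q("DATA"))]}
                       for st in root.findall(q("STATEMENT"))],
    }

def evaluate(policy, prefs=PREFS):
    """Return ("accept" | "prompt" | "block", reasons) for a parsed policy."""
    reasons, level = [], 0  # 0 accept, 1 prompt the user, 2 block
    if not policy["disputes"]:
        reasons.append("no DISPUTES element: nowhere to take a complaint")
        level = 1
    for n, st in enumerate(policy["statements"], 1):
        ident = [d for d in st["data"] if d.startswith(prefs["identifiable_prefixes"])]
        for rcpt, req in st["recipients"].items():
            if rcpt not in prefs["trusted_recipients"]:
                reasons.append(f"statement {n}: data goes to '{rcpt}' (consent: {req})")
                level = max(level, 2 if req == "always" else 1)
        for purpose, req in st["purposes"].items():
            if ident and purpose in prefs["sensitive_purposes"]:
                reasons.append(f"statement {n}: {ident} used for '{purpose}' (consent: {req})")
                level = max(level, 2 if req == "always" else 1)
    return ("accept", "prompt", "block")[level], reasons

if __name__ == "__main__":
    for name, xml in (("slide policy", SLIDE_POLICY), ("sharing policy", SHARING_POLICY)):
        decision, why = evaluate(parse_policy(xml))
        print(f"{name}: {decision}", *why, sep="\n  ")
```

The slide's policy is accepted outright: clickstream data, kept for the stated purpose, stays with the site, and a dispute service is named. The constructed sharing policy is blocked because `other-recipient` carries no `required="opt-in"` or `"opt-out"`, which the spec reads as "always"; the opt-in `contact` purpose alone would only have prompted.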


P3P - Specification strengths

- Robust notice: policy-wide:
  - Human readability: short and long descriptions.
  - New policies don't apply to old data w/o consent.

P3P - Specification strengths

- Robust notice: data-specific:
  - PURPOSE: reason for data collection.
  - RECIPIENT: destination.
  - RETENTION: longevity depends on purpose.

P3P - Specification strengths

- ACCESS to data.
- Enforcement: DISPUTES statement (e.g. applicable court, law, etc).

P3P - Specification strengths

- Development optimization: Compact Policies for cookies.
- Flexible vocabulary: can handle new types of monitoring technologies.

P3P - Specification weakness

- Notice weakness:
  - No multiple policies per person or across individuals.

P3P - Specification weakness

- No assurance that policies are being followed.
- No security standards.

P3P - Improvement

- Multiple privacy policies.

P3P Policy Editors

Utilities for drafting Specification-Compliant P3P Policies

Outline

- What P3P editing tools are currently available?
- What criteria should we use to evaluate these tools?
- What insight do these evaluations provide designers of future tools?
- What role does this play in P3P's future?

Editing Tools

- IBM P3P Policy Editor
- YOUpowered.com/Consumer Trust
- PrivacyBot.com
- Privacy Information Management System (PIMS) P3P Policy Wizard

Evaluation Criteria

- Technical Criteria
  - Correctness: specification-compliant/error-free policies that can be used by any user-side agent.
  - Consistency: utilities that verify that the P3P policy is consistent with what was originally intended.
  - Completeness: must accommodate all data practices, collection methods, and provide the full flexibility of the spec.

Evaluation Criteria

- Viability in Industry
  - Low cost, easily obtained
  - Easy to use
  - Scale well to web sites of increased size and complexity
  - Apply multiple policies to a domain, and its cookies and embedded content, through policy-ref
  - Aid user in integration of P3P into the site

IBM P3P Policy Editor

Advantages
- Strong interface for defining data collection
- Utilities that warn user of errors or possible inconsistencies
- XML to HTML translation to verify consistency

Disadvantages
- Poor integration utilities, for creating detailed policy reference files, and exporting the necessary files/code.

IBM P3P Policy Editor

Defining Data Collection Practices
- Clear data definitions/GUI interface
  - Left pane contains Base Data Schema elements: user, third party, business, and dynamic
  - Right pane contains the data collected by the policy
    - Define data groups with usage attributes
    - Move elements from the left pane into groups on the right to include them in the policy
    - Any number of groups can be defined
- This provides a useful, organized way of representing the site's data collection, helping to ensure consistency

IBM P3P Policy Editor (screenshot slide)

IBM P3P Policy Editor

Defining New Data Structures
- A new data set can be defined in the left pane
  - Elements can be added from the base data schema or can be user defined
  - Data sets and elements can be moved into any number of data groups on the right pane
- Mechanism exploits the flexibility in data definitions provided by the specification

IBM P3P Policy Editor

Correctness
- Error pane
  - Below the two data definition panes
  - Prompts user to supply any specification requirements that have not been met
    - required attributes, such as entity, or access information
    - data groups that contain no elements, recipients, purpose, etc.
  - Warns user about possible mistakes
    - does not provide action for disputes
    - claims to not collect any data, is this right?

IBM P3P Policy Editor

Consistency
- XML to HTML translation
  - Policy Element Pane
  - Translates the XML policy into English using a standardized template
  - This outlines what the XML policy states so that the user can be sure it is consistent with what he/she intended to state
  - Outlines the data elements, their group, purpose, and recipient
- A summary of the data definitions helps ensure consistency

IBM P3P Policy Editor

Completeness
- Drafting multiple policies for different directories of the domain is not straightforward
  - Multiple policies cannot be edited simultaneously
  - Policy reference file is difficult to generate
- Uniquely associating policy with cookies or embedded content is difficult
  - No mechanism for embedded or cookie include/exclude
- Mechanism for compact policies is unclear

IBM P3P Policy Editor

Viability in Industry
- Free, easy to use solution for defining data practices
- Utilities for verifying correctness and consistency
- Poor/lacking mechanisms for uniquely associating multiple policies with directories of the domain, cookies, or embedded content
- Poor mechanisms for providing the user with the necessary files/code to integrate P3P into the web site
- Not a scalable solution for web sites of significant complexity

YOUpowered.com Consumer Trust Policy Editor

Advantages
- Strong interface for creating multiple policies for a domain and associating them with directories, cookies, and embedded content
- Provides much flexibility

Disadvantages
- Data definition utilities less clear than IBM editor
- Does not verify correctness or consistency
- Allows less technically savvy user to create ambiguous and incorrect policies

YOUpowered.com

GUI Interface
- Allows user to toggle between different domains and their policies to allow the user to edit their attributes
  - Left pane is a pull down menu containing the policies and system configuration
  - Right pane toggles as selection is made to allow user to edit the attributes
- Provides user with the ability to manipulate multiple policies simultaneously

YOUpowered.com

Correctness
- Errors managed as user inputs information into menus and forms
  - no error pane that makes user aware of errors
  - no mechanism that warns user of possible inconsistencies as in the IBM editor
  - Not all errors can be prevented in this manner

YOUpowered.com

Completeness
- Policy reference files are easily created
  - when a policy is being edited actively, the attributes of its policy reference file can be edited
    - include/exclude
    - cookie-include/exclude
    - embedded-include/exclude
  - affords user full flexibility of the specification
- The lacking correctness features cripple these added features
  - policy reference files can be created with errors and ambiguities

YOUpowered.com

Consistency
- Lacks XML to HTML translation utilities
- Data definition is done through menus and a less organized GUI tool, leading to more possible errors
- Does not summarize the policy for the entire domain, after the policies have been applied through a policy reference file

YOUpowered.com

Viability in Industry
- Has the completeness characteristics of a scalable solution for industry
- No compact policies
- Lacks the correctness and consistency requirements to be a good tool

PrivacyBot.com

- Generates P3P compliant policies
- Charges fees for this service, as well as dispute mediation services
  - Provides forms for the user, which it uses to generate a P3P policy for $100
  - editing this policy costs $10
  - XML cannot be previewed before this fee is paid
- User has minimal input in the construction of the XML
- Verification of completeness, consistency, and correctness is difficult with a third party delivering the policy as part of a suite of services
- Does not focus on generating a comprehensive policy, that is stored locally, and can be interpreted by any variety of user agents
  - Focus is on seal verification and service model

PIMS P3P Policy Wizard

Advantages
- Provides flexibility
- Files/code are output in a simple and user friendly way

Disadvantages
- Generally requires more technically competent users

PIMS P3P Policy Wizard

- Tool caters to the technically competent
  - Prompts the user for the information required for the XML statements
  - User must copy XML code into a box for data statements and new data structure definitions
- This design affords flexibility, but sacrifices consistency and correctness

PIMS P3P Policy Wizard

Exports files/code in an HTML document
- Simple design
  - Box for each policy, policy reference file, HTML link tag, HTTP headers, and any compact policies
  - Each box has instructions on what to do with the text, where to put the file, where to paste the code, etc.
  - Exporting to a local file structure, as in the YOUpowered.com tool, can be confusing
  - Explanations allow users to integrate P3P into their site easily

Design Recommendations

- Do any of these tools provide a scalable solution for P3P compliance?
- Does the sum of the strengths of the tools achieve the technical and business goals?
- How can this be done?

Design Recommendations

- What must be achieved?
  - Correctness
  - Consistency
  - Completeness
  - User friendly
  - Scalable
  - Detailed, accurate policy reference files
  - Integration utilities

Design Recommendations

- Combine the strengths of the YOUpowered, IBM, and PIMS tools
  - YOUpowered tool provides ability to edit multiple policies simultaneously and construct and edit detailed policy reference files
  - IBM tool provides a useful GUI for defining data groups, and new data sets, in an organized way
  - PIMS tool allows user to export files/code in a simple and fault-tolerant way
- What's missing?

Design Recommendations

- Correctness verification utilities
  - utility must be added to create warnings and errors for policy reference file
    - multiple policies point to same URI
    - this policy is not referenced to anything
- Consistency verification utilities
  - XML to HTML translation for a web site with multiple policies
  - Summary of data elements across domain with multiple policies
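The two policy-reference-file checks listed above (multiple policies applying to one URI, a policy that nothing references), together with the include/exclude and cookie-include attributes from the YOUpowered completeness slide, are mechanical enough to automate. The Python below is an added example, not code from the slides or from any of the editors discussed. The reference file and the list of sample URIs are constructed, the embedded POLICY elements are name-only stand-ins for full policies, and the overlap check probes a list of representative URIs rather than comparing patterns symbolically, which is an assumption about how such a utility would be built.

```python
"""Lint a P3P policy reference file for the two errors the slide names.

Added example; not code from the slides or from any P3P editor. REF_XML and
SAMPLE_PATHS are constructed; INCLUDE/EXCLUDE use '*' as the only wildcard.
"""
import re
import xml.etree.ElementTree as ET

NS = "http://www.w3.org/2002/01/P3Pv1"

# Constructed reference file: three referenced policies plus one ("legacy")
# that no POLICY-REF points at. Policy bodies are elided (name only).
REF_XML = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY-REFERENCES>
  <POLICY-REF about="#browsing">
   <INCLUDE>/*</INCLUDE>
   <EXCLUDE>/account/*</EXCLUDE>
  </POLICY-REF>
  <POLICY-REF about="#account">
   <INCLUDE>/account/*</INCLUDE>
   <COOKIE-INCLUDE name="session" domain="shop.example" path="/"/>
  </POLICY-REF>
  <POLICY-REF about="#promo">
   <INCLUDE>/account/offers*</INCLUDE>
  </POLICY-REF>
 </POLICY-REFERENCES>
 <POLICIES>
  <POLICY name="browsing"/>
  <POLICY name="account"/>
  <POLICY name="promo"/>
  <POLICY name="legacy"/>
 </POLICIES>
</META>"""

# Constructed URIs standing in for a crawl of the site.
SAMPLE_PATHS = ["/index.html", "/account/profile", "/account/offers/spring"]

def q(tag):
    return "{%s}%s" % (NS, tag)

def parse_reference_file(xml_text):
    """Return (list of POLICY-REF dicts, names of policies embedded in the file)."""
    root = ET.fromstring(xml_text)
    refs = [{
        "about": ref.get("about"),
        "include": [(e.text or "").strip() for e in ref.findall(q("INCLUDE"))],
        "exclude": [(e.text or "").strip() for e in ref.findall(q("EXCLUDE"))],
        "cookies": [dict(c.attrib) for c in ref.findall(q("COOKIE-INCLUDE"))],
    } for ref in root.iter(q("POLICY-REF"))]
    names = [p.get("name") for p in root.iter(q("POLICY"))]
    return refs, names

def glob_match(pattern, path):
    """INCLUDE/EXCLUDE patterns: '*' matches any run of characters, nothing else is special."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, path) is not None

def policies_for(refs, path):
    """Every POLICY-REF whose INCLUDE matches the path and whose EXCLUDE does not."""
    return [r["about"] for r in refs
            if any(glob_match(p, path) for p in r["include"])
            and not any(glob_match(p, path) for p in r["exclude"])]

def lint(xml_text, sample_paths):
    """Warnings an editor should raise before the reference file is published."""
    refs, names = parse_reference_file(xml_text)
    problems = []
    for path in sample_paths:
        hits = policies_for(refs, path)
        if len(hits) > 1:
            problems.append(f"{path}: multiple policies apply ({', '.join(hits)})")
        elif not hits:
            problems.append(f"{path}: no policy applies")
    # Local references look like "#name"; anything else points at another file.
    referenced = {r["about"][1:] for r in refs if r["about"].startswith("#")}
    problems += [f"policy '{n}' is not referenced by any POLICY-REF" for n in names if n not in referenced]
    problems += [f"{r['about']}: references a policy not in this file"
                 for r in refs if r["about"].startswith("#") and r["about"][1:] not in names]
    return problems

if __name__ == "__main__":
    print(*lint(REF_XML, SAMPLE_PATHS), sep="\n")
```

On the constructed file the linter reports exactly the two slide conditions: `/account/offers/spring` is claimed by both `#account` and `#promo` because the EXCLUDE on `#browsing` was never mirrored into `#account`, and `legacy` is declared but unreachable. Extending the cookie side is the same pattern over `COOKIE-INCLUDE` attributes, which the parser already collects.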


What does this mean for P3P?

- Comprehensive compliance tool is easy to conceive
- What user-side demand might force its development or widespread use?

Future of P3P Editors

- It should not be the case that editor-side friction prevents propagation of P3P use throughout the commercial web
- Could be easily integrated into web authoring tools, or offered as a stand alone utility
- If user-side demand requires the adoption of P3P, commercial sites should have a tool that facilitates compliance.

P3P User Agents

User Agent Implementations

P3P User Agents

- Evaluation Criteria
  - Public Policy, Technical, Business
- User Agent Evaluations
  - Internet Explorer 6, Orby Privacy Plus, Privacy Minder, Privacy Bank
- Recommendations

Evaluation Criteria: Policy

What is the tool intended to do?
- Users need control of their personal information
  - What data does the tool allow the user to control?
  - Cookies, identifiable, non-identifiable?
- Users don't want to read the privacy policies
  - How does the tool help the user make an informed decision about a site's practices?

Evaluation Criteria: Policy

What is the tool intended to do?
- Users should be able to trust the user agent
  - Does the tool act on behalf of only the user?
- Users should know what to expect from the user agent
  - Are the claims the tool makes legitimate?

Evaluation Criteria: Technical

Design Implications
- Novice and Advanced Users
  - Is the tool easy to use?
  - Is it suitable for all types of users?
- Seamless Browsing Experience
  - Does the tool interrupt the user's browsing?

Evaluation Criteria: Technical

Design Implications
- Security
  - Does the agent store and transmit the user's personal information securely?
- Default Behaviors
  - How does the tool protect the user's information in its default settings?

Evaluation Criteria: Business

Affected Parties
- What is the effect on:
  - Software Developer: What are the business goals?
  - User: What are the costs?
  - Third Parties: Implications for web sites?

P3P User Agents

- Internet Explorer 6.0
- Orby Privacy Plus
- Privacy Minder
- Privacy Bank

Internet Explorer 6

- Microsoft
- Beta version available, release Summer 2001
- More cookie management features

Internet Explorer 6: Policy

What is the tool intended to do?
- Control of personal information
  - More control of cookie placement with compact policies
  - Personally-identifiable information, recipients
- Helping users make informed decisions
  - Compare cookie's policy to user's preferences
  - Only allows cookies that match preferences
  - Show site's policy

Internet Explorer 6: Technical

Design Implications
- Novice and Advanced Users
  - 5 privacy settings (3 in Preview)
  - Site-by-site cookie settings
  - Import preferences (not in Preview)
- Seamless Browsing Experience
  - Privacy icon

Internet Explorer 6: Technical

Design Implications
- Security
  - Doesn't store personal info for cookie management
- Default Behaviors
  - Policy required for 3rd party cookies, but not 1st.

  If Internet Explorer 6 were to require all first-party Web sites to have a P3P compact policy for the user to be "remembered" by the site using persistent cookie placement, it would break user personalization on the Web. It would also place significant undue hardship on small first-party sites that don't have the resources and expertise to understand, create and implement a P3P CP by the time Internet Explorer 6 is scheduled to ship in early summer 2001.
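Compact policies (the "development optimization for cookies" listed among the specification strengths, and the only policy form IE6 reads) are the token string a site sends in its P3P response header. The Python below is an added example, not code from the slides or from Internet Explorer: it parses the CP token string and applies the default stated on this slide, a policy required for third-party cookies but not for first-party ones. The four headers are constructed, and the "unsatisfactory" test (personally identifiable categories used or shared by a token with the `a`/always suffix instead of `i`/opt-in or `o`/opt-out) is a simplified reading offered as an assumption, not IE6's actual algorithm.

```python
"""Parse P3P compact policies (CP) and apply an IE6-style cookie rule.

Added example; not code from the slides or from Internet Explorer. HEADERS are
constructed and the unsatisfactory() rule is a simplified assumption.
"""
import re

# P3P 1.0 compact-policy vocabulary (three-letter tokens).
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENTS = {"OUR", "DEL", "SAM", "OTR", "UNR", "PUB"}
CATEGORIES = {"PHY", "ONL", "UNI", "FIN", "COM", "NAV", "INT", "DEM", "CNT", "STA",
              "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
OTHER = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON",          # access
         "DSP", "COR", "MON", "LAW",                        # disputes / remedies
         "NID", "NOR", "STP", "LEG", "BUS", "IND", "TST"}   # non-identifiable, retention, test
# Categories this example treats as personally identifiable (assumption).
IDENTIFIABLE = {"PHY", "ONL", "GOV", "FIN"}

# Constructed P3P header values as a site would send them (None = header absent).
HEADERS = {
    "clean":   'CP="NOI DSP COR NID CURa OUR NOR", policyref="/w3c/p3p.xml"',
    "consent": 'CP="NOI DSP COR CURa ADMo CONi OUR PHY ONL"',
    "sharing": 'CP="NOI DSP COR CURa ADMa CONa OUR OTRa PHY ONL FIN"',
    "missing": None,
}

def parse_cp(p3p_header):
    """Return {"purposes", "recipients", "categories", "errors"}, or None if no CP is present."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', p3p_header or "")
    if not m:
        return None
    cp = {"purposes": {}, "recipients": {}, "categories": set(), "errors": []}
    for tok in m.group(1).split():
        base, suffix = tok[:3].upper(), tok[3:]
        # Purpose and recipient tokens carry a consent suffix: a=always, i=opt-in, o=opt-out.
        # A missing suffix is read as "always" here (lenient; an assumption).
        if base in PURPOSES and suffix in ("", "a", "i", "o"):
            cp["purposes"][base] = suffix or "a"
        elif base in RECIPIENTS and suffix in ("", "a", "i", "o"):
            cp["recipients"][base] = suffix or "a"
        elif base in CATEGORIES and not suffix:
            cp["categories"].add(base)
        elif base in OTHER and not suffix:
            pass
        else:
            cp["errors"].append(tok)
    return cp

def unsatisfactory(cp):
    """Reasons the CP fails the simplified rule: identifiable data used or shared without consent."""
    if not cp["categories"] & IDENTIFIABLE:
        return []
    reasons = [f"purpose {p} on identifiable data without consent"
               for p, s in cp["purposes"].items() if p != "CUR" and s == "a"]
    reasons += [f"recipient {r} receives identifiable data without consent"
                for r, s in cp["recipients"].items() if r != "OUR" and s == "a"]
    return reasons

def decide(p3p_header, third_party):
    """Cookie outcome under the slide's default: CP required for 3rd-party cookies, not 1st-party."""
    cp = parse_cp(p3p_header)
    if cp is None or cp["errors"]:           # absent or malformed CP counts as no CP (assumption)
        return "block" if third_party else "accept"
    if unsatisfactory(cp):
        return "block" if third_party else "session-only"
    return "accept"

if __name__ == "__main__":
    for name, hdr in HEADERS.items():
        print(f"{name:8s} 3rd-party: {decide(hdr, True):12s} 1st-party: {decide(hdr, False)}")
```

The `consent` header collects physical and online contact data but marks `ADM` opt-out and `CON` opt-in, so it passes; `sharing` fails three times over (`ADMa`, `CONa`, `OTRa`), and a missing header is blocked only in the third-party context, which is exactly the asymmetry the quoted justification defends.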


Internet Explorer 6: Business

Affected Parties
- Microsoft
  - Actively involved in P3P effort
- Users
  - Free software
  - No configuration required to use the P3P features
- Third Parties
  - Compact policies

Internet Explorer 6

- Status bar informative, but not disruptive
- IE6 could expose a wide audience to P3P
- Limitation: only uses compact policies
- Could encourage sites to implement CPs

Orby Privacy Plus

- YOUpowered
- Version 3.0, April 2001
- Add-on to Internet Explorer
- Manage cookies, remember passwords, store personal data, fill forms

Orby Privacy Plus: Policy

What is the tool intended to do?
- Control of personal information
  - Track Eraser deletes cookies when you leave, doesn't control placement
  - Manages data transfer to SmartSense sites
    - Personal
    - Demographic
    - Financial
    - Behavioral

Orby Privacy Plus: Policy

What is the tool intended to do?
- Helping users make informed decisions
  - Orby Trust rating
  - Site Information window
    - Information flags
    - Implicit/Explicit sites
    - Privacy policies

Orby Privacy Plus: Policy

What is the tool intended to do?
- On behalf of only the user
  - SmartSense sites can store behavioral profiles
  - Share with other sites through Orby!
  - User can turn off sharing
- User expectations
  - "You can access and change your information forever and whenever you want."
  - May be misleading

Orby Privacy Plus: Technical

Design Implications
- Novice and Advanced Users
  - 4 security levels for data transfer
  - Site-by-site preferences
  - Not enough flexibility for advanced users
- Seamless Browsing Experience
  - Trust score does not give enough information

Orby Privacy Plus: Technical

Design Implications
- Security
  - Encrypted, password-protected profile
- Default Behaviors
  - Private security level
  - Allows cookies

Orby Privacy Plus: Business

Affected Parties
- YOUpowered
  - Sell SmartSense to sites and distribute Orby free
- Users
  - Free for users
- Third Parties
  - SmartSense sites can receive data from Orby

Orby Privacy Plus

- Behavioral profiling, but can turn off sharing
- Trust score not informative enough
- Cookie management not as flexible as IE
- Form filling is nice, but doesn't use P3P

Privacy Minder

- AT&T Research Prototype (1999)
- Similar to Orby, but not full user agent
- Import preferences using APPEL
- Icons show site status
- Pop-up window shows information about forms

Privacy Bank

- Stores user's information online
- Users indicate sharing preferences
- Provides form filler that uses P3P

User Agent Recommendations

Why are the current tools not adequate?
- No one tool for managing cookies and other data collection
- Can import preferences, but no utility for creating them

User Agent Recommendations

- What about the kids?
  - Special settings for children, COPPA
- Integrate into the browser.

User Agent Recommendations

- Show the user what he needs to know to make a decision.
  - Show meaningful icons, not a rating
  - Separate window for detailed information
  - Show policy information on forms

User Agent Recommendations

- Give users the power.
  - Full control
    - Specify preferences in detail
    - No automatic data transfer
  - Of all types of personal data
    - Cookies, identifiable, non-identifiable

The Future

Conclusion

- P3P great step forward in privacy protection:
  - Standardized, highly flexible privacy protection specification which facilitates tool development.
  - Implementing tools should soon be widely used.
- Improvements:
  - Specification.
  - Policy editors.
  - User agents.

Conclusion

- Work in tandem with other security technologies.
- Notice-based legislation still needed.
- P3P can become a great privacy protecting platform.