
Page 1: P3P-The platform for Privacy Preference Project 資管研一 戴志洋 R89725014 資管研一 余丹楓 R89725015

P3P-The platform for Privacy Preference Project

戴志洋 R89725014, 余丹楓 R89725015 (first-year graduate students, Information Management)

Page 2:

P3P Overview

P3P is an automated mechanism that uses a user agent to negotiate the privacy policy between a web site and a user.

Page 3:

P3P policies

• use an XML encoding of the P3P vocabulary
• enumerate the types of data or data elements collected, and
• explain how the data will be used

Page 4:

P3P User Agents

P3P1.0 user agents can be built into web browsers, browser plug-ins, or proxy servers. They can also be implemented as Java applets or JavaScript, or built into electronic wallets, automatic form-fillers, or other user data management tools.

A P3P user agent retrieves P3P policies, compares them with the user's preferences, and authorizes the release of data only if a) the policy is consistent with the user's preferences and b) the requested data transfer is consistent with the policy.

Page 5:

Example of P3P in Use

http://www.catalog.example.com

• Assume that CatalogExample has placed P3P policies on all their pages.
• Web browser with P3P built in.

Flowchart between Tellme's browser and the CatalogExample web site:

1. The browser requests the home page. The site's policy for it covers only the standard HTTP access log. The browser checks the policy against the preferences Tellme has given it: match.
2. Tellme enters other catalog pages. Their software uses cookies to implement a "shopping cart" feature, so the policy for these pages needs more information. Check: match.
3. Tellme enters checkout. The checkout policy needs a telephone number, so the browser asks Tellme: Yes / No. No: cancel. Yes: complete.

Page 6:

P3P1.0

The Platform for Privacy Preferences 1.0 (P3P1.0) Specification, W3C Working Draft 18 October 2000

Provides a way for a web site to encode its data-collection and data-use practices in a machine-readable XML format known as a P3P policy.

Page 7:

P3P1.0 specification defines:

• A standard schema for data a Web site may wish to collect, known as the "P3P base data schema"
• A standard set of uses, recipients, data categories, and other privacy disclosures
• An XML format for expressing a privacy policy
• A means of associating privacy policies with Web pages or sites, and cookies
• A mechanism for transporting P3P policies over HTTP

Page 8:

Goal of P3P version 1.0

• It allows Web sites to present their data-collection practices in a standardized, machine-readable, easy-to-locate manner.
• It enables Web users to understand what data will be collected by sites they visit, how that data will be used, and what data/uses they may "opt-out" of or "opt-in" to.

Page 9:

Future Version of P3P

• a mechanism to allow sites to offer a choice of P3P policies to visitors
• a mechanism to allow visitors (through their user agents) to explicitly agree to a P3P policy
• mechanisms to allow for non-repudiation of agreements between visitors and web sites
• a mechanism to allow user agents to transfer user data to services

Page 10:

Policy References

• The URI where a P3P policy is found
• The URIs or regions of URI-space covered by this policy
• The URIs or regions of URI-space not covered by this policy
• The regions of URI-space for embedded content on other servers that are covered by this policy
• The cookies that are or are not covered by this policy
• The access methods for which this policy is applicable
• The period of time for which these claims are considered to be valid

Page 11:

Locating Policy Reference Files

• "Well-known" location, e.g. http://cgi.example.com/w3c/p3p.xml
• Non-ambiguity

Page 12:

HTTP Headers

[1] p3p-header = `P3P: ` p3p-header-field *(`,` p3p-header-field)
[2] p3p-header-field = policy-ref-field | extension-field
[3] policy-ref-field = `policyref="` URI `"`
[4] extension-field = token [`=` (token | quoted-string) ]

Page 13:

1. Client makes a GET request.

GET /index.html HTTP/1.1
Host: catalog.example.com
Accept: */*
Accept-Language: de, en
User-Agent: WonderBrowser/5.2 (RT-11)

Page 14:

2. Server returns content and the P3P header pointing to the policy of the page.

HTTP/1.1 200 OK
P3P: policyref="http://catalog.example.com/P3P/PolicyReferences.xml"
Content-Type: text/html
Content-Length: 7413
Server: CC-Galaxy/1.3.18

Page 15:

The HTML link Tag

[5] p3p-link-tag = `<link rel="P3Pv1" href="` URI `">`

<link rel="P3Pv1" href="http://catalog.example.com/P3P/PolicyReferences.xml">
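The locators on pages 11 to 15 in working code, as an added example that is not code from the slides or from any P3P user agent: parse_p3p_header implements grammar [1]-[4] for the `P3P:` response header, find_link_policyrefs picks up the `<link rel="P3Pv1">` tag of grammar [5], and locate_policy_reference combines both with the "well-known" location /w3c/p3p.xml. The function names, the order in which the three sources are tried (header, then link tag, then well-known location) and the sample response, assembled from the exchange on pages 13 and 14, are this example's own assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# grammar [4]: an extension-field name is an HTTP token
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# one p3p-header-field (grammar [2]-[4]) followed by "," or the end of the value;
# a quoted-string may itself contain a comma, so the header is walked field by
# field instead of being split on ","
_FIELD = re.compile(
    r"\s*(?P<name>" + _TOKEN + r")"
    + r'(?:\s*=\s*(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>[^,\s]+)))?'
    + r"\s*(?:,|$)"
)

WELL_KNOWN = "/w3c/p3p.xml"  # the "well-known" location from page 11


def parse_p3p_header(value):
    """Parse a `P3P:` header value into (policyrefs, extensions).

    policyrefs: URIs from policyref="URI" fields, in order (grammar [3]);
    extensions: {name: value or None} for extension-fields (grammar [4]).
    Raises ValueError when the value does not match the grammar.
    """
    policyrefs, extensions = [], {}
    value, pos = value.strip(), 0
    while pos < len(value):
        m = _FIELD.match(value, pos)
        if not m:
            raise ValueError("malformed P3P header at %r" % value[pos:])
        name, quoted, bare = m.group("name", "quoted", "bare")
        if name.lower() == "policyref":
            if quoted is None:  # grammar [3] requires the URI to be quoted
                raise ValueError("policyref URI must be quoted: %r" % value)
            policyrefs.append(quoted)
        else:
            extensions[name] = quoted if quoted is not None else bare
        pos = m.end()
    return policyrefs, extensions


class _P3PLinkFinder(HTMLParser):
    """Collects the href of every <link rel="P3Pv1" href="..."> (grammar [5])."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)  # HTMLParser already lower-cases tag and attribute names
        if "p3pv1" in (a.get("rel") or "").lower().split() and a.get("href"):
            self.hrefs.append(a["href"])


def find_link_policyrefs(html):
    finder = _P3PLinkFinder()
    finder.feed(html)
    return finder.hrefs


def locate_policy_reference(request_url, headers, html=""):
    """Candidate policy reference file URIs for one response, in the order this
    example tries them: P3P header, then <link> tags, then the well-known
    location (assumed order). Relative URIs resolve against the request URL."""
    candidates = []
    for name, value in headers:
        if name.lower() == "p3p":
            refs, _extensions = parse_p3p_header(value)
            candidates += refs
    candidates += find_link_policyrefs(html)
    candidates.append(WELL_KNOWN)
    seen, ordered = set(), []
    for uri in (urljoin(request_url, c) for c in candidates):
        if uri not in seen:  # keep the first occurrence, drop duplicates
            seen.add(uri)
            ordered.append(uri)
    return ordered


# Constructed sample mirroring the exchange on pages 13 and 14.
SAMPLE_URL = "http://catalog.example.com/index.html"
SAMPLE_HEADERS = [
    ("P3P", 'policyref="http://catalog.example.com/P3P/PolicyReferences.xml"'),
    ("Content-Type", "text/html"),
]
SAMPLE_HTML = ('<html><head><link rel="P3Pv1" href="/P3P/PolicyReferences.xml">'
               '</head><body>catalog</body></html>')

if __name__ == "__main__":
    print(locate_policy_reference(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML))
```

For the sample response the header and the link tag name the same file, so the result is that file followed by the well-known location. The parser rejects an unquoted policyref value, as grammar [3] demands; a real agent should also cap the header length and the number of candidate URIs it is willing to fetch, since both come from the remote site.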

Page 16:

Policy Reference File

<META xmlns="http://www.w3.org/2000/10/18/P3Pv1">
  <POLICY-REFERENCES>
    <EXPIRY max-age="172800"/>
    <POLICY-REF about="/P3P/Policy1.xml">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/catalog/*</EXCLUDE>
      <EXCLUDE>/cgi-bin/*</EXCLUDE>
      <EXCLUDE>/servlet/*</EXCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/P3P/Policy2.xml">
      <INCLUDE>/catalog/*</INCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/P3P/Policy3.xml">
      <INCLUDE>/cgi-bin/*</INCLUDE>
      <INCLUDE>/servlet/*</INCLUDE>
      <EXCLUDE>/servlet/unknown</EXCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>

Page 17:

Policy reference file lifetimes and the EXPIRY element

[6] prf = `<META xmlns="http://www.w3.org/2000/10/18/P3Pv1">` policyrefs [policies] PCDATA `</META>`
[7] policyrefs = `<POLICY-REFERENCES>` [expiry] *policyref `</POLICY-REFERENCES>`
[8] expiry = `<EXPIRY` (absdate|reldate) `/>`
[9] absdate = `date="` HTTP-date `"`
[10] reldate = `max-age="` delta-seconds `"`

Page 18:

The POLICY-REF element

<META xmlns="http://www.w3.org/2000/10/18/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="/P3P/Policy1.xml">
      <INCLUDE>/docs/*</INCLUDE>
      <INCLUDE>/other/index.html</INCLUDE>
      <EMBEDDED-INCLUDE>http://*.example.com/ads/*</EMBEDDED-INCLUDE>
      <EMBEDDED-EXCLUDE>http://*.example.com/ads/network/*</EMBEDDED-EXCLUDE>
      <COOKIE-INCLUDE>*</COOKIE-INCLUDE>
      <COOKIE-EXCLUDE name="obnoxious-cookie" domain=".example.com" path="/"/>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>

Page 19:

Non-ambiguity

A very important rule of policy references is that of non-ambiguity: For each resource at a website there MUST be at most one policy active at any given time. Thus two non-expired policy reference files on a given site MUST NOT declare two or more different policy URIs for the same resource.
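A policy reference file processor for pages 16 to 19, as an added example that is not code from the slides or from any P3P user agent: it parses the META/POLICY-REFERENCES document, evaluates the EXPIRY element per grammar [8]-[10] (an absolute HTTP-date, or max-age relative to the time the file was fetched), maps a request path to a policy through the INCLUDE and EXCLUDE patterns, and checks the non-ambiguity rule above across a set of sample paths. Assumptions of this example: `*` in a pattern matches any string including `/`, patterns are matched against the request path plus query string, a file without EXPIRY is given a 24-hour lifetime, and the class and function names are its own. The sample file is the one on page 16; the second, deliberately ambiguous file is constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

NS = "http://www.w3.org/2000/10/18/P3Pv1"  # namespace used on page 16
DEFAULT_MAX_AGE = 86400  # assumed lifetime (seconds) when EXPIRY is absent


def _tag(name):
    return "{%s}%s" % (NS, name)


def _pattern_to_regex(pattern):
    # escape the pattern, then turn the escaped '*' back into "any string"
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$")


class PolicyRef:
    """One POLICY-REF: a policy URI plus its INCLUDE/EXCLUDE URI-space patterns."""

    def __init__(self, about, includes, excludes):
        self.about = about
        self.includes = [_pattern_to_regex(p) for p in includes]
        self.excludes = [_pattern_to_regex(p) for p in excludes]

    def covers(self, path):
        return (any(r.match(path) for r in self.includes)
                and not any(r.match(path) for r in self.excludes))


class PolicyReferenceFile:
    def __init__(self, xml_text, fetched_at):
        refs_el = ET.fromstring(xml_text).find(_tag("POLICY-REFERENCES"))
        if refs_el is None:
            raise ValueError("no POLICY-REFERENCES element")
        self.fetched_at = fetched_at
        self.expires_at = self._expiry(refs_el.find(_tag("EXPIRY")))
        self.refs = []
        for el in refs_el.findall(_tag("POLICY-REF")):
            inc = [e.text.strip() for e in el.findall(_tag("INCLUDE")) if e.text]
            exc = [e.text.strip() for e in el.findall(_tag("EXCLUDE")) if e.text]
            self.refs.append(PolicyRef(el.get("about"), inc, exc))

    def _expiry(self, el):
        # grammar [8]-[10]: absolute HTTP-date, or max-age relative to fetch time
        if el is not None and el.get("date"):
            dt = parsedate_to_datetime(el.get("date"))
            return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
        has_age = el is not None and el.get("max-age")
        secs = int(el.get("max-age")) if has_age else DEFAULT_MAX_AGE
        return self.fetched_at + timedelta(seconds=secs)

    def is_valid(self, now):
        return now < self.expires_at

    def valid_after(self, seconds):
        """Is the file still usable `seconds` after it was fetched?"""
        return self.is_valid(self.fetched_at + timedelta(seconds=seconds))

    def policies_for(self, path):
        """Every policy URI whose POLICY-REF covers `path` (path plus query)."""
        return [r.about for r in self.refs if r.covers(path)]

    def policy_for(self, path):
        """The single applicable policy URI, None if uncovered, ValueError if ambiguous."""
        hits = self.policies_for(path)
        if len(hits) > 1:
            raise ValueError("non-ambiguity violated for %s: %s" % (path, hits))
        return hits[0] if hits else None

    def ambiguities(self, sample_paths):
        """Sample paths claimed by more than one policy (the page 19 rule)."""
        found = {p: self.policies_for(p) for p in sample_paths}
        return {p: h for p, h in found.items() if len(h) > 1}


# The policy reference file from page 16, embedded as sample input.
SAMPLE_PRF = """<META xmlns="http://www.w3.org/2000/10/18/P3Pv1">
 <POLICY-REFERENCES>
  <EXPIRY max-age="172800"/>
  <POLICY-REF about="/P3P/Policy1.xml">
   <INCLUDE>/*</INCLUDE>
   <EXCLUDE>/catalog/*</EXCLUDE> <EXCLUDE>/cgi-bin/*</EXCLUDE> <EXCLUDE>/servlet/*</EXCLUDE>
  </POLICY-REF>
  <POLICY-REF about="/P3P/Policy2.xml"> <INCLUDE>/catalog/*</INCLUDE> </POLICY-REF>
  <POLICY-REF about="/P3P/Policy3.xml">
   <INCLUDE>/cgi-bin/*</INCLUDE> <INCLUDE>/servlet/*</INCLUDE>
   <EXCLUDE>/servlet/unknown</EXCLUDE>
  </POLICY-REF>
 </POLICY-REFERENCES>
</META>"""
# Constructed variant that breaks non-ambiguity: Policy1 no longer excludes
# /catalog/*, so catalog pages are claimed by Policy1 and Policy2 at once.
AMBIGUOUS_PRF = SAMPLE_PRF.replace("<EXCLUDE>/catalog/*</EXCLUDE>", "")
FETCHED = datetime(2000, 10, 18, tzinfo=timezone.utc)  # constructed fetch time
```

Run against the page 16 file, /index.html maps to Policy1, /catalog/item?id=3 to Policy2, /cgi-bin/search to Policy3 and /servlet/unknown to no policy at all, while the constructed variant reports /catalog/x as claimed by two policies. The file comes from the remote site, so a real agent should parse it with a hardened XML parser (for example defusedxml), cap its size, and refuse to apply a policy reference file whose EXPIRY has passed.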

Page 20:

Multiple Languages

Multiple language versions (translations) of the same policy can be offered by the server using the HTTP "Content-Language" header to properly indicate that a particular language has been used for the policy. This is useful so that human-readable fields such as entity and consequence can be presented in multiple languages.

Page 21:

Non-Discrimination of Policies

Servers SHOULD make every effort to help user agents find P3P policies. In particular, servers SHOULD place a policy reference file at the well-known location whenever possible.

Page 22:

Security of Policy Transport

P3P policies and references to P3P policies SHOULD NOT, in themselves, contain any sensitive information.

Page 23:

Policy Updates

Note that when a web site changes its P3P policy, the old policy applies to data collected when it was in effect. It is the responsibility of the site to keep records of past P3P policies and policy reference files along with the dates when they were in effect, and to apply these policies appropriately.

Page 24:

P3P Guiding Principles (Non-normative)

Notice and Communication

Service providers should:
• Communicate explicitly about data collection and use, identifying the purpose for which personal information is collected and the extent to which it may be shared.
• Prominently post clear, human-readable privacy policies.

Page 25:

P3P Guiding Principles (Non-normative)

User agents should:
• Provide users an option that allows them to easily preview and agree to or reject each transfer of personal information that the user agent facilitates.
• Not, by default, transfer personal information without the user's consent.
• Inform users about the privacy-related options offered by the user agent.

Page 26:

P3P Guiding Principles (Non-normative)

Choice and Control

Service providers should:
• Limit their requests to information necessary for fulfilling the level of service desired by the user.
• Obtain informed consent prior to the collection and use of personal information.
• Provide information about the ability to review and correct personal information.

Page 27:

P3P Guiding Principles (Non-normative)

User agents should:
• Include configuration tools that allow users to customize their preferences.
• Allow users to import and customize P3P preferences from trusted parties.
• Present options to users in a way that is neutral or biased towards privacy.

Page 28:

P3P Guiding Principles (Non-normative)

Fairness and Integrity

Service providers should:
• Use information only for the stated purpose and retain it only as long as necessary.
• Ensure that information is accurate, complete, and up-to-date.
• Continue to treat information according to the policy in effect when the information was collected, unless users give their informed consent to a new policy.

Page 29:

P3P Guiding Principles (Non-normative)

User agents should:
• Act only on behalf of the user according to the preferences specified by the user.
• Accurately represent the practices of the service provider.

Page 30:

P3P Guiding Principles (Non-normative)

Security

Service providers should:
• Provide mechanisms for protecting any personal information they collect.
• Use appropriate trusted protocols for the secure transmission of data.

Page 31:

P3P Guiding Principles (Non-normative)

User agents should:
• Protect the personal information that is stored in the agent.
• Use appropriate trusted protocols for the secure transmission of data.
• Warn users when an insecure transport mechanism is being used.

Page 32:

P3P: Pretty Poor Privacy?

• Current Internet Privacy Risks
• Failure to Establish Privacy Standards
• Exclusion of Non-Compliant Sites
• Absence of Enforcement
• Prognosis for Adoption
• Impact on Privacy if P3P is Deployed
• P3P Fails to Satisfy Jurisdictions with Strong Privacy Standards

Page 33:

Current Internet Privacy Risks

Today the Internet faces a wide range of privacy problems. One risk comes not from web browsers but from the Internet Protocol (IP) used to transmit web pages: when a browser requests a page from a server, the browser's IP address is transmitted as the return address to which the requested page is to be sent. Various services are available today to disguise one's IP address.

Page 34:

Failure to Establish Privacy Standards

P3P builds on the notice and choice privacy approach. This is a weak model for privacy protection because it fails to ensure the observance of Fair Information Practices. This is also not the approach that the United States has typically taken to ensure privacy protection in other sectors with rapidly changing technology.

Page 35:

Exclusion of Non-Compliant Sites

P3P is built on a self-regulatory approach: it gives web sites the option of whether or not to implement the P3P protocol. A web site that collects too much data will probably not implement it. If few sites support P3P, consumers will have little incentive to use the technology, creating a sort of chicken-and-egg problem.

Page 36:

Absence of Enforcement

P3P lacks any means to enforce privacy policies. Even where there is agreement about the privacy terms for a particular transaction, P3P provides no means to ensure enforcement of the stated privacy policies, and the P3P developers do not seem particularly concerned about this problem.

Page 37:

Prognosis for Adoption

There is no user base and no user demand. Companies have been reluctant to adopt the complicated protocol structure, and governments have shown little indication that they will address public concerns about privacy protection.

Page 38:

Impact on Privacy if P3P is Deployed

Microsoft and Netscape/AOL are likely to implement P3P in a way that sets very low privacy preference defaults. These companies are paid through advertising and data collection, so it is in their best interest to have the lowest privacy preferences as defaults.

Page 39:

P3P Fails to Satisfy Jurisdictions with Strong Privacy Standards

P3P has not impressed those jurisdictions that have considered its use to implement legal rules for privacy. The European Union, which does have baseline, legally enforceable privacy rights in the form of the EU Data Directive, has explicitly rejected P3P as part of its privacy protection framework.