To read the article online, visit http://www.4GuysFromRolla.com/webtech/072902-1.shtml

The Platform for Privacy Preferences Project (P3P)

By Philip Bathe


Introduction
In this article I will introduce what the Platform for Privacy Preferences Project, or P3P, is, and why it should be on your radar. Note that this article does not intend to be a thorough examination of P3P, more of an observation on the effect of P3P in web development. At the end of this article you will find a number of links you can visit for more technical information on P3P.

P3P - What is It?
P3P is something that the World Wide Web Consortium (W3C) has established in the hopes of providing Internet users with a sense of privacy when surfing the Web. (The W3C, if you didn't know, is the official Web standards body. Essentially they are the Arthurian knights of the Internet, riding through the chaos of warring Web browsers and emerging technologies in an attempt to bring law and order to our world. Only not as dramatic.) P3P was initiated to alleviate consumer concern over the amount of data being collected by the Web sites we visit. The idea is that anyone who wishes to gather information about someone browsing their site should state what they intend to use the information for (such as: "I want to monitor the pages you visit to improve the usability of my site" or "We want to make our advertising more appropriate for you") and how long they will retain any information. A user visiting a site with a P3P policy then has access to the site's privacy policies and can decide whether or not to accept cookies, or even whether or not to use that site.

The above is my personal take on P3P. For more technical information, be sure to check out the official P3P page, available at: http://www.w3.org/P3P. From that page you can find a P3P FAQ and the technical specifications for the P3P policy standard.

Why You Should Know About P3P
In the past, many Web sites used cookies freely to accomplish a wide array of tasks. It was understood that the vast majority of Internet users were able to accept cookies; after all, it was only those paranoid Internet users who bothered to disallow cookies, right? While this assumption may have held before, it does not necessarily hold now with P3P.

[Image: Privacy settings in IE 6.]

You can no longer assume the vast majority of users will accept any ol' cookie you throw their way. Browsers that support P3P, such as Microsoft's Internet Explorer 6.0, may reject your cookies or prompt the user with a warning, depending on the user's security settings. If you have IE 6, take a moment to see your P3P settings: go to the Tools menu and select Internet Options. Now click on the Privacy tab and you'll see what level of privacy you have set. The default for IE 6 is "Medium" privacy, which blocks 3rd party cookies without a privacy policy and blocks both 3rd and 1st party cookies that use "personally identifiable information without implicit consent".

[Image: A report showing that cookies from mjxads.internet.com were blocked.]

Realize that 1st party cookies are those set by the current site, while 3rd party cookies are those set by other sites such as advertisers (like those from mjxads.internet.com that are set when you visit www.4guysfromrolla.com - correct in July 2002; or advertisements served up by doubleclick.net). Now it doesn't look as though mjxads.internet.com has a privacy policy at present, because my IE 6 browser (on default privacy - medium) has blocked all of its cookies (you get an icon of an eye and a no entry sign somewhere along your status bar - double-click it to see a report similar to the one shown on the left).

Still not worried?
Imagine that you work for a company where you have to support a large range of cookie-driven shops. Now, IE 6 comes out and suddenly your site visitors are having problems with all of the shops. Such a problem may arise if the shops all direct the shoppers to the same domain, where the products available are displayed based on which session variable was passed from the first site. This session variable is a cookie, and since we are going to a different domain it is now a 3rd party cookie and will be blocked by IE 6.

This will inevitably lead to angry and confused customers who will scream at you and shout down the phone at you and cast evil looks at you. Furthermore, it's likely that your boss and manager will not be all too pleased. The solution to this problem ranges from the easy - set up your P3P policies - to the hard - re-write the whole application so that it does not use 3rd party cookies.

Setting Up P3P Policies
Hopefully by this point you're more aware of P3P than before and the potential pitfalls it may cause you, especially if you're using 3rd or 1st party cookies and your users are using IE 6. The W3C provides the page http://www.w3.org/P3P/details.html which has "6 easy steps" to implementing a P3P policy on your site. If you drill down into the details you'll note that a P3P policy is a simple XML file that resides on your Web server, spelling out what cookies the site plans on using and for what purposes. Don't worry if you're not an XML aficionado, though; there are a few P3P policy generator software packages listed at http://www.w3.org/P3P/details.html. (It seems that the only one listed that is free is IBM's P3P Policy Editor, although a search on Google has yielded more resources...)
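
To show what such a policy file contains, here is an added Python example (not part of the original article and not W3C code) that parses a P3P 1.0 policy and lists, per statement, which data is collected, for what purposes, for whom, and how long it is retained. The policy content, the shop.example host and the function names are assumptions made for this example; the sample leaves out the ENTITY and ACCESS elements that a complete policy also carries.

```python
import xml.etree.ElementTree as ET

P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"  # P3P 1.0 XML namespace
# Constructed sample policy for a hypothetical shop; not taken from any real site.
SAMPLE_POLICY = """\
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="shop" discuri="http://shop.example/privacy.html">
    <STATEMENT>
      <PURPOSE><admin/><develop/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#dynamic.cookies"/>
        <DATA ref="#dynamic.clickstream"/>
      </DATA-GROUP>
    </STATEMENT>
    <STATEMENT>
      <PURPOSE><contact required="opt-in"/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>
"""

def _children(statement, tag):
    """Local names of the child elements under <tag> in one STATEMENT."""
    parent = statement.find(P3P_NS + tag)
    return [] if parent is None else [c.tag.replace(P3P_NS, "") for c in parent]

def summarize_policy(xml_text):
    """Return one dict per STATEMENT: what is collected, why, and for how long."""
    root = ET.fromstring(xml_text)
    summary = []
    for policy in root.iter(P3P_NS + "POLICY"):
        for st in policy.findall(P3P_NS + "STATEMENT"):
            summary.append({
                "policy": policy.get("name"),
                "data": [d.get("ref") for d in st.iter(P3P_NS + "DATA")],
                "purposes": _children(st, "PURPOSE"),
                "recipients": _children(st, "RECIPIENT"),
                "retention": _children(st, "RETENTION"),
            })
    return summary

if __name__ == "__main__":
    for row in summarize_policy(SAMPLE_POLICY):
        print(row)
```

The second statement is the kind a reviewer would look at first: it ties an e-mail address to indefinite retention, which is exactly the purpose-and-retention disclosure P3P asks a site to make.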

For More Information
There are a number of useful resources on P3P. As mentioned earlier, this article's intent was not to drill down into the technical details of P3P, but rather to introduce the standard and alert Web developers to potential problems that users browsing with P3P-compatible browsers (such as IE 6) may cause. For more technical information on P3P I highly recommend the following resources:

  • P3PToolbox.org - A large, independent site with oodles of information and resources on P3P.
  • Introduction to P3P - A free sample chapter from O'Reilly's book Web Privacy with P3P. (The sample chapter is a PDF file.)
  • The Official P3P Web Page - This is the W3C's P3P page and has tons of technical information about the standard. Definitely worth reading over.
  • A P3P Primer - this article provides a good discussion of what P3P is and how to create some simple P3P policy files.

Happy Programming!


  • Article Information
    Article Title: The Platform for Privacy Preferences Project (P3P)
    Article Author: Philip Bathe
    Published Date: Sunday, July 28, 2002
    Article URL: http://www.4GuysFromRolla.com/webtech/072902-1.shtml

