Policy Generation, Compact Policies, the Safe Zone - Part 3 of Chapter 5 from Web Privacy with P3P (4/4) | WebReference

Policy Generation, Compact Policies, the Safe Zone - Part 3 of Chapter 5 from Web Privacy with P3P (4/4)

To page 1To page 2To page 3current page

Web Privacy with P3P, Chapter 5: Overview and Options

The Safe Zone

It is impossible to make an HTTP request for anything, including a P3P policy, without revealing some information (for example, an IP address) and risking that it might be used in a privacy-invasive way. The P3P specification defines a safe zone to allow P3P policies to be requested with less risk. Minimal data collection takes place in the safe zone, and any data that is collected is used only in nonidentifiable ways.

The P3P specification recommends that P3P user agents help implement the safe zone by suppressing the transmission of data unnecessary for the purpose of finding a site's policy--such as the HTTP referer header, cookies, and user agent information--until after the policy has been fetched.

The P3P specification further states that, to serve a P3P policy file or policy reference file, servers should not require the receipt of an HTTP referer header, cookies, user agent information, or other information unnecessary for responding to the request. If user agents send any of this information in the process of requesting a P3P policy file or policy reference file, servers should not use the information in an identifiable way.

There are two important practical implications of the safe zone for web sites:

  • You need to make sure that the HTTP referer header and cookies are not essential to serving your P3P policy and policy reference files.
  • If you do any data mining on your web server logs that results in identifying individuals or households, you need to make sure that you exclude data requests for P3P files.
  • TIP: As part of its safe-zone implementation, IE6 does not do authentication on safe zone requests. Therefore, IE6 may not be able to fetch P3P files from web sites that require authentication. This problem occurs mostly on corporate intranet sites.

Testing Your Web Site

After you have P3P-enabled your web site, don't forget to test it to make sure everything is working properly. Use the W3C P3P Validator (http://www.w3.org/P3P/validator/) to check your P3P files for proper syntax and make sure they are all installed in the correct location. This validator will allow you to check the syntax of individual P3P policy files or to enter a URL and check to make sure it is properly P3P-enabled by identifying and checking the relevant policy reference and policy files. The validator checks only a single URL, not your entire site, so make sure you validate URLs on different parts of your site, especially if you have more than one P3P policy. Also be sure to test your site from outside your corporate intranet.

In addition to the W3C P3P Validator, new tools are being developed to help web sites develop and test their P3P implementations. Check the Web for the latest information on P3P tools.[1]

You may also want to browse your web site using one or more P3P user agents with various user preference settings, to see how visitors that use P3P will view your site. Some of the web site privacy self-assessment tools have features that can help you see how P3P user agents will respond to your site's policy. You should check the human-readable language produced by the P3P user agents and self-assessment tools against the language in your human-readable privacy policy and make sure that you have not made any errors in translating your policy into P3P.

The TEST Element and TST Token

Once you P3P-enable your web site, you are making a public commitment about your site's privacy practices. Many companies would rather not make such a commitment until they have fully tested and reviewed their P3P policies. While you are still testing your policy, you may want to include the TEST element in your full P3P policy and the TST token in your compact policy (discussed in Chapter 6). This will let P3P user agents know that your policy is still being tested. The W3C P3P Validator can validate policies with the TEST token. IE6 ignores compact policies with the TST token. The AT&T Privacy Bird treats sites with the TEST element as if they have no P3P policies but provides a policy summary with a note that it is for testing purposes only.

1. The P3P implementation page at http://www.w3.org/P3P/implementations/ lists P3P user agents as well as P3P generators and validators. http://p3ptoolbox.org also lists P3P tools.

To page 1To page 2To page 3current page

Created: January 6, 2003
Revised: January 6, 2003

URL: http://webreference.com/authoring/p3p/chap5/3/4.html