Policy Generation, Compact Policies, the Safe Zone - Part 3 of Chapter 5 from Web Privacy with P3P (4/4)
Web Privacy with P3P, Chapter 5: Overview and Options
It is impossible to make an HTTP request for anything, including a P3P policy, without revealing some information (for example, an IP address) and risking that it might be used in a privacy-invasive way. The P3P specification defines a safe zone to allow P3P policies to be requested with less risk. Minimal data collection takes place in the safe zone, and any data that is collected is used only in nonidentifiable ways.
The P3P specification recommends that P3P user agents help implement the safe zone by suppressing the transmission of data unnecessary for the purpose of finding a site's policy--such as the HTTP referer header, cookies, and user agent information--until after the policy has been fetched.
The P3P specification further states that, to serve a P3P policy file or policy reference file, servers should not require the receipt of an HTTP referer header, cookies, user agent information, or other information unnecessary for responding to the request. If user agents send any of this information in the process of requesting a P3P policy file or policy reference file, servers should not use the information in an identifiable way.
There are two important practical implications of the safe zone for web sites:
- You need to make sure that the HTTP referer header and cookies are not essential to serving your P3P policy and policy reference files.
- If you do any data mining on your web server logs that results in identifying individuals or households, you need to make sure that you exclude requests for P3P files from the data you mine.
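One way to apply the second point is to filter the access log before it reaches any analysis that links requests to individuals. The sketch below is an added example, not code from the book; it assumes Common/Combined Log Format, and both the P3P_PATHS set (apart from the well-known location /w3c/p3p.xml) and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: the paths where this site serves P3P files. /w3c/p3p.xml is the
# P3P well-known location; /w3c/policy.xml is a hypothetical policy file.
P3P_PATHS = {"/w3c/p3p.xml", "/w3c/policy.xml"}

# Request field of a log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def is_safe_zone_request(line, p3p_paths=P3P_PATHS):
    """True if the log line records a request for one of the P3P files."""
    m = REQUEST_RE.search(line)
    if m is None:
        return False  # malformed line: no request target to inspect
    target = m.group("target")
    if not target.startswith("/"):
        target = urlsplit(target).path  # absolute-form: http://host/path
    # Drop the query string first, then decode %xx so /w3c/%703p.xml matches.
    path = unquote(target.split("?", 1)[0])
    path = re.sub(r"/{2,}", "/", path)  # //w3c//p3p.xml -> /w3c/p3p.xml
    # Case-insensitive match errs toward excluding too much, not too little.
    return path.casefold() in p3p_paths


def split_for_mining(lines, p3p_paths=P3P_PATHS):
    """Return (lines that may be mined, number of P3P requests excluded)."""
    kept, excluded = [], 0
    for line in lines:
        if is_safe_zone_request(line, p3p_paths):
            excluded += 1
        else:
            kept.append(line)
    return kept, excluded


# Constructed sample log lines (documentation IP ranges, example.com host).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Jan/2003:10:00:00 +0000] "GET /w3c/p3p.xml HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [06/Jan/2003:10:00:01 +0000] "GET /W3C/policy.xml?v=2 HTTP/1.1" 200 2048 "-" "-"',
    '203.0.113.7 - - [06/Jan/2003:10:00:02 +0000] "GET /catalog/item?id=42 HTTP/1.1" 200 9000 "http://www.example.com/" "Mozilla/4.0"',
    '198.51.100.9 - - [06/Jan/2003:10:00:03 +0000] "GET http://www.example.com/w3c/%703p.xml HTTP/1.0" 200 512 "-" "-"',
    '198.51.100.9 - - [06/Jan/2003:10:00:04 +0000] "GET /docs/w3c/p3p.xml.html HTTP/1.1" 200 100 "-" "-"',
]

if __name__ == "__main__":
    kept, excluded = split_for_mining(SAMPLE_LOG)
    print(f"excluded {excluded} P3P requests, {len(kept)} lines left for analysis")
```

Run the filter as the first stage of the log pipeline, so that the excluded lines never reach a store that joins on IP address, cookie, or referer.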
TIP: As part of its safe-zone implementation, IE6 does not do authentication on safe zone requests. Therefore, IE6 may not be able to fetch P3P files from web sites that require authentication. This problem occurs mostly on corporate intranet sites.
After you have P3P-enabled your web site, don't forget to test it to make sure everything is working properly. Use the W3C P3P Validator (http://www.w3.org/P3P/validator/) to check your P3P files for proper syntax and make sure they are all installed in the correct location. This validator will allow you to check the syntax of individual P3P policy files or to enter a URL and check to make sure it is properly P3P-enabled by identifying and checking the relevant policy reference and policy files. The validator checks only a single URL, not your entire site, so make sure you validate URLs on different parts of your site, especially if you have more than one P3P policy. Also be sure to test your site from outside your corporate intranet.
In addition to the W3C P3P Validator, new tools are being developed to help web sites develop and test their P3P implementations. Check the Web for the latest information on P3P tools.
The TEST Element and TST Token
Once you P3P-enable your web site, you are making a public commitment about your site's privacy practices. Many companies would rather not make such a commitment until they have fully tested and reviewed their P3P policies. While you are still testing your policy, you may want to include the TEST element in your full P3P policy and the TST token in your compact policy (discussed in Chapter 6). This will let P3P user agents know that your policy is still being tested. The W3C P3P Validator can validate policies with the TEST token. IE6 ignores compact policies with the TST token. The AT&T Privacy Bird treats sites with the TEST element as if they have no P3P policies but provides a policy summary with a note that it is for testing purposes only.
Created: January 6, 2003
Revised: January 6, 2003