Web Security, Privacy and Commerce, 2nd Edition
C.1 How P3P Works
The P3P specification includes a standard vocabulary for describing a web site's data practices, a set of base data elements that web sites can refer to in their P3P privacy policies, and a protocol for requesting and transmitting web site privacy policies.
The P3P protocol is a simple extension to the HTTP protocol. As shown in Figure C-1, P3P user agents use standard HTTP requests to fetch a P3P policy reference file from a "well-known location" on the web site to which a user is making a request.[A] The policy reference file indicates the location of the P3P policy file that applies to each part of the web site. There might be one policy for the entire site, or several different policies, each of which covers a different part of the site. The user agent can then fetch the appropriate policy, parse it, and take action according to the user's preferences.
[A] For information about where the "well-known location" resides, see Section C.2.3.
Figure C-1. The basic protocol for fetching a P3P policy.
P3P also allows sites to place policy reference files in locations other than the well-known location. In these cases, the site must declare the location of the policy reference file using a special HTTP header or by embedding a <LINK> tag in the HTML files to which the P3P policies apply.
Here's a plain English example of the kind of disclosure a web site might make in a P3P policy:
Steve's Store strives to protect your privacy. When you come to our site to browse our catalog, we will not ask you to tell us who you are, and we will use data about your visit only to help us improve and secure our site. When you browse our site, we collect basic information about your computer and connection. We purge this information on a weekly basis. We also collect aggregate information on what pages consumers visit on our site.
Steve's Store is a licensee of the PrivacySealExample Program. The PrivacySealExample Program ensures your privacy by holding web site licensees to high privacy standards and confirming with independent auditors that these information practices are being followed.
Questions regarding this statement should be directed to: Steve's Store, 123 Steve Street, Bethesda, MD 20814 USA, Email: steve@stevesstore.com, Telephone (301) 392-6753. If you are not satisfied with our response to your inquiry, you may contact PrivacySealExample at http://www.privacyseal.example.org. Steve's Store will correct all errors or wrongful actions arising in connection with the privacy policy.
And here's what this policy would look like using the P3P syntax and encoding:
<POLICIES xmlns="http://www.w3.org/2000/12/P3Pv1">
  <!-- discuri points to the human-readable privacy policy -->
  <POLICY discuri="http://www.stevesstore.com/privacy.html" name="policy1">
    <!-- Who is making the disclosure -->
    <ENTITY>
      <DATA-GROUP>
        <DATA ref="#business.name">Steve's Store</DATA>
        <DATA ref="#business.contact-info.postal.street">123 Steve Street</DATA>
        <DATA ref="#business.contact-info.postal.city">Bethesda</DATA>
        <DATA ref="#business.contact-info.postal.stateprov">MD</DATA>
        <DATA ref="#business.contact-info.postal.postalcode">20814</DATA>
        <DATA ref="#business.contact-info.postal.country">USA</DATA>
        <DATA ref="#business.contact-info.online.email">steve@stevesstore.com</DATA>
        <DATA ref="#business.contact-info.telecom.telephone.intcode">1</DATA>
        <DATA ref="#business.contact-info.telecom.telephone.loccode">301</DATA>
        <DATA ref="#business.contact-info.telecom.telephone.number">3926753</DATA>
      </DATA-GROUP>
    </ENTITY>
    <ACCESS><nonident/></ACCESS>
    <!-- Where to take an unresolved complaint, and the remedy offered -->
    <DISPUTES-GROUP>
      <DISPUTES resolution-type="independent"
                service="http://www.PrivacySeal.example.org"
                short-description="PrivacySeal.example.org">
        <IMG src="http://www.PrivacySeal.example.org/Logo.gif"
             alt="PrivacySealExample logo"/>
        <REMEDIES><correct/></REMEDIES>
      </DISPUTES>
    </DISPUTES-GROUP>
    <!-- What is collected, why, who receives it, and how long it is kept -->
    <STATEMENT>
      <PURPOSE><admin/><develop/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#dynamic.clickstream"/>
        <DATA ref="#dynamic.http"/>
      </DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>
If you are familiar with XML (Extensible Markup Language), this encoding may look familiar to you. It is important to note that P3P policies are not designed to be read by end users. User agents will interpret these policies on a user's behalf. In addition, every policy should contain the URL of the web site's human-readable privacy policy.
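The following sketch shows the "parse it, and take action according to the user's preferences" step a user agent performs on such a policy. It is an added example, not code from the book or the P3P specification; the `PREFS` table, the `evaluate` function and the accept/reject rule are assumptions made for illustration, and the embedded policy is an abbreviated copy of the Steve's Store policy.

```python
import xml.etree.ElementTree as ET

NS = {"p3p": "http://www.w3.org/2000/12/P3Pv1"}

# Abbreviated copy of the Steve's Store policy (ENTITY and DISPUTES-GROUP omitted).
POLICY_XML = """<POLICIES xmlns="http://www.w3.org/2000/12/P3Pv1">
 <POLICY discuri="http://www.stevesstore.com/privacy.html" name="policy1">
  <ACCESS><nonident/></ACCESS>
  <STATEMENT>
   <PURPOSE><admin/><develop/></PURPOSE>
   <RECIPIENT><ours/></RECIPIENT>
   <RETENTION><stated-purpose/></RETENTION>
   <DATA-GROUP>
    <DATA ref="#dynamic.clickstream"/>
    <DATA ref="#dynamic.http"/>
   </DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>"""

# Hypothetical user preferences: the vocabulary values this user accepts.
PREFS = {"PURPOSE": {"admin", "develop", "current"},
         "RECIPIENT": {"ours"},
         "RETENTION": {"stated-purpose", "no-retention"}}

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def evaluate(policy_xml, prefs):
    """Return (accepted, reasons) for the first POLICY in policy_xml."""
    policy = ET.fromstring(policy_xml).find("p3p:POLICY", NS)
    if policy is None:
        return False, ["no POLICY element"]
    reasons = []
    if not policy.get("discuri"):
        reasons.append("missing discuri (human-readable policy URL)")
    for stmt in policy.findall("p3p:STATEMENT", NS):
        data = [d.get("ref") for d in stmt.findall("p3p:DATA-GROUP/p3p:DATA", NS)]
        for field, allowed in prefs.items():
            elem = stmt.find(f"p3p:{field}", NS)
            declared = {local(c.tag) for c in elem} if elem is not None else set()
            if not declared:
                reasons.append(f"{field} not declared for {data}")
            # Any declared value outside the user's accepted set is a mismatch.
            for value in sorted(declared - allowed):
                reasons.append(f"{field} '{value}' not accepted for {data}")
    return not reasons, reasons
```

A policy is supplied by the remote site, so a real user agent should treat it as untrusted input and parse it with entity expansion and external entities disabled.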