List: www-p3p-dev
Subject: Re: help me!!!
From: Rigo Wenning <rigo () w3 ! org>
Date: 2006-04-15 13:06:07
Message-ID: 200604151506.14467 () rigo
Dear Nguyen,
On Friday 14 April 2006 14:41, Nguyen Viet Ha wrote:
> I have been trying to understand what is involved with P3P and I was
> dubious about whether a single line of code in a header would solve any
> problem, and even worse, if its insertion would open a whole can of
> compliance worms.
P3P is a protocol and a data format to tell a user's computer what personal
data is collected about him and how this information is processed and
transferred to third parties, where the user can complain about things, etc.
Read the introduction of the specification to get a feeling. Often, for
cookies and other protocol information or forms, users don't really know
what's happening to the information they are giving away. P3P is giving them
the necessary information. User agents are displaying the information to the
user in many ways. E.g. Privacy Bird is an icon that turns red once the
privacy policy does not correspond to the user's preset preferences.
>
> From what I've read regarding P3P there are 3 levels of policy:
>
> 1. Compact policy - that can be inserted into a header for example
> - I think this is what eGS have suggested.
Note that the compact policy is only an abbreviated form of the full XML
policy. There MUST NOT BE a mismatch. But compact policies are less
expressive, so normally the compact policy overstates a bit.
> 2. XML policy for machine reading (which can be referenced on each
> page, modified for each page, or modified for sections)
This is the normative one for P3P. It MUST also be present if you implement
compact policies to be conformant to P3P.
> 3. Text policy for human readability
Yes, this is the normal privacy policy that explains the use of personal data,
retention etc. in your system and company/organization. The P3P specification
is a good checklist of questions that should be answered in the human
readable policy. But there is also software that translates P3P back to
human readable policies. There should be no mismatch between the human
readable policy and the XML Policy.
>
> I understand that P3P is good practice and not a technical nor legal
> requirement, but,
This is not really a true statement. One should NOT lie in those policies as
this might have legal consequences, especially when confronted with
consumers.
>
> What needs clarification is
>
> - I understand that even though our system is JSP we can still
> include the required HTTP declaration in a header. - is that right?
In fact, in the HTTP-header, you convey not only the compact tokens, but also
the information on where to find the policy reference file. A user agent will
analyze the header, recognize and use the tokens, look for the policy
reference file. The policy reference file contains a link to the policy and
the user will fetch that policy and analyze it. Normal caching is 24 hours,
but you can tune it to be longer. The W3C site has caching for one week.
>
> - Is there a genuine technical requirement to have a P3P
> policy, compact or otherwise, ie: will it be a significant benefit to
> our system?
No, there is no technical requirement. The benefit is greater trust from the
users that know what their data is used for. Some browsers also handle
cookies depending on the presence of a P3P Policy (compact and full). If a
third-party cookie has no P3P policy, it will be blocked in those browsers.
>
> - Can a compact policy statement code in a header stand alone
> as the privacy policy in an application, or it will need the other XML
> and text policies to reference to?
No, this is not conformant. A performance improvement can be done if the P3P
Policy is in the same file as the Policy reference file. This is possible for
simple policies.
>
> - If a line of code can stand alone in the headers - what
> should that code be? (verify the code Gareth Boden has suggested)
The description of the code is dependent on your usage of personal
information. There MUST be a link to a policy reference file and optionally,
there can be the compact tokens. (For cookies you should also have the
tokens). There are Privacy Policy editors that help you to write your policy
and the compact tokens. See: http://www.w3.org/P3P/implementations
>
> - Will the line of code impact in others ways - new
> accessibility issues for eg: other browser problems / user agents. How
> much back testing will be involved?
A user agent that does not know anything about P3P will just ignore all that
data. User agents/browsers that are P3P enabled will behave dependent on the
privacy policy that they find. If the policy announces lots of data
collection and unlimited transfer to third parties, the browser might block
the site. If the policy is privacy friendly, the browser might open up more
than it would without P3P policy.
Best,
--
Rigo Wenning W3C/ERCIM
Staff Counsel Privacy Activity Lead
mail:rigo@w3.org 2004, Routes des Lucioles
http://www.w3.org/ F-06902 Sophia Antipolis
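As an added, constructed example (not code from this thread or from W3C), the following Python checker splits a P3P header into its policyref and compact-policy tokens, collects the purposes, recipients and retention declared in the full XML policy, and reports any mismatch between the two, which the reply above says must not exist. The policy reference URL, policy name and data reference are made up, and the token-to-element table covers only purposes, recipients and retention.

```python
import re
import xml.etree.ElementTree as ET

# Compact-policy tokens mapped to element names in the full P3P XML policy
# (purposes, recipients, retention; a/i/o purpose suffixes are stripped first).
TOKEN_TO_ELEMENT = {
    "CUR": "current", "ADM": "admin", "DEV": "develop", "TAI": "tailoring",
    "PSA": "pseudo-analysis", "PSD": "pseudo-decision", "CON": "contact",
    "IVA": "individual-analysis", "IVD": "individual-decision", "HIS": "historical",
    "TEL": "telemarketing", "OTP": "other-purpose",
    "OUR": "ours", "DEL": "delivery", "SAM": "same", "UNR": "unrelated",
    "PUB": "public", "OTR": "other-recipient",
    "NOR": "no-retention", "STP": "stated-purpose", "LEG": "legal-requirement",
    "BUS": "business-practices", "IND": "indefinitely",
}
ELEMENT_TO_TOKEN = {v: k for k, v in TOKEN_TO_ELEMENT.items()}

def parse_p3p_header(value):
    """Split a P3P header value into (policyref URL, list of CP tokens)."""
    ref = re.search(r'policyref="([^"]*)"', value)
    cp = re.search(r'CP="([^"]*)"', value)
    return (ref.group(1) if ref else None), (cp.group(1).split() if cp else [])

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the P3P XML namespace prefix

def full_policy_elements(xml_text):
    """Collect purpose/recipient/retention children from every STATEMENT."""
    found = set()
    for node in ET.fromstring(xml_text).iter():
        if _local(node.tag) in ("PURPOSE", "RECIPIENT", "RETENTION"):
            found.update(_local(c.tag) for c in node if _local(c.tag) in ELEMENT_TO_TOKEN)
    return found

def check_mismatch(header_value, xml_text):
    """Return (compact-only, full-only) element names; both empty = consistent."""
    _, tokens = parse_p3p_header(header_value)
    compact = {TOKEN_TO_ELEMENT[t[:3]] for t in tokens if t[:3] in TOKEN_TO_ELEMENT}
    full = full_policy_elements(xml_text)
    return sorted(compact - full), sorted(full - compact)

# Constructed sample: the header claims indefinite retention (IND) while the
# full policy declares stated-purpose retention, so the checker flags both.
SAMPLE_HEADER = 'policyref="/w3c/p3p.xml", CP="CUR ADMa OUR IND"'
SAMPLE_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1"><POLICY name="x">
 <STATEMENT><PURPOSE><current/><admin required="always"/></PURPOSE>
  <RECIPIENT><ours/></RECIPIENT><RETENTION><stated-purpose/></RETENTION>
  <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP></STATEMENT>
</POLICY></POLICIES>"""
```

Run `check_mismatch(SAMPLE_HEADER, SAMPLE_POLICY)` to see the two sides of the disagreement; an empty pair of lists means the compact tokens and the full policy agree on these axes.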