P3P: All the semantics, without the pedantics

Microsoft's Internet Explorer 6 added a lot of features for users, but it also introduced some potential headaches for web builders. One of the biggest challenges is the way that IE 6 handles cookies. IE 6 supports P3P, the Platform for Privacy Preferences. This is a W3C recommendation that is designed to allow web user agents, such as web browsers, to automatically interpret and act upon the privacy policies of web sites.

This has posed both tactical and strategic questions to e-businesses. First, companies have had to understand how IE's implementation affects the handling of cookies. Some companies have found that their cookies were being blocked or that functionality at their sites was diminished because of IE 6's cookie handling.

It is also forcing companies to examine the larger issue of web privacy. P3P exposes your privacy practices in a standardized, machine-readable format. This increases the visibility and actionability of privacy policies, encouraging companies to audit their privacy practices and even update their policies.

Deployment

The first question most people have about P3P is whether or not they need to worry about it. Any company that uses cookies must review P3P and its implementation in IE6. Failure to review IE 6's cookie handling can break parts of your site, and can also limit your ability to report on user activity.

The P3P specification was released in April. It is being adopted quickly, considering the complexity of implementing it. So far about 20% of the top 500 web sites are using it. This is a fairly rapid takeup of a new web technology, especially when you consider how slowly standards like XHTML and CSS are being adopted.

High on P3P

The W3C is pushing the P3P standard, for several reasons. According to Tim Berners-Lee, "P3P serves as the keystone to resolving larger issues of both privacy and security on the Web." P3P forces companies to express their privacy practices in a common language, instead of in complex legalese. This not only makes privacy policies easier to understand, but makes it possible for machines to interpret them.

The semantics without the pedantics

Another reason that Berners-Lee is excited about P3P is that it represents a widely deployed example of his concept of the Semantic Web. The Semantic Web is the idea that information can be represented on the Web in standardized formats that user agents can understand. This makes it possible to create software that cannot just display information from a variety of sites, but interpret what the information means. This idea is one of the main concepts underlying web services.

Unfortunately, both the Semantic Web and web services have been bogged down with pedantics. They often seem to be tailored to academic and technical questions, rather than with solving business problems. P3P, on the other hand, serves as an example of the Semantic Web that has successfully been put into practice, and supported by many companies.

Potential hazards

Implementing P3P, technically, is straightforward. At the minimum, you must create two new files on your web servers, a p3p.xml file and a policy file. The p3p file is the reference file; it contains references to areas of your site and associates each area with a policy file. The policy file is a XML implementation of your privacy statement. Sites that use cookies will also need to add custom headers for their cookies that include the compact version of their P3P files.

None of these tasks are particularly difficult. The stumbling blocks for implementing P3P are the business and legal issues that are involved. Standard privacy policies are difficult enough to craft. They can involve input from leaders from a variety of business units, marketing areas, E-business teams and legal consultants.

P3P adds another layer of complexity, because it expresses your privacy practices in a way that can affect the way your web site works. It's one thing to have a privacy policy that never gets read; even if it's full of legal jargon or if it's overly restrictive, it won't affect the way most people use your site. It's quite another thing when your privacy policy has the potential to break the way areas of your site works for some customers.

Here are some of the questions that must be answered in order to craft a P3P policy:

* What information is collected on the site?

* How can this information be categorized?

* How is this information used and by whom?

* How is it kept secure? Who has access to it?

* What backs up the stated privacy practices?

You may even have to consider whether it makes sense to have multiple privacy policies for various areas of your site. While companies often have one written privacy policy that covers the whole site, many companies will find that they need to have several P3P policies for their site. For example, it may make sense to have a policy for areas of the site where the only information collected is web log data, another policy for areas where private information is collected that is kept internal, and another for situations where information may be shared with business partners.

One additional stumbling block is that companies may have trouble shoe-horning their existing privacy policies into P3P form. P3P provides many options for describing the types of information collected on web sites and how this information is used. These options don't cover every situation, though. You may find that the nuances of your privacy policy are difficult to translate into P3P.

The irony of P3P

One of the ironies of P3P is that P3P does not protect your privacy. It doesn't limit how sites use your personal information. P3P just defines a way for companies to express their practices in a form that software can understand. This leaves it up to the user, and the user agent, such as a web browser, to control how private information is used.

An example of this can be found at Microsoft's site. If you browse Microsoft's site with IE 6, using the default privacy settings, the browser will not give you any warning about Microsoft's privacy practices, and nothing will be done to limit how your personal information is used. In fact, Microsoft uses a privacy policy on its home page that states that Microsoft may share your personal information with other companies, including financial information and personal identifying information.

It also states ways this information will be used:

* To contact you by e-mail and postal mail unless you opt-out* To contact you by phone, unless you opt-out* To deliver customized adsWhile IE6's support for P3P doesn't offer much in the way of privacy protection, it is important as a first step. Other software, including Netscape 7, now offers P3P support. As more companies support P3P, the variety and capabilities of these user agents is sure to expand.

Join the newsletter!

Error: Please check your email address.

More about MicrosoftW3C

Show Comments

Market Place