Free tools ease P3P deployment

I've advocated supporting P3P (the Platform for Privacy Preferences) for a long time. In the short run, implementing P3P Compact Policies keeps your customers from tossing their cookies. Using Compact Policies can keep Internet Explorer 6 from trashing or "downgrading" your site's cookies. In the long run, full support for P3P ensures that your site is compatible with W3C recommendations and the latest privacy software.

Unfortunately, implementing P3P can be challenging. P3P touches many interests in the web site team: server administrators, content developers, marketers, legal and business leaders. Reaching an understanding and agreement on policies with this large group can be difficult.

While the business process of making privacy decisions can be tough, the technical process of implementing isn't. Here are some resources that are useful when it comes to implementing P3P at your site.

P3P toolbox

http://www.p3ptoolbox.org

P3PToolbox is a site that provides information about implementing P3P. It's a valuable resource for news and information about tools for generating, validating and deploying P3P policies. A P3P implementation guide is available that discusses privacy issues, how P3P works, building teams for P3P implementation and a technical discussion about deployment.

You can use any text or XML editor to craft policy files, but IBM provides a free P3P tool, the IBM P3P Policy Editor, that makes it easy. It's a visual tool for creating a site's privacy policy in formats to support P3P. It's Java-based, so it works on a variety of platforms.

The P3P Policy Editor is easy to install and use. It allows you to create policies from scratch, or by using a template. There are six templates:

* Empty policy - this is for building a policy from scratch
* Safe-zone - for sites that have restrictive data collection policies
* Access logging - for sites that just collect access log data
* Access logging and user tracking - for sites that do anonymous user tracking with cookies
* On-line purchasing - for sites that capture user data for on-line commerce
* Request for info - for sites that collect user data for response purposes

Once you create a policy, you can edit the template elements. They are represented in a tree structure of elements that may be collected by your site. For example, under "User information", you can drill down to "User's Name", which contains elements such as the "Name Prefix" and "First Name". The templates give you a good starting point to work from. A predefined list of elements is provided, and elements can be dragged and dropped into your policy.

The Editor allows you to set global properties for your site. These include organization information, the web URL of your standard privacy policy, assurances covering the privacy policy, and its expiration date. This is sitewide information. The privacy policies themselves can be sitewide, or you can have multiple policies that cover various areas of your site.

As you edit the elements, the Editor creates the files needed to deploy your policy. It creates an HTML version, an XML version and a compact policy. The HTML version can be copied to any HTML editor to customize it for your site. The XML can be exported and posted to your site so that user agents can access it. The compact policy can be exported as text, so that it can be used to create custom headers for the cookies used at your site.

Finally, the Editor can be used to create a policy reference file. The policy reference file indicates what policies are in effect for the various areas of your site. For each P3P policy file, you enter URL patterns, such as a directory, that the policy file covers. Excluded URLs can be added to the policy. Cookies can also be added or excluded.

The policy reference file is stored in a standard location on your server: /w3c/p3p.xml. User agents know where to look for this file. When they come to your site, the user agent can find the policy reference, which explains which policy applies to each area of your site.


Once you've created your policies, they need to be deployed to your web servers. The W3C P3P Validator can be used to test your implementation. It's easy to use - you just enter the URL of your website, and it will look in the standard place for your policy reference file. It then reads and checks the validity of your policy. It checks the XML syntax of your files and reports on the compact policies in your headers.
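A header check of the kind described above can also be scripted for your own crawl data. The following is an added example, not part of the original article or of the W3C Validator: it audits recorded responses and flags any that set a cookie without a usable compact policy. The sample responses are constructed, and the token test only checks the shape of each token (three capital letters with an optional a, i or o suffix), not whether it is in the P3P vocabulary.

```python
import re

# Constructed sample: (path, response headers) as a site crawl might record them.
SAMPLE_RESPONSES = [
    ("/", {"Set-Cookie": "sid=abc123; Path=/",
           "P3P": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa OUR"'}),
    ("/track", {"Set-Cookie": "uid=42; Path=/"}),
    ("/shop", {"Set-Cookie": "cart=7", "P3P": 'policyref="/w3c/p3p.xml"'}),
    ("/about", {"Content-Type": "text/html"}),
    ("/ads", {"Set-Cookie": "a=1", "P3P": 'CP="This is not a P3P policy"'}),
]

_FIELD = re.compile(r'(\w+)\s*=\s*"([^"]*)"')   # name="value" pairs in the header
_TOKEN = re.compile(r"[A-Z]{3}[aio]?")          # shape of one compact policy token


def parse_p3p_header(value):
    """Split a P3P header value into its policyref= and CP= fields."""
    return {name.lower(): text for name, text in _FIELD.findall(value)}


def check_response(headers):
    """Return 'ok' or the reason a cookie-setting response lacks a usable compact policy."""
    h = {name.lower(): value for name, value in headers.items()}
    if "set-cookie" not in h:
        return "no cookie set"
    if "p3p" not in h:
        return "missing P3P header"
    fields = parse_p3p_header(h["p3p"])
    if not fields.get("cp", "").strip():
        return "P3P header has no compact policy"
    bad = [t for t in fields["cp"].split() if not _TOKEN.fullmatch(t)]
    if bad:
        return "malformed tokens: " + " ".join(bad)
    return "ok"


def audit(responses):
    """Map each path to the verdict for its response headers."""
    return {path: check_response(headers) for path, headers in responses}


if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{path:8} {verdict}")
```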

This will tell you if there are any technical problems with the deployment of your files. However, it does not provide an easy way to verify that the correct policies are in effect for the various areas of your site.
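One way to close that gap is to resolve the policy reference file yourself and list which policy covers each area of the site. This is an added example, not code from the article or from any of the tools it describes: the reference file and paths are constructed, and it handles only INCLUDE and EXCLUDE patterns, taking the first applicable POLICY-REF in document order (cookie patterns, METHOD and EXPIRY are ignored).

```python
import re
import xml.etree.ElementTree as ET

P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed sample of what a site might serve at /w3c/p3p.xml.
SAMPLE_REFERENCE = """\
<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="/w3c/policies.xml#shop">
      <INCLUDE>/shop/*</INCLUDE>
      <EXCLUDE>/shop/catalog/*</EXCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/w3c/policies.xml#logging">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/private/*</EXCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>
"""


def _matches(pattern, path):
    """Patterns are literal except '*', which matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.strip().split("*"))
    return re.fullmatch(regex, path) is not None


def load_policy_refs(xml_text):
    """Return [(about, includes, excludes)] in document order."""
    refs = []
    for ref in ET.fromstring(xml_text).iter(P3P_NS + "POLICY-REF"):
        includes = [e.text or "" for e in ref.findall(P3P_NS + "INCLUDE")]
        excludes = [e.text or "" for e in ref.findall(P3P_NS + "EXCLUDE")]
        refs.append((ref.get("about"), includes, excludes))
    return refs


def policy_for(refs, path):
    """First POLICY-REF that includes the path and does not exclude it, else None."""
    for about, includes, excludes in refs:
        included = any(_matches(p, path) for p in includes)
        excluded = any(_matches(p, path) for p in excludes)
        if included and not excluded:
            return about
    return None


def coverage_report(xml_text, paths):
    """Map each path to the policy that covers it (None means no policy applies)."""
    refs = load_policy_refs(xml_text)
    return {path: policy_for(refs, path) for path in paths}
```

Run `coverage_report` over a list of representative paths from each area of your site; any path that maps to `None`, or to a policy other than the one the team agreed on, points to a pattern that needs fixing in the reference file.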

Privacy Bird is a tool that can be used to understand how P3P files are being interpreted. It is a user agent that integrates with Internet Explorer. It gives you immediate feedback on how the privacy practices of the web sites you visit compare to preferences that you've set.

Privacy Bird shows up in the upper right corner of IE, and its icon changes color according to the practices of the sites that you visit. Green indicates that the site's practices match your preferences; yellow means that it's unable to find a policy at that site; and red indicates that the site's policy conflicts with your preferences.

Privacy Bird defaults to "Medium" privacy level, meaning that it will warn you at sites that do things like use your personal identifying information to share with other companies, or that do not allow you to identify what information that they have collected about you.

In addition, it can generate a P3P Practices Summary. This is a software-generated report that takes a site's privacy policy and presents it in a readable format. This allows you to check the contents of the policy in effect, and also the site's contact information and links to the site's full policy and dispute information. Because of this, Privacy Bird can be used as a tool to help verify the contents of your P3P policies. It displays the relevant policy in text form, so even non-technical users can proof the contents of the policy.

These tools are professional, easy to use and they provide you with what you need to generate and test your P3P policy. Best of all, they are free. If you're deploying P3P, make sure that you check these tools out.
