Wrestling with P3P

I wouldn’t be surprised if this site is the first blog with a P3P-compliant privacy policy. Why? Why not?

Well, actually, since this web stuff is sort of my profession, I thought I should play around with P3P as a learning exercise.

P3P is a privacy protocol being developed by W3. Since it’s under the auspices of W3, it is likely to be the standard. If it becomes a widely adopted standard, I’m going to need to know. And I already know a few major corporations are adopting it.

How it is supposed to work is that a site creates a privacy policy and publishes it in both human-readable and machine-readable formats. The machine-readable format is XML. Then when a P3P-compliant user agent, such as Internet Explorer 6, hits your site, it can read the XML file and see if your site policy meets the site visitor’s privacy preferences. For example, if you collect e-mail addresses, and the user doesn’t ever want to give out his e-mail address, IE6 will warn the user of the site policy.

Of course, I wonder how many users will want to see these nag warnings all the time? I can’t imagine too many users now have their browsers set to warn them when a site is setting a cookie.

On the other hand, that won’t be the only way users can take advantage of P3P.

To get started with P3P, I went to the W3 site for the issue. Read the top of the specification, skimmed the rest and surfed around the rest of the site. Yeah, so far I haven’t dug into all of the documentation.

I was more eager to actually try creating a P3P policy, so I downloaded one of the P3P editors — in this case, the one from IBM.

IBM’s editor does make creating a policy pretty easy. It allows you to identify and define the policy topics applicable to your site, and then it generates an HTML file and an XML file for publication. And who would want to manually create such an XML file? That part is cool.

Where I ran into trouble was with cookies. How I use cookies is so minimal and innocuous that I can’t imagine anybody would object. Cookies are used as part of one of my stats packages, and ColdFusion sets some cookies that have nothing to do with any site visitor except me. These cookies have nothing to do with any of the personal information collected by this site (when you leave a comment or send feedback), nor with one of the third party stat packages I use.

But the IBM package made no allowance for this complete disconnect from user data and the cookies. There was no way to write a policy that was both truthful and could avoid this warning:

Unsatisfactory policy: this compact policy is considered unsatisfactory according to the rules defined by Internet Explorer 6. The behavior of Internet Explorer 6 regarding cookies set under this compact policy is as follows:

In detail, the warning says:

A policy which is considered unsatisfactory by Internet Explorer 6 contains certain categories of data which are used or shared in a particular manner. This policy is placed in the unsatisfactory category, because the following categories of data are associated with this policy’s cookies:
  • Physical contact information is collected.
  • Online contact information is collected.
In addition, the data is used in the following manner, marking the policy as unsatisfactory:
  • The data is used for other purposes.
  • The data is given to other organizations with different privacy practices.
  • The data is made public.
Note that allowing an opt-out will make this policy acceptable under the Low and Medium settings, and under Medium High for first-party cookie usage. At the High setting, and at the Medium High setting for third-party cookies, all of these data uses must be opt-in for the policy to be considered satisfactory.
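
An added example, not part of the original post and not IE6's own logic: a simplified Python model of the rule the quoted warning describes, using the P3P 1.0 compact-policy tokens PHY and ONL (contact data) and OTP, OTR and PUB (the three flagged uses) with their `a`/`i`/`o` consent suffixes. The function names, level strings and sample headers are constructed for illustration, and treating opt-in as acceptable wherever opt-out is acceptable is an assumption.

```python
import re

# P3P 1.0 compact-policy tokens for the items named in the warning.
CONTACT_CATEGORIES = {"PHY", "ONL"}    # physical / online contact information
FLAGGED_USES = {"OTP", "OTR", "PUB"}   # other purposes / other recipients / public
TOKEN = re.compile(r"^([A-Z]{3})([aio]?)$")  # suffix: always, opt-in, opt-out

def parse_compact_policy(header_value):
    """Return {token: consent} from a P3P header value, or None if it has no CP."""
    match = re.search(r'CP\s*=\s*"([^"]*)"', header_value, re.IGNORECASE)
    if match is None:
        return None
    tokens = {}
    for raw in match.group(1).split():
        m = TOKEN.match(raw)
        if m:
            tokens[m.group(1)] = m.group(2) or "a"  # no suffix means "always"
    return tokens

def evaluate(header_value, level, third_party=False):
    """Classify a compact policy using only the rule quoted in the warning."""
    tokens = parse_compact_policy(header_value)
    if tokens is None:
        return "no-policy"
    consents = {tokens[t] for t in FLAGGED_USES if t in tokens}
    if not CONTACT_CATEGORIES.intersection(tokens) or not consents:
        return "satisfactory"
    # High, and Medium High for third-party cookies, require opt-in throughout.
    strict = level == "high" or (level == "medium-high" and third_party)
    allowed = {"i"} if strict else {"i", "o"}  # assumption: opt-in also passes
    return "satisfactory" if consents <= allowed else "unsatisfactory"

# Constructed sample header values (not taken from any real site).
ALWAYS = 'policyref="/w3c/p3p.xml", CP="CAO DSP COR CUR ADM OTP OTR PUB PHY ONL"'
OPT_OUT = 'policyref="/w3c/p3p.xml", CP="CAO DSP COR CUR ADM OTPo OTRo PUBo PHY ONL"'
OPT_IN = 'policyref="/w3c/p3p.xml", CP="CAO DSP COR CUR ADM OTPi OTRi PUBi PHY ONL"'

if __name__ == "__main__":
    for name, header in [("always", ALWAYS), ("opt-out", OPT_OUT), ("opt-in", OPT_IN)]:
        for level, third in [("medium", False), ("medium-high", True), ("high", False)]:
            print(name, level, "third-party" if third else "first-party",
                  evaluate(header, level, third))
```

The model covers only the categories and uses listed in the warning; a policy that carries none of the contact-data categories comes back satisfactory here regardless of purpose tokens.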

Again, the cookies have nothing to do with comments being left on the site, so I don’t really understand this warning, but I guess, at least until I understand things better, I’ve got to leave it on my privacy policy. I’ll probably try one of the other P3P editors at some point to see how it handles the same policy settings. Maybe this is just a quirk of IBM’s package.

One thing I wanted to figure out in this process was why some corporations are leaving their P3P policies in the hands of their attorneys. To my way of thinking, this is an administrative and technical issue, not a legal issue. The only thing the lawyers need to know is that you have a privacy policy, that it is technically in compliance with P3P and that you have a mechanism in place for enforcing it and resolving disputes. The details, the language, the actual policy are purely administrative issues that have more to do with business practices than with the law. So far, I haven’t found anything that contradicts my assumption on this point.

Here is my human-readable policy, and here is my XML policy.

UPDATE: I just remembered, on the comments I allow users to set cookies to remember who they are, so the form is automatically populated with their info when they comment on the next visit. Yuk, now I’ll have to review my policy and see if it changes anything. I think the P3P editor might have just gagged on this bit of info.
