Web Privacy with P3P

By Lorrie Faith Cranor

Frequently Asked Questions About P3P Enabling a Web Site

This is a compilation of answers to questions posted on the www-p3p-policy mailing list as well questions about P3P sent directly to me. This file will be updated as additional questions get posted.

You can join the www-p3p-policy@w3.org mailing list and ask your questions there. To subscribe, email www-p3p-policy-request@w3.org with "subscribe" in the Subject. This mailing list is publicly archived at http://lists.w3.org/Archives/Public/www-p3p-policy/. I subscribe to this mailing list and often answer questions posted there. I prefers to answer P3P questions on the mailing list than via direct email, as answering questions on the mailing list allows many people to benefit from the answers (and reduces the number of times I have to answer the same questions).


Q: Where can I get information about how to P3P-enable a web site?

A: For online information on what P3P is, how it works, and the basics of how to create P3P files, see the P3P Implementation Guide (http://p3ptoolbox.org/guide/). For more technical details online, see the P3P Deployment Guide (http://www.w3.org/TR/p3pdeployment) or the P3P 1.0 Specification (http://www.w3.org/TR/P3P/). For a complete guide to implementing P3P see my book (to be published September 2002), Web Privacy with P3P and the accompanying website http://p3pbook.com/.

Q: What software can I use to generate P3P policies, compact policies, or policy reference files?

A: You can find a list of P3P policy generators and related tools on the W3C web site at http://www.w3.org/P3P/implementations. There is a similar list at http://p3ptoolbox.org/tools/resources1.shtml. Personally, I recommend the IBM P3P Policy Editor, available as a free download from http://alphaworks.ibm.com/tech/p3peditor.

Q: What is the easiest way to P3P-enable a web site?

A: P3P enabling a web site is usually a fairly easy process from a technical standpoint. However,it may require web site operators to take a more detailed look at their data practices than they may have done previously,and to coordinate policies and practices across the hosts in their domain. Here is an overview of the steps required to P3P enable a web site.

  1. Create a privacy policy.
  2. Analyze the use of cookies and third-party content on your site.
  3. Determine whether you want to have one P3P policy for your entire site or different P3P policies for different parts of your site -- a single policy for the entire site is easiest.
  4. Create a P3P policy (or policies)for your site.
  5. Create a policy reference file for your site.
  6. Configure your server for P3P -- for most sites this simply means placing the P3P policy and policy reference files on the server and giving them the appropriate file names; you may also need to configure your servers to send compact policy headers when cookies are set.
  7. Test your site to make sure it is properly P3P enabled.

The easiest way to P3P enable a site is to create one P3P policy for the entire site and place it on one of your servers. Then place a policy reference file on each host in your domain that references the P3P policy and applies it to all of the content on those servers. Thus you would apply the same policy to all of your content and cookies across every host in your domain. You can create your P3P files using a P3P editor (see previous question). This is what most web sites seem to be doing. The downside of having a single P3P policy for your entire site is that users who are only interested in parts of a site that don't collect much information see privacy information that suggests a lot more information might be collected (and cookie blocking decisions, etc. might get made accordingly).

Q: What do I need to do to prevent IE6 from blocking cookies?

A: The privacy features in IE6 can be used to selectively block cookies based on their P3P compact policies. For detailed information about these features see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpriv/html/ie6privacyfeature.asp (reproduced as Appendix C in Web Privacy with P3P). In the default IE6 settings, third-party cookies are blocked when they do not have compact policies or when they have "unsatisfactory" compact policies. To prevent IE6 from blocking cookies on your site you need to make sure that all of the cookies that are being set in a third-party context have compact policies associated with them, and that those compact policies are considered satisfactory (see the Microsoft document for the details of what this means). Any host that sets a P3P compact policy must also have a corresponding full P3P policy. Users can change their IE6 settings so that cookies will be blocked under other conditions as well, however, placing satisfactory compact policies on third-party cookies will prevent most IE6 cookie blocking.

Q: How can I setup my site so that I can have an English P3P policy apply to pages that are in English, a French P3P policy apply to pages that are in French, etc.?

A: The simplest thing to do is to arrange your site so that all the content of a particular language is in the same directory. For example, all English content might be in the /en/ directory and all French content might be in the /fr/ directory. Then you can create a P3P policy reference file that applies one policy to the /en/ directory and another policy to the /fr/ directory. Alternatively, if your policies for English and French content are identical except for the language of human-readable explanations, you can configure your web server to read the request header indicating a user's language preference and serve the appropriate P3P policy.

Q: How can I apply different P3P policies to different dynamically generated pages?

A: Some web sites include a lot of dynamically generated content that has URLs that look something like: http://www.example.com/some-cgi/bigdll.dll?color&foo. These sites can use INCLUDE and EXCLUDE tags in their policy reference files to indicate what parts of the site a policy applies to. As long as you can enumerate all of your different URLs (or use the * wildcard appropriately) you can assign as many different policies as you like. A P3P user agent should take an entire URL into consideration (including the part after the ?) when figuring out which policy applies to a particular page.

Q: What is the difference between the "nonident" ACCESS element and the "NON-IDENTIFIABLE" element?

A: The nonident (web site does not collect identified data) ACCESS element and NON-IDENTIFIABLE (web site does not collect identifiable data) element are very different beasts. Nonident is for use by sites who don't provide access because they don't have any data that they can use to readily identify an individual. Such sites may or may not qualify to also use NON-IDENTIFIABLE, which requires that neither the site nor a third party be able to identify the individual. A site with no forms, but logs IP address can probably use nonident but would not be able to use NON-IDENTIFIABLE without cleansing its logs. Also, when NON-IDENTIFIABLE is use there must be an explanation in the human-readable policy.

Q: If we have a form on our site that people can use to sign up to receive a newsletter, what would be the appropriate P3P purpose element?

A: Assuming that newsletter may sometimes (or always) contain marketing or promotional information, the purpose should be both "current" and "contact required="opt-in". You will also need to specify an "opt-uri" and place a web page at that URI that provides instructions for mailing list removal.

Q: I tried to P3P-enable my web site but something doesn't seem to be working. How can I figure out what the problem is?

A: Try using the W3C P3P Validator (http://www.w3.org/P3P/validator) to check your site's P3P configuration. This should give you some indication as to where the problem is. Generally the problem is one or more of the following: syntax error in P3P policy or policy reference file, policy or policy reference file in the wrong location, policy reference file that does not properly apply a policy to all the URLs it is supposed to, or compact policy not getting served with every cookie to which it is supposed to apply.

Web Privacy with P3P
by Lorrie Faith Cranor
with Foreword by Lawrence Lessig
September 2002
O'Reilly & Associates
ISBN 0-59600-371-4
344 pages, $39.95

Privacy policy