- From: Rigo Wenning <rigo@w3.org>
- Date: Sat, 15 Apr 2006 15:06:07 +0200
- To: "Nguyen Viet Ha" <HaNV@fsoft.com.vn>
- Cc: www-p3p-dev@w3.org
- Message-Id: <200604151506.14467@rigo>
Dear Nguyen,

On Friday 14 April 2006 14:41, Nguyen Viet Ha wrote:
> I have been trying to understand what is involved with P3P and I was
> dubious about whether a single line of code in a header would solve any
> problem, and even worse, if its insertion would open a whole can of
> compliance worms.

P3P is a protocol and a data format to tell a user's computer what personal data is collected about him and how this information is processed and transferred to third parties, where the user can complain about things etc. Read the introduction of the specification to get a feeling. Often, for cookies and other protocol information or forms, users don't really know what's happening to the information they are giving away. P3P is giving them the necessary information. User agents are displaying the information to the user in many ways. E.g. Privacy Bird is an icon that turns red once the privacy policy does not correspond to the user's preset preferences.

> From what I've read regarding P3P there are 3 levels of policy:
>
> 1. Compact policy - that can be inserted into a header for example
> - I think this is what eGS have suggested.

Note that the compact policy is only an abbreviated form of the full XML policy. There MUST NOT BE a mismatch. But compact policies are less expressive, so normally the compact policy overstates a bit.

> 2. XML policy for machine reading (which can be referenced on each
> page, modified for each page, or modified for sections)

This is the normative one for P3P. It MUST also BE present if you implement compact policies to be conformant to P3P.

> 3. Text policy for human readability

Yes, this is the normal privacy policy that explains the use of personal data, retention etc. in your system and company/organization. The P3P specification is a good checklist of questions that should be answered in the human readable policy. But there also exists software that translates P3P back to human readable policies. There should be no mismatch between the human readable policy and the XML Policy.

> I understand that P3P is good practice and not a technical nor legal
> requirement, but,

This is not really a true statement. One should NOT lie in those policies as this might have legal consequences, especially when confronted with consumers.

> What needs clarification is
>
> - I understand that even though our system is JSP we can still
> include the required HTTP declaration in a header. - is that right?

In fact, in the HTTP header, you convey not only the compact tokens, but also the information on where to find the policy reference file. A user agent will analyze the header, recognize and use the tokens, and look for the policy reference file. The policy reference file contains a link to the policy and the user will fetch that policy and analyze it. Normal caching is 24 hours, but you can tune it to longer. The W3C site has caching for one week.

> - Is there a genuine technical requirement to have a P3P
> policy, compact or otherwise, ie: will it be a significant benefit to
> our system?

No, there is no technical requirement. The benefit is greater trust from the users that know what their data is used for. Some browsers also handle cookies depending on the presence of a P3P Policy (compact and full). If a third-party cookie has no P3P policy, it will be blocked in those browsers.

> - Can a compact policy statement code in a header stand alone
> as the privacy policy in an application, or it will need the other XML
> and text policies to reference to?

No, this is not conformant. A performance improvement can be done if the P3P Policy is in the same file as the Policy reference file. This is possible for simple policies.

> - If a line of code can stand alone in the headers - what
> should that code be? (verify the code Gareth Boden has suggested)

The description of the code is dependent on your usage of personal information. There MUST be a link to a policy reference file and optionally, there can be the compact tokens. (For cookies you should also have the tokens.) There are Privacy Policy editors that help you to write your policy and the compact tokens. See: http://www.w3.org/P3P/implementations

> - Will the line of code impact in other ways - new
> accessibility issues for eg: other browser problems / user agents. How
> much back testing will be involved?

A user agent that does not know anything about P3P will just ignore all that data. User agents/browsers that are P3P enabled will behave dependent on the privacy policy that they find. If the policy announces lots of data collection and unlimited transfer to third parties, the browser might block the site. If the policy is privacy friendly, the browser might open up more than it would without P3P policy.

Best,

--
Rigo Wenning                W3C/ERCIM
Staff Counsel               Privacy Activity Lead
mail:rigo@w3.org            2004, Routes des Lucioles
http://www.w3.org/          F-06902 Sophia Antipolis
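The reply above describes the two pieces a P3P-aware user agent looks at: the HTTP header, which must carry a link to the policy reference file and may carry compact tokens, and the policy reference file itself, which maps URL paths to the full XML policy and states how long it may be cached (24 hours by default). The following Python is an added example, not code from the mailing list or from W3C: a small audit helper a site operator could run against their own server's output to check that the header has a policyref, that the compact tokens are syntactically well-formed, and which policy the reference file assigns to a given path. The sample header and reference file are constructed; the token regex follows the three-capitals-plus-optional-a/i/o shape of P3P 1.0 compact tokens; and the `*` wildcard handling in INCLUDE/EXCLUDE patterns is a simplification I assume here rather than a full implementation of the specification's matching rules.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample header, in the shape the reply describes: a policyref
# link (mandatory) plus optional compact-policy tokens (CP).
SAMPLE_HEADER = 'policyref="/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa OUR IND COM NAV"'

# Constructed sample policy reference file: one policy covering the whole
# site except an admin area, cached for one week (max-age in seconds).
SAMPLE_PRF = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <EXPIRY max-age="604800"/>
    <POLICY-REF about="/P3P/Policy1.xml">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/admin/*</EXCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>"""

P3P_NS = {"p": "http://www.w3.org/2002/01/P3Pv1"}
DEFAULT_MAX_AGE = 86400  # the 24-hour default caching the reply mentions
# name="value" directives inside the header value
DIRECTIVE_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# P3P 1.0 compact tokens: three capitals plus an optional a/i/o qualifier
TOKEN_RE = re.compile(r"^[A-Z]{3}[aio]?$")


def parse_p3p_header(value):
    """Split a P3P header value into its policyref and compact tokens."""
    directives = dict(DIRECTIVE_RE.findall(value))
    return {
        "policyref": directives.get("policyref"),
        "compact": directives.get("CP", "").split(),
    }


def audit_header(value):
    """Return findings for a P3P header value; an empty list means it passes."""
    parsed = parse_p3p_header(value)
    findings = []
    if not parsed["policyref"]:
        findings.append("missing policyref: the header must link to a policy reference file")
    for token in parsed["compact"]:
        if not TOKEN_RE.match(token):
            findings.append(f"malformed compact token: {token}")
    return findings


def _path_matches(pattern, path):
    """Match an INCLUDE/EXCLUDE pattern against a path; '*' is a wildcard (simplified)."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, path) is not None


def expiry_seconds(prf_xml):
    """Cache lifetime of a policy reference file: EXPIRY max-age, else 24 hours."""
    root = ET.fromstring(prf_xml)
    expiry = root.find(".//p:EXPIRY", P3P_NS)
    if expiry is None or expiry.get("max-age") is None:
        return DEFAULT_MAX_AGE
    return int(expiry.get("max-age"))


def policies_for_path(prf_xml, path):
    """Return the policy URIs the reference file applies to a URL path."""
    root = ET.fromstring(prf_xml)
    applicable = []
    for ref in root.findall(".//p:POLICY-REF", P3P_NS):
        includes = [e.text.strip() for e in ref.findall("p:INCLUDE", P3P_NS)]
        excludes = [e.text.strip() for e in ref.findall("p:EXCLUDE", P3P_NS)]
        included = any(_path_matches(p, path) for p in includes)
        excluded = any(_path_matches(p, path) for p in excludes)
        if included and not excluded:
            applicable.append(ref.get("about"))
    return applicable


if __name__ == "__main__":
    print("header findings:", audit_header(SAMPLE_HEADER))
    print("cache seconds:", expiry_seconds(SAMPLE_PRF))
    print("policy for /cgi-bin/search:", policies_for_path(SAMPLE_PRF, "/cgi-bin/search"))
    print("policy for /admin/users:", policies_for_path(SAMPLE_PRF, "/admin/users"))
```

Run against a live server, the header value would come from the `P3P` response header and the reference file from the policyref URL; the point of the audit is the reply's two MUSTs, a policyref link that is present and compact tokens that do not drift from the full policy, and a path lookup that shows which policy a given page actually falls under.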
Received on Saturday, 15 April 2006 13:08:08 UTC