Implementing a Privacy Policy Using P3P

Question: What is P3P?

Answer: It is a W3C standard on how to specify privacy policies for a web site. The standard has both a human readable part to it, as well as a machine readable part. The standard can be found here: http://www.w3.org/TR/2000/CR-P3P-20001215/, with errata at http://www.w3.org/P3P/updates.html, and other information about it at http://www.w3.org/P3P/.

Question: Why is it important that I know anything about it?

Answer: IE6 will be supporting a feature that reads the machine readable P3P policy of a web site. Depending on the settings in the options dialog, it may disable certain features of the browser, such as the capability of setting cookies, unless there is a P3P file in place, and the file matches the user's preferences. So unless you implement a P3P policy on your web site, some users may have a bad experience visiting your site.

Question: How can I easily create P3P policies?

Answer: The P3P file specification, and requirements for locating the files are given in the references above. However, I have personally found it difficult to read. There is a deployment guide at http://www.w3.org/TR/2001/NOTE-p3pdeployment-20010510 that is a somewhat easier guide. There is a free editor available for download from the IBM web site at http://www.alphaworks.ibm.com/tech/p3peditor. It works, although it is difficult to set up right the first time.

Question: How do I know I did it right?

Answer: There is a validator at http://www.w3.org/P3P/validator/20001215/, that will check out your web site and report any P3P problems.

You need to take the following steps to make your site p3p compliant:

1. You need to create three files:

   1. A HTML description of your policies, say called policy.html
   2. A p3p reference file, called p3p.xml
   3. p3p policy file, say called policy.xml

   These files must be created using the syntax given in the p3p specification. The p3p specification is overly complex in my opinion, taking into account the most horrendously complex privacy policy that you can imagine. I strongly suggest using an editor, such as the IBM p3p editor mentioned in my first post, on the subject to help you create them.

   The editor will help you construct the correct syntax and descriptions. Setting up the editor was tricky as you first had to install the java files from the Sun site. The interface is consistent but a little weird. It gets the job done, and is far easier than working through the p3p spec. I'll try to help with questions about it if anyone has them.

2. Create a directory called /w3c off the root of your domain and locate all three files in that directory.

3. Help user agents find the files. There are three ways that a web browser can use to find the the files.

   1. By looking for the /w3c directory
   2. By looking at the HTTP header
   3. By looking at a link tag within the file

   It is suggested that you help the web browser with all three techniques. The directory is already done. To do the HTTP header, you need to add a line that makes it look like this:

   P3P: policyref="/w3c/p3p.xml"

   Now exactly how you do that depends on your web server. In Active Server Pages, you can either configure IIS to do it in the IIS management dialogs, or you can add the following line to the top of your ASP document:

   >Call Response.AddHeader("P3P", "policyref=""/w3c/p3p.xml""")

   The link tag should look like this:

   <link rel="P3Pv1" href="/w3c/p3p.xml"></link>

   and should be added to every document on your web site.

4. This shows the XML files that make up the privacy policy:

   • The p3p.xml file
   • The policy.xml file