Frequently Asked Questions
This section contains answers to frequently asked questions about P3P. If you have additional questions on P3P or want more information, please visit the W3C Web site. If you do not see an answer to your P3P question here, please email firstname.lastname@example.org.
Basic Question: What is P3P
- Q: What is P3P?
Basic Questions: Use of P3P
- Q: How do consumers use P3P?
- A: P3P-enabled tools are available today through web browsers and
programs that plug into browsers. Though the tools adopt a variety of designs, they generally allow users to set their privacy preferences and then take some action based on the P3P policy found at a given site. The action
take by the user's P3P tool might include displaying information about the site policy, presenting a warning sign if the site's policy conflicts with the users preferences, or blocking the placement of cookies that collect personal information against the users wishes.
Basic Questions: Development of P3P
- Q: Who created P3P? How was P3P created?
P3P is created through the consensus-based W3C Process. Participants
in the development of P3P represent leadership in industry,
government, and research. Chaired by Dr. Lorrie Cranor of AT&T
Labs-Research, they include 180solutions.com; Akamai Technologies;
American Express; America Online, Inc.; AT&T; AvenueA; University of
California, Irvine; Center for Democracy and Technology, USA; Charles
Schwab Consultants; Citigroup; Doubleclick Inc.; Electronic Network
Consortium (ENC), Japan; Engage; Ericsson; GMD/Fraunhofer; Hewlett
Packard Company; IBM; IDcide; Independent Center for Privacy Protection
Schleswig-Holstein, Germany; Internet Education Foundation; Joint
Research Center of the European Commission; Microsoft; NCR; NEC;
Ontario Office of Information and Privacy; PrivacyBank;
along with invited experts.
- Q: What is a Web standard?
- A: Web standards are technical agreements about how web browsers,
servers, and documents that are part of the Web will operate
together. Web standards have enabled the Web to reach around
the world, be accessible from a wide variety of hardware and
software devices in a competitive environment. Well-known Web
standards include HTML, XML, and Cascading Style Sheets.
- Q: What is the World Wide Web Consortium?
- A: The W3C was created to lead the Web to its full potential by
Developing common protocols that promote its evolution and ensure its
interoperability. It is an international industry consortium jointly run by the MIT Laboratory for Computer Science (MIT LCS) in the USA, the National Institute for Research in Computer Science and Control (INRIA) in France and Keio University in Japan. Services provided by the Consortium include: a repository of information about the World Wide Web for developers and users, and various prototype and sample applications to demonstrate use of new technology. To date, nearly 500 organizations are Members of the Consortium.
For more information visit the W3C Web site.
- Q: What will happen now that the standard is finalized? Does everyone
Have access to the benefits of P3P?
- A: By creating a common language for privacy, P3P has already enabled
The development of a whole new class of Web tools and services that address privacy. Some of these tools are already available in popular Web browsers and Web server software. As P3P is more widely adopted by Web sites, we expect many more tools to be introduced that will help users to protect their privacy and enable businesses to manage their handling of personal information seamlessless and responsibly.
Basic Question: P3P User Agents
- Q: What tools can consumers use to take advantage of P3P?
- A: AT&T and Microsoft have created P3P-enable user agents and other user agents are in development that will be available across a variety of platforms. For more information on specific user agents, visit the tools section of P3Ptoolbox.
Basic Question: P3P Adoption Rate
- Q: How many web sites have adopted P3P?
- A: The P3P adoption rate continues to grow at a steady pace. While there is no definitive list of Web sites that are P3P compliant, you can visit P3Ptoolbox maintains a sample list of P3P enabled Web sites. In addition, you can visit the W3C list
of sites which tell them they are implementers.
Basic Questions: Implementation of P3P
- Q: Is it difficult for web sites to use P3P?
which is at the discretion of the site owner and regulations which may apply in their region.
- Q: How can web sites learn how to become P3P compliant?
- A: Visit P3PToolbox's Implementation Guide and look at the W3C's Deployment Guide.
- Q: Will Internet Explorer 6.0 read compact policies from secure servers?
- A: If people use http set-cookie, and Internet Explorer handles those headers then compact policies will be read as user preferences dictate. Thus if a user goes to https://site.com with default preferences then, yes, Internet Explorer will process compact policies.
Also note that a bug was found recently where the wrong privacy report is displayed when sites use the METHOD element in their PRF. For more details, visit the Microsoft support Web site for details.
If you find any reproducable instances of wrong Internet Explorer 6.0 behavior with respect to P3P, please post the details and the Internet Explorer folks will look into them.
GUID: Using GUID to track preferences
- Q: Another example is -- say I use among other things a GUID to configure my ad server to serve new ads to a user, that same user has expressed a preference in our forums to have a 2 pane layout when they view our forums.
They have signed up for a user name in the forum. We use the same GUID to track their preferences for the frames.
- A: Again it comes down to the link ability. If, for instance, I require user authentication for on my forums server but then never log guid=abc123 with remote_user=bdobbs then bdobbs never links to seeing ad # 567889. It is all just A=B (cookie=remote_user), B=C (cookie=ad), C=A (remote_user=ad). If you fail to make either
of the first 2 associations than you never have "remote_user had seen these ads", which is what you are trying to avoid. So in this case since we know that it is vital that the unique cookie be associated with ads to keep functionality, then what must be avoided is associating PII with that cookie on other servers.
If there is nothing so rigid as remote_user being logged with cookie but rather only text that MAY contain a user's name in it logged with a cookie then the answer would be no. This person should also be aware that many times CGI will receive and process information not "seen" or logged by standard logs. For instance, just because a user fills out a form with his or her name in it and pass a unique cookie with the form, submittal does NOT mean that the cookie and the form data are linked. You need to understand what is logged by both the form and the logs. This association may or may not exist.
Linkage: Cookie linkage of Information
- Q: My Web site collects information via a globalID cookie to track recurrent visitors. If I run a contest on my site, for example, and someone enters a contest with their personal information, and then goes to browse the rest of our site - such as a "baldness cure" page, -- am I required to state that I collect personally
identifiable health information in my P3P policy?
- A: If PII is linked to the cookie on site "A" and then the cookie is logged on site "B" with the request for a URI called "/health/fixmybaldhead.html" - then "yes". If the PII collected with the contest is not linked through a persistent unique ID to content request then "no". Why?
Because if the Web site WANTED to attach names to who was viewing my baldness page, this is exactly how it would do it. This person's decision not to do that can be reflected in PURPOSES but the data is still linked.
Linkage: Declaring a linkage between PII and health information
- Q: It is our corporate policy NOT to monitor those forums, BUT the user posts frequently in the "Let's lose weight because I'm fat" forum. The user maintains, on another machine on our domain a web page for his
church group. As part of the web page, he posts his email and phone number and mailing address, so the people in his church can send him pictures to post on the web site. Are we also holding personally identifiable health information for him?
(You can assume for these examples that all our databases for the company are one copy of Oracle on one machine. And so are our web logs.)
- A: It is going to be a challenge to account for the differences between unintentional bleed from referrers and very intentional bleeds. It would be a much bigger problem if you log FULL refer strings than if you chop the query_string off of refers. Bottom line is if you absolutely understand and intend to receive a refer like www.someothersite.com/page/name/html/?acctnum=1234567, you are in murky water.
If you are concerned that P3P requires you to make declarations that you are uncomfortable with and indeed don't reflect the DATA that you actually "USE" but are unable to point to how your architecture is different from someone who DOES USE - you should declare. Building a database full of relational tables and then never running certain queries reflects the PURPOSES for which you have data, not what data you have.
P3P and Privacy Laws
- Q: Can P3P work with the wide variety of privacy laws that exist around the world?
- A: The P3P vocabulary was developed specifically with the global nature of the Web in mind. Working Group participants had expertise in a variety of different legal systems and we have received feedback from all around the world. P3P has already been successful implemented in Asia, Canada, Europe, and the United States.
- Q: Some privacy advocates have been critical of P3P and say that privacy laws, not P3P, is what is needed. What do you say to that?
- A: For users to be able to exercise meaningful control over their personal information on the Web, a combination of technical tools and legal protection is required.
- Q: Can you get the privacy report if you access the web through a proxy?
- A: There is a known issue here. If the proxy requires authentication then the policy fetch will fail. This is because we do not support proxy authentication for policy retrieval. This is known issue and may be addressed in a future service pack release.