Title: P3P Implementation Tips: Observations for approaching Design, Build and Deploy PricewaterhouseCoopers Brendon Lynch
1P3P Implementation Tips Observations for
approachingDesign, Build and Deploy
PricewaterhouseCoopersBrendon Lynch
2Assemble your team
- Your P3P Build and Deploy team needs a
combination of skill sets - IT
- Privacy
- Legal
- Marketing
- Content Management
- and perhaps.. Consultants
3Understand Your Website Architecture
- Perform a detailed review of your website to
determine - How reliant is your website on cookies?
- What states do users have on your site (e.g.
visitor (anon), registrant, transactor?) - Which cookies are associated with these states?
- How will a users experience be affected if
cookies are blocked or denied? - Does your website recognize when cookies are
blocked? - Are suitable work-around instructions provided
4Detect and instruct - example
5Other 3rd Party Cookies
- Some companies are missing the true impact,
example (now changed but)www.cnn.com served a
metric count cookie from www.cnnaudience.com - This is a 3P cookie in the IE6 logic and is
blocked at medium (default) - Solutions a suitable Compact Policy or an
architecture change to minimal level domain
6Determine 3rd Party Compliance
- Your third party cookie providers should be P3P
compliant by now - If not, what effect will this have on your site?
- Consider unique metric counts relied upon by
analysts - Engage in dialog with your 3rd Party cookie
vendors and work with them to implement P3P
compact policies
7Our Tools for Understanding Your Web Architecture
- WebCPOTM, a complete privacy technology developed
by Watchfire and PwC that scans and provides an
automated detailed analysis of your website
architecture, cookies and IE6 impact. - WebCPOTM will scan every link on the website,
identifying 3rd Parties, Cookies, Forms,
Security, domains, and other important privacy
criteria. - More details can be explained post-workshop
8IE 6 Cookie Handling Report
9Know the Spec!
- The specification is long and cumbersome, it
takes a while to digest - Simple, one Full P3P (verbose) instance is best,
but only IF your architecture permits - Use the P3P Generators but beware they are not
perfect, you still need to micro-audit, test and
pilot the outputs - P.S. Do you have the correct version of the spec?
10Understand Your Existing Narrative Privacy Policy
- Does your narrative privacy policy adequately
disclose all of the elements in the Spec? - Are you comfortable that your site conforms to
the statement? - Does your policy map to the binary disclosures
required in Full P3P policy? - Check some elements, (e.g. Data Retention)
- Indefinitely may sound bad, your company does
have retention standards, should this be
articulated in your narrative policy?
11Understand Your Existing Narrative Privacy Policy
- Be Aware - Your current policy may need to be
revised after a P3P Policy is created. - Simple items e.g. entity contact information,
phone number - Complex items - Access, Retention,
Multiple-choice
12Edit the Full Policy
- The Policy Building utilities are a good starting
point, but are not perfect(e.g. may not output
multiple statements) - If changes need to be made to the Full Policy, a
simple XML editor should be used to make the
changes - Avoid using a text editor or word processor to
make changes, they will not always work properly
13Full P3P Matrix
- Recommended
- Map each Data element by user state,
double/triple check, get a second pair of eyes,
(then code) - Discuss the mapping with the whole team, check
your binary i/o decisions with legal - Youd be surprised.
14Full Policy Some key areas
- Disputes sometimes legislation can also be
disclosed, see ATT example - Statement groups together a purpose element, a
recipient element, a data group element, and
optionally a consequence elements and one or more
extensions - NOTE create a statement per user state and
also the cookies associated with that state for
future proofing, also name your statements using
the extension syntax so they view in the Privacy
Report
15(No Transcript)
16User states confusing example
17Validate the Full Policy
- Use the W3C developed Validator to ensure Full
Policy does not have errors - http//www.w3.org/P3P/validator/20010928
- WARNING! the validator DOES NOT check all
logic, (e.g. prior version did not check for
opturi 3.2.2 mandatory if purpose elements
have opt-in or opt-out)
18Test View Privacy Report
- REMINDER IE6 uses the Full P3P policy to create
the View Privacy Report - Check if the Privacy Report displays accurately,
(e.g. the seal gifs, did you correctly code name
extensions on statements, did you have good
descriptions in the Other Purpose and Other
Categories?) - If Policy Reference File contains EXCLUDE
statements, the Full Policy should not work on
those areas of the site - double check the coding
and the accuracy of the elements - Recommend testing on a local webserver
environment - NOT in live environment
19Build a Compact Policy
- The Compact policy must associate the elements of
your Full P3P policy that relate to the actual
practices of the cookie, it would be normal to
have multiple CPs - REMINDER IE6 only evaluates the Compact Policy
20Validate the Compact Policy
- Manual Validation Required
- Reference P3P Specification for details around
tokens - Ensure that you have not created unsatisfactory
conditions by not specifying opt-in or opt-out
criteria - See IE6 guidance on msdn
- Be cognizant of Low, Medium and High (e.g. o
unsatisfactory at High setting) - Build site logic to recognize blocked cookies and
prompt users to accept
21Implement Test
- IE6 offers two good methods for testing P3P
- View Privacy Report Option
- Prompt for Cookies
- Tools / Internet Options / Privacy
- Advanced, check override
- Prompt 1P and 3P
- Once prompted, allow, block, more info displays
the full cookie properties including CP served
22Check All Cookies
- Make sure you have deployed the right CP on the
matching cookie and every cookie! - Youd be surprised.
- IT department should validate the purpose of each
cookie, get sign-off prior to launch - Again, if possible - deploy on test first
23Ongoing Monitoring
- Periodically review your website
- Preferably use an automated tool, such a
WebCPOTM, to ensure ongoing P3P compliance - Ensure that current and future 3P Cookies are P3P
compliant - New or changes in use of 1P cookies deployed must
be revisited - Implement automatic manual triggers human
change machine change