P3P-The platform for Privacy Preference Project

P3P: The Platform for Privacy Preferences Project
Information Management, first-year graduate student: 戴志洋 R89725014
Information Management, first-year graduate student: 余丹楓 R89725015
Introduction to P3P
P3P is an automated mechanism, mediated by a user agent, for reconciling a web site's privacy policy with the user's privacy preferences.
P3P policies
• use an XML encoding of the P3P vocabulary
• enumerate the types of data or data elements collected, and explain how the data will be used
P3P User Agents
P3P1.0 user agents can be built into web browsers, browser plug-ins, or proxy servers. They can also be implemented as Java applets or JavaScript; or built into electronic wallets, automatic form-fillers, or other user data management tools.
A P3P user agent would retrieve P3P policies, compare them with the user's preferences, and authorize the release of data only if
a) the policy is consistent with the user's preferences, and
b) the requested data transfer is consistent with the policy.
Example of P3P in Use
http://www.catalog.example.com
• Assume that CatalogExample has placed P3P policies on all their pages.
• Web browser with P3P built in.
[Flowchart of the example; its labels: Tellme; preferences Tellme has given it (browser); Web site; HTTP access, standard log; Check: match; Enter other catalog; Enter checkout; Yes / No; Check: match; Need more information (software uses cookies to implement a "shopping cart" feature); Need telephone; complete / Cancel]
P3P1.0
W3C Working Draft 18 October 2000
The Platform for Privacy Preferences 1.0 (P3P1.0) Specification
Allows a web site to encode its data-collection and data-use practices in a machine-readable XML format known as a P3P policy.
P3P1.0 specification defines:
• A standard schema for data a Web site may wish to collect, known as the "P3P base data schema"
• A standard set of uses, recipients, data categories, and other privacy disclosures
• An XML format for expressing a privacy policy
• A means of associating privacy policies with Web pages or sites, and cookies
• A mechanism for transporting P3P policies over HTTP
Goal of P3P version 1.0
• It allows Web sites to present their data-collection practices in a standardized, machine-readable, easy-to-locate manner.
• It enables Web users to understand what data will be collected by sites they visit, how that data will be used, and what data/uses they may "opt-out" of or "opt-in" to.
Future Versions of P3P
• a mechanism to allow sites to offer a choice of P3P policies to visitors
• a mechanism to allow visitors (through their user agents) to explicitly agree to a P3P policy
• mechanisms to allow for non-repudiation of agreements between visitors and web sites
• a mechanism to allow user agents to transfer user data to services
Policy References
• The URI where a P3P policy is found
• The URIs or regions of URI-space covered by this policy
• The URIs or regions of URI-space not covered by this policy
• The regions of URI-space for embedded content on other servers that are covered by this policy
• The cookies that are or are not covered by this policy
• The access methods for which this policy is applicable
• The period of time for which these claims are considered to be valid
Locating Policy Reference Files
• "well-known" location
• non-ambiguity
http://cgi.example.com/w3c/p3p.xml
HTTP Headers
[1] p3p-header = `P3P: ` p3p-header-field *(`,` p3p-header-field)
[2] p3p-header-field = policy-ref-field | extension-field
[3] policy-ref-field = `policyref="` URI `"`
[4] extension-field = token [`=` (token | quoted-string)]
1. Client makes a GET request.
GET /index.html HTTP/1.1
Host: catalog.example.com
Accept: */*
Accept-Language: de, en
User-Agent: WonderBrowser/5.2 (RT-11)
2. Server returns content and the P3P header pointing to the policy of the page.
HTTP/1.1 200 OK
P3P: policyref="http://catalog.example.com/P3P/PolicyReferences.xml"
Content-Type: text/html
Content-Length: 7413
Server: CC-Galaxy/1.3.18
The HTML link Tag
[5] p3p-link-tag = `<link rel="P3Pv1" href="` URI `">`
<link rel="P3Pv1" href="http://catalog.example.com/P3P/PolicyReferences.xml">
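The three ways of locating a policy reference file described above (the well-known location, the P3P response header per grammar rules [1]-[4], and the HTML link tag per rule [5]) as an added Python example; this is not code from the slides or from any P3P implementation. The sample response, the page markup, the extension field x-ext and the lookup order are all constructed for the example.

```python
import re

WELL_KNOWN_PATH = "/w3c/p3p.xml"  # the "well-known" location named on the slides
FIELD = re.compile(r'(?:[^,"]|"[^"]*")+')  # header fields: commas inside quotes do not split
LINK_TAG = re.compile(r'<link\s+rel="P3Pv1"\s+href="([^"]*)"\s*/?>', re.IGNORECASE)

# Constructed sample response and page, modeled on the exchange above; the extension
# field x-ext is made up to exercise grammar rule [4].
RESPONSE_HEADERS = [
    "HTTP/1.1 200 OK",
    'P3P: policyref="http://catalog.example.com/P3P/PolicyReferences.xml", x-ext=demo',
    "Content-Type: text/html",
]
PAGE_HTML = '<html><head><link rel="P3Pv1" href="/P3P/PolicyReferences.xml"></head></html>'


def parse_p3p_header(value):
    """Parse a P3P header value per rules [1]-[4] into (policyref URI or None, extensions).
    policy-ref-field requires a quoted URI; every other field is an extension-field whose
    value is a bare token, a quoted-string (quotes stripped), or None when absent."""
    policyref, extensions = None, {}
    for raw in FIELD.findall(value):
        field = raw.strip()
        if not field:
            continue
        name, has_value, val = field.partition("=")
        name, val = name.strip(), val.strip()
        if name == "policyref":
            m = re.fullmatch(r'"([^"]*)"', val)
            if not m:
                raise ValueError("policyref value must be a quoted URI")
            policyref = m.group(1)
        elif has_value and len(val) >= 2 and val[0] == val[-1] == '"':
            extensions[name] = val[1:-1]
        else:
            extensions[name] = val if has_value else None
    return policyref, extensions


def discover_policyref(headers, html, origin):
    """Candidate locations of the policy reference file, in the order this example chooses:
    the P3P response header, then the HTML link tag [5], then the well-known location."""
    for line in headers:
        name, _, val = line.partition(":")
        if name.strip().lower() == "p3p":
            uri, _ = parse_p3p_header(val)
            if uri:
                return uri
    m = LINK_TAG.search(html)
    return m.group(1) if m else origin + WELL_KNOWN_PATH
```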
Policy Reference File
<META xmlns="http://www.w3.org/2000/10/18/P3Pv1">
<POLICY-REFERENCES>
<EXPIRY max-age="172800"/>
<POLICY-REF about="/P3P/Policy1.xml">
<INCLUDE>/*</INCLUDE>
<EXCLUDE>/catalog/*</EXCLUDE>
<EXCLUDE>/cgi-bin/*</EXCLUDE>
<EXCLUDE>/servlet/*</EXCLUDE>
</POLICY-REF>
<POLICY-REF about="/P3P/Policy2.xml">
<INCLUDE>/catalog/*</INCLUDE>
</POLICY-REF>
<POLICY-REF about="/P3P/Policy3.xml">
<INCLUDE>/cgi-bin/*</INCLUDE>
<INCLUDE>/servlet/*</INCLUDE>
<EXCLUDE>/servlet/unknown</EXCLUDE>
</POLICY-REF>
</POLICY-REFERENCES>
</META>
Policy reference file lifetimes and the EXPIRY element
[6] prf = `<META xmlns="http://www.w3.org/2000/10/18/P3Pv1">` policyrefs [policies] PCDATA "</META>"
[7] policyrefs = "<POLICY-REFERENCES>" [expiry] *policyref "</POLICY-REFERENCES>"
[8] expiry = "<EXPIRY" (absdate|reldate) "/>"
[9] absdate = `date="` HTTP-date `"`
[10] reldate = `max-age="` delta-seconds `"`
The POLICY-REF element
<META xmlns="http://www.w3.org/2000/10/18/P3Pv1">
<POLICY-REFERENCES>
<POLICY-REF about="/P3P/Policy1.xml">
<INCLUDE>/docs/*</INCLUDE>
<INCLUDE>/other/index.html</INCLUDE>
<EMBEDDED-INCLUDE>
http://*.example.com/ads/*
</EMBEDDED-INCLUDE>
<EMBEDDED-EXCLUDE>
http://*.example.com/ads/network/*
</EMBEDDED-EXCLUDE>
<COOKIE-INCLUDE>*</COOKIE-INCLUDE>
<COOKIE-EXCLUDE>
obnoxious-cookie .example.com/
</COOKIE-EXCLUDE>
</POLICY-REF>
</POLICY-REFERENCES>
</META>
Non-ambiguity
A very important rule of policy
references is that of non-ambiguity: For
each resource at a website there MUST
be at most one policy active at any
given time. Thus two non-expired policy
reference files on a given site MUST
NOT declare two or more different
policy URIs for the same resource.
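The policy reference file shown earlier, evaluated the way the non-ambiguity rule requires, as an added Python example (not code from the slides or from any P3P user agent). It parses the INCLUDE/EXCLUDE patterns and the EXPIRY max-age, finds the single policy that covers a resource, rejects a reference file in which two policies claim the same resource, and treats the file's claims as stale once max-age has elapsed; the sample file is the one from the slides, and the handling of a missing EXPIRY is this example's assumption.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2000/10/18/P3Pv1}"

# Constructed sample: the policy reference file shown on the slides, as one XML document.
PRF = """<META xmlns="http://www.w3.org/2000/10/18/P3Pv1"><POLICY-REFERENCES>
<EXPIRY max-age="172800"/>
<POLICY-REF about="/P3P/Policy1.xml"><INCLUDE>/*</INCLUDE>
<EXCLUDE>/catalog/*</EXCLUDE><EXCLUDE>/cgi-bin/*</EXCLUDE><EXCLUDE>/servlet/*</EXCLUDE></POLICY-REF>
<POLICY-REF about="/P3P/Policy2.xml"><INCLUDE>/catalog/*</INCLUDE></POLICY-REF>
<POLICY-REF about="/P3P/Policy3.xml"><INCLUDE>/cgi-bin/*</INCLUDE><INCLUDE>/servlet/*</INCLUDE>
<EXCLUDE>/servlet/unknown</EXCLUDE></POLICY-REF>
</POLICY-REFERENCES></META>"""


def matches(pattern, path):
    """INCLUDE/EXCLUDE pattern match: '*' stands for any run of characters, '/' included."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path) is not None


def parse_prf(xml_text):
    """Return (max-age in seconds or None, [(policy URI, includes, excludes), ...])."""
    refs = ET.fromstring(xml_text).find(NS + "POLICY-REFERENCES")
    expiry = refs.find(NS + "EXPIRY")
    max_age = int(expiry.get("max-age")) if expiry is not None and expiry.get("max-age") else None
    rules = []
    for ref in refs.findall(NS + "POLICY-REF"):
        includes = [e.text.strip() for e in ref.findall(NS + "INCLUDE")]
        excludes = [e.text.strip() for e in ref.findall(NS + "EXCLUDE")]
        rules.append((ref.get("about"), includes, excludes))
    return max_age, rules


def policy_for(rules, path):
    """Policy URI whose POLICY-REF covers `path` (an INCLUDE matches and no EXCLUDE does).
    Returns None for an uncovered resource; raises if two policies claim the same resource,
    which the non-ambiguity rule forbids."""
    hits = [about for about, inc, exc in rules
            if any(matches(p, path) for p in inc) and not any(matches(p, path) for p in exc)]
    if len(hits) > 1:
        raise ValueError(f"non-ambiguity violated: {path} is covered by {hits}")
    return hits[0] if hits else None


def is_fresh(max_age, age_seconds):
    """EXPIRY max-age: the file's claims stay valid for max-age seconds after it was fetched.
    Assumption (the slides give no default): a file without EXPIRY is not relied on."""
    return max_age is not None and age_seconds <= max_age
```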
Multiple Languages
Multiple language versions (translations) of the same policy can be offered by the server using the HTTP "Content-Language" header to properly indicate that a particular language has been used for the policy. This is useful so that human-readable fields such as entity and consequence can be presented in multiple languages.
Non-Discrimination of Policies
Servers SHOULD make every effort to
help user agents find P3P policies. In
particular, servers SHOULD place a
policy reference file at the well-known
location whenever possible.
Security of Policy Transport
P3P policies and references to P3P
policies SHOULD NOT, in themselves,
contain any sensitive information.
Policy Updates
Note that when a web site changes its
P3P policy, the old policy applies to data
collected when it was in effect. It is the
responsibility of the site to keep records
of past P3P policies and policy reference
files along with the dates when they
were in effect, and to apply these
policies appropriately.
P3P Guiding Principles (Non-normative)

Notice and Communication
Service providers should:
• Communicate explicitly about data collection and use, identifying the purpose for which personal information is collected and the extent to which it may be shared.
• Prominently post clear, human-readable privacy policies.
User agents should:
• Provide users an option that allows them to easily preview and agree to or reject each transfer of personal information that the user agent facilitates.
• Not transfer personal information by default without the user's consent.
• Inform users about the privacy-related options offered by the user agent.

Choice and Control
Service providers should:
• Limit their requests to information necessary for fulfilling the level of service desired by the user.
• Obtain informed consent prior to the collection and use of personal information.
• Provide information about the ability to review and correct personal information.
User agents should:
• Include configuration tools that allow users to customize their preferences.
• Allow users to import and customize P3P preferences from trusted parties.
• Present options to users in a way that is neutral or biased towards privacy.

Fairness and Integrity
Service providers should:
• Use information only for the stated purpose and retain it only as long as necessary.
• Ensure that information is accurate, complete, and up-to-date.
• Continue to treat information according to the policy in effect when the information was collected, unless users give their informed consent to a new policy.
User agents should:
• Act only on behalf of the user according to the preferences specified by the user.
• Accurately represent the practices of the service provider.

Security
Service providers should:
• Provide mechanisms for protecting any personal information they collect.
• Use appropriate trusted protocols for the secure transmission of data.
User agents should:
• Protect the personal information that is stored in the agent.
• Use appropriate trusted protocols for the secure transmission of data.
• Warn users when an insecure transport mechanism is being used.
P3P: Pretty Poor Privacy?
• Current Internet Privacy Risks
• Failure to Establish Privacy Standards
• Exclusion of Non-Compliant Sites
• Absence of Enforcement
• Prognosis for Adoption
• Impact on Privacy if P3P is Deployed
• P3P Fails to Satisfy Jurisdictions with Strong Privacy Standards
Current Internet Privacy Risks
Today the Internet faces a wide range of privacy problems. The Internet Protocol (IP) used to transmit web pages creates a privacy risk that arises not in the web browser itself but in the transmission of web pages over IP. When a browser requests a page from a server, the browser's IP address is transmitted as the return address to which the requested page is to be sent. Various services are available today to disguise one's IP address.
Failure to Establish Privacy Standards
P3P builds on the notice and choice
privacy approach. This is a weak model
for privacy protection because it fails to
ensure the observance of Fair
Information Practices. This is also not
the approach that the United States has
typically taken to ensure privacy
protection in other sectors with rapidly
changing technology.
Exclusion of Non-Compliant Sites
P3P is developed from a self-regulatory standpoint, giving web sites the option of whether to incorporate the P3P protocol on their web site. A web site that collects too much data will probably not incorporate the P3P protocol. If few sites support P3P, consumers will have little incentive to use the technology, creating a sort of chicken-and-egg problem.
Absence of Enforcement
P3P lacks any means to enforce
privacy policies.

Even where there is agreement about the
privacy terms for a particular transaction,
P3P provides no means to ensure
enforcement of the stated privacy policies
and the P3P developers do not seem
particularly concerned about this problem.
Prognosis for Adoption
There is no user base and no user demand. Companies have been reluctant to adopt the complicated protocol structure, and governments have shown little indication that they will address public concerns about privacy protection.
Impact on Privacy if P3P is Deployed
Microsoft and Netscape/AOL are likely to implement P3P in a way that sets very low privacy preference defaults. This is because these companies are paid through advertisements and data collection, so it is in their best interest to have the lowest privacy preferences as defaults.
P3P Fails to Satisfy Jurisdictions
with Strong Privacy Standards
P3P has not impressed those
jurisdictions that have considered
its use to implement legal rules for
privacy.

The European Union, which does have
baseline, legally enforceable privacy rights
in the form of the EU Data Directive, has
explicitly rejected P3P as part of its privacy
protection framework.