P3P and the Default Settings of Internet Explorer 6
How Both Could Affect Your Site
Internet Explorer 6 takes a proactive stance toward P3P by automatically taking action based on the user's privacy settings. This may be done with little or no knowledge of the human surfing the web and could change the browsing experience intended by the webmaster. Currently, Internet Explorer 6 is the only widely used browser that could potentially change the intended user experience of a site based on a P3P policy. (It will be interesting to see if this changes in the future.)
This report explains what P3P is, how Internet Explorer 6 works with compliant and non-compliant sites, and lists some considerations to take before making your site P3P compliant.
What P3P Is
The P3P Specification includes an XML protocol for expressing data collection practices as well as a format to transport P3P policies over the web. It also includes a standard set of data elements all P3P agents must be aware of and a standard set of uses and recipients for private information.
What P3P Is Not
P3P does not include a mechanism to transfer data to or from a web site. It also does not secure private data from being collected, nor does it ensure web sites act according to their stated data collection practices.
Requirements of a P3P Policy
All P3P policies must contain the following elements:
- Data Categories and Purposes of Data Collection
- Recipients of the Data Collected
- Who to contact for privacy-related disputes
- How a user can access the data collected
- What remedies can be taken for privacy breaches
- Information stored in cookies or made accessible by cookies.
Cookies and P3P
P3P policy information related to cookies is stored in a 'mini' P3P policy called a compact policy. The compact policy applies to all data stored within cookies set by the requested web page as well as to any data those cookies give access to.
Compact policies contain enough information for user agents to interpret and automatically make decisions with a user's information. They were created to speed up the process of sending and receiving P3P policies and are sent by the server along with the web page that is requested in a custom HTTP response header.
While Compact Policies are considered optional by the W3C Spec for both user agents and servers, they are required in order for Internet Explorer 6 to interpret a P3P policy. In fact, the only thing I.E. 6 observes is the compact policy.
Internet Explorer 6 and P3P
I.E. 6 uses what it calls 'advanced cookie filtering' to determine which cookies are acceptable based on the contents of the site's compact policy -- or lack of one -- and the user's privacy settings in the browser.
In order to understand how the default settings of I.E. 6 could affect a web site, one needs to have a thorough understanding of how cookies work.
Brief Tutorial on Cookies: Basic Facts
Cookies are pieces of information generated by a web server and stored in the user's computer, ready for future access. They were implemented to allow sites to be customized for individual users and are stored as plain text.
Cookies can only be read by the entity(s) allowed to read them. The webmaster writes a list of domains or servers allowed to access the cookie's information when it is programmed. If no list is written, the only entity able to read the cookie is the domain that set the cookie.
For example, if Brett set a cookie from WebmasterWorld.com and wanted the information accessible to SearchEngineWorld.com, he'd have to write both domains into the access list of the cookie. Otherwise, by default, only WebmasterWorld.com would be able to access the information stored in it.
Cookies are fairly secure. The instances of other servers accessing cookie information have been due to security holes in different internet browsers, and not to the cookies themselves.
Two Types of Cookies
Cookies are classified by two things: their status (how long they last) and their context (where they come from).
Status of a Cookie: Persistent Cookies vs Session Cookies
Persistent Cookies are cookies that can be read by the server after the browsing session ends and are stored on the computer's hard drive. A familiar example of a persistent cookie is the cookie used on WebmasterWorld.com which keeps you from having to log in every day to see your Stickymail. Persistent cookies are also used with shopping carts: if an item is placed in the cart today, it will still be in the cart tomorrow.
Session Cookies are stored in the computer's RAM and are erased when the web browser is closed. These cookies are used to prevent the same pop-ups from being shown over and over during a visit to a web site.
Context of a Cookie: First- and Third-Party Context
The only time a cookie's context matters is if it is being read by more than one server or domain. Also, the concept is difficult to explain without an example.
First, the definitions:
- First-party cookie: Cookies associated with the host server or domain. (Also called a 'cookie in the first-party context'.)
- Third-party cookie: Cookies associated with domains other than the host server or domain. (Also called a 'cookie in the third-party context'.)
To make it easy, you can think of the host domain as the domain the browser is currently pointed to.
In a previous example, Brett wrote a cookie that could be read by both the WebmasterWorld.com and SearchEngineWorld.com domains. The cookie was set by WebmasterWorld.com, and I'll refer to it as 'Cookie A'.
When the host domain -- the domain the browser is pointed to -- is WebmasterWorld.com, Cookie A is considered a first-party cookie: the host domain is the same domain that set the cookie.
When a user surfs to SearchEngineWorld.com, Cookie A is considered a cookie in the third-party context, or a third-party cookie. The host domain is now SearchEngineWorld.com and Cookie A was set by a domain other than the host: WebmasterWorld.com.
For clarification, it is possible to have:
- Persistent cookie in a first-party context
- Persistent cookie in a third-party context
- Session cookie in a first-party context
- Session cookie in a third-party context
Back to Our Regularly Scheduled Program: Internet Explorer 6 and P3P
As stated earlier, Internet Explorer 6 determines which cookies are satisfactory based on the contents of the site's compact policy -- or lack of one -- and the user's privacy settings in the browser.
Microsoft defines an unsatisfactory cookie as:
"Cookies which contain or allow access to personally identifiable information or information provided to unstated recipients without user consent."
Personally Identifiable Information (PII) includes:
- Physical contact or location information
- Online contact information (e-mail address)
- Information used by the government (Social Security number)
- Information about a person's finances.
- Analysis that can be related to individual users
- Actions based on a user's history.
- Contact by means other than phone
- Contact by phone
Please note that collecting PII is OK as long as the user has the option to allow its collection and gives consent for its use. Also, according to the P3P standard, the web site must clearly state the recipients of any collected information.
Cookies deemed 'satisfactory' by I.E. 6, or compliant with the user's privacy settings, are accepted; that is, they are allowed to function as designed.
Unsatisfactory cookies have one of two things happen to them:
- The status of the cookie is changed: either 'downgraded' or 'leashed'.
- The cookie is rejected or 'denied'.
A downgraded cookie is a persistent cookie that has had its status changed to a session cookie. This means it will be deleted at the end of the browsing session. For example, if a consumer puts something in a shopping cart today and the cookie is downgraded, the item will not show in the shopping cart tomorrow.
A leashed cookie is a cookie that is only allowed to be read in the first-party context; that is, the cookie will not be sent to third-party entities. To use our example above, with I.E. 6, SearchEngineWorld.com will not be able to access the cookie set by WebmasterWorld.com, even though SEW is in the access list of the cookie.
A denied cookie is not accepted by the browser.
The Default Privacy Settings of Internet Explorer 6
Internet Explorer 6 has the default privacy setting of 'medium'. A summary of these settings is in the table below:
(table taken directly from Privacy in Internet Explorer 6 paper referenced at the end.)
|Cookie type and policy |First-party context |Third-party context |
|---|---|---|
|Persistent cookie with no compact policy |Leash |Deny |
|Persistent cookie with unsatisfactory compact policy |Downgrade |Deny |
|Persistent cookie with acceptable compact policy |Accept |Accept |
|Session cookie |Accept |Treat like a persistent cookie with regard to presence or content of the compact policy |
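The medium-setting table above can be checked against a site's own responses. The following is an added example, not code from this article or from Microsoft: it assumes the compact policy arrives in the `P3P` response header as `CP="..."`, maps the article's PII list onto P3P compact-policy tokens, and uses a simplified satisfaction rule (a PII category together with a PII-related purpose lacking an opt-in/opt-out suffix) rather than I.E. 6's exact evaluation. Function names and the sample responses are constructed.

```python
import re

# Compact-policy tokens for the article's PII list (P3P 1.0 vocabulary).
PII_CATEGORIES = {"PHY", "ONL", "GOV", "FIN"}
PII_PURPOSES = {"IVA", "IVD", "CON", "TEL"}

# The article's 'medium' table: (policy state, context) -> action.
MEDIUM = {
    ("none", "first"): "leash", ("none", "third"): "deny",
    ("unsatisfactory", "first"): "downgrade", ("unsatisfactory", "third"): "deny",
    ("acceptable", "first"): "accept", ("acceptable", "third"): "accept",
}

def compact_policy(raw_response):
    """Return the CP tokens from the P3P response header, or None if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "p3p":
            match = re.search(r'CP\s*=\s*"([^"]*)"', value, re.I)
            if match:
                return match.group(1).split()
    return None

def policy_state(tokens):
    """Assumed rule: a PII category plus a PII purpose without opt-in/opt-out."""
    if not tokens:
        return "none"
    has_pii = any(t.upper() in PII_CATEGORIES for t in tokens)
    # A purpose token may end in 'a' (always), 'i' (opt-in) or 'o' (opt-out).
    unconsented = [t for t in tokens
                   if t[:3].upper() in PII_PURPOSES and t[3:] not in ("i", "o")]
    return "unsatisfactory" if has_pii and unconsented else "acceptable"

def ie6_medium_action(raw_response, persistent, context):
    """Return accept, leash, downgrade or deny for one cookie."""
    if not persistent and context == "first":
        return "accept"                          # session cookie, first party
    # Every other case follows the persistent-cookie rows of the table.
    return MEDIUM[(policy_state(compact_policy(raw_response)), context)]

# Constructed sample responses (not captured traffic).
NO_CP = "HTTP/1.1 200 OK\r\nSet-Cookie: cart=42\r\n\r\n<html></html>"
BAD_CP = ('HTTP/1.1 200 OK\r\nP3P: CP="CUR ADM ONL CON TEL"\r\n'
          "Set-Cookie: cart=42\r\n\r\n<html></html>")
GOOD_CP = ('HTTP/1.1 200 OK\r\nP3P: CP="CUR ADM ONL CONi TELo"\r\n'
           "Set-Cookie: cart=42\r\n\r\n<html></html>")
```

Calling `ie6_medium_action(BAD_CP, True, "first")` shows the shopping-cart case from the text: the persistent cookie is downgraded to a session cookie.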
P3P: Things to Consider Before Making the Decision
Deciding if your site should have a P3P policy is not something that can be taken lightly. If you decide to implement P3P on your site, time must be allotted for thorough testing to ensure cookies are always deemed 'satisfactory' -- at least for the default settings of Internet Explorer 6. The things you must consider before deciding to make your site P3P compliant:
If the answer is yes, then you need to get a compatible compact policy on your sites. Otherwise, your site visitors may not be having the experience on your site you intended.
2. Is your brand name going to be hurt by not having a P3P policy?
Even though most consumers don't know what a P3P policy is or even how to check if one is there, a site with a well-known brand name could get bad publicity by not having it. (Keep in mind that IE 6 reads only the compact policy, not the P3P policy itself.)
Many large shopping sites are not P3P compliant. I speculate they have found that a P3P compact policy with cookies considered 'unsatisfactory' would hurt their shopping business more than if they don't have a policy at all. (Think how many online businesses would be hurt if their shopping carts got emptied after a consumer closed the browser.)
If You Decide Not to Implement P3P on Your Site
People are intimidated by legalese. If possible, re-write some or all of your policy in layman's terms.
Put in P3P required entities.
While you may not be able to write a P3P policy for your site, you should be able to include all of the entities a P3P policy requires: why the data is collected, who receives it, how long the policy is valid, how cookies are used and who the user can contact for privacy-related disputes. This information will come in handy if you need to make your site P3P compliant later.
Stay Tuned Next week
I will post a tutorial for using the IBM P3P tool to assist those of you who have decided to make your site compliant.
W3C Platform for Privacy Initiative
W3C P3P Frequently Asked Questions
Privacy in Internet Explorer 6
Cookie Central.com FAQ
Privacy.net Tutorial Explaining how companies track your private information using cookies. (Use a browser other than IE 6, otherwise it won't work.)