P3P and the Default Settings of Internet Explorer 6
How Both Could Affect Your Site
grnidone




msg:563258
 1:15 pm on Jul 10, 2002 (gmt 0)


Internet Explorer 6 takes a proactive stance to P3P by automatically taking action based on the user's privacy settings. This may be done with little or no knowledge of the human surfing the web and could change the browsing experience intended by the webmaster. Currently, Internet Explorer 6 is the only widely used browser that could potentially change the intended user experience of a site based on a P3P policy. (It will be interesting to see if this changes in the future.)

This report explains what P3P is, how Internet Explorer 6 works with compliant and non-compliant sites, and lists some considerations to take before making your site P3P compliant.

What P3P Is

P3P, the Platform for Privacy Preferences, enables web sites to express their privacy policy in a standard machine- and human-readable format. It allows users to quickly be informed about the use of their private information as well as automating how and when it is released.

The P3P Specification includes an XML protocol for expressing data collection practices as well as a format to transport P3P policies over the web. It also includes a standard set of data elements all P3P agents must be aware of and a standard set of uses and recipients for private information.

What P3P Is Not

P3P does not include a mechanism to transfer data to or from a web site. It also does not secure private data from being collected, nor does it ensure web sites act according to their stated data collection practices.

Requirements of a P3P Policy

All P3P policies must contain the following elements:

  • Data Categories and Purposes of Data Collection
  • Recipients of the Data Collected
  • Who to contact for privacy-related disputes
  • How long the Privacy Policy is valid
  • How a user can access the data collected
  • What remedies can be taken for privacy breaches
  • Information stored in cookies or made accessible by cookies.

Cookies and P3P

P3P policy information related to cookies is stored in a 'mini' P3P policy called a compact policy. The compact policy applies to all data stored within cookies set by the requested web page as well as to any data those cookies give access to.

Compact policies contain enough information for user agents to interpret and automatically make decisions with a user's information. They were created to speed up the process of sending and receiving P3P policies and are sent by the server along with the web page that is requested in a custom http response header.

While Compact Policies are considered optional by the W3C Spec for both user agents and servers, they are required in order for Internet Explorer 6 to interpret a P3P policy. In fact, the only thing I.E. 6 observes is the compact policy.

Internet Explorer 6 and P3P

I.E. 6 uses what it calls 'advanced cookie filtering' to determine which cookies are acceptable based on the contents of the site's compact policy -- or lack of one -- and the user's privacy settings in the browser.

In order to understand how the default settings of I.E. 6 could affect a web site, one needs to have a thorough understanding of how cookies work.

Brief Tutorial on Cookies: Basic Facts

Cookies are pieces of information generated by a web server and stored in the user's computer, ready for future access. They were implemented to allow sites to be customized for individual users and are stored as plain text.

Cookies can only be read by the entity(s) allowed to read them. The webmaster writes a list of domains or servers allowed to access the cookie's information when it is programmed. If no list is written, the only entity able to read the cookie is the domain that set the cookie.

For example, if Brett set a cookie from WebmasterWorld.com and wanted the information accessible to SearchEngineWorld.com, he'd have to write both domains into the access list of the cookie. Otherwise, by default, only WebmasterWorld.com would be able to access the information stored in it.

Cookies are fairly secure. The instances of other servers accessing cookie information have been due to security holes in different internet browsers, and not to the cookies themselves.

Two Types of Cookies

Cookies are classified by two things: their status, or how long they last, and where they come from, their context.

Status of a Cookie: Persistent Cookies vs Session Cookies

Persistent Cookies are cookies that can be read by the server after the browsing session ends and are stored on the computer's hard drive. A familiar example of a persistent cookie is the cookie used on WebmasterWorld.com which keeps you from having to log in every day to see your Stickymail. Persistent cookies are also used with shopping carts: if an item is placed in the cart today, it will still be in the cart tomorrow.

Session Cookies are stored in the computer's RAM and are erased when the web browser is closed. These cookies are used to prevent the same pop-ups from being shown over and over during a visit to a web site.

Context of a Cookie: First- and Third-Party Context

The only time a cookie's context matters is if it is being read by more than one server or domain. Also, the concept is difficult to explain without an example.

First, the definitions:

  • First-party cookie: Cookies associated with the host server or domain. (Also called a 'cookie in the first-party context'.)
  • Third-party cookie: Cookies associated with domains other than the host server or domain. (Also called a 'cookie in the third-party context'.)

To make it easy, you can think of the host domain as the domain the browser is currently pointed to.

In a previous example, Brett wrote a cookie that could be read by both the WebmasterWorld.com and SearchEngineWorld.com domains. The cookie was set by WebmasterWorld.com, and I'll refer to it as 'Cookie A'.

When the host domain -- the domain the browser is pointed to -- is WebMasterWorld.com, Cookie A is considered a first-party cookie: the host domain is the same domain that set the cookie.

When a user surfs to SearchEngineWorld.com, Cookie A is considered a cookie in the third-party context, or a third-party cookie. The host domain is now SearchEngineWorld.com and Cookie A was set by a domain other than the host: WebmasterWorld.com.

For clarification, it is possible to have:

  • Persistent cookie in a first-party context
  • Persistent cookie in a third-party context
  • Session cookie in a first-party context
  • Session cookie in a third-party context

Back to Our Regularly Scheduled Program: Internet Explorer 6 and P3P

As stated earlier, Internet Explorer 6 determines which cookies are satisfactory based on the contents of the site's compact policy -- or lack of one -- and the user's privacy settings in the browser.

Microsoft defines an unsatisfactory cookie as:

"Cookies which contain or allow access to personally identifiable information or information provided to unstated recipients without user consent."

Personally Identifiable Information (PII) includes:

  • Physical contact or location information
  • Online contact information (e-mail address)
  • Information used by the government (Social Security number)
  • Information about a person's finances.
  • Analysis that can be related to individual users
  • Actions based on a user's history.
  • Contact by means other than phone
  • Contact by phone

Please note that collecting PII is OK as long as the user has the option to allow its collection and gives consent for its use. Also, according to the P3P standard, the web site must clearly state the recipients of any collected information.

Cookies deemed 'satisfactory' by I.E. 6, or compliant with the user's privacy settings, are accepted, that is, allowed to function as designed.

Unsatisfactory cookies have one of two things happen to them:

  • The status of the cookie is changed: either 'downgraded' or 'leashed'.
  • The cookie is rejected or 'denied'.

A downgraded cookie is a persistent cookie that has had its status changed to a session cookie. This means it will be deleted at the end of the browsing session. For example, if a consumer puts something in a shopping cart today and the cookie is downgraded, the item will not show in the shopping cart tomorrow.

A leashed cookie is a cookie that is only allowed to be read in the first-party context; that is, the cookie will not be sent to third-party entities. To use our example above, with I.E. 6, SearchEngineWorld.com will not be able to access the cookie set by WebmasterWorld.com, even though SEW is in the access list of the cookie.

A denied cookie is not accepted by the browser.

The Default Privacy Settings of Internet Explorer 6

Internet Explorer 6 has the default privacy setting of 'medium'. A summary of these settings is in the table below:

| Cookie type and policy | First-party context | Third-party context |
|---|---|---|
| Persistent cookie with no compact policy | Leash | Deny |
| Persistent cookie with unsatisfactory compact policy | Downgrade | Deny |
| Persistent cookie with acceptable compact policy | Accept | Accept |
| Session cookie | Accept | Treat like a persistent cookie with regard to presence or content of the compact policy |

(Table taken directly from the Privacy in Internet Explorer 6 paper referenced at the end.)

P3P: Things to Consider Before Making the Decision

Deciding if your site should have a P3P policy is not something that can be taken lightly. If you decide to implement P3P on your site, time must be allotted for thorough testing to ensure cookies are always deemed 'satisfactory' -- at least for the default settings of Internet Explorer 6. The things you must consider before deciding to make your site P3P compliant:

1. Does your site use cookies to interact with other domains?

If the answer is yes, then you need to get a compatible compact policy on your sites. Otherwise, your site visitors may not be having the experience on your site you intended.

2. Is your brand name going to be hurt by not having a P3P policy?

Even though most consumers don't know what a P3P policy is or even how to check if one is there, a site with a well-known brand name could get bad publicity by not having it. (Keep in mind that IE 6 reads only the compact policy, not the P3P policy itself.)

Many large shopping sites are not P3P compliant. I speculate they have found that a P3P compact policy with cookies considered 'unsatisfactory' would hurt their shopping business more than if they don't have a policy at all. (Think how many online businesses would be hurt if their shopping carts got emptied after a consumer closed the browser.)

If You Decide Not to Implement P3P on Your Site

If you decide not to make your site P3P compliant at this time, here are some things you can do to make your current privacy policy a little more consumer-friendly.

Make your privacy policy easy to find.

Put the link of the site's privacy policy in the footer on every page or on your index page. Simply seeing that it is there gives people more confidence when interacting with your site.

Make your privacy policy clear.

People are intimidated by legalese. If possible, re-write some or all of your policy in layman's terms.

Put in P3P required entities.

While you may not be able to write a P3P policy for your site, you should be able to include all of the entities a P3P policy requires: why the data is collected, who receives it, how long the policy is valid, how cookies are used and who the user can contact for privacy-related disputes. This information will come in handy if you need to make your site P3P compliant later.

Stay Tuned Next week

I will post a tutorial for using the IBM P3P tool to assist those of you who have decided to make their site compliant.

References

W3C Platform for Privacy Initiative
http://www.w3.org/p3p/

W3C P3P Frequently Asked Questions
http://www.w3.org/P3P/p3pfaq.html

Privacy in Internet Explorer 6
http://msdn.microsoft.com/library/en-us/dnpriv/html/ie6privacyfeature.asp

Cookie Central.com FAQ
http://www.cookiecentral.com/faq/

Privacy.net Tutorial Explaining how companies track your private information using cookies. (Use a browser other than IE 6, otherwise it won't work.)
http://www.privacy.net/track/
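
The default-settings table in the post above, worked through as an added Python example (it is not part of the original post and is not Microsoft's code). The `Cookie` class and the function names are hypothetical; the actions come only from that table, and the browser is modelled rather than driven.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Actions from the post's table of IE6 default ("medium") settings:
# compact-policy state -> (first-party action, third-party action).
PERSISTENT_RULES = {
    "none": ("leash", "deny"),
    "unsatisfactory": ("downgrade", "deny"),
    "acceptable": ("accept", "accept"),
}

@dataclass(frozen=True)
class Cookie:  # hypothetical model of a stored cookie
    name: str
    persistent: bool       # survives the end of the browsing session
    leashed: bool = False  # only readable in the first-party context

def medium_action(persistent: bool, third_party: bool, policy: str) -> str:
    first, third = PERSISTENT_RULES[policy]
    if third_party:
        return third  # third-party session cookies follow the same rules
    return first if persistent else "accept"

def store(cookie: Cookie, third_party: bool, policy: str) -> Optional[Cookie]:
    """Return the cookie as the browser keeps it, or None if it is denied."""
    action = medium_action(cookie.persistent, third_party, policy)
    if action == "deny":
        return None
    if action == "downgrade":
        return replace(cookie, persistent=False)
    if action == "leash":
        return replace(cookie, leashed=True)
    return cookie

def is_sent(stored: Optional[Cookie], third_party: bool, restarted: bool) -> bool:
    """Would the stored cookie accompany a later request?"""
    if stored is None:
        return False
    if restarted and not stored.persistent:
        return False  # session cookies are gone once the browser closes
    return not (stored.leashed and third_party)

# Constructed scenario: a persistent shopping-cart cookie set by the host site.
cart = Cookie("cart", persistent=True)
downgraded = store(cart, third_party=False, policy="unsatisfactory")
leashed = store(cart, third_party=False, policy="none")
```

The downgraded cart cookie works until the browser is closed and is gone afterwards; the leashed one persists but is withheld in the third-party context.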

 

Brett_Tabke




msg:563259
 2:26 pm on Jul 10, 2002 (gmt 0)

Wow, thanks. That is an excellent summary of the situation Grnidone. I'll have to study that a bit closer.

hstyri




msg:563260
 12:28 am on Jul 11, 2002 (gmt 0)

I've tried several tools and still prefer to hand code my P3P files. ;)

The most important issue in the first post of this thread is this:
"While Compact Policies are considered optional by the W3C Spec for both user agents and servers, they are required in order for Internet Explorer 6 to interpret a P3P policy."

It's not entirely true that MSIE only observes the compact policy, but regarding cookies it is. In other words: If you use cookies you better have a compact policy.

If your ads are served by a third party, you probably should ask the provider to sort out the P3P on the ad server.

To learn more about P3P I also recommend playing with the AT&T Privacy Bird [privacybird.com]

The Zero-Knowledge Systems P3P Analyzer [p3p.zeroknowledge.com] also is a good tool when you're learning how to create the P3P declarations.

jayfjayf




msg:563261
 6:05 pm on Jul 11, 2002 (gmt 0)

Good info!

The section on cookies is slightly incorrect:


"The webmaster writes a list of domains or servers allowed to access the cookie's information when it is programmed. If no list is written, the only entity able to read the cookie is the domain that set the cookie.

For example, if Brett set a cookie from WebmasterWorld.com and wanted the information accessible to SearchEngineWorld.com, he'd have to write both domains into the access list of the cookie. Otherwise, by default, only WebmasterWorld.com would be able to access the information stored in it."

Cookies can only be read within the domain and path that sets them. So, a cookie set for webmasterworld.com with a path of / is only sent to the server with URLs that include the domain webmasterworld.com and the path / (ex: www.webmasterworld.com and /forum21 will work). So, the more specific a cookie is, the more limited are the URLs that it is associated with. (And, also, more specific cookies take precedence over more general ones).

So, for example, a cookie set at www.webmasterworld.com and /forum21 will not be sent to the server for URLs under www.webmasterworld.com/forum20, or for any URLs at just webmasterworld.com.

Third-party cookies are what people call cookies set by domains different than that of the original page request. So, if I browse a page URL at www.webmasterworld.com and it returns a page with an image from doubleclick.net, then the idea is that browser can recognize that doubleclick.net is not the first-party domain, so is a third-party domain.

The only way a third-party domain can read a first-party cookie (with the exception of some browser security bugs) is via JavaScript that reads the first-party cookie and encodes its info into a URL that points to a third-party. This is a very important security liability that can be exploited in all JavaScript enabled browsers. This was the exploit people used, for example, in sending a message containing JavaScript to a Hotmail account, getting the user to open it, and then that message would post the user's personal info and Hotmail access cookie info to a third-party server (Hotmail regularly has patched these holes--so they are, I hope, all gone now).

(Note: because of this liability with cookies, it is vital not to include personally identifiable information or secure site access information in cookies.)

So, it looks like a "leashed" cookie in MS parlance means the cookie is suppressed from being sent to the browser--the cookie is properly set by the browser (e.g., by a third party), but the browser does not send it back to the server the way it is supposed to under normal circumstances.

j f
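
The domain and path scoping described in the post above, as an added Python example (not part of the original post). It follows the matching rules later written down in RFC 6265, which is an assumption beyond the post; the function names and the two-cookie jar are constructed for illustration, and every cookie is treated as carrying an explicit domain.

```python
from urllib.parse import urlsplit

def domain_match(host: str, cookie_domain: str) -> bool:
    """True if the request host is the cookie's domain or a subdomain of it."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def path_match(request_path: str, cookie_path: str) -> bool:
    """True if the cookie path is the request path or a whole-segment prefix."""
    request_path = request_path or "/"
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # "/forum21" must not match "/forum210": the prefix has to end on a "/".
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def cookies_for(url: str, jar: list) -> list:
    """Names of the cookies sent with a request, most specific path first."""
    parts = urlsplit(url)
    hits = [c for c in jar
            if domain_match(parts.hostname, c["domain"])
            and path_match(parts.path, c["path"])]
    hits.sort(key=lambda c: len(c["path"]), reverse=True)
    return [c["name"] for c in hits]

# Constructed jar mirroring the two cookies discussed in the post.
JAR = [
    {"name": "site", "domain": "webmasterworld.com", "path": "/"},
    {"name": "forum", "domain": "www.webmasterworld.com", "path": "/forum21"},
]

if __name__ == "__main__":
    for url in ("http://www.webmasterworld.com/forum21/index.htm",
                "http://www.webmasterworld.com/forum20/",
                "http://webmasterworld.com/forum21/",
                "http://searchengineworld.com/"):
        print(url, "->", cookies_for(url, JAR))
```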

Xoc




msg:563262
 3:20 am on Jul 12, 2002 (gmt 0)

See also this thread: [webmasterworld.com ]
