CMPE 494 Service-Oriented Architectures and Web Services Platform for Privacy Preferences Project (P3P) İDRİS YILDIZ 06.12.2005.


1 CMPE 494 Service-Oriented Architectures and Web Services Platform for Privacy Preferences Project (P3P) İDRİS YILDIZ 06.12.2005

2 Outline
- Overview of P3P
- Privacy Policies
- Privacy Preferences
- Current P3P implementations
- P3P Tools
- Conclusion

3 Overview of P3P
- Developed by the World Wide Web Consortium (W3C)
- Provides a formal way for web sites to release their privacy policies in a standard format
- Policies let web users know about a site's privacy practices
- Web users gain control over their private information
- Enables the development of P3P user agents (built into browsers or separate applications) that:
  - Summarize privacy policies
  - Compare policies with user preferences
  - Alert and advise users on conflicts

4 Privacy Policies
- An XML format in which a web site can release its data usage privacy policies
- Contains the following information:
  - Name and contact information for site
  - The kind of access provided
  - Mechanisms for resolving privacy disputes
  - The kinds of data collected
  - How collected data is used
  - Whether/when data may be shared
  - Data retention policy (the time to preserve data)
- A web site can use a policy for the whole site or can specify different policies for different parts of the site
- A policy reference file is needed for specifying different policies

5 Sample Policy

6 Policy Description
- P3P policies are described as a sequence of STATEMENT elements
- CONSEQUENCE: the purpose for collecting information in human-readable text
- PURPOSE: purposes for which information is collected. Consists of 12 predefined values, some examples:
  - current: completion and support of activity for which data was provided
  - individual-decision: inferring habits, interests, and other characteristics of individuals
  - contact: contacting visitors for marketing of services or products through a communication channel other than voice telephone
- RECIPIENT: the users of the collected information. Consists of 6 predefined values, some examples:
  - ours: ourselves
  - same: legal entities following our practices
  - unrelated: legal entities whose practices are unknown to us

7 Policy Description (2)
- A policy can provide opt-in or opt-out values for the required attribute of PURPOSE and RECIPIENT elements
  - opt-in: the user must provide explicit consent to the stated purpose/recipient
  - opt-out: gives the user flexibility to reject the specified purpose/recipient, but the user needs to take additional action for the opt-out to take effect
- RETENTION: the duration for which the collected information will be kept. Consists of 12 predefined values, some examples:
  - stated-purpose: discarded at the earliest time possible
  - business-practice: long-term retention with a destruction timetable
  - indefinitely
- DATA-GROUP and DATA: the list of individual data items that are collected for stated purposes in the statement
- CATEGORIES: provide hints to users as to the intended data usage (inside a DATA) Ex:,,

8 Privacy Preferences
- Users should not have to trust privacy defaults set by software vendors
- A P3P Preference Exchange Language (APPEL) is used to define user privacy preferences
- Privacy preferences can be expressed in APPEL as a list of RULEs
  - Rule behavior: specifies the action to be taken if the rule fires: request or block
  - Rule body: provides the pattern that is matched against a policy
- An APPEL engine is used to test the rules defined in the body section against the privacy policy of a web site

9 Sample Preference File
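
The rule evaluation described on slide 8, as an added example that is not part of the original presentation: it parses a constructed P3P policy and applies an ordered list of block rules, where the first rule that fires decides the behavior. The rule tuples are a simplified stand-in for APPEL rules, not APPEL syntax, and the policy text, RULES and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed sample policy (not taken from the slides).
SAMPLE_POLICY = """<POLICY xmlns="http://www.w3.org/2002/01/P3Pv1" name="sample">
  <STATEMENT>
    <CONSEQUENCE>We use your address to ship orders.</CONSEQUENCE>
    <PURPOSE><current/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><contact required="opt-out"/></PURPOSE>
    <RECIPIENT><ours/><unrelated/></RECIPIENT>
    <RETENTION><indefinitely/></RETENTION>
  </STATEMENT>
</POLICY>"""

# Hypothetical rule format: (behavior, element, value, required-values that fire).
# Example preference: never share with unrelated parties unless it is opt-in,
# tolerate marketing contact only when the user can opt in or out.
RULES = [
    ("block", "RECIPIENT", "unrelated", {"always", "opt-out"}),
    ("block", "PURPOSE", "contact", {"always"}),
    ("block", "RETENTION", "indefinitely", {"always"}),
]

def disclosed(policy_xml):
    """Yield (statement_no, element, value, required) for each declared value."""
    root = ET.fromstring(policy_xml)  # inline sample; harden parsing for fetched XML
    for n, st in enumerate(root.iter(NS + "STATEMENT"), 1):
        for elem in ("PURPOSE", "RECIPIENT", "RETENTION"):
            for child in st.findall(f"{NS}{elem}/*"):
                # P3P treats a missing 'required' attribute as "always".
                yield n, elem, child.tag[len(NS):], child.get("required", "always")

def evaluate(policy_xml, rules, default="request"):
    """Return (behavior, matching fact); rules are tried in order, first hit wins."""
    facts = list(disclosed(policy_xml))
    for behavior, elem, value, required in rules:
        hits = [f for f in facts if f[1:3] == (elem, value) and f[3] in required]
        if hits:
            return behavior, hits[0]
    return default, None
```

Returning the matching fact along with the behavior lets a user agent tell the user which statement caused the conflict instead of only showing a warning.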

10 P3P with HTTP
Exchange with the web server:
- Request policy reference file: GET /w3c/p3p.xml HTTP/1.1, Host: www.att.com
- Send policy reference file
- Request P3P policy
- Send P3P policy
- Request web page: GET /index.html HTTP/1.1, Host: www.att.com ...
- Send web page: HTTP/1.1 200 OK, Content-Type: text/html ...

11 Sample Policy Reference /news/* /news/top/* /news/top/* /photos/* /ads/*

12 Current P3P implementations
- Client-Centric Architecture
  - Web sites create and install policy files at their sites
  - When users browse a web site, their preferences are checked against the site's policy before they access the site
- Server-Centric Architecture
  - A web site deploys P3P and installs its privacy policies in a database system
  - Database querying at the server is used for matching a user's preferences against privacy policies
- In practice, the Client-Centric Architecture is the one used. The Server-Centric Architecture is just a proposal.
- We will discuss tools related to the Client-Centric Architecture

13 Client-Centric Preference Matching

14 Server-Centric Preference Matching

15 Client-Centric Architecture Implementations
- IE6 implementation: IE6 allows a user to specify her privacy preference for handling cookies
  - When the user requests a page from a web site, IE6 allows the web site to place a cookie only if:
    - The site provides a compact version of the applicable P3P privacy policy
    - That policy is compatible with the user's preference
  - The user can manually override this decision by specifying web sites whose cookies should always be allowed
- Privacy Bird: AT&T Privacy Bird is a browser extension to IE
  - It accepts user-defined APPEL privacy preferences
  - Includes an APPEL engine to compare a user's APPEL preference with a web site's P3P policy
  - Puts a bird icon at the top of the browser window that changes to indicate whether the site matches the user's privacy preferences
  - Reads P3P policies at all P3P-enabled sites automatically

16 P3P Tools
- P3P validator
  - W3C P3P Validator
- Creating Policies
  - P3PEdit: web-based privacy policy generator
  - IBM Tivoli Privacy Wizard: web-based GUI tool to define privacy policies
- Creating APPEL Preferences
  - JRC APPEL Preference Editor: Java-based editor for preparing APPEL preferences
- Checking APPEL Preferences
  - JRC P3P Proxy: centralized proxy service that conducts P3P privacy policy checking on behalf of subscribed users

17 Conclusion
- P3P's goal is to provide a way for:
  - Web sites to express their policies
  - Users to compare their preferences with web site policies
- The presence of privacy policies increases web users' trust
- P3P does not solve all privacy issues, but it can be part of a larger, more comprehensive set of technical and legal solutions

18 Questions? THANKS A LOT !

