Published by Shanon Griffith. Modified over 9 years ago.
1
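P3P: The Platform for Privacy Preferences Project. 戴志洋 (R89725014), first-year graduate student, Information Management; 余丹楓 (R89725015), first-year graduate student, Information Management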
2
Introduction to P3P. P3P: an automated mechanism that negotiates the privacy policy between a web site and a user through a user agent
3
P3P policies use an XML encoding of the P3P vocabulary. They enumerate the types of data or data elements collected, and explain how the data will be used.
4
P3P User Agents: P3P1.0 user agents can be built into web browsers, browser plug-ins, or proxy servers. They can also be implemented as Java applets or JavaScript, or built into electronic wallets, automatic form-fillers, or other user data management tools. A P3P user agent would retrieve P3P policies, compare them with the user's preferences, and authorize the release of data only if a) the policy is consistent with the user's preferences and b) the requested data transfer is consistent with the policy.
5
Example of P3P in Use: http://www.catalog.example.com. Assume that CatalogExample has placed P3P policies on all their pages. Web browser with P3P built in. [Diagram labels: Tellme browser; web site; HTTP access, standard log; preferences Tellme has given it; check: match; enter; other catalog; software uses cookies to implement a "shopping cart" feature; need more information; check: match; enter; checkout; need telephone; yes/no; cancel/complete.]
6
P3P1.0: W3C Working Draft, 18 October 2000. The Platform for Privacy Preferences 1.0 (P3P1.0) Specification provides a way for a web site to encode its data-collection and data-use practices in a machine-readable XML format known as a P3P policy.
7
P3P1.0 specification defines: a standard schema for data a Web site may wish to collect, known as the "P3P base data schema"; a standard set of uses, recipients, data categories, and other privacy disclosures; an XML format for expressing a privacy policy; a means of associating privacy policies with Web pages or sites, and cookies; a mechanism for transporting P3P policies over HTTP.
8
Goal of P3P version 1.0: it allows Web sites to present their data-collection practices in a standardized, machine-readable, easy-to-locate manner, and it enables Web users to understand what data will be collected by sites they visit, how that data will be used, and what data/uses they may "opt-out" of or "opt-in" to.
9
Future Version of P3P: a mechanism to allow sites to offer a choice of P3P policies to visitors; a mechanism to allow visitors (through their user agents) to explicitly agree to a P3P policy; mechanisms to allow for non-repudiation of agreements between visitors and web sites; a mechanism to allow user agents to transfer user data to services.
10
Policy References: the URI where a P3P policy is found; the URIs or regions of URI-space covered by this policy; the URIs or regions of URI-space not covered by this policy; the regions of URI-space for embedded content on other servers that are covered by this policy; the cookies that are or are not covered by this policy; the access methods for which this policy is applicable; the period of time for which these claims are considered to be valid.
11
Locating Policy Reference Files: "well-known" location; non-ambiguity. http://cgi.example.com/w3c/p3p.xml
12
HTTP Headers
    [1] p3p-header = `P3P: ` p3p-header-field *(`,` p3p-header-field)
    [2] p3p-header-field = policy-ref-field | extension-field
    [3] policy-ref-field = `policyref="` URI `"`
    [4] extension-field = token [`=` (token | quoted-string) ]
13
1. Client makes a GET request.
    GET /index.html HTTP/1.1
    Host: catalog.example.com
    Accept: */*
    Accept-Language: de, en
    User-Agent: WonderBrowser/5.2 (RT-11)
14
2. Server returns content and the P3P header pointing to the policy of the page.
    HTTP/1.1 200 OK
    P3P: policyref="http://catalog.example.com/P3P/PolicyReferences.xml"
    Content-Type: text/html
    Content-Length: 7413
    Server: CC-Galaxy/1.3.18
15
The HTML link Tag [5]p3p-link-tag=`
16
Policy Reference File /* /catalog/* /cgi-bin/* /servlet/* /catalog/* /cgi-bin/* /servlet/* /servlet/unknown
17
Policy reference file lifetimes and the EXPIRY element [6]prf=` ` policyrefs [policies] PCDATA " " [7]policyrefs=" “ [expiry] *policyref " " [8]expiry=" [9]absdate=`date="` HTTP-date `"` [10]reldate=`max-age="` delta-seconds `"`
18
The POLICY-REF element /docs/* /other/index.html http://*.example.com/ads/* http://*.example.com/ads/network/* * obnoxious- cookie..example.com/
19
Non-ambiguity: A very important rule of policy references is that of non-ambiguity: for each resource at a website there MUST be at most one policy active at any given time. Thus two non-expired policy reference files on a given site MUST NOT declare two or more different policy URIs for the same resource.
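Added example (not from the original slides): a Python check for the non-ambiguity rule that reports every resource for which non-expired policy reference files declare more than one policy URI. The URI patterns are the ones shown on the Policy Reference File slide; the policy names, the include/exclude grouping, the dictionary layout and the expiry times are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

def covers(pattern, path):
    """True if a URI pattern ('*' matches any run of characters) covers path."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path) is not None

def policies_for(path, prf_list, now):
    """Policy URIs that non-expired policy reference files declare for path."""
    found = set()
    for prf in prf_list:
        if prf["expires"] <= now:      # an expired file makes no claims
            continue
        for ref in prf["refs"]:
            included = any(covers(p, path) for p in ref["include"])
            excluded = any(covers(p, path) for p in ref["exclude"])
            if included and not excluded:
                found.add(ref["policy"])
    return found

def ambiguous(paths, prf_list, now):
    """Map each path with more than one active policy to those policies."""
    result = {}
    for path in paths:
        hits = policies_for(path, prf_list, now)
        if len(hits) > 1:
            result[path] = sorted(hits)
    return result

# Constructed data: hypothetical policy names, grouping and expiry times.
NOW = datetime(2000, 10, 18, tzinfo=timezone.utc)
WELL_KNOWN = {"expires": NOW + timedelta(days=1), "refs": [
    {"policy": "policy-A", "include": ["/*"],
     "exclude": ["/catalog/*", "/cgi-bin/*", "/servlet/*"]},
    {"policy": "policy-B", "include": ["/catalog/*"], "exclude": []},
]}
FROM_HEADER = {"expires": NOW + timedelta(days=1), "refs": [
    {"policy": "policy-C", "include": ["/catalog/*", "/cgi-bin/*"],
     "exclude": []},
]}
STALE = {**FROM_HEADER, "expires": NOW - timedelta(days=1)}
PATHS = ["/index.html", "/catalog/item1", "/cgi-bin/cart", "/servlet/unknown"]

if __name__ == "__main__":
    print(ambiguous(PATHS, [WELL_KNOWN, FROM_HEADER], NOW))
```

A site operator can run such a check before publishing a second policy reference file; a path that no file covers simply has no declared policy and is not reported.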
20
Multiple Languages: Multiple language versions (translations) of the same policy can be offered by the server using the HTTP "Content-Language" header to properly indicate that a particular language has been used for the policy. This is useful so that human-readable fields such as entity and consequence can be presented in multiple languages.
21
Non-Discrimination of Policies: Servers SHOULD make every effort to help user agents find P3P policies. In particular, servers SHOULD place a policy reference file at the well-known location whenever possible.
22
Security of Policy Transport: P3P policies and references to P3P policies SHOULD NOT, in themselves, contain any sensitive information.
23
Policy Updates: Note that when a web site changes its P3P policy, the old policy applies to data collected when it was in effect. It is the responsibility of the site to keep records of past P3P policies and policy reference files along with the dates when they were in effect, and to apply these policies appropriately.
24
P3P Guiding Principles (Non-normative): Notice and Communication. Service providers should: communicate explicitly about data collection and use, identifying the purpose for which personal information is collected and the extent to which it may be shared; prominently post clear, human-readable privacy policies.
25
P3P Guiding Principles (Non-normative): User agents should: provide users an option that allows them to easily preview and agree to or reject each transfer of personal information that the user agent facilitates; not transfer personal information by default without the user's consent; inform users about the privacy-related options offered by the user agent.
26
P3P Guiding Principles (Non-normative): Choice and Control. Service providers should: limit their requests to information necessary for fulfilling the level of service desired by the user; obtain informed consent prior to the collection and use of personal information; provide information about the ability to review and correct personal information.
27
P3P Guiding Principles (Non-normative): User agents should: include configuration tools that allow users to customize their preferences; allow users to import and customize P3P preferences from trusted parties; present options to users in a way that is neutral or biased towards privacy.
28
P3P Guiding Principles (Non-normative): Fairness and Integrity. Service providers should: use information only for the stated purpose and retain it only as long as necessary; ensure that information is accurate, complete, and up-to-date; continue to treat information according to the policy in effect when the information was collected, unless users give their informed consent to a new policy.
29
User agents should: act only on behalf of the user according to the preferences specified by the user; accurately represent the practices of the service provider.
30
P3P Guiding Principles (Non-normative): Security. Service providers should: provide mechanisms for protecting any personal information they collect; use appropriate trusted protocols for the secure transmission of data.
31
P3P Guiding Principles (Non-normative): User agents should: protect the personal information that is stored in the agent; use appropriate trusted protocols for the secure transmission of data; warn users when an insecure transport mechanism is being used.
32
P3P: Pretty Poor Privacy? Current Internet Privacy Risks; Failure to Establish Privacy Standards; Exclusion of Non-Compliant Sites; Absence of Enforcement; Prognosis for Adoption; Impact on Privacy if P3P is Deployed; P3P Fails to Satisfy Jurisdictions with Strong Privacy Standards
33
Current Internet Privacy Risks: Today the Internet faces a wide range of privacy problems. The Internet Protocol (IP) used to transmit web pages creates a privacy risk that arises not from web browsers but from the transmission of web pages over IP. When a browser requests a page from a server, the browser's IP address is transmitted as the return address to which the requested page is to be sent. Various services are available today to disguise one's IP address.
34
Failure to Establish Privacy Standards: P3P builds on the notice and choice privacy approach. This is a weak model for privacy protection because it fails to ensure the observance of Fair Information Practices. This is also not the approach that the United States has typically taken to ensure privacy protection in other sectors with rapidly changing technology.
35
Exclusion of Non-Compliant Sites: P3P is developed from a self-regulatory perspective, giving web sites the option of whether to incorporate the P3P protocol on their web site. When a web site collects too much data, it probably will not incorporate the P3P protocol. If few sites support P3P, consumers will have little incentive to use the technology, thus creating a sort of chicken-and-egg problem.
36
Absence of Enforcement: P3P lacks any means to enforce privacy policies. Even where there is agreement about the privacy terms for a particular transaction, P3P provides no means to ensure enforcement of the stated privacy policies, and the P3P developers do not seem particularly concerned about this problem.
37
Prognosis for Adoption: There is no user base and no user demand. Companies have been reluctant to adopt the complicated protocol structure, and governments have shown little indication that it will address public concerns about privacy protection.
38
Impact on Privacy if P3P is Deployed: Microsoft and Netscape/AOL are likely to implement P3P in a way that sets very low privacy preference defaults. This is because these companies are paid through advertisements and data collection, so it is in their best interest to have the lowest privacy preferences as defaults.
39
P3P Fails to Satisfy Jurisdictions with Strong Privacy Standards: P3P has not impressed those jurisdictions that have considered its use to implement legal rules for privacy. The European Union, which does have baseline, legally enforceable privacy rights in the form of the EU Data Directive, has explicitly rejected P3P as part of its privacy protection framework.