u s department of commerce web advisory group http www osec doc gov webresources
Download
Skip this Video
Download Presentation
U.S. Department of Commerce Web Advisory Group osec.doc/webresources/

Loading in 2 Seconds...

play fullscreen
1 / 22

U.S. Department of Commerce Web Advisory Group osec.doc/webresources/ - PowerPoint PPT Presentation


  • 89 Views
  • Uploaded on

Implementing Machine Readable Privacy Requirements of the E-Gov Act of 2002 (Server Admin). U.S. Department of Commerce Web Advisory Group http://www.osec.doc.gov/webresources/. Objectives of This Training. Objectives of This Training What is meant by “machine readable technology”?

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' U.S. Department of Commerce Web Advisory Group osec.doc/webresources/' - ellard


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
u s department of commerce web advisory group http www osec doc gov webresources

Implementing Machine Readable Privacy Requirements of the E-Gov Act of 2002

(Server Admin)

U.S. Department of Commerce

Web Advisory Group

http://www.osec.doc.gov/webresources/

objectives of this training
Objectives of This Training

Objectives of This Training

  • What is meant by “machine readable technology”?
  • What is P3P?
  • Policy Reference Files (XML Version)?
  • What is a “Compact Policy”?
  • How are Compact Policies implemented?
  • How does machine readable technology interact with users’ web browsers?
the e gov requirements
The E-Gov Requirements

The E-Gov Requirements

The Privacy Provisions of the E-Government Act of 2002 require both a “human readable” Privacy Policy and agency use of machine readable technology that alerts users automatically about whether site privacy practices match their personal privacy preferences.

isn t the text version enough
Isn’t the Text Version Enough?

Isn’t the Text Version Enough?

  • Most users do not see the text Privacy Policy until after they have visited one or more of the site’s pages.
  • Text Privacy Policies are sometimes difficult for users to locate, too lengthy for users to read, difficult to understand, and can change without notice.
machine readable policy
Machine-Readable Policy

Machine-Readable Policy

  • P3P is the standard for machine-readable Privacy Policy.
  • P3P enables web sites to translate their privacy practices into a standardized format (Extensible Markup Language - XML) that can be retrieved automatically and easily interpreted by a user\'s browser.
how does p3p work
How Does P3P Work?

How Does P3P Work?

the policy reference file xml
The Policy Reference File - XML

The Policy Reference File (XML Version) Machine Readable Format

  • An XML format for expressing a privacy policy
    • Using a standard P3P base data schema
  • The policy reference file includes the following statements:
    • The URL where a P3P policy is found
    • The URLs or regions of URL-space included or excluded by this policy
    • The cookies that are or are not covered by this policy
    • The period of time for which these claims are considered to be valid

Example Policy Reference File

location of the policy reference file
Location of the policy reference file

The location of the policy reference file can be indicated using one of the following:

  • At the server level:
    • may be located in a predefined "well-known" location (well known to the browser),
      • http://www.agency.gov/w3c/p3p.xml
    • through an HTTP header
  • At the web page level
    • a document may indicate a policy reference file through an HTML link tag or XHTML link tag
policy reference file
Policy Reference File

Policy Reference File

  • Web sites MAY (and are strongly encouraged to) place a policy reference file in a "well-known" location.
    • To do this, make the policy reference file available on the site at the path /w3c/p3p.xml
  • This mechanism ensures that the P3P policy will be accessible to user agents before any other resources are requested from the site.
  • For more information about placing the policy reference file in a “well known” location, see:
    • http://www.w3.org/TR/P3P/#Well_Known_Location
policy reference file tools
Policy Reference File Tools

Policy Reference File Tools

Free editor tools

  • HiSoftware P3P Builder
    • www.hisoftware.com/access/valueaddp3p.html
  • IBM alphaWorks P3P Policy Editor
    • www.alphaworks.ibm.com/tech/p3peditor

Validator Tool

  • www.w3.org/P3P/validator.html
appel a p3p preference exchange language
APPEL(A P3P Preference Exchange Language)

APPEL(A P3P Preference Exchange Language) – A P3P Option

  • P3P specifications don’t require that browsers use APPEL
  • allows user to express their privacy preferences
  • W3C specification to provide standard language for expressing the users privacy preferences
  • W3C APPEL standards:
    • http://www.w3.org/TR/P3P-preferences/#P3Ppolicies
  • APPEL Ruleset Editor (Free):
    • http://p3p.jrc.it/downloadP3P.php
compact policy
Compact Policy

An Optional Part of P3P is the Compact Policy

  • An optional performance optimization for P3Pcompliance (but required by some browsers to determine the web site\'s privacy practices concerning cookies).
  • summarizes the privacy policy relating to cookies only, and provides browsers with policy information.
  • may be implemented at server level or web-page level.
sample cp
Sample CP

Sample CP – NOI NID ADMa OUR LEG DSP COR

  • NOI – No personally identifiable information (PII) collected
  • NID – No PII collected, therefore the web user cannot access
  • ADMa –Information is collected for web site and system admin (no user choice) (browser type, screen resolution, etc)
  • OUR –Who uses the information collected? (ourselves and/or entities acting as our agents)
  • LEG – How long is the information collected retained?
  • DSP – The privacy policy contains one or more DISPUTES elements
  • COR - Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service [e.g., web site owner]
implementing compact policy

Implementing Compact Policy

Implementing

the Optional Compact Policy

- Server Configuration -

The Compact Policy may be implemented on the server. This is valuable when all pages or sites on the server adhere to the same Privacy Policy.

server implementation of cp
Server Implementation of CP

Server Implementation of the Optional CP

Included in Server HTTP Header

  • In Apache Web Server
    • Add the Compact Policy line to the http header response in the configuration file (“httpd.conf” or “.htaccess”)
  • In Internet Information Server 4.0 +
    • “Add/Edit Custom HTTP Header”
    • In the “custom header” field, enter “P3P”
    • In the “custom header value” field, enter your compact policy

Example

Example

web page implementation of cp
Web Page Implementation of CP

Optional Web Page Implementation of CP

  • The Compact Policy may also be implemented on individual web pages.
  • This is especially valuable when one page requires a different Privacy Policy (e.g.,personal information collection such as name, phone number, etc.).
web page compact policies
Web Page Compact Policies

Use of Optional Compact Policies on Web Pages

If you choose to implement a CP on a per page basis, you can set the CP using one of the following methods, depending on the technologies employed by your servers.

how users are notified web browser alerts

How Users Are Notified

Web Browser Alerts

Web visitors who want to take advantage of P3P enabled sites have to set their personal privacy preferences in their web browser.

How Users Are Notified -Web Browser Alerts
browser support
Browser Support

Browser Support

Browser implementation of P3P is concerned with the issue of cookies

When the browser encounters a cookie from a web page that either does not have a compact P3P policy, or that has a P3P policy that does not match the user’s privacy preferences, the user is alerted via icons.

  • Browsers supporting Compact P3P Policy:
    • Netscape 7
    • Mozilla
    • Internet Explorer 6
    • AT&T Privacy Bird (Plug-in for Internet Explorer)
to assist doc web developers
To Assist DOC Web Developers

To Assist DOC Web Developers

  • Web Advisory Group will post guidance on the WAG site to help webmasters meet the December 2004 deadline (http://www.osec.doc.gov/webresources/)
    • Links to various tools we have tested
    • Examples
    • “How to" information
    • Reference materials (W3C)
reference materials
Reference Materials
  • W3C Platform for Privacy Preferences (P3P) Project
    • http://www.w3.org/P3P/
  • W3C P3P - 1.0 Specifications
    • http://www.w3.org/TR/P3P/
  • W3C References for P3P Implementations
    • http://www.w3.org/P3P/implementations
  • P3P Toolbox
    • http://www.p3ptoolbox.org/
ad