SYSK 192: Compact Policies

The P3P specification (see yesterday’s blog post) requires websites to put their privacy policies in an XML format that can be read by modern browsers such as IE6 and NS7.  Users can then easily view a web site’s privacy policy. To see for yourself, visit http://www.microsoft.com (or another P3P-compliant site), then in IE choose the View -> Privacy Report menu option, select the Microsoft site and click the Summary button.

 

When these policies are present, the browser compares the web site’s policy with the browser privacy settings (Tools -> Internet Options -> Privacy tab) and makes its decisions based on the result.

 

The P3P specification also defines a summary form of the privacy policy called the Compact Policy. The compact policy is delivered along with the web page in an HTTP response header, allowing the browser to make decisions before the page is displayed.

 

To implement the compact policy, the privacy policy is reduced to a set of tokens, which keeps the amount of data sent to the browser small. Each part of the privacy policy is represented in the compact policy. Since the compact policy is a summary, only the most restrictive case of the privacy policy is included in it.

 

For example, http://www.microsoft.com uses the following compact policy, which is also commonly used by other sites:

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

which means the following:

ALL = Access is given to all identified data.

IND = Information is retained for an indeterminate period of time.

DSP = The privacy policy contains DISPUTES elements.

COR = Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.

ADM = Information may be used for the technical support of the Web site and its computer system. Users cannot opt-in or opt-out of this usage.

CONo = Information may be used to contact the individual, through a communications channel other than voice telephone, for the promotion of a product or service. This includes notifying visitors about updates to the Web site. Users may opt-out of the data being used for this purpose.

CUR = Information is used to complete the activity for which it was provided.

CUSo = Information may be used to customize the user's online experience as explicitly requested by the user. Users may opt-out of the data being used for this purpose.

IVAo = Information may be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data for the purpose of research, analysis and reporting. Users may opt-out of the data being used for this purpose.

IVDo = Information may be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data to make a decision that directly affects that individual. Users may opt-out of the data being used for this purpose.

PSA = Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals. Users cannot opt-in or opt-out of this usage.

PSD = Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals. Users cannot opt-in or opt-out of this usage.

TAI = Information may be used to tailor or modify content or design of the site where the information is used only for a single visit to the site and not used for any kind of future customization. Users cannot opt-in or opt-out of this usage (same as tag TAIa).

TELo = Information may be used to contact the individual via a voice telephone call for promotion of a product or service. Users may opt-out of the data being used for this purpose.

OUR = Ourselves and/or entities acting as our agents or entities for whom we are acting as an agent.

SAMo = Legal entities following our practices. Users may opt-out of the data being used for this purpose.

CNT = The words and expressions contained in the body of a communication -- such as the text of email, bulletin board postings, or chat room communications.

COM = Information about the computer system that the individual is using to access the network -- such as the IP number, domain name, browser type or operating system.

INT = Data actively generated from or reflecting explicit interactions with a service provider through its site -- such as queries to a search engine, or logs of account activity.

NAV = Data passively generated by browsing the Web site -- such as which pages are visited, and how long users stay on each page.

ONL = Information that allows an individual to be contacted or located on the Internet -- such as email. Often, this information is independent of the specific computer used to access the network.

PHY = Information that allows an individual to be contacted or located in the physical world -- such as telephone number or address.

PRE = Data about an individual's likes and dislikes -- such as favorite color or musical tastes.

PUR = Information actively generated by the purchase of a product or service, including information about the method of payment.

UNI = Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual. These include identifiers issued by a Web site or service.
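
To audit what a compact policy header declares, the tokens can be parsed and grouped mechanically. The following is an added example, not code from the original post: the grouping table covers only the tokens explained above, the function names are made up for illustration, and the suffix meanings (a = always, i = opt-in, o = opt-out) are taken from the P3P specification.

```python
import re

# Grouping covers only the tokens explained on this page; P3P defines more.
GROUPS = {
    "access": {"ALL"}, "retention": {"IND"},
    "disputes": {"DSP"}, "remedies": {"COR"},
    "purpose": {"ADM", "CON", "CUR", "CUS", "IVA", "IVD",
                "PSA", "PSD", "TAI", "TEL"},
    "recipient": {"OUR", "SAM"},
    "category": {"CNT", "COM", "INT", "NAV", "ONL", "PHY", "PRE", "PUR", "UNI"},
}
# Consent suffix on purpose/recipient tokens; none means "always" (TAI == TAIa).
CONSENT = {"a": "always", "i": "opt-in", "o": "opt-out"}
SUFFIXED = ("purpose", "recipient")

# The header from this page, typed with straight ASCII quotes.
HEADER = ('P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI '
          'TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"')

def parse_compact_policy(header_line):
    """Return {group: {token: consent}} plus an 'unknown' token list."""
    # CP may follow a policyref="..." attribute; the value must be closed
    # by an ASCII double quote or the header is rejected.
    m = re.match(r'\s*P3P\s*:.*?\bCP\s*=\s*"([^"]*)"', header_line, re.I)
    if not m:
        raise ValueError("no quoted CP value in P3P header")
    policy = {group: {} for group in GROUPS}
    policy["unknown"] = []
    for tok in m.group(1).split():
        base, consent = tok, None
        if len(tok) == 4 and tok[3] in CONSENT:
            base, consent = tok[:3], CONSENT[tok[3]]
        group = next((g for g, names in GROUPS.items() if base in names), None)
        if group is None or (consent and group not in SUFFIXED):
            policy["unknown"].append(tok)   # not on this page, or bad suffix
            continue
        policy[group][base] = (consent or "always") if group in SUFFIXED else None
    return policy

def uses_without_choice(policy):
    """Purposes the user cannot opt in to or out of."""
    return sorted(t for t, c in policy["purpose"].items() if c == "always")

if __name__ == "__main__":
    parsed = parse_compact_policy(HEADER)
    print("no choice:", uses_without_choice(parsed))
    print("opt-out:", sorted(t for t, c in parsed["purpose"].items() if c == "opt-out"))
```
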

Sources: http://www.p3pwriter.com/LRN_111.asp and http://www.w3.org/TR/2006/WD-P3P11-20060210/Overview.html