Presentation on theme: "U.S. Department of Commerce Web Advisory Group Implementing Machine Readable Privacy Requirements of the E-Gov Act."— Presentation transcript:
U.S. Department of Commerce Web Advisory Group http://www.osec.doc.gov/webresources/ Implementing Machine Readable Privacy Requirements of the E-Gov Act of 2002 (Server Admin)
Objectives of This Training
What is meant by “machine readable technology”?
What is P3P?
Policy Reference Files (XML Version)?
What is a “Compact Policy”?
How are Compact Policies implemented?
How does machine readable technology interact with users’ web browsers?

Location of the policy reference file
The location of the policy reference file can be indicated using one of the following:
At the server level:
–may be located in a predefined "well-known" location (well known to the browser), http://www.agency.gov/w3c/p3p.xml
–through an HTTP header
At the web page level:
–a document may indicate a policy reference file through an HTML link tag or XHTML link tag

Policy Reference File
Web sites MAY (and are strongly encouraged to) place a policy reference file in a "well-known" location.
–To do this, make the policy reference file available on the site at the path /w3c/p3p.xml
This mechanism ensures that the P3P policy will be accessible to user agents before any other resources are requested from the site.
For more information about placing the policy reference file in a “well known” location, see:
–http://www.w3.org/TR/P3P/#Well_Known_Location

APPEL (A P3P Preference Exchange Language) – A P3P Option
P3P specifications don’t require that browsers use APPEL
Allows users to express their privacy preferences
W3C specification to provide a standard language for expressing the user’s privacy preferences
W3C APPEL standards:
–http://www.w3.org/TR/P3P-preferences/#P3Ppolicies
APPEL Ruleset Editor (Free):
–http://p3p.jrc.it/downloadP3P.php

Server Implementation of the Optional CP
Included in Server HTTP Header
In Apache Web Server
–Add the Compact Policy line to the HTTP header response in the configuration file (“httpd.conf” or “.htaccess”)
In Internet Information Server 4.0+
–“Add/Edit Custom HTTP Header”
–In the “custom header” field, enter “P3P”
–In the “custom header value” field, enter your compact policy

Apache Web Server Implementation
Sample CP: NOI NID ADMa OUR LEG DSP COR
Example of P3P in HTTP Header:
    HTTP/1.1 200 OK
    Date: Wed, 05 Jun 2002 20:42:55 GMT
    Server: Apache/1.3.2-3
    P3P: CP="NOI NID ADMa OUR LEG DSP COR"
To view HTTP headers: http://www.delorie.com/web/headers.html

Internet Information Server (IIS) Implementation
The Microsoft Management Console (MMC) can be used to specify a P3P HTTP header.
–Within MMC, expand the Internet Information Server line, and then expand the ServerName line.
–At Default Web Site, right click and then choose Properties.
–Select the HTTP Headers tab.
–In Custom HTTP Headers, click Add.
–Under Custom Header Name, type in the following: P3P
–Next, in Custom Header Value, type in: policyref="http://www.mydomain.gov/w3c/p3p.xml", CP="NOI NID ADMa OUR LEG DSP COR"
–Click OK twice.
–IIS should now be ready to serve the P3P header within the default set of HTTP headers.

Use of Optional Compact Policies on Web Pages
If you choose to implement a CP on a per page basis, you can set the CP using one of the following methods, depending on the technologies employed by your servers.

Technology   Code
HTML
PHP          header('P3P: CP="your compact policy string"');
ASP          Response.AddHeader "P3P", "CP=""your compact policy string"""
JSP          response.setHeader("P3P", "CP=\"your compact policy string\"");

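Added example (not part of the original presentation or DOC guidance): a Python check that a server response carries a well-formed P3P header after any of the methods above, and flags the curly quotes that slip in when a header value is pasted from a slide or document. The function names and sample responses are constructed for illustration, and the token test checks shape only, not the P3P vocabulary.

```python
import re

# Token shape only: three capitals plus an optional a/i/o suffix, as in the
# slide's sample (ADMa). Assumption: this is not a P3P vocabulary check.
TOKEN = re.compile(r"^[A-Z]{3}[aio]?$")
# name="value" fields; only straight double quotes delimit a value.
FIELD = re.compile(r'(policyref|CP)="([^"]*)"')
CURLY = "\u201c\u201d\u2018\u2019"
# Constructed sample responses (not captured traffic). GOOD reuses the
# slide's header; PASTED carries curly quotes as a copied slide would.
GOOD = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
        'P3P: policyref="http://www.agency.gov/w3c/p3p.xml", '
        'CP="NOI NID ADMa OUR LEG DSP COR"\r\n\r\n<html></html>')
PASTED = ("HTTP/1.1 200 OK\r\n"
          "P3P: CP=\u201cNOI NID ADMa OUR LEG DSP COR\u201c\r\n\r\n")


def p3p_header_value(raw_response):
    """Return the P3P header value from a raw HTTP response, or None."""
    for line in raw_response.splitlines()[1:]:   # skip the status line
        if not line:                             # blank line ends the headers
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "p3p":
            return value.strip()
    return None


def check_p3p(raw_response):
    """Return (fields, problems) for the P3P header of raw_response."""
    value = p3p_header_value(raw_response)
    if value is None:
        return {}, ["no P3P header in response"]
    problems = []
    if any(ch in value for ch in CURLY):
        problems.append("curly quotes in header value")
    fields = dict(FIELD.findall(value))
    if "CP" not in fields:
        problems.append('no CP="..." field in straight double quotes')
    else:
        bad = [t for t in fields["CP"].split() if not TOKEN.match(t)]
        if bad:
            problems.append("malformed tokens: " + " ".join(bad))
    return fields, problems


if __name__ == "__main__":
    for label, resp in (("GOOD", GOOD), ("PASTED", PASTED)):
        print(label, check_p3p(resp))
```
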
How Users Are Notified - Web Browser Alerts
Web visitors who want to take advantage of P3P enabled sites have to set their personal privacy preferences in their web browser.

Browser Support
Browser implementation of P3P is concerned with the issue of cookies.
When the browser encounters a cookie from a web page that either does not have a compact P3P policy, or that has a P3P policy that does not match the user’s privacy preferences, the user is alerted via icons.
Browsers supporting Compact P3P Policy:
–Netscape 7
–Mozilla
–Internet Explorer 6
–AT&T Privacy Bird (Plug-in for Internet Explorer)

To Assist DOC Web Developers
Web Advisory Group will post guidance on the WAG site to help webmasters meet the December 2004 deadline (http://www.osec.doc.gov/webresources/)
–Links to various tools we have tested
–Examples
–“How to” information
–Reference materials (W3C)