P3P is a standard specified by the W3C that allows Web site managers to describe their Privacy and Preferences Polices in XML format. The specification is not very complicated, but to create these files with only an XML editor would take quite a bit of time. Fortunately, IBM has released P3P Policy Editor. This article covers the Beta 1.10 version of the product, which supports the P3P recommendation.
Get to know the P3P standard
For a run-through of the basics of Platform for Privacy Preferences, or P3P, check out Roy Hoobler’s article on the XML standard.
What is the P3P editor?
IBM's P3P Policy Editor allows a user to create P3P XML files that can be deployed to a Web site. Internet Explorer 6.0 and other browsers analyze these XML files to help users decide whether the site is '”safe” or uses sound privacy policies. P3P Policy Editor does a good job of producing the necessary XML files, beginning with a set of templates. Most user interactions in the editor are "drag and drop" or ask the user to fill in text boxes to complete information. Using the editor is not a development task, but the user should understand P3P, which probably means a developer or product manager. Figure A provides a glimpse of the editor interface.
|The IBM P3P Policy Editor interface offers drag-and-drop ease.|
Changing policy properties
Beginning with templates
IBM has provided a number of standard templates that solve most problems you might encounter when creating a P3P XML policy file. These include access logging, logging with user tracking, purchasing, and request for information (registering). These templates allow the user to view and learn from example files.
Using the editor to modify a P3P file
After creating a new policy or loading a template, the main editor interface allows you to modify the policy using two tree views or a tabs view, located near the editor’s bottom. The first tree view, on the left, is a view of all possible data elements that can be used in a P3P file. The tree view on the right is a list of the groups used in the current policy. To get started, using the groups created from the template should be sufficient. However, if you collect gender information while purchasing or registering, you can drag and drop the User's Gender data element from the left tree view into the Mailing Registration group on the right. If you don't collect demographic information, it’s easy to delete this from the Mailing Registration group by selecting the User Item and choosing Cut from the Selected menu. The bottom tabs are primarily for checking and previewing the policy file. The Errors tab is great for finding out what needs to be done before the policy is complete.
Creating a new group creates a new statement in the P3P XML file. Statements mainly answer why the data is collected and what type of data is collected. So, for each action (registering, purchasing, tracking), you can create a group (statement) explaining this part of the policy. It’s also worth noting that you can add data element folders (i.e., User's Information) or just data elements (First Name) to the group, whichever is most appropriate.
Groupsand the data elements in groups have properties. Once everything is included in the right tree view, go through each item's properties (choose Selected | Properties) to confirm that everything is correct.
Working with dynamic data and cookies
Cookies and click-stream data fall into a separate category. Again, the P3P editor does a good job of providing the most common types of data in the Basic Information or Cookies groups. Within this group is also the HTTP Cookies element. After selecting this element, choose Properties from the Selected menu. A dialog box with two tabs will appear. The first is a simple tab that explains whether the cookie data is optional for normal use of the Web site. The second tab, labeled Category, allows the user to select which type of data is stored in cookies on the Web site. If the shopping cart, content, or navigation (link history) is stored in a cookie, you should select the corresponding item(s).
Defining third-party data
The Third Party elements in the P3P elements are not necessarily information about third-party cookies but about other third parties that receive a user's information, such as the IRS for a financial Web site. The P3P editor is not very clear about this, and there doesn't seem to be much information about using P3P for third-party cookies.
Creating a P3P reference file
Deploying the P3P policy file requires a reference file. Agents and browsers actually look for this file first. This file is necessary because a server may contain virtual Web sites, each with its own policy. You can select to reference either a single or a multiple-policy XML file and generate the P3P XML files. These files should already be deployed to the production server; if not, you'll have to re-create or modify the reference file later.
A handy option
If you need to implement P3P on your site, you have a choice: learn P3P or spend some time using IBM's P3P Policy Editor. This is one tool that actually works and makes life easier. It’s a Beta release, but I've had no problems. I’ve worked with a number of Web sites to implement P3P, and the help files are much more complete than I expected. At first, I thought the P3P editor wasn't complete enough, but at the time I didn't know a lot about P3P. The more I work with P3P, the more I find IBM's P3P Policy Editor a good match.