Implementing P3P shouldn't be difficult for most enterprises

Although P3P hasn't enjoyed widespread praise, it's nonetheless demanding attention from enterprises with consumer-facing sites. Learn why a developer with hands-on P3P experience says that implementation of the protocol may be easier than you think.


While P3P has been fairly slow to catch on, and its usefulness debated, the standard does have a fighting chance thanks to some big-name backers, including Microsoft, IBM, and AT&T. As a result, IT leaders—at least those at companies with consumer-oriented Web sites—may soon find the need to implement the protocol. Fortunately, the process is fairly straightforward for site developers, as one project manager with P3P experience relates.

Policy first, then P3P
P3P is an XML-based vocabulary for describing a company’s privacy policies to site visitors. Because each company writes its own P3P policy, there is no provision for third-party ratings of those policies, unlike the W3C's Platform for Internet Content Selection (PICS) content-rating technology. However, a company that uses site visitor information in a way inconsistent with its stated policy could run into trouble with the FTC for committing an “unfair trade practice.”

Roy Hoobler, project manager at Net@Work and author of a recent article on P3P implementation, has hands-on experience with P3P. The first implementation step he recommends is a review of the site’s current privacy policy.

“The person implementing P3P should really know what the company is doing with the information—or plans to do with it,” said Hoobler.

Once the company has documented a policy, P3P implementation is essentially a matter of translating the policy into a machine-readable format. Several development tools are available to help speed the process.

“The first time I implemented P3P, it was without the IBM P3P Policy Editor, and most of the examples now online weren’t there,” Hoobler related. “It probably took about one week total.”

Hoobler estimates that he could now develop P3P policies in just a few hours for an average site, but that IT departments should allow more time the first time around. “Using the IBM P3P editor would really help, but I’d still give someone a couple of days of trying to create different P3P files,” he said.

Before the final rollout, developers can check their policies with the W3C's P3P Validator tool (shown in Figure A).

Figure A
The P3P Validator


For enterprises using Microsoft IIS servers, P3P implementation will be easier. “Other servers, such as Apache, are a little more complex,” Hoobler noted. “Of course, if someone has configured HTTP header files on Apache before, it should be as easy as IIS.”
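The translation step Hoobler describes (documented policy to machine-readable policy, plus the HTTP header that IIS or Apache sends), as an added example in Python that is not from the article, from Hoobler, or from Net@Work. The site https://www.example.com, the sample policy, the paths /w3c/policy.xml and /w3c/p3p.xml, and every function name are assumptions; the element names, compact-policy (CP) tokens and header syntax are a subset of the P3P 1.0 specification. The last function compares a header already deployed on the server with the full policy, which is the kind of inconsistency the FTC point above is about.

```python
"""Translate a documented privacy policy into P3P 1.0 artefacts.
Added example, not from the article or from Net@Work; assumes a fictional site
https://www.example.com and hypothetical helper names. Element names, CP tokens
and header syntax follow the P3P 1.0 specification (subset shown)."""
import re
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"
# Full-policy element name -> compact-policy (CP) token (P3P 1.0 subset).
ACCESS = {"nonident": "NOI", "all": "ALL", "ident-contact": "IDC", "none": "NON"}
PURPOSE = {"current": "CUR", "admin": "ADM", "develop": "DEV", "tailoring": "TAI",
           "contact": "CON", "historical": "HIS", "telemarketing": "TEL"}
RECIPIENT = {"ours": "OUR", "delivery": "DEL", "same": "SAM", "unrelated": "UNR"}
RETENTION = {"no-retention": "NOR", "stated-purpose": "STP", "indefinitely": "IND"}
CATEGORY = {"physical": "PHY", "online": "ONL", "computer": "COM",
            "navigation": "NAV", "purchase": "PUR", "financial": "FIN"}
NO_SUFFIX = {"CUR", "OUR"}  # all other purpose/recipient tokens take a/i/o

# Constructed sample: what the privacy review documented about the site.
POLICY = {
    "name": "policy1", "entity": "Example Corp", "access": "nonident",
    "discuri": "https://www.example.com/privacy.html",  # human-readable policy
    "statements": [
        {"purposes": ["current", "admin", "develop"], "recipients": ["ours"],
         "retention": "no-retention",
         "data": [("#dynamic.clickstream", ["navigation", "computer"])]},
        {"purposes": ["current", "contact"], "recipients": ["ours", "delivery"],
         "retention": "stated-purpose",
         "data": [("#user.name", ["physical"]),
                  ("#user.home-info.postal", ["physical"])]}]}

def build_policy_xml(policy):
    """Full P3P policy file (served as /w3c/policy.xml in this example)."""
    root = ET.Element("POLICIES", xmlns=P3P_NS)
    pol = ET.SubElement(root, "POLICY", name=policy["name"], discuri=policy["discuri"])
    ent = ET.SubElement(ET.SubElement(pol, "ENTITY"), "DATA-GROUP")
    ET.SubElement(ent, "DATA", ref="#business.name").text = policy["entity"]
    ET.SubElement(ET.SubElement(pol, "ACCESS"), policy["access"])
    for st in policy["statements"]:
        s = ET.SubElement(pol, "STATEMENT")
        for tag, key in (("PURPOSE", "purposes"), ("RECIPIENT", "recipients")):
            parent = ET.SubElement(s, tag)
            for child in st[key]:
                ET.SubElement(parent, child)
        ET.SubElement(ET.SubElement(s, "RETENTION"), st["retention"])
        group = ET.SubElement(s, "DATA-GROUP")
        for ref, cats in st["data"]:
            c = ET.SubElement(ET.SubElement(group, "DATA", ref=ref), "CATEGORIES")
            for cat in cats:
                ET.SubElement(c, cat)
    return ET.tostring(root, encoding="unicode")

def build_policy_ref_xml(policy, include=("/*",), exclude=("/cgi-bin/*",)):
    """Policy reference file (/w3c/p3p.xml) mapping site paths to the policy."""
    root = ET.Element("META", xmlns=P3P_NS)
    ref = ET.SubElement(ET.SubElement(root, "POLICY-REFERENCES"), "POLICY-REF",
                        about="/w3c/policy.xml#" + policy["name"])
    for tag, paths in (("INCLUDE", include), ("EXCLUDE", exclude)):
        for path in paths:
            ET.SubElement(ref, tag).text = path
    return ET.tostring(root, encoding="unicode")

def compact_policy(policy):
    """CP token string derived from the full policy (deduplicated, in order)."""
    raw = [ACCESS[policy["access"]]]
    for st in policy["statements"]:
        for table, key in ((PURPOSE, "purposes"), (RECIPIENT, "recipients")):
            for name in st[key]:
                tok = table[name]
                raw.append(tok if tok in NO_SUFFIX else tok + "a")  # "a" = always
        raw.append(RETENTION[st["retention"]])
        raw.extend(CATEGORY[c] for _, cats in st["data"] for c in cats)
    return " ".join(dict.fromkeys(raw))  # dedupe, keep first-seen order

def p3p_header(policy, policyref="/w3c/p3p.xml"):
    """Value of the HTTP P3P response header: policy reference plus CP tokens."""
    return 'policyref="%s", CP="%s"' % (policyref, compact_policy(policy))

def apache_header_directive(policy):
    """mod_headers line for httpd.conf or .htaccess; IIS takes the same value
    as a custom response header configured on the site."""
    return "Header set P3P '%s'" % p3p_header(policy)

def check_header_against_policy(header_value, policy):
    """Compare a deployed P3P header with the full policy.
    Returns (missing, extra): tokens the policy implies but the header omits,
    and tokens the header claims that the documented policy does not back."""
    m = re.search(r'CP="([^"]*)"', header_value)
    deployed = set(m.group(1).split()) if m else set()
    expected = set(compact_policy(policy).split())
    return sorted(expected - deployed), sorted(deployed - expected)

if __name__ == "__main__":
    print(build_policy_xml(POLICY))
    print(build_policy_ref_xml(POLICY))
    print(apache_header_directive(POLICY))
    # A header left on the server from before the registration form was added:
    stale = 'policyref="/w3c/p3p.xml", CP="NOI CUR ADMa DEVa OUR NOR NAV COM"'
    print(check_header_against_policy(stale, POLICY))
```

The `Header set` line assumes Apache's mod_headers is loaded; on IIS the same value goes in as a custom HTTP response header. Run the last check whenever the written policy changes: browsers that act on the compact policy alone (for cookie decisions, for instance) see only the CP tokens, so a stale header that omits a purpose or recipient understates what the site actually does with visitor data.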

Unfortunately, P3P isn’t yet supported by all development tools. Hoobler said that many sites are built with FrontPage or Dreamweaver, but those products don’t support various Web technologies, including P3P, RDF (Resource Description Framework, a W3C recommendation for describing the content of Web pages in XML), and XUL (the XML-based User Interface Language).

“A seamless integration of these technologies is important,” Hoobler explained, “but I don't see commercial software catching up to the benefits of the technology until users demand it.”

Safeguarding consumer privacy
From his experience, Hoobler thinks that the P3P protocol has great promise, but isn’t as useful as it could be. For example, it would be useful if all browsers were able to present users with a message stating how and why their information will be used when they log in to a Web site. The tech professional is eagerly waiting for P3P to work seamlessly for users of single sign-on services.

“In the future, when integrated with Microsoft Passport and the future Liberty software, users could then be warned if a company is using their information in a way the user wouldn't want,” Hoobler explained.

Hoobler pointed out that P3P also specifies a “Safe Zone” that could be used to help make Internet surfing safer for children and students.

While the lack of a privacy standard won’t likely affect site traffic, Hoobler does believe that not implementing P3P could discourage online shoppers from registering and buying products.

That’s the primary reason Sagi Leizerov, an analyst specializing in technology and security for Ernst & Young LLP, believes P3P will ultimately capture tech leaders’ attention.

“If a Web site operator tells you today that he or she does not expect to implement P3P in the next year, that individual does not take into consideration that new Internet browsers that read full P3P policies will soon be common, and that consumer concerns over online privacy have been steadily increasing over the years and do not seem to ease,” said Leizerov.

More P3P tools
In addition to the free P3P Policy Editor from IBM’s alphaWorks division, other P3P tools include P3PEdit, which sells for $70, and the P3P Editor, which costs $30. For environments featuring the IBM WebSphere Application Server, developers may create policies with IBM’s free Tivoli Privacy Wizard. You can also visit the W3C site for a listing of more P3P tools.
