i nternet privacy and p3 p
play

I nternet Privacy and P3 P WWW10 Tutorial May 1, 2001 Marc - PowerPoint PPT Presentation

Apr 07, 2023 •140 likes •1.59k views

I nternet Privacy and P3 P WWW10 Tutorial May 1, 2001 Marc Langheinrich ETH Zurich, Switzerland www.inf.ethz.ch/~langhein/ Outline Part I WWW10 Tutorial May 1, 2001 ! What is Privacy? ! Solutions Definitions Privacy

  1. Privacy Policies WWW10 Tutorial – May 1, 2001 ! Policies let consumers know about site’s privacy practices ! Consumers can then decide whether or not practices are acceptable, when to opt-in or opt- out, and who to do business with I I I . Solutions ! The presence or privacy policies increases consumer trust 24

  2. Privacy Policy Draw backs WWW10 Tutorial – May 1, 2001 ! BUT policies are often –difficult to understand –hard to find –take a long time to read ! usually 3-4 pages! I I I . Solutions –changed without notice 25

  3. Voluntary Guidelines WWW10 Tutorial – May 1, 2001 ! Online Privacy Alliance http://www.privacyalliance.org ! Direct Marketing Association Privacy Promise http://www.thedma.org/library/ privacy/privacypromise.shtml I I I . Solutions 26

  4. OECD Fair I nform ation Principles WWW10 Tutorial – May 1, 2001 ! Collection limitation ! Data quality ! Purpose specification ! Use limitation ! Security safeguards ! Openness ! Individual participation I I I . Solutions ! Accountability http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-en.HTM 27

  5. Sim plified Principles WWW10 Tutorial – May 1, 2001 ! Notice and disclosure ! Choice and consent ! Data security ! Data quality and access ! Recourse and remedies I I I . Solutions 28

  6. Seal Program s WWW10 Tutorial – May 1, 2001 ! TRUSTe – http://www.truste.org ! BBBOnline – http://www.bbbonline.org ! CPA WebTrust – http://www.cpawebtrust.org/ ! Japanese Privacy Mark http://www.jipdec.or.jp/security/p I I I . Solutions rivacy/ 29

  7. Seal Program Problem s WWW10 Tutorial – May 1, 2001 ! Basic Principle: – Publish a policy ( any policy) and follow it ! Only few require base-level standard – BBBOnline requires client in good standing with Better Business Bureau I I I . Solutions ! Effect: – Good notices of bad practices 30

  8. Law s and Regulations WWW10 Tutorial – May 1, 2001 ! Privacy laws and regulations vary widely throughout the world ! US has mostly sector-specific laws, with relatively minimal protections – Self-Regulation favored over comprehensive Privacy Laws – Fear that regulation hinders e-commerce ! Europe has long favoured strong privacy laws I I I . Solutions – First data protection law in the world: State of Hesse, Germany (1970) – Privacy commissions in each country (some countries have national and state commissions) 31

  9. Som e US Privacy Law s WWW10 Tutorial – May 1, 2001 ! Bank Secrecy Act, 1970 ! Fair Credit Reporting Act, 1971 ! Privacy Act, 1974 ! Right to Financial Privacy Act, 1978 ! Cable TV Privacy Act, 1984 ! Video Privacy Protection Act, 1988 ! Family Educational Right to Privacy Act, 1993 I I I . Solutions ! Electronic Communications Privacy Act, 1994 ! Freedom of Information Act, 1966, 1991, 1996 32

  10. US Law – Recent Additions WWW10 Tutorial – May 1, 2001 ! HIPAA (Health Insurance Portability and Accountability Act, 1996) – Privacy Rule in effect 04/ 2001; allows until 04/ 2003 for implementation (changes probable) – Protects all medical records and other individually identifiable health information ! COPPA (Children‘s Online Privacy Protection Act, 1998) – Certain Web sites must obtain parental consent I I I . Solutions before collecting personal information from children (effective 04/ 2000) ! GLBA (Gramm-Leach-Bliley-Act, 1999) – requires privacy policy disclosure and opt-out mechanisms from financial service institutions 33

  11. EU Data Directive WWW10 Tutorial – May 1, 2001 ! 1995 Data Protection Directive 95/ 46/ EC – sets a benchmark for national law for processing personal information in electronic and manual files – facilitates data-flow between member states and restricts export of personal data to „unsafe“ non-EU countries ! 1997 Telecommunications Directive – establishes specific protections covering telecommunications systems – July 2000 proposal to strengthen and extend directive to cover „electronic communications“ I I I . Solutions ! Member states responsible for passing relevant national laws by 10/ 1998 – 10 out of 15 member states have passed legislation, 5 are still pending (as of 04/ 2001) 34

  12. Safe Harbor WWW10 Tutorial – May 1, 2001 ! Membership – US companies self-certify adherance to requirements – Dept. of Commerce maintains signatory list http://www.export.gov/safeharbor/SafeHarborInfo.htm ! Signatories must provide – notice of data collected, purposes, and recipients – choice of opt-out of 3rd-party transfers, opt-in for sensitive data – access rights to delete or edit inaccurate information I I I . Solutions – security for storage of collected data – enforcem ent mechanisms for individual complaints ! Approved July 26, 2000 by EU – reserves right to renegotiate if remedies for EU citizens prove to be inadequate 35

  13. Privacy around the W orld WWW10 Tutorial – May 1, 2001 ! ! Japan Australia* – Currently: self-regulation & – Proposed: Privacy prefectural laws Amendment (Private – In talks with EU officials Sector) Bill in 2000 ! Russia – In talks with EU officials – Law on I nformation, ! Brazil Informatization, and – Proposed: Bill No. 61 in Inform. Protect. 1995 1996 (pending) – In Progress: updated to ! comply with EU directive Canada* ! South Africa – Passed: Bill C-6 in 4/ 2000 – Planned: Privacy and Data – Under review by EU I I I . Solutions Protection Bill ! Hong Kong* ! Switzerland* – Passed: Personal Data – EU-certified safe third (Privacy) Ordinance in 1995 country for data transfers http://www.privacyinternational.org/survey/ * Has National Privacy Commissioner 36

  14. Data Protection Agencies WWW10 Tutorial – May 1, 2001 ! Australia: http://www.privacy.gov.au/ ! Canada: http://www.privcom.gc.ca/ ! France: http://www.cnil.fr/ ! Germany: http://www.bfd.bund.de/ ! Hong Kong: http://www.pco.org.hk/ ! Italy: http://www.privacy.it/ ! Spain: http://www.ag-protecciondatos.es/ ! Switzerland: http://www.edsb.ch/ I I I . Solutions ! UK: http://www.dataprotection.gov.uk/ … And many more 37

  15. Privacy W eb Sites WWW10 Tutorial – May 1, 2001 ! http://www.privacyinternational.org ! http://www.privacyfoundation.org ! http://www.privacyexchange.org ! http://www.privacycouncil.com ! http://www.privacyplace.com ! http://www.junkbusters.com ! http://www.privacy.org I I I . Solutions ! http://www.pandab.org ! http://www.epic.org ! http://www.cdt.org 38

  16. Books WWW10 Tutorial – May 1, 2001 ! Database Nation by Simson Garfinkel ! The Privacy Law Sourcebook 2000: United States Law, International Law, and Recent I I I . Solutions Developments by Marc Rotenberg 39

  17. Privacy Tools WWW10 Tutorial May 1, 2001 ! ! What is Privacy? Solutions – Definitions – Privacy Policies – Public Concern – Laws and Regulations ! – Privacy Tools How do they get my Data? ! Privacy Tools – Browser Chatter – Cookies – Encryption – Ad Networks – Anonymity – Web Bugs – Management – Spyware – Trust

  18. Privacy Tools WWW10 Tutorial – May 1, 2001 ! Encryption tools – Prevent others from listening in on your communications ! Anonymity tools – Prevent your actions from being linked to you I V. Privacy Tools ! Transparency tools – Make informed choices about how your information will be used ! Trust tools – Know that assurances about information practices are trust worthy 41

  19. Encryption Standards WWW10 Tutorial – May 1, 2001 ! Public Key Cryptography I V. Privacy Tools - Encryption – Allows secure key exchange over insecure channel ! Applications & Protocols – IPSec – Secure IP – SSH – Secure Shell – SSL – Secure Socket Layer – SET – Secure Electronic Transactions – PGP – Pretty Good Privacy 42

  20. Anonym ity – Low Tech WWW10 Tutorial – May 1, 2001 ! Wander around cyber cafes I V. Privacy Tools - Anonym ity ! Use free e-mail service instead of ISP ! Set up a pre-paid cash account with ISP – give all phony information ! Forge e-mail, spoof IP, etc. . . . And don’t give out any personally-identifiable data! 43

  21. The Anonym izer WWW10 Tutorial – May 1, 2001 ! Acts as a proxy for users I V. Privacy Tools - Anonym ity ! Hides information from end servers Request Request Anonymizer Reply Reply Client Server ! Sees all web traffic ! Adds ads to pages (free service; subscription service also available) http://www.anonymizer.com 44

  22. Rew ebber.com WWW10 Tutorial – May 1, 2001 ! Created at Hagen University, Germany I V. Privacy Tools - Anonym ity ! Provides both Client- and Server-Anonymity ! Only as subscription service ($5-$15 per month) http://www.rewebber.de/surf_encrypted/ Server URL, encrypted with Rewebber Public Key MTAEnTAGeFgIKptXbYujx485lYY74 ebsKRyPu9nxTFn5ixNjgnUHB8TAOb Encrypted or Unen- ENizPs5PVXZwUerQjXWJmpm$Baq crypted Transfer CQiSeBrF59Cm4rG3rAWo9U0banGt pkNnrwa3 u1DMHOM8Eo= (depending on server) • Decodes Target URL • Checks (internal) Blacklist 2 1 • Anonymizes Transport Protocol Info (i.e. Headers) https Rewebber.com Client Server • Anonymizes Header 4 3 • Analyzes Contents • Encrypts all embedded References 45

  23. Proxym ate WWW10 Tutorial – May 1, 2001 ! „Lucent Personal Web Assistant“ (LPWA) 1997 I V. Privacy Tools - Anonym ity ! Automatically generates user name, password and email address unique to each web site you visit ! Allows selective blocking of email aliases ! http: / / www.proxymate.com/ (ended in July 2000) mfjh, x45t, zzh@lpwa.com quote.com Proxymate asef, 4rt5, lihz@lpwa.com dsfdf, 56yh, kjhkd3@lpwa.com nytimes.com expedia 46

  24. Mixes [ Chaum 8 1 ] WWW10 Tutorial – May 1, 2001 Sender Destination I V. Privacy Tools - Anonym ity msg dest,msg k C Mix C B, C k B k A dest,msg k C Mix A dest,msg k C C k B Mix B k X = encrypted with public key of Mix X Sender routes message randomly through network of “Mixes”, using layered public-key encryption. 47

  25. Realization of Mixes WWW10 Tutorial – May 1, 2001 ! Onion Routing (Office of Naval I V. Privacy Tools - Anonym ity Research) – http://www.onion-router.net – service ended 01/ 2000 ! Freedom (Zero-Knowledge Systems, Canada) – http://www.zeroknowledge.com ! Java Anon Proxy (TU Dresden) – http://anon.inf.tu-dresden.de 48

  26. Crow ds WWW10 Tutorial – May 1, 2001 ! Users join a Crowd of other users I V. Privacy Tools - Anonym ity ! Web requests from the crowd cannot be linked to any individual ! Protection from – end servers – other crowd members – system administrators – eavesdroppers ! First system to hide data shadow on the web without trusting a central authority http://www.research.att.com/projects/crowds/ 49

  27. WWW10 Tutorial – May 1, 2001 Web servers 1 2 Crow ds I llustrated 3 5 4 6 50 5 Crowd members 6 4 1 3 2 I V. Privacy Tools - Anonym ity

  28. Anonym ous Em ail WWW10 Tutorial – May 1, 2001 ! Anonymous remailers allow people I V. Privacy Tools - Anonym ity to send email anonymously ! Similar to anonymous web proxies ! Some can be chained and work like mixes http://anon.efga.org/~rlist 51

  29. Filters WWW10 Tutorial – May 1, 2001 ! Cookie Cutters I V. Privacy Tools - Anonym ity – Block cookies, allow for more fine-grained cookie control, etc. – Some also filter ads, referer header, and browser chatter http://www.junkbusters.com/ht/en/links.html#measures ! Child Protection Software – Block the transmission of certain information via email, chat rooms, or web forms when child is using computer – Limit who a child can email or chat with http://www.getnetwise.org/ 52

  30. I nfom ediaries I V. Privacy Tools – Trust & Transp. WWW10 Tutorial – May 1, 2001 ! Hagel/ Singer: „Net Worth“ 1997 ! Services and tools that help people manage their online identities – Digitalme - http://www.digitalme.com – Jotter - http://www.jotter.com – Lumeria - http://www.lumeria.com – PrivacyBank - http://www.privacybank.com – Privaseek – http://www.privaseek.com 53

  31. I nfom ediaries - Exam ples I V. Privacy Tools – Trust & Transp. WWW10 Tutorial – May 1, 2001 ! Jotter-Toolbar Usernames and Passwords Shopping Web-Formulare Show Privacy Policy Ads Auto-Fill 54

  32. I nfom ediaries - Exam ples I V. Privacy Tools – Trust & Transp. WWW10 Tutorial – May 1, 2001 PrivacyBank ! PrivacyBank.Com bookm ark ! Bookmark allows access to – privacy policy – automatic form-fill 55

  33. PrivacyBank bookmark WWW10 Tutorial – May 1, 2001 Infomediary example: PrivacyBank 56 I V. Privacy Tools – Trust & Transp.

  34. Sum m ary – Part I WWW10 Tutorial – May 1, 2001 ! What is Privacy? ! Solutions – Definitions – Privacy Policies – Public Concern – Laws and Regulations ! How do they get – Privacy Tools my Data? ! Privacy Tools – Browser Chatter – Encryption – Cookies – Anonymity – Ad Networks – Management – Web Bugs – Trust – Spyware 57

  35. Privacy Tools WWW10 Tutorial – May 1, 2001 The Internet Anonymizing Regulatory and agent self-regulatory framework Secure Cookie cutter User Service channel I V. Privacy Tools Regulatory and Negotiation self-regulatory framework agent/ trust engine 58

  36. Outline – Part I I WWW10 Tutorial – May 1, 2001 ! P3P – Overview – Referencing Policies – Vocabulary – Base Data Set ! P3P Deployment – Site Installation – Client Examples ! Summary & Outlook 59

  37. P3 P Overview WWW10 Tutorial May 1, 2001 ! P3P – Overview – Referencing Policies – Vocabulary – Base Data Set ! P3P Deployment – Site I nstallation – Client Examples ! Summary & Outlook

  38. Original I dea behind P3 P WWW10 Tutorial – May 1, 2001 A framework for automated privacy discussions – Web sites disclose their privacy practices in standard machine- readable formats V. P3 P - Overview – Web browsers automatically retrieve P3P privacy policies and compare them to users’ privacy preferences – Sites and browsers can then negotiate about privacy terms 61

  39. P3 P1 .0 – A First Step WWW10 Tutorial – May 1, 2001 ! Offers an easy way for web sites to communicate about their privacy policies in a standard machine-readable format – Can be deployed using existing web servers V. P3 P - Overview ! This will enable the development of tools that: – Provide snapshots of sites’ policies – Compare policies with user preferences – Alert and advise the user 62

  40. P3 P1 .0 Spec Defines WWW10 Tutorial – May 1, 2001 ! A standard vocabulary for describing set of uses, recipients, data categories, and other privacy disclosures ! A standard schema for data a Web site may wish to collect (base data schema) ! An XML format for expressing a privacy policy V. P3 P - Overview in a machine readable way ! A means of associating privacy policies with Web pages or sites ! A protocol mechanism for transporting P3P policies over HTTP 63

  41. Future Versions of P3 P WWW10 Tutorial – May 1, 2001 ! Allow web sites to offer a choice of policies – P3P 1.0 supports only one policy per resource ! Allow for “negotiation” and explicit agreements to be reached between user agent and web site – P3P 1.0 policies are “take-it-or-leave-it” ! Allow for non-repudiation of agreements, signatures from third-party seal providers, etc. V. P3 P - Overview – P3P 1.0 offers no mechanism to prove that certain communication took place ! Facilitate automated data transfer – P3P 1.0 requires external mechanisms (e.g., automatic form-fill) to transfer data 64

  42. P3 P is a Partial Solution WWW10 Tutorial – May 1, 2001 ! P3P1.0 helps users understand privacy policies but is not a complete solution – Encryption tools ! secure data in transit and storage – Anonymity tools ! reduce the amount of information revealed while V. P3 P - Overview browsing – Seal programs and regulations ! help ensure that sites comply with their policies – Laws and codes of practice ! provide a base line level for acceptable policies 65

  43. A sim ple HTTP Transaction WWW10 Tutorial – May 1, 2001 Web Server GET /x.html HTTP/1.1 Host: foo.com . . . Request web page HTTP/1.1 200 OK V. P3 P - Overview Content-Type: text/html . . . Send web page 66

  44. P3 P1 .0 over HTTP WWW10 Tutorial – May 1, 2001 Web Server GET /x.html HTTP/1.1 Host: foo.com . . . Request web page HTTP/1.1 200 OK P3P: policyref=“http://foo.com/p3p.xml“ Content-Type: text/html V. P3 P - Overview . . . Send web page Request Policy Reference File Send Policy Reference File Request P3P Policy Send P3P Policy 67

  45. Or using p3p.xml File WWW10 Tutorial – May 1, 2001 GET /w3c/p3p.xml HTTP/1.1 Web Host: foo.com Server Request Policy Reference File Send Policy Reference File Request P3P Policy V. P3 P - Overview Send P3P Policy GET /x.html HTTP/1.1 Host: foo.com . . . Request web page HTTP/1.1 200 OK Content-Type: text/html . . . Send web page 68

  46. P3 P1 .0 Clients WWW10 Tutorial – May 1, 2001 ! Client can be implemented as browser, proxy, plug-in, java applet, JavaScript, etc. – Can be entirely server side – Can be part of an infomediary service, shopping tool bar, automatic form filler, etc. ! Look for link to P3P policy and fetch policy with HTTP GET request V. P3 P - Overview ! Parse policy and take appropriate action – Display symbol, play sound, prompt user, etc. – Action can optionally be based on user preferences – Action can optionally allow data to be automatically filled into form or transferred from electronic wallet 69

  47. User Privacy Preferences WWW10 Tutorial – May 1, 2001 ! P3P 1.0 agents may (optionally) take action based on user preferences – Users should not have to trust privacy defaults set by software vendors – User agents that can read APPEL (A P3P Preference Exchange Language) files can V. P3 P - Overview offer users a number of canned choices developed by trusted organizations – Preference editors allow users to adapt existing preferences to suit own tastes, or create new preferences from scratch 70

  48. P3 P Policies WWW10 Tutorial – May 1, 2001 ! Machine-readable (XML) version of web site privacy policies ! Use P3P Vocabulary to express data practices ! Use P3P Base Data Set to express type of data collected V. P3 P - Overview ! Capture common elements of privacy policies but may not express everything (sites may provide further explanation in human-readable policies) 71

  49. The P3 P Vocabulary WWW10 Tutorial – May 1, 2001 ! ! Who is collecting data? To what information does the data collector provide ! What data is collected? access? ! For what purpose will ! What is the data data be used? retention policy? ! Is there an ability to ! How will disputes about change preferences about the policy be resolved? (opt-in or opt-out) of V. P3 P - Overview ! some data uses? Where is the human- readable privacy policy? ! Who are the data recipients (anyone beyond the data collector)? 72

  50. P3 P Base Data Schem a WWW10 Tutorial – May 1, 2001 ! A set of common data elements that all P3P implementations should know about ! Includes user , thirdparty , and business elements such as name, address, phone number, etc. V. P3 P - Overview ! Includes “Dynamic” elements such as indicators that a site collects click- stream, uses cookies, collects info of a certain category, etc. ! Extensible using custom data schemas 73

  51. Exam ple Privacy Policy WWW10 Tutorial – May 1, 2001 At CatalogExample, we care about your privacy. When you come to our site to look for an item, we will only use this information to improve our site and will not store it in an identifiable way. CatalogExample is a licensee of the PrivacySealExample Program. … Questions regarding this statement should be directed to: CatalogExample 1-248-392-6753 When you browse through our site we collect: V. P3 P - Overview The basic information about your computer and connection to make sure that we can get you the proper information and for security purposes Aggregate information on what pages consumers access or visit to improve our site We purge the browsing information that we collect regulalry 74

  52. P3 P/ XML Encoding WWW10 Tutorial – May 1, 2001 <POLICY xmlns="http://www.w3.org/2000/12/P3Pv1" discuri="http://www.catalog.example.com/Privacy.html"> <ENTITY><DATA-GROUP><DATA ref="#business.name">CatalogExample</DATA> <DATA ref="#business.contact-info.telecom.telephonenum.intcode">1</DATA> <DATA ref="#business.contact-info.telecom.telephonenum.loccode"> 248</DATA> <DATA ref="#business.contact-info.telecom.telephonenum.number"> 3926753</DATA> </DATA-GROUP></ENTITY> <ACCESS><nonident/></ACCESS> <DISPUTES-GROUP> <DISPUTES resolution-type="independent" service="http://www.PrivacySeal.example.org" short-description="PrivacySeal.exampleorg" <REMEDIES><correct/></REMEDIES> V. P3 P - Overview <IMG src="http://www.PrivacySeal.example.org/Logo.gif"/> </DISPUTES></DISPUTES-GROUP> <STATEMENT> <PURPOSE><admin/><develop/></PURPOSE> <RECIPIENT><ours/></RECIPIENT> <RETENTION><stated-purpose/></RETENTION> <DATA-GROUP> <DATA ref="#dynamic.clickstream"/> <DATA ref="#dynamic.http"/> <DATA-GROUP> </STATEMENT> </POLICY> 75

  53. Referencing P3 P Policies WWW10 Tutorial May 1, 2001 ! P3P – Overview – Referencing Policies – Vocabulary – Base Data Set ! P3P Deployment V. P3 P – Site I nstallation – Client Examples ! Summary & Outlook

  54. Policy References WWW10 Tutorial – May 1, 2001 ! Allows web sites to indicate what policy V. P3 P – Referencing Policies applies to what resource ! Allows user agents to determine what policy applies to what resource ! Performance optimization – Send reference rather than full policy with each response – Only parse and process each policy once as long as results are cached 78

  55. Policy Reference Files ( PRF) WWW10 Tutorial – May 1, 2001 ! Allow specification of which policy applies to V. P3 P – Referencing Policies which resources on a site – <EXPIRY> ! Determines how long PRF is valid – <POLICY-REF> ! URI of policy – <INCLUDE>, <EXCLUDE> ! URI prefixes (local) to which policy applies / doesn‘t apply – <EMBEDDED-INCLUDE>, <EMBEDDED-EXCLUDE> ! Absolute URI to 3 rd party content to which policy applies / does not apply – <COOKIE-INCLUDE>, <COOKIE-EXCLUDE> ! Associates / disassociates cookies with policy – <METHOD> ! Methods to which policy applies 79

  56. PRF Exam ple WWW10 Tutorial – May 1, 2001 <META xmlns="http://www.w3.org/2000/P3Pv1"> <POLICY-REFERENCES> V. P3 P – Referencing Policies <EXPIRY max-age="172800" /> <!–- relative expiry: 2 days --> <POLICY-REF about="/P3P/Policy1.xml"> <INCLUDE>/*</INCLUDE> <EXCLUDE>/catalog/*</EXCLUDE> <EXCLUDE>/cgi-bin/*</EXCLUDE> <EXCLUDE>/servlet/*</EXCLUDE> </POLICY-REF> <POLICY-REF about="/P3P/Policy2.xml"> <INCLUDE>/catalog/*</INCLUDE> </POLICY-REF> <POLICY-REF about="/P3P/Policy3.xml"> <INCLUDE>/cgi-bin/*</INCLUDE> <INCLUDE>/servlet/*</INCLUDE> <EXCLUDE>/servlet/unknown</EXCLUDE> </POLICY-REF> </POLICY-REFERENCES> </META> 80

  57. EXPI RY WWW10 Tutorial – May 1, 2001 ! States how long policy reference V. P3 P – Referencing Policies file (or policy) stays valid ! Relative time (in seconds) – Denotes time before a new policy can replace existing one – Minimum: 24 hours (86400 seconds) ! Absolute time (GMT/ UTC) – Used to phase out policies – If date is in the past: no policy! 81

  58. METHOD WWW10 Tutorial – May 1, 2001 ! Allows different P3P policies for the V. P3 P – Referencing Policies same resource when accessed through different methods . ! E.g., Web publishing systems might only collect clickstream data for GET requests, but collects login information for PUT and DELETE methods. ! Notice: GET and HEAD requests must use same policies! 82

  59. PRF exam ple WWW10 Tutorial – May 1, 2001 <META xmlns="http://www.w3.org/2000/P3Pv1"> V. P3 P – Referencing Policies <POLICY-REFERENCES> <EXPIRY max-age="172800" /> <!–- relative expiry: 2 days --> <POLICY-REF about="/P3P/Policy1.xml"> <INCLUDE>/docs/*</INCLUDE> <METHOD> HEAD </METHOD> <METHOD> GET </METHOD> </POLICY-REF> <POLICY-REF about="/P3P/Policy2.xml"> <INCLUDE>/docs/*</INCLUDE> <METHOD> PUT </METHOD> <METHOD> DELETE </METHOD> </POLICY-REF> </POLICY-REFERENCES> </META> 83

  60. Em bedded Content WWW10 Tutorial – May 1, 2001 ! User agents should check for policies on V. P3 P – Referencing Policies all embedded content (images, frames, etc.) – Good use of policy reference files should reduce need for extra round trips ! < EMBEDDED-INCLUDE/ EXCLUDE> – Performance optimization: allows declaration of 3 rd party contents (< INCLUDE> allows only local URIs) – Specified policy only applies when accessed from site making declaration ! avoids „sticky“ misdeclarations from rogue sites 84

  61. PRF Exam ple WWW10 Tutorial – May 1, 2001 ! Example policy at www.example.org: V. P3 P – Referencing Policies <META xmlns="http://www.w3.org/2000/12/P3Pv1"> <POLICY-REFERENCES> <POLICY-REF about="/P3P/Policy1.xml"> <INCLUDE>/docs/*</INCLUDE> <INCLUDE>/other/index.html</INCLUDE> <EMBEDDED-INCLUDE> http://*.adserver.example.com/ads/* </EMBEDDED-INCLUDE> <EMBEDDED-EXCLUDE> http://*.adserver.example.com/ads/network/* </EMBEDDED-EXCLUDE> </POLICY-REF> </POLICY-REFERENCES> </META> ! Policy1.xml only applies to adserver.example.com/ ads if accessed from www.example.org pages! 85

  62. Form s WWW10 Tutorial – May 1, 2001 ! Forms are special kind of V. P3 P – Referencing Policies embedded content („ACTION“ URL) – User agents should be especially careful not to unknowingly submit data when no policy is available – Check well-known location before submitting form data, if policy is unknown 86

  63. Cookies WWW10 Tutorial – May 1, 2001 ! P3P policy only applies to resource , not V. P3 P – Referencing Policies its associated cookies! ! < COOKIE-INCLUDE/ EXCLUDE> – Associates P3P policy to (named) cookie ! „cookie“-policy must cover – Data stored in, or linked via, the cookie – All purposes associated with stored or linked data – If data collection done via HTTP, then separate policy must also cover that data transfer 87

  64. Cookies Exam ple WWW10 Tutorial – May 1, 2001 Declares only policy1 V. P3 P – Referencing Policies Entrance clickstream data Page. Sets logging. covers unique_ id for session tracking. policy2 covers Contact page. Sets unique_ id Declares collection associated with customer data. of contact info Set_cookie (optional, only required for Set_cookie „ACTION“ URL policy3 handling the POST of the data) covers Assigns unique id for state m anagem ent , but also allows linking Declares contact info and to contact inform ation . state m anagem ent 88

  65. PRF exam ple WWW10 Tutorial – May 1, 2001 <META xmlns="http://www.w3.org/2000/12/P3Pv1"> V. P3 P – Referencing Policies <POLICY-REFERENCES> <POLICY-REF about="/P3P/Policy1.xml"> <COOKIE-INCLUDE>* * *</COOKIE-INCLUDE> <COOKIE-EXCLUDE>obnoxious-cookie .example.com /</COOKIE-EXCLUDE> </POLICY-REF> <POLICY-REF about="/P3P/Policy2.xml"> <COOKIE-INCLUDE>obnoxious-cookie .example.com /<COOKIE-INCLUDE> </POLICY-REF> </POLICY-REFERENCES> </META> 89

  66. Locating a PRF WWW10 Tutorial – May 1, 2001 ! Well-known file V. P3 P – Referencing Policies – /w3c/p3p.xml is standard location for policy reference file ! HTTP Header – References appear in response headers ! LINK tags – References appear in LINK tags 90

  67. HTTP Header WWW10 Tutorial – May 1, 2001 ! Example (2.1) V. P3 P – Referencing Policies Client request: GET /index.html HTTP/1.1 Host: catalog.example.com Accept: */* Accept-Language: de, en User-Agent: WonderBrowser/5.2 (RT-11) Server response: HTTP/1.1 200 OK P3P: policyref="http://www.example.com/P3P/p1.xml" Content-Type: text/html Content-Length: 7413 Server: CC-Galaxy/1.3.18 91

  68. LI NK Tags WWW10 Tutorial – May 1, 2001 ! LINK tag embedded in an HTML V. P3 P – Referencing Policies document encodes the information that could be expressed using the P3P PolicyRef header ! Most useful for entities that wish to supply P3P policies but can’t put file in well-known location or change headers (Geocities homesteaders, for example) ! Example <link rel="P3Pv1" ref="http://www.example.com/P3P/p1.xml"> 92

  69. Safe Zone WWW10 Tutorial – May 1, 2001 ! User agents should ensure that V. P3 P – Referencing Policies minimal data collection takes place while fetching a P3P policy – Suppress transmission of unnecessary data – Try to fetch policy reference file from well-known location 93

  70. P3 P Vocabulary WWW10 Tutorial May 1, 2001 ! P3P – Overview – Referencing Policies – Vocabulary – Base Data Set ! P3P Deployment V. P3 P – Site I nstallation – Client Examples ! Summary & Outlook

  71. The POLI CY Elem ent WWW10 Tutorial – May 1, 2001 ! Contains a complete P3P policy ! Takes mandatory discuri attribute – indicates location of human-readable privacy policy V. P3 P – Vocabulary ! Sub-Elements – < ENTI TY> , < DISPUTES-GROUP> , < ACCESS> , < STATEMENT> , < TEST> , < EXTENSION> , < EXPI RY> ! Example: <POLICY xmlns= "http://www.w3.org/2000/12/P3Pv1" discuri = "http://www.catalog.example.com/Privacy.html"/> 95

  72. The ENTI TY Elem ent WWW10 Tutorial – May 1, 2001 ! Mandatory ! Identifies the legal entity making the representation of the privacy practices contained in the policy ! Uses the business.name data element and (optionally) other fields in the business. data set ! Example V. P3 P – Vocabulary <ENTITY><DATA-GROUP> <DATA ref="#business.name">CatalogExample</DATA> <DATA ref="#business.contact-info.telecom.telephonenum.intcode"> 1</DATA> <DATA ref="#business.contact-info.telecom.telephonenum.loccode"> 248</DATA> <DATA ref="#business.contact-info.telecom.telephonenum.number"> 3926753</DATA> </DATA-GROUP></ENTITY> 96

  73. The DI SPUTES Elem ent WWW10 Tutorial – May 1, 2001 ! Describes a dispute ! Attributes: – resolution-type* resolution procedure ! customer service – may be followed for ! independent org. disputes about a ! court service’s privacy ! applicable law practices V. P3 P – Vocabulary – service* (URI) ! Part of a – short-description <DISPUTES-GROUP> – verification (URI) ! Sub-Elements – allows several dispute resoultion procedures – < IMAGE> to be listed – < LONG-DESCRIPTION> – < REMEDIES> * Mandatory Attribute 97

  74. The REMEDI ES Elem ent WWW10 Tutorial – May 1, 2001 ! Sub element of DISPUTES element ! Specifies possible remedies in case a policy breach occurs – < correct/ > , < money/ > , < law/ > ! Example <DISPUTES-GROUP> V. P3 P – Vocabulary <DISPUTES-GROUP> <DISPUTES resolution-type ="independent" service ="http://www.PrivacySeal.org" description ="PrivacySeal.org" image =http://www.PrivacySeal.org/Logo.gif> <REMEDIES><correct/></REMEDIES> </DISPUTES> </DISPUTES-GROUP> 98

  75. The ACCESS Elem ent WWW10 Tutorial – May 1, 2001 ! Indicates the ability of individuals to access their data – < nonident/ > – < all/ > – < contact-and-other/ > V. P3 P – Vocabulary – < ident-contact/ > – < other-ident/ > – < none> ! Example: <ACCESS><nonident/></ACCESS> 99

  76. The STATEMENT Elem ent WWW10 Tutorial – May 1, 2001 ! Data practices applied to data elements – mostly serves as a grouping mechanism ! Contains the following sub-elements: – < CONSEQUENCE> V. P3 P – Vocabulary – < NON-IDENTIFIABLE> – < PURPOSE> * – < RECIPIENT> * – < RETENTION> * – < DATA-GROUP> * * Mandatory Elements 100

  77. The CONSEQUENCE Elem ent WWW10 Tutorial – May 1, 2001 ! Consequences that can be shown to a human user – to explain why the suggested practice may be valuable in a particular V. P3 P – Vocabulary instance, even if the user would not normally allow the practice ! Example: <CONSEQUENCE>A site with clothes you would appreciate</CONSEQUENCE> 101

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

U BIQUITOUS I NTERNET @ IIT-CNR T OWARDS A HUMAN - CENTRIC I NTERNET Andrea Passarella Ubiquitous

U BIQUITOUS I NTERNET @ IIT-CNR T OWARDS A HUMAN - CENTRIC I NTERNET Andrea Passarella Ubiquitous

U BIQUITOUS I NTERNET @ IIT-CNR T OWARDS A HUMAN - CENTRIC I NTERNET Andrea Passarella Ubiquitous Internet Group a.passarella@iit.cnr.it U BIQUITOUS I NTERNET G ROUP @ IIT-CNR Research Personnel (26 People) Permanent Researchers (14)

534 views • 6 slides
I NTERNET GOVERNANCE DI SCUSSI ON AND W SI S Bertrand de LA CHAPELLE Director

I NTERNET GOVERNANCE DI SCUSSI ON AND W SI S Bertrand de LA CHAPELLE Director

I NTERNET GOVERNANCE DI SCUSSI ON AND W SI S Bertrand de LA CHAPELLE Director wsis-online.net W sis-online.net / February 2 6 , 2 0 0 4 I TU W orkshop on I nternet Governance W HAT DI D W SI S PHASE 1 BRI NG ? W sis-online.net /

246 views • 22 slides
$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

Presentation Slides $ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

318 views • 13 slides
Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; Security and Cooperation in Wireless Networks Georg-August University Gttingen Chapter outline 1 Important privacy related

1.12k views • 33 slides
Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

CISPA Center for IT Security, Privacy and Accountabiltiy Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when,

573 views • 26 slides
$ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy

$ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy

Presentation Slides $ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

429 views • 13 slides
CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies

CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies

CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies US Privacy Laws Sources: Baase: A Gift of Fire and Quinn: Ethics for the Information Age Ethics Spring 2010 Privacy 1 Privacy The original

725 views • 45 slides
Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals,

Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals,

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is

1.01k views • 76 slides
Data privacy: an introduction (part 1) Klara Stokes What is privacy? Privacy has been defined in

Data privacy: an introduction (part 1) Klara Stokes What is privacy? Privacy has been defined in

Data privacy: an introduction (part 1) Klara Stokes What is privacy? Privacy has been defined in many ways over the years. Usually privacy is concerned with the individual human being. We may talk about privacy as the control over your own

230 views • 21 slides
Engineering privacy by design Privacy by Design Let's have it! Information and Privacy

Engineering privacy by design Privacy by Design Let's have it! Information and Privacy

Engineering privacy by design Privacy by Design Let's have it! Information and Privacy Commissioner of Ontario https://www.ipc.on.ca/images/resources/7foundationalprinciples.pdf Privacy by Design Let's have it! Article 25 European

1.32k views • 118 slides
Anonymity &amp; Privacy Alice Privacy EU directives (e.g. 95/46/EC) to protect privacy.

Anonymity &amp; Privacy Alice Privacy EU directives (e.g. 95/46/EC) to protect privacy.

Anonymity &amp; Privacy Alice Privacy EU directives (e.g. 95/46/EC) to protect privacy. College Bescherming Persoonsgegevens (CBP) What is privacy? Users must be able to determine for themselves when, how, to what extent and

798 views • 45 slides
Privacy Enhancing Technologies Spring 2006 Outline Privacy Overview Course Topics

Privacy Enhancing Technologies Spring 2006 Outline Privacy Overview Course Topics

ECE598NB Privacy Enhancing Technologies Spring 2006 Outline Privacy Overview Course Topics Course Structure Privacy Define privacy Privacy History Privacy has always existed Cities / large populations have made

173 views • 14 slides
I nternet , intranet and W eb L ecture I T echnologies and protocols for application

I nternet , intranet and W eb L ecture I T echnologies and protocols for application

I nternet , intranet and W eb L ecture I T echnologies and protocols for application communications Marco Solieri marco.solieri@lipn.univ-paris13.fr Info et Rseaux en Apprentissage, Sup Galile, Paris 13 November 3 rd, 2014 O utline 1 C

811 views • 53 slides
FG4 Friday, June 6, 2003 10:30 AM S OFTWARE D EVELOPMENT ON I NTERNET T IME -F ASTER , C HEAPER ,

FG4 Friday, June 6, 2003 10:30 AM S OFTWARE D EVELOPMENT ON I NTERNET T IME -F ASTER , C HEAPER ,

BIO PRESENTATION FG4 Friday, June 6, 2003 10:30 AM S OFTWARE D EVELOPMENT ON I NTERNET T IME -F ASTER , C HEAPER , W ORSE ? Girish Seshagiri Advanced Information Services International Conference On Software Management &amp; Applications of

570 views • 40 slides
Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance Engineering &amp; Public Policy Lorrie Faith Cranor November 11, 2014 y &amp; c S a e v c i u r P r i t e y l b L a a s

555 views • 21 slides
Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance Engineering &amp; Public Policy Lorrie Faith Cranor October 29, 2013 y &amp; c S a e v c i u r P r i t e y l b L a a s

245 views • 20 slides
Europe PMC Funders Group Author Manuscript Clin Toxicol (Phila) . Author manuscript; available in

Europe PMC Funders Group Author Manuscript Clin Toxicol (Phila) . Author manuscript; available in

Europe PMC Funders Group Author Manuscript Clin Toxicol (Phila) . Author manuscript; available in PMC 2006 January 25. Published in final edited form as: Clin Toxicol (Phila) . 2005 ; 43(2): 129130. The revised position papers on gastric

36 views • 3 slides
TO ACT OR BE ACTED UPON - Aligning with Principles Overview Recap Motivation

TO ACT OR BE ACTED UPON - Aligning with Principles Overview Recap Motivation

Presented By: Ankur Sharma (EE) Tamal Das (CSE) Slides By: Nishant Khadria (Siemens, Germany) TO ACT OR BE ACTED UPON - Aligning with Principles Overview Recap Motivation Principles of personal vision Freedom to choose

828 views • 39 slides
Data privacy: an overview Vicen c Torra December, 2019 Hamilton Institute, Maynooth

Data privacy: an overview Vicen c Torra December, 2019 Hamilton Institute, Maynooth

Data privacy: an overview Vicen c Torra December, 2019 Hamilton Institute, Maynooth University, Ireland Overview Outline Overview What is data privacy? Why is it necessary and why it is challenging/difficult? Some definitions

2.02k views • 188 slides
CS400 Problem Seminar Fall 2000 Assignment 3: Distributed Calendar Management Handed out:

CS400 Problem Seminar Fall 2000 Assignment 3: Distributed Calendar Management Handed out:

CS400 Problem Seminar Fall 2000 Assignment 3: Distributed Calendar Management Handed out: Sept. 29, 2000 Due: Oct. 13, 2000 TA: Luke Deqing Chen ( lukechen@cs ) 1 Introduction This fortnights assignment is mainly in systems,

388 views • 14 slides
Putting the H into Elf and Safety; Permanently BHSEA: 10 th Sept 2018: Dr Jennifer Lunt

Putting the H into Elf and Safety; Permanently BHSEA: 10 th Sept 2018: Dr Jennifer Lunt

Putting the H into Elf and Safety; Permanently BHSEA: 10 th Sept 2018: Dr Jennifer Lunt Objectives Why occupational health plays second fiddle to safety What this means for behaviour change in the workplace, and Think work

626 views • 24 slides
The Orange House Not secret, yet safe Working area Blijf groep North Holland and Flevoland

The Orange House Not secret, yet safe Working area Blijf groep North Holland and Flevoland

The Orange House Not secret, yet safe Working area Blijf groep North Holland and Flevoland Orange Houses Long-stay shelters + non-residential services Alkmaar Amsterdam Almere Facts &amp; Figures 2018 *633 Kids in the shelters *3.836

611 views • 36 slides
Contemporary Issues 1 to develop students understanding of contemporary 1. Language of

Contemporary Issues 1 to develop students understanding of contemporary 1. Language of

22/09/2011 Social Education All modules are 1 credit each. Task and Leaving Cert Exam are 10 credits. Social and Health Ed 1 Session 1 and 2 Social and Health Ed 2 1 st Year (February to June) Session 3 and 4 Contemporary Issues 1 LCA

226 views • 4 slides
Thank you very much, Begonia, for that lovely introduction. What my talk tonight will be about,

Thank you very much, Begonia, for that lovely introduction. What my talk tonight will be about,

Thank you very much, Begonia, for that lovely introduction. What my talk tonight will be about, mostly, is how to achieve and maintain healthy relationships. Why do I think that healthy relationships are important? Because good relationships

267 views • 23 slides

More recommend