P3P: Difference between revisions

P3P
Platform for Privacy Preferences
Abbreviation	P3P
Native name	Platform for Privacy Preferences
Status	Retired
First published	16 April 2002
Latest version	1.1
Committee	P3P Specification Working Group
Editors	Rigo Wenning; Matthias Schunter;
Authors	Lorrie Cranor; Brooks Dobbs; Serge Egelman; Giles Hogben; Jack Humphrey; Marc Langheinrich; Massimo Marchiori; Martin Presler-Marshall; Joseph Reagle; Matthias Schunter; David A. Stampley; Rigo Wenning;
Base standards	HTTP; XML;
Website	www.w3.org/TR/P3P11/

Browse history interactively

← Previous edit Next edit →

Content deleted Content added

VisualWikitext

Inline

Revision as of 11:14, 16 March 2023

The Platform for Privacy Preferences Project (P3P) is an obsolete protocol allowing websites to declare their intended use of information they collect about web browser users. Designed to give users more control of their personal information when browsing, P3P was developed by the World Wide Web Consortium (W3C) and officially recommended on April 16, 2002. Development ceased shortly thereafter and there have been very few implementations of P3P. Internet Explorer and Microsoft Edge were the only major browsers to support P3P. Microsoft has ended support from Windows 10 onwards. Internet Explorer and Edge on Windows 10 no longer support P3P.^[3] The president of TRUSTe has stated that P3P has not been implemented widely due to the difficulty and lack of value.^[4]

Purpose

As the World Wide Web became a genuine medium in which to sell products and services, electronic commerce websites tried to collect more information about the people who purchased their merchandise. Some companies used controversial practices such as tracker cookies to ascertain the users' demographic information and buying habits, using this information to provide specifically targeted advertisements. Users who saw this as an invasion of privacy would sometimes turn off HTTP cookies or use proxy servers to keep their personal information secure. P3P was designed to give users a more precise control of the kind of information that they allow to release. According to the W3C, the main goal of P3P "is to increase user trust and confidence in the Web through technical empowerment".^[5]

P3P is a machine-readable language that helps to express a website’s data management practices. P3P manages information through privacy policies. When a website used P3P, they set up a set of policies that allows them to state their intended uses of personal information that may be gathered from their site visitors. When a user decided to use P3P, they set their own set of policies and state what personal information they will allow to be seen by the sites that they visit. Then when a user visited a site, P3P will compare what personal information the user is willing to release, and what information the server wants to get – if the two do not match, P3P would inform the user and ask if he/she is willing to proceed to the site, and risk giving up more personal information.^[6] As an example, a user may store in the browser preferences that information about their browsing habits should not be collected. If the policy of a Website stated that a cookie is used for this purpose, the browser would automatically reject the cookie. The main content of a privacy policy is the following:

which information the server stores:
- which kind of information is collected (identifying or not);
- which particular information is collected (IP address, email address, name, etc.);
use of the collected information:
- how this information is used (for regular navigation, tracking, personalization, telemarketing, etc.);
- who will receive this information (only the current company, third party, etc.);
permanence and visibility:
- how long information is stored;
- whether and how the user can access the stored information (read-only, optin, optout).

The privacy policy can be retrieved as an XML file or can be included, in compact form, in the HTTP header. The location of the XML policy file that applies to a given document can be:

specified in the HTTP header of the document
specified in the HTML head of the document
if none of the above is specified, the well-known location /w3c/p3p.xml is used (for a similar location compare /favicon.ico)

P3P allows to specify a max-age for caching. A dummy /w3c/p3p.xml file could use this feature:

<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <EXPIRY max-age="10000000"/><!-- about four months -->
  </POLICY-REFERENCES>
</META>

User agent support

Yahoo!'s P3P policy as viewed in Internet Explorer 6.

Microsoft's Internet Explorer and Edge were the only mainstream web browsers that supported P3P.^[7] Other browsers have not implemented it due to the perceived lack of value it provides. IE provides the ability to display P3P privacy policies, and compare the P3P policy with the browser's settings to decide whether or not to allow cookies from a particular site. However, the P3P functionality in Internet Explorer extends only to cookie blocking, and will not alert the user to an entire web site that violates active privacy preferences. Microsoft considers the feature deprecated in its browsers and totally removed P3P support on Windows 10.^[7]

Mozilla supported some P3P features for a few years, but all P3P related source code was removed by 2007.^[8]

The Privacy Finder^[9] service was also created by Carnegie Mellon's Usable Privacy and Security Laboratory. It is a publicly available "P3P-enabled search engine." A user can enter a search term along with their stated privacy preferences, and is then presented with a list of search results which are ordered based on whether the sites comply with their preferences. This works by crawling the web and maintaining a P3P cache for every site that ever appears in a search query. The cache is updated every 24 hours so that every policy is guaranteed to be relatively up to date. The service also allows users to quickly determine why a site does not comply with their preferences, as well as allowing them to view a dynamically generated natural language privacy policy based on the P3P data. This is advantageous over simply reading the original natural language privacy policy on a web site because many privacy policies are written in legalese and are extremely convoluted. Additionally, in this case the user does not have to visit the web site to read its privacy policy.

Benefits

P3P allows browsers to understand their privacy policies in a simplified and organized manner rather than searching throughout the entire website. By setting privacy settings on a certain level, the user enables P3P to automatically block any cookies that the user might not want on their computer. Additionally, the W3C explains that P3P will allow browsers to transfer user data to services, ultimately promoting an online sharing community.

Additionally, the P3P Toolbox^[10] developed by the Internet Education Foundation recommends that anyone who is concerned about increasing their users’ trust and privacy should consider implementing P3P. The P3P toolbox site explains how companies have taken individuals data in order to promote new products or services. Furthermore, in recent years companies have taken individuals information and created profiles, which they then market without the individual's consent. Moreover, all this data is misused and we as consumers pay the price and become worrisome of issues such as: junk mail, identity theft and forms of discrimination; therefore implementing P3P's protocol is good and beneficial for internet browsers.

Moreover, since there has been an increase of browsers there are more users at risk running into privacy problems. But the Internet Education Foundation points out that, “P3P has been developed to help steer the force of technology a step further toward automatic communication of data management practices and individual privacy preferences.”^[10]

Criticisms

The Electronic Privacy Information Center (EPIC) has been critical of P3P and believes P3P makes it too difficult for users to protect their privacy.^[11] In 2002 it assessed P3P and referred to the technology as a "Pretty Poor Policy".^[11] According to EPIC, some P3P software is too complex and difficult for the average person to understand, and many Internet users are unfamiliar with how to use the default P3P software on their computers or how to install additional P3P software. Another concern is that websites are not obligated to use P3P, and neither are Internet users. Moreover, the EPIC website claims that P3Ps protocol would become burdensome for the browser and not as beneficial or efficient as it was intended to be.

A key problem that occurs with the use of P3P is that there is a lack of enforcement. Thus, promises made to users of P3P can go unfulfilled. Though by using P3P a company/website makes a promise of privacy and of the use of gathered data to the site’s users, there are no real legal ramifications if the company decides to use the information for other functions. Currently, there are no actual laws that have been passed by the United States about data protection. Though, ideally, companies should be honest as to their use of customers' personal information, there is no binding reason that the company must actually adhere to the rules it says it will comply by. Though using P3P technically qualifies as a contract, the lack of federal regulation downplays the need for companies to abide.^[12]

The agreement to use P3P not only puts in place unenforceable promises, but it also prolongs the adoption of federal laws that would actually inhibit the access and ability to use private information. If the government were to step in and attempt to protect Internet users with federal laws on what information can be accessed, and specific regulations on how user information can be used, companies would not maintain the leeway they do now to use information as they please, despite what they may actually tell users. In 2002, then EPIC employee Chris Hoofnagle argued that P3P was displacing chances for government regulation of privacy.^[13]

Critics of P3P also argue that non-compliant sites are excluded. According to a study done by CyLab Privacy Interest Group at Carnegie Mellon University^[14] only 15% of the top 5,000 websites incorporate P3P. Therefore, many sites that do not include the code but do practice high privacy standards will not be accessible to users who use P3P as their only online privacy guide.

EPIC also talks about how the development and implementation of P3P can cause a monopoly of private information. Since it tends to be only major companies who implement P3P on their websites, only these major companies are tending to then gather this information seeing as only their privacy policies can compare to privacy preferences of users. The EPIC website says, "The incredible complexity of P3P, combined with the way that popular browsers are likely to implement the protocol would seem to preclude it as a privacy-protective technology," EPIC continues on to state, "Rather, P3P may actually strengthen the monopoly position over personal information that U.S. data marketers now enjoy."^[11]

The failure for its immediate adoption can be related to the idea of it being a notice and choice approach that does not comply with the Fair Information Practices. According to the Chairman of the FTC,^[15] privacy laws are key in today’s society in order to protect the consumer from providing too much personal information for others’ benefit. Some believe that there should be a limit to the collection and use of the consumer’s personal data online. Currently, sites are not required under any United States laws to comply with the privacy policies they publish, therefore P3P causes some controversy with consumers who are concerned about the release of their personal information and are only able to rely on P3P’s protocol to protect their privacy.

Michael Kaply from IBM is reported saying the following when the Mozilla Foundation was considering the removal of P3P support from their browser-line in 2004:^[16]

Ah the memories.
We (IBM) wrote the original P3P implementation and then Netscape proceeded to write their own. So both our companies wasted immense amounts of time that everyone thought was a crappy proposal to begin with.
Remove it.

Live Leer, a PR manager for Opera Software, explained in 2001 the deliberate lack of P3P support in their browser:^[17]

At the moment, we aren't sure whether P3P is the best solution. P3P is among the specifications we are considering for support in the future. There have been some issues with how well P3P will protect privacy, and for that reason we have decided to wait until these are resolved.

Alternatives

P3P user agents are not the only option available for Internet users that want to ensure their privacy. Several of the main alternatives to P3P include using web browsers' privacy mode, anonymous e-mailers and anonymous proxy servers.

The main alternative to P3P may not be these technologies, but instead stronger laws to regulate what kind of information from Internet users can be collected and retained by websites. For example, in Europe, the General Data Protection Regulation provides individuals with a certain set of principles about how personal information is collected and the person's rights to protecting their personal data.^[18] The act allows individuals to control the type of information that is being collected from them. Various principles are included within the act, such as the rule that individual has the right to retrieve the data collected about them at any time under certain conditions. Moreover, the individual's personal information cannot be kept longer than necessary, and not be used for purposes other than those agreed upon to begin with.

Currently, the United States has no federal law protecting the privacy of personal information shared online. However, there are some sectoral laws at the federal and state level that offer some protection for certain types of information collected about individuals.^[19] For example, the Fair Credit Reporting Act (FCRA) of 1970 makes it legal for consumer reporting agencies to disclose personal information only under three specified circumstances: credit, employment or insurance evaluation; government grant or license; or a “legitimate business need” that involves the consumer. A list of other sectoral privacy laws in the United States can be viewed at the Consumer Privacy Guide's website.^[19]

The future of P3P

There are many groups who are working to further the future of P3P to make it easier for people to use. Some of these groups are:

Transparent Accountable Datamining Initiative (TAMI) is a group out of MIT’s Computer Science and Artificial Intelligence Laboratory. The goal of TAMI is to create technical, legal, and policy foundations for transparency and accountability in large-scale aggregation. TAMI hopes to help people manage privacy risks in a world where technology is constantly changing.

Policy Aware Web (PAW) is a scalable mechanism for the exchange of rules and proofs for unlimited access control to the Web. “It creates a system of Policy Aware infrastructure using systematic Web rules language with a theorem prover”.^[20]

References

^ "The Platform for Privacy Preferences 1.1 (P3P1.1) Specification Publication History - W3C". W3C. Retrieved 2021-04-04.
^ ^a ^b ^c ^d ^e ^f ^g ^h ⁱ ^j ^k ^l ^m ⁿ ^o ^p ^q Cranor, Lorrie; Dobbs, Brooks; Egelman, Serge; Hogben, Giles; Humphrey, Jack; Langheinrich, Marc; Marchiori, Massimo; Reagle, Joseph; Schunter, Matthias; Stampley, David A.; Wenning, Rigo. Wenning, Rigo; Matthias, Schunter (eds.). "The Platform for Privacy Preferences 1.1 (P3P1.1) Specification". Retrieved 2021-04-04.
^ "P3P is no longer supported". Microsoft Docs. 15 December 2016. Retrieved 8 July 2020.
^ Richmond, Riva (17 September 2010). "A Loophole Big Enough for a Cookie to Fit Through". The New York Times: Bits. Retrieved 8 July 2020.
^ "Michael Young – Binäre Optionen – Tipps und Tricks – p3ptoolbox.org". www.p3ptoolbox.org (in German).
^ "Section 2 What is P3P and How Does it Work?". Archived from the original on 2002-06-12.
^ ^a ^b "Internet Explorer's and Edge's P3P Support". Archived from the original on 2018-01-26. Retrieved 2018-01-25.
^ Bug 225287 - Remove p3p from the default build
^ www.privacyfinder.org
^ ^a ^b "Section 1 Why Implement P3P?". Archived from the original on 2002-09-07.
^ ^a ^b ^c "Pretty Poor Privacy: An Assessment of P3P and Internet Privacy". Electronic Privacy Information Center. June 2000.
^ "P3P: Pretty Poor Privacy? By Karen Coyle".
^ Tech Republic: Despite big-name support, new privacy standard slow to catch on, June 10, 2002
^ 2006 Privacy Policy Trends Report
^ Fair Information Practices In The Electronic Marketplace, 2000
^ "225287 - Remove p3p from the default build".
^ "P3P: Protector of Consumers' Online Privacy". 17 August 2001.
^ "Data protection".
^ ^a ^b "ConsumerPrivacyGuide.org | Law Protection". Archived from the original on 2002-02-06. Retrieved 2008-03-08.
^ W3C P3P site

External links

W3C P3P site
- W3C P3P 1.0 Specification, published as a Recommendation in 2002
- W3C P3P 1.1 Specification, published as a Note in 2006
P3P in Internet Explorer 6 (Archived version from March 2014)
Center for Democracy and Technology: P3P Privacy
Facebook's statement on P3P Archived 2022-06-08 at the Wayback Machine
Google's statement on P3P

[w3c-history-1] "The Platform for Privacy Preferences 1.1 (P3P1.1) Specification Publication History - W3C". W3C. Retrieved 2021-04-04.

[w3c-page-2] ^ ^a ^b ^c ^d ^e ^f ^g ^h ⁱ ^j ^k ^l ^m ⁿ ^o ^p ^q Cranor, Lorrie; Dobbs, Brooks; Egelman, Serge; Hogben, Giles; Humphrey, Jack; Langheinrich, Marc; Marchiori, Massimo; Reagle, Joseph; Schunter, Matthias; Stampley, David A.; Wenning, Rigo. Wenning, Rigo; Matthias, Schunter (eds.). "The Platform for Privacy Preferences 1.1 (P3P1.1) Specification". Retrieved 2021-04-04.

[3] "P3P is no longer supported". Microsoft Docs. 15 December 2016. Retrieved 8 July 2020.

[4] Richmond, Riva (17 September 2010). "A Loophole Big Enough for a Cookie to Fit Through". The New York Times: Bits. Retrieved 8 July 2020.

[5] "Michael Young – Binäre Optionen – Tipps und Tricks – p3ptoolbox.org". www.p3ptoolbox.org (in German).

[p3ptoolbox2-6] "Section 2 What is P3P and How Does it Work?". Archived from the original on 2002-06-12.

[p3psupport-7] "Internet Explorer's and Edge's P3P Support". Archived from the original on 2018-01-26. Retrieved 2018-01-25.

[8] Bug 225287 - Remove p3p from the default build

[9] www.privacyfinder.org

[p3ptoolbox1-10] "Section 1 Why Implement P3P?". Archived from the original on 2002-09-07.

[epicreports-11] "Pretty Poor Privacy: An Assessment of P3P and Internet Privacy". Electronic Privacy Information Center. June 2000.

[12] "P3P: Pretty Poor Privacy? By Karen Coyle".

[13] Tech Republic: Despite big-name support, new privacy standard slow to catch on, June 10, 2002

[14] 2006 Privacy Policy Trends Report

[15] Fair Information Practices In The Electronic Marketplace, 2000

[16] "225287 - Remove p3p from the default build".

[17] "P3P: Protector of Consumers' Online Privacy". 17 August 2001.

[18] "Data protection".

[cpglaw-19] "ConsumerPrivacyGuide.org | Law Protection". Archived from the original on 2002-02-06. Retrieved 2008-03-08.

[20] W3C P3P site

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

@@ Line 1: / Line 1: @@
+{{Short description|Platform for website privacy preferences}}
 {{for|the PlayStation Portable video game|Persona 3 Portable}}
+{{Infobox technology standard
-The '''Platform for Privacy Preferences Project''' ('''P3P''') is a [[protocol (computing)|protocol]] allowing [[website]]s to declare their intended use of information they collect about [[web browser]] users.  Designed to give users more control of their personal information when browsing, P3P was developed by the [[World Wide Web Consortium]] (W3C) and officially recommended on April 16, 2002.  Development ceased shortly thereafter and there have been very few implementations of P3P.  Microsoft [[Internet Explorer]] and [[Microsoft Edge|Edge]] were the only major browsers to support P3P.  The president of [[TRUSTe]] has stated that P3P has not been implemented widely due to the difficulty and lack of value.<ref>[http://bits.blogs.nytimes.com/2010/09/17/a-loophole-big-enough-for-a-cookie-to-fit-through/ A Loophole Big Enough for a Cookie to Fit Through]</ref>
+| title             = P3P
+| long_name         = Platform for Privacy Preferences
+| native_name       = Platform for Privacy Preferences
+| native_name_lang  = en
+| image             =
+| caption           =
+| status            = Retired
+| year_started      = <!-- {{Start date|YYYY|MM|DD|df=y}} -->
+| first_published   = {{Start date|2002|04|16|df=y}}<ref name="w3c-history">{{Cite web|url=https://www.w3.org/standards/history/P3P11|title=The Platform for Privacy Preferences 1.1 (P3P1.1) Specification Publication History - W3C|website=W3C|access-date=2021-04-04}}</ref><ref name="w3c-page">{{Cite web|url=https://www.w3.org/TR/P3P11/|title=The Platform for Privacy Preferences 1.1 (P3P1.1) Specification
+|editor-first1=Rigo|editor-last1=Wenning
+|editor-first2=Schunter|editor-last2=Matthias
+|author-first1=Lorrie|author-last1=Cranor
+|author-first2=Brooks|author-last2=Dobbs
+|author-first3=Serge|author-last3=Egelman
+|author-first4=Giles|author-last4=Hogben
+|author-first5=Jack|author-last5=Humphrey
+|author-first6=Marc|author-last6=Langheinrich
+|author-first7=Massimo|author-last7=Marchiori
+|author-first8=Joseph|author-last8=Reagle
+|author-first9=Matthias|author-last9=Schunter
+|author-first10=David A.|author-last10=Stampley
+|author-first11=Rigo|author-last11=Wenning
+|access-date=2021-04-04}}</ref>
+| version           = 1.1 <ref name="w3c-page" />
+| version_date      =
+| preview           =
+| preview_date      =
+| organization      =
+| committee         = P3P Specification Working Group<ref name="w3c-page" />
+| editors           = {{Plainlist|
+* Rigo Wenning<ref name="w3c-page" />
+* Matthias Schunter<ref name="w3c-page" />
+}}
+| authors           = {{Plainlist|
+* [[Lorrie Cranor]]<ref name="w3c-page" />
+* Brooks Dobbs<ref name="w3c-page" />
+* Serge Egelman<ref name="w3c-page" />
+* Giles Hogben<ref name="w3c-page" />
+* Jack Humphrey<ref name="w3c-page" />
+* Marc Langheinrich<ref name="w3c-page" />
+* [[Massimo Marchiori]]<ref name="w3c-page" />
+* Martin Presler-Marshall<ref name="w3c-page" />
+* [[Joseph M. Reagle Jr.|Joseph Reagle]]<ref name="w3c-page" />
+* Matthias Schunter<ref name="w3c-page" />
+* David A. Stampley<ref name="w3c-page" />
+* Rigo Wenning<ref name="w3c-page" />
+}}
+| base_standards    = {{Plainlist|
+* [[HTTP]]
+* [[XML]]
+}}
+| related_standards =
+| abbreviation      = P3P
+| domain            =
+| license           =
+| website           = {{URL|https://www.w3.org/TR/P3P11/}}
+}}
+The '''Platform for Privacy Preferences Project''' ('''P3P''') is an obsolete [[protocol (computing)|protocol]] allowing [[website]]s to declare their intended use of information they collect about [[web browser]] users. Designed to give users more control of their [[personal information]] when browsing, P3P was developed by the [[World Wide Web Consortium]] (W3C) and officially recommended on April 16, 2002.  Development ceased shortly thereafter and there have been very few implementations of P3P. [[Internet Explorer]] and [[Microsoft Edge]] were the only major browsers to support P3P. [[Microsoft]] has ended support from [[Windows 10]] onwards. Internet Explorer and Edge on Windows 10 no longer support P3P.<ref>{{cite web |url= https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/mt146424(v=vs.85) |title=P3P is no longer supported |date=15 December 2016 |work=Microsoft Docs |access-date=8 July 2020}}</ref> The president of [[TRUSTe]] has stated that P3P has not been implemented widely due to the difficulty and lack of value.<ref>{{cite news |title=A Loophole Big Enough for a Cookie to Fit Through |first=Riva |last=Richmond |url= https://bits.blogs.nytimes.com/2010/09/17/a-loophole-big-enough-for-a-cookie-to-fit-through/ |newspaper=The New York Times: Bits |date=17 September 2010 |access-date=8 July 2020}}</ref>
 ==Purpose==
-As the [[World Wide Web]] became a genuine medium in which to sell products and services, [[electronic commerce]] websites tried to collect more information about the people who purchased their merchandise. Some companies used controversial practices such as tracker [[HTTP cookie|cookies]] to ascertain the users' [[demographic profile|demographic]] information and buying habits, using this information to provide specifically targeted advertisements. Users who saw this as an invasion of [[privacy]] would sometimes turn off HTTP cookies or use [[anonymous proxy server|proxy server]]s to keep their personal information secure. P3P is designed to give users a more precise control of the kind of information that they allow to release. According to the W3C the main goal of P3P “is to increase user trust and confidence in the Web through technical empowerment.”<ref name="p3ptoolbox2">http://www.p3ptoolbox.org/guide/section2.shtml</ref>
+As the [[World Wide Web]] became a genuine medium in which to sell products and services, [[electronic commerce]] websites tried to collect more information about the people who purchased their merchandise. Some companies used controversial practices such as tracker [[HTTP cookie|cookies]] to ascertain the users' [[demographic profile|demographic]] information and buying habits, using this information to provide specifically targeted advertisements. Users who saw this as an invasion of [[privacy]] would sometimes turn off HTTP cookies or use [[anonymous proxy server|proxy server]]s to keep their personal information secure. P3P was designed to give users a more precise control of the kind of information that they allow to release. According to the W3C, the main goal of P3P "is to increase user trust and confidence in the Web through technical empowerment".<ref>{{cite web|title=Michael Young – Binäre Optionen – Tipps und Tricks – p3ptoolbox.org|url=http://www.p3ptoolbox.org/author/blogadmin/|website=www.p3ptoolbox.org|language=de-DE}}</ref>
-P3P is a machine-readable language that helps to express a website’s data management practices. P3P manages information through privacy policies. When a website uses P3P, they set up a set of policies that allows them to state their intended uses of personal information that may be gathered from their site visitors. When a user decides to use P3P, they set their own set of policies and state what personal information they will allow to be seen by the sites that they visit. Then when a user visits a site, P3P will compare what personal information the user is willing to release, and what information the server wants to get – if the two do not match, P3P will inform the user and ask if he/she is willing to proceed to the site, and risk giving up more personal information.<ref name="p3ptoolbox2" /> As an example, a user may store in the browser preferences that information about their browsing habits should not be collected. If the policy of a Website states that a cookie is used for this purpose, the browser automatically rejects the cookie.
+P3P is a machine-readable language that helps to express a website’s data management practices. P3P manages information through privacy policies. When a website used P3P, they set up a set of policies that allows them to state their intended uses of personal information that may be gathered from their site visitors. When a user decided to use P3P, they set their own set of policies and state what personal information they will allow to be seen by the sites that they visit. Then when a user visited a site, P3P will compare what personal information the user is willing to release, and what information the server wants to get – if the two do not match, P3P would inform the user and ask if he/she is willing to proceed to the site, and risk giving up more personal information.<ref name="p3ptoolbox2">{{cite web |url=http://www.p3ptoolbox.org/guide/section2.shtml |url-status=dead |archive-url=https://web.archive.org/web/20020612084749/http://www.p3ptoolbox.org/guide/section2.shtml |archive-date=2002-06-12 |title=Section 2 What is P3P and How Does it Work?}}</ref> As an example, a user may store in the browser preferences that information about their browsing habits should not be collected. If the policy of a Website stated that a cookie is used for this purpose, the browser would automatically reject the cookie.
 The main content of a privacy policy is the following:
 * which information the server stores:
 ** which kind of information is collected (identifying or not);
-** which particular information is collected (IP address, email address, name, etc.);
+** which particular information is collected ([[IP address]], [[email address]], name, etc.);
 * use of the collected information:
 ** how this information is used (for regular navigation, tracking, personalization, telemarketing, etc.);
@@ Line 23: / Line 82: @@
 # specified in the [[HTTP]] header of the document
 # specified in the [[HTML]] head of the document
-# if none of the above is specified, the ''well-known location'' <tt>/w3c/p3p.xml</tt> is used (for a similar location compare <tt>[[Favicon|/favicon.ico]]</tt>)
+# if none of the above is specified, the ''well-known location'' <code>/w3c/p3p.xml</code> is used (for a similar location compare <code>[[Favicon|/favicon.ico]]</code>)
-P3P allows to specify a <code>max-age</code> for caching. A dummy <tt>/w3c/p3p.xml</tt> file could use this feature:
+P3P allows to specify a <code>max-age</code> for caching. A dummy <code>/w3c/p3p.xml</code> file could use this feature:
-<source lang="xml">
+<syntaxhighlight lang="xml">
 <META xmlns="http://www.w3.org/2002/01/P3Pv1">
   <POLICY-REFERENCES>
@@ Line 32: / Line 91: @@
   </POLICY-REFERENCES>
 </META>
+</syntaxhighlight>
-</source>
 ==User agent support==
 [[Image:IE P3P Policy.png|thumb|[[Yahoo!|Yahoo!'s]] P3P policy as viewed in [[Internet Explorer]] 6.]]
-[[Microsoft]]'s [[Internet Explorer]] and [[Microsoft Edge|Edge]] were the only mainstream web browsers that supported P3P.<ref name=p3psupport>[http://dev.modern.ie/platform/status/platformforprivacypreferences10p3p10/ Internet Explorer's and Edge's P3P Support]</ref> Other browsers have not implemented it due to the perceived lack of value it provides. IE provides the ability to display P3P privacy policies, and compare the P3P policy with the browser's settings to decide whether or not to allow cookies from a particular site. However, the P3P functionality in Internet Explorer extends only to cookie blocking, and will not alert the user to an entire web site that violates active privacy preferences.  Microsoft considers the feature deprecated in its browsers and totally removed P3P support on Windows 10.<ref name=p3psupport />
+[[Microsoft]]'s [[Internet Explorer]] and [[Microsoft Edge|Edge]] were the only mainstream web browsers that supported P3P.<ref name=p3psupport>{{Cite web |url=https://developer.microsoft.com/en-us/microsoft-edge/platform/status/platformforprivacypreferences10p3p10/ |title=Internet Explorer's and Edge's P3P Support |access-date=2018-01-25 |archive-date=2018-01-26 |archive-url=https://web.archive.org/web/20180126012442/https://developer.microsoft.com/en-us/microsoft-edge/platform/status/platformforprivacypreferences10p3p10/ |url-status=dead }}</ref> Other browsers have not implemented it due to the perceived lack of value it provides. IE provides the ability to display P3P privacy policies, and compare the P3P policy with the browser's settings to decide whether or not to allow cookies from a particular site. However, the P3P functionality in Internet Explorer extends only to cookie blocking, and will not alert the user to an entire web site that violates active privacy preferences.  Microsoft considers the feature deprecated in its browsers and totally removed P3P support on Windows 10.<ref name=p3psupport />
 [[Mozilla]] supported some P3P features for a few years, but all P3P related source code was removed by 2007.<ref>[https://bugzilla.mozilla.org/show_bug.cgi?id=225287 Bug 225287 - Remove p3p from the default build]</ref>
-The Privacy Finder<ref>[http://www.privacyfinder.org/ www.privacyfinder.org]</ref> service was also created by [[Carnegie Mellon University|Carnegie Mellon's]] [[CUPS (CMU)|Usable Privacy and Security Laboratory]]. It is a publicly available "P3P-enabled search engine." A user can enter a search term along with their stated privacy preferences, and is then presented with a list of search results which are ordered based on whether the sites comply with their preferences. This works by crawling the web and maintaining a P3P cache for every site that ever appears in a search query. The cache is updated every 24 hours so that every policy is guaranteed to be relatively up to date. The service also allows users to quickly determine why a site does not comply with their preferences, as well as allowing them to view a dynamically generated natural language privacy policy based on the P3P data. This is advantageous over simply reading the original natural language privacy policy on a web site because many privacy policies are written in legalese and are extremely convoluted. Additionally, in this case the user does not have to visit the web site to read its privacy policy.
+The Privacy Finder<ref>[http://www.privacyfinder.org/ www.privacyfinder.org]</ref> service was also created by [[Carnegie Mellon University|Carnegie Mellon's]] [[CUPS (CMU)|Usable Privacy and Security Laboratory]]. It is a publicly available "P3P-enabled search engine." A user can enter a search term along with their stated privacy preferences, and is then presented with a list of search results which are ordered based on whether the sites comply with their preferences. This works by crawling the web and maintaining a P3P cache for every site that ever appears in a search query. The [[Cache (computing)|cache]] is updated every 24 hours so that every policy is guaranteed to be relatively up to date. The service also allows users to quickly determine why a site does not comply with their preferences, as well as allowing them to view a dynamically generated natural language privacy policy based on the P3P data. This is advantageous over simply reading the original natural language privacy policy on a web site because many privacy policies are written in legalese and are extremely convoluted. Additionally, in this case the user does not have to visit the web site to read its privacy policy.
 ==Benefits==
-P3P allows browsers to understand their privacy policies in a simplified and organized manner rather than searching throughout the entire website. By setting privacy settings on a certain level, the user enables P3P to automatically block any cookies that the user might not want on his computer. Additionally, the W3C explains that P3P will allow browsers to transfer user data to services, ultimately promoting an online sharing community.
+P3P allows browsers to understand their privacy policies in a simplified and organized manner rather than searching throughout the entire website. By setting privacy settings on a certain level, the user enables P3P to automatically block any cookies that the user might not want on their computer. Additionally, the W3C explains that P3P will allow browsers to transfer user data to services, ultimately promoting an online sharing community.
-Additionally, the P3P Toolbox<ref name="p3ptoolbox1">http://www.p3ptoolbox.com/guide/section1.shtml</ref> developed by the Internet Education Foundation recommends that anyone who is concerned about increasing their users’ trust and privacy should consider implementing P3P. The P3P toolbox site explains how companies have taken individuals data in order to promote new products or services. Furthermore, in recent years companies have taken individuals information and created profiles, which they then market without the individuals consent. Moreover, all this data is misused and we as consumers pay the price and become worrisome of issues such as: junk mail, identity theft and forms of discrimination; therefore implementing P3P's protocol is good and beneficial for internet browsers.
+Additionally, the P3P Toolbox<ref name="p3ptoolbox1">{{cite web |url=http://www.p3ptoolbox.com/guide/section1.shtml |url-status=dead |archive-url=https://web.archive.org/web/20020907163701/http://www.p3ptoolbox.com/guide/section1.shtml |archive-date=2002-09-07 |title=Section 1 Why Implement P3P?}}</ref> developed by the Internet Education Foundation recommends that anyone who is concerned about increasing their users’ trust and privacy should consider implementing P3P. The P3P toolbox site explains how companies have taken individuals data in order to promote new products or services. Furthermore, in recent years companies have taken individuals information and created profiles, which they then market without the individual's consent. Moreover, all this data is misused and we as consumers pay the price and become worrisome of issues such as: junk mail, [[identity theft]] and forms of discrimination; therefore implementing P3P's protocol is good and beneficial for internet browsers.
 Moreover, since there has been an increase of browsers there are more users at risk running into privacy problems. But the Internet Education Foundation points out that, “P3P has been developed to help steer the force of technology a step further toward automatic communication of data management practices and individual privacy preferences.”<ref name="p3ptoolbox1" />
@@ Line 53: / Line 112: @@
 ==Criticisms==
 The [[Electronic Privacy Information Center]] (EPIC) has been critical of P3P and believes P3P makes it too difficult for users to protect their privacy.<ref name="epicreports">{{cite web|url=https://epic.org/reports/prettypoorprivacy.html|title=Pretty Poor Privacy: An Assessment of P3P and Internet Privacy|date=June 2000|publisher=Electronic Privacy Information Center}}</ref>
-In 2002 it assessed P3P, and referred to the technology as a “Pretty Poor Policy”.<ref name="epicreports" /> According to the EPIC, some P3P software is too complex and difficult for the average person to understand, and many Internet users are unfamiliar with how to use the default P3P software on their computers or how to install additional P3P software. Another concern is that websites are not obligated to use P3P, and neither are Internet users. P3P has been known to undermine public confidence by collecting enormous amounts of information that can be used against its user. Moreover, the EPIC website claims that P3Ps protocol would become burdensome for the browser and not as beneficial or efficient as it was intended to be.
+In 2002 it assessed P3P and referred to the technology as a "Pretty Poor Policy".<ref name="epicreports" /> According to EPIC, some P3P software is too complex and difficult for the average person to understand, and many Internet users are unfamiliar with how to use the default P3P software on their computers or how to install additional P3P software. Another concern is that websites are not obligated to use P3P, and neither are Internet users. Moreover, the EPIC website claims that P3Ps protocol would become burdensome for the browser and not as beneficial or efficient as it was intended to be.
+A key problem that occurs with the use of P3P is that there is a lack of enforcement. Thus, promises made to users of P3P can go unfulfilled. Though by using P3P a company/website makes a promise of privacy and of the use of gathered data to the site’s users, there are no real legal ramifications if the company decides to use the information for other functions. Currently, there are no actual laws that have been passed by the [[United States]] about data protection. Though, ideally, companies should be honest as to their use of customers' personal information, there is no binding reason that the company must actually adhere to the rules it says it will comply by. Though using P3P technically qualifies as a contract, the lack of federal regulation downplays the need for companies to abide.<ref>{{Cite web|url=http://www.kcoyle.net/p3p.html|title=P3P: Pretty Poor Privacy? By Karen Coyle}}</ref>
-The basic idea of privacy protection can be misleading to the visitors on the site.  For example, people think that their privacy is actually being protected, but it is not. P3P facilitates data collection from websites.  If the actual intention of P3P was to protect visitors to web sites then the information gathering would not be so easy to pass along personal information.  Also, people who visit websites where P3P is present are uninformed and misunderstand the level of privacy that P3P provides.  There needs to be more effective ways of educating people on the level of privacy and what P3P actually does to protect people.
+The agreement to use P3P not only puts in place unenforceable promises, but it also prolongs the adoption of federal laws that would actually inhibit the access and ability to use private information. If the government were to step in and attempt to protect Internet users with federal laws on what information can be accessed, and specific regulations on how user information can be used, companies would not maintain the leeway they do now to use information as they please, despite what they may actually tell users. In 2002, then EPIC employee Chris Hoofnagle argued that P3P was displacing chances for government regulation of privacy.<ref>[https://archive.today/20120707050136/http://articles.techrepublic.com.com/5100-10878-1059571.html Tech Republic: Despite big-name support, new privacy standard slow to catch on], June 10, 2002</ref>
-Another main concern is that the data collected does not have an expiration date.  People who buy something on the internet will have that information saved for an indefinite amount of time, whether it will be recorded for a year or ten.  This problem has led people to question where their information is being distributed to and for how long third parties will have access to their information.  The idea that people’s personal information can be distributed to other people for an indeterminate amount of time makes people very uncomfortable.
+Critics of P3P also argue that non-compliant sites are excluded. According to a study done by CyLab Privacy Interest Group at [[Carnegie Mellon University]]<ref>[http://www.chariotsfire.com/pub/cpig-jan2007.pdf 2006 Privacy Policy Trends Report]</ref> only 15% of the top 5,000 websites incorporate P3P. Therefore, many sites that do not include the code but do practice high privacy standards will not be accessible to users who use P3P as their only online privacy guide.
-A key problem that occurs with the use of P3P is that there is a lack of enforcement. Thus, promises made to users of P3P can go unfulfilled. Though by using P3P a company/website makes a promise of privacy and of the use of gathered data to the site’s users, there are no real legal ramifications if the company decides to use the information for other functions. Currently, there are no actual laws that have been passed by the [[United States]] about data protection. Though it would be nice to be able to trust every company that states its use for our information, there is no binding reason that the company must actually adhere to the rules it says it will comply by. Though using P3P technically qualifies as a contract, the lack of federal regulation downplays the need for companies to abide.<ref>http://www.kcoyle.net/p3p.html</ref>
+EPIC also talks about how the development and implementation of P3P can cause a monopoly of private information. Since it tends to be only major companies who implement P3P on their websites, only these major companies are tending to then gather this information seeing as only their privacy policies can compare to privacy preferences of users. The EPIC website says, "The incredible complexity of P3P, combined with the way that popular browsers are likely to implement the protocol would seem to preclude it as a privacy-protective technology," EPIC continues on to state, "Rather, P3P may actually strengthen the monopoly position over personal information that U.S. data marketers now enjoy."<ref name="epicreports" />
-The agreement to use P3P not only puts in place unenforceable promises, but it also prolongs the adoption of federal laws that would actually inhibit the access and ability to use private information. If the government were to step in and attempt to protect Internet users with federal laws on what information can be accessed, and specific regulations on how user information can be used, companies wouldn’t maintain the leeway they do now to use information as they please, despite what they may actually tell users. In 2002, then EPIC employee Chris Hoofnagle argued that P3P was displacing chances for government regulation of privacy.<ref>[http://archive.is/20120707050136/http://articles.techrepublic.com.com/5100-10878-1059571.html Tech Republic: Despite big-name support, new privacy standard slow to catch on], June 10, 2002</ref>
+The failure for its immediate adoption can be related to the idea of it being a notice and choice approach that does not comply with the Fair Information Practices. According to the Chairman of the FTC,<ref>[http://www.ftc.gov/reports/privacy2000/privacy2000.pdf Fair Information Practices In The Electronic Marketplace, 2000]</ref> privacy laws are key in today’s society in order to protect the consumer from providing too much personal information for others’ benefit. Some believe that there should be a limit to the collection and use of the consumer’s personal data online. Currently, sites are not required under any United States laws to comply with the privacy policies they publish, therefore P3P causes some controversy with consumers who are concerned about the release of their personal information and are only able to rely on P3P’s protocol to protect their privacy.
-Critics of P3P also argue that non-compliant sites are excluded. According to a study done by CyLab Privacy Interest Group at [[Carnegie Mellon University]] <ref>[http://www.chariotsfire.com/pub/cpig-jan2007.pdf 2006 Privacy Policy Trends Report]</ref> only 15% of the top 5,000 websites incorporate P3P. Therefore, many sites that don’t include the code but do practice high privacy standards will not be accessible to users who use P3P as their only online privacy guide.
+Michael Kaply from [[IBM]] is reported saying the following when the [[Mozilla Foundation]] was considering the removal of P3P support from their browser-line in 2004:<ref>{{Cite web|url=https://bugzilla.mozilla.org/show_bug.cgi?id=225287#c12|title = 225287 - Remove p3p from the default build}}</ref>
-EPIC, the technology's obviously largest critic, also talks about how the development and implementation of P3P can cause a monopoly of private information. Since it tends to be only major companies who implement P3P on their websites, only these major companies are tending to then gather this information seeing as only their privacy policies can compare to privacy preferences of users. The EPIC website says, "The incredible complexity of P3P, combined with the way that popular browsers are likely to implement the protocol would seem to preclude it as a privacy-protective technology," EPIC continues on to state, "Rather, P3P may actually strengthen the monopoly position over personal information that U.S. data marketers now enjoy."<ref name="epicreports" />
-The failure for its immediate adoption can be related to the idea of it being a notice and choice approach that doesn’t comply with the Fair Information Practices. According to the Chairman of the FTC,<ref>[http://www.ftc.gov/reports/privacy2000/privacy2000.pdf Fair Information Practices In The Electronic Marketplace, 2000]</ref> privacy laws are key in today’s society in order to protect the consumer from providing too much personal information for others’ benefit. Some believe that there should be a limit to the collection and use of the consumer’s personal data online. Currently sites are not required under any United States laws to comply with the privacy policies they publish, therefore P3P causes some controversy with consumers who are concerned about the release of their personal information and are only able to rely on P3P’S protocol to protect their privacy.
-As people become comfortable with P3P, the technology may be limiting the perceived need of related privacy legislation.
-Michael Kaply from IBM is reported saying the following when the [[Mozilla Foundation]] was considering the removal of P3P support from their browser-line in 2004:<ref>https://bugzilla.mozilla.org/show_bug.cgi?id=225287#c12</ref>
 <blockquote>
-''Ah the memories.''
+Ah the memories.
-''We (IBM) wrote the original P3P implementation and then Netscape proceeded to write their own. So both our companies wasted immense amounts of time that everyone thought was a crappy proposal to begin with.''
+We (IBM) wrote the original P3P implementation and then [[Netscape]] proceeded to write their own. So both our companies wasted immense amounts of time that everyone thought was a crappy proposal to begin with.
-''Remove it.''
+Remove it.
 </blockquote>
-Live Leer, a PR manager for [[Opera Software]], explained in 2001 the deliberate lack of P3P support in their browser:<ref>http://www.informationweek.com/story/IWK20010816S0004</ref>
+Live Leer, a PR manager for [[Opera Software]], explained in 2001 the deliberate lack of P3P support in their browser:<ref>{{Cite web|url=http://www.informationweek.com/story/IWK20010816S0004|title = P3P: Protector of Consumers' Online Privacy|date = 17 August 2001}}</ref>
 <blockquote>
-''At the moment, we aren't sure whether P3P is the best solution.''
+At the moment, we aren't sure whether P3P is the best solution.
-''P3P is among the specifications we are considering for support in the future. There have been some issues with how well P3P will protect privacy, and for that reason we have decided to wait until these are resolved.''
+P3P is among the specifications we are considering for support in the future. There have been some issues with how well P3P will protect privacy, and for that reason we have decided to wait until these are resolved.
 </blockquote>
@@ Line 92: / Line 145: @@
 P3P user agents are not the only option available for Internet users that want to ensure their [[Internet privacy|privacy]]. Several of the main alternatives to P3P include using web browsers' [[privacy mode]], [[Anonymous remailer|anonymous e-mailers]] and [[Anonymizer|anonymous proxy servers]].
-The main alternative to P3P may not be these technologies, but instead stronger laws to regulate what kind of information from Internet users can be collected and retained by websites. For example, in Europe the [[Data Protection Directive]] provides individuals with a certain set of principles about how personal information is collected and the person's rights to protecting their personal data.<ref>http://ec.europa.eu/justice_home/fsj/privacy/law/index_en.htm</ref> The act allows individuals to control the type of information that is being collected from them. Various principles are included within the act, such the rule that individual has the right to retrieve the data collected about them at any time under certain conditions. Moreover, the individual's personal information cannot be kept longer than necessary, and personal information cannot be released to others unless the individual gives their consent.
+The main alternative to P3P may not be these technologies, but instead stronger laws to regulate what kind of information from Internet users can be collected and retained by websites. For example, in Europe, the [[General Data Protection Regulation]] provides individuals with a certain set of principles about how personal information is collected and the person's rights to protecting their personal data.<ref>{{Cite web|url=https://ec.europa.eu/info/law/law-topic/data-protection_en|title = Data protection}}</ref> The act allows individuals to control the type of information that is being collected from them. Various principles are included within the act, such as the rule that individual has the right to retrieve the data collected about them at any time under certain conditions. Moreover, the individual's personal information cannot be kept longer than necessary, and not be used for purposes other than those agreed upon to begin with.
-Currently, the United States has no federal law protecting the privacy of personal information shared online. However, there are some sectoral laws at the federal and state level that offer some protection for certain types of information collected about individuals.<ref name="cpglaw">http://www.consumerprivacyguide.org/law/</ref> For example, the [[Fair Credit Reporting Act]] (FCRA) of 1970 makes it legal for consumer reporting agencies to disclose personal information only under three specified circumstances: credit, employment or insurance evaluation; government grant or license; or a “legitimate business need” that involves the consumer. A list of other sectoral privacy laws in the United States can be viewed at the Consumer Privacy Guide's website.<ref name="cpglaw" />
+Currently, the United States has no federal law protecting the privacy of personal information shared online. However, there are some sectoral laws at the federal and state level that offer some protection for certain types of information collected about individuals.<ref name="cpglaw">{{cite web |url=http://www.consumerprivacyguide.org/law/ |title=ConsumerPrivacyGuide.org &#124; Law Protection |access-date=2008-03-08 |url-status=dead |archive-url=https://web.archive.org/web/20020206070232/http://www.consumerprivacyguide.org/law/ |archive-date=2002-02-06 }}</ref> For example, the [[Fair Credit Reporting Act]] (FCRA) of 1970 makes it legal for consumer reporting agencies to disclose personal information only under three specified circumstances: credit, employment or insurance evaluation; government grant or license; or a “legitimate business need” that involves the consumer. A list of other sectoral privacy laws in the United States can be viewed at the Consumer Privacy Guide's website.<ref name="cpglaw" />
 ==The future of P3P==
@@ Line 107: / Line 160: @@
 * [[Identity management]]
 * [[Privacy policy]]
-* [[Do Not Track]]
+* [[Do Not Track]], a no longer official HTTP header that had a similar purpose to P3P.
 ==References==
@@ Line 117: / Line 170: @@
 **[http://www.w3.org/TR/P3P11/ W3C P3P 1.1 Specification], published as a Note in 2006
 *[https://web.archive.org/web/20081011192932/http://msdn2.microsoft.com/en-us/library/ms537343.aspx P3P in Internet Explorer 6] ([https://web.archive.org/web/20140330033325/http://msdn.microsoft.com/en-us/library/ms537343.aspx Archived version from March 2014])
-*[http://www.cdt.org/privacy/pet/p3pprivacy.shtml Center for Democracy and Technology: P3P Privacy]
+*[https://web.archive.org/web/20071217115144/http://www.cdt.org/privacy/pet/p3pprivacy.shtml Center for Democracy and Technology: P3P Privacy]
-*[https://www.facebook.com/help/?page=219494461411349 Facebook's statement on P3P]
+*[https://www.facebook.com/help/?page=219494461411349 Facebook's statement on P3P] {{Webarchive|url=https://web.archive.org/web/20220608050830/https://www.facebook.com/help/?page=219494461411349 |date=2022-06-08 }}
 *[https://support.google.com/accounts/bin/answer.py?hl=en&answer=151657 Google's statement on P3P]
@@ Line 124: / Line 177: @@
 {{DEFAULTSORT:P3p}}
-[[Category:World Wide Web]]
+[[Category:Web technology]]
 [[Category:World Wide Web Consortium standards]]