The P3P basics

This fall, Microsoft Corp. is expected to release Internet Explorer 6.0, the latest version of its Web browser. IE 6.0 will contain features designed to give users more control over cookies and more information about the privacy practices of the Web sites they visit.

The browser will look for machine-readable privacy policies on sites that use a new standard known as P3P, developed by the World Wide Web Consortium (W3C) through its Platform for Privacy Preferences Project. For the first time, millions of Web site visitors will be looking for P3P statements. Fortunately, it is easy for agencies that already have privacy policies to create a P3P statement. All it takes is an understanding of P3P, knowledge of your privacy practices, and a technical person or team that knows how your site is structured and a little bit about the new Web standards.

Basically, P3P is a set of multiple-choice questions covering the major elements of a Web site's privacy practices. The answers present a picture of how a site handles personal information about its users. P3P-enabled Web sites make this information available in a standard Extensible Markup Language format, which P3P-enabled Web browsers automatically "read" and compare with the user's privacy preferences.

Think of the security "lock" feature that has been built into most browsers. The lock is engaged when a Web page transmits data, such as credit-card information, through an encrypted server; otherwise, the site is unlocked. This gives consumers an easy way to understand the security features on the site. P3P browser designers are trying to build similar interfaces for privacy.

IBM Corp. and others already have working P3P policy generators. Depending on the size and complexity of a Web site, it should only take a few hours for a Webmaster and a Privacy Act officer to complete the policy.

Here's how to convert a policy in five steps (a more detailed version with helpful links is available from W3C at

    * Review your current policy with its authors to ensure that you understand all the types of data being collected on the site.

    * Decide which policies apply to which pages. Many sites have more than one policy depending on how many data collection techniques are used on various pages. Most agencies probably only need two policies: one that covers all of the forms on a site and one for pages where users do not manually input information.

    * Select a P3P policy generator. IBM, Invisible Hand Software LLC and YOU.powered Inc. offer generators.

    * Enter the necessary information into the P3P generator.

    * Use the generator to create a policy reference file. This file will instruct Web browsers where to look for the P3P policy on any given page. You should then upload the P3P policy files and the policy reference file to your server's root directory.

The W3C site offers a P3P validator that will alert you to errors on a page.
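As an added illustration (not from the article, and not code from any of the generators it names), the checker below reads a policy reference file of the kind step five produces and reports which P3P policy applies to a given page, the same lookup a P3P-enabled browser performs before comparing the policy with the user's preferences. The sample file, its paths and its policy names are constructed; the example assumes the first matching POLICY-REF wins and matches on the URL path only.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespace used by P3P 1.0 policy reference files.
P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed sample: one policy for pages with forms, one for plain browsing,
# with an internal area that no policy covers. A site serves this file at the
# well-known location /w3c/p3p.xml so browsers can find it for any page.
SAMPLE_PRF = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="/w3c/policies.xml#forms">
      <INCLUDE>/forms/*</INCLUDE>
      <INCLUDE>/cgi-bin/*</INCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/w3c/policies.xml#browse">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/internal/*</EXCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>"""


def _pattern_to_regex(pattern):
    # INCLUDE/EXCLUDE patterns use '*' as their only wildcard; escape the rest.
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def parse_policy_refs(xml_text):
    """Return a list of (policy URI, include regexes, exclude regexes) in file order."""
    root = ET.fromstring(xml_text)
    refs = []
    for ref in root.iter(P3P_NS + "POLICY-REF"):
        includes = [_pattern_to_regex(e.text.strip()) for e in ref.findall(P3P_NS + "INCLUDE")]
        excludes = [_pattern_to_regex(e.text.strip()) for e in ref.findall(P3P_NS + "EXCLUDE")]
        refs.append((ref.get("about"), includes, excludes))
    return refs


def policy_for(url, refs):
    """Return the policy URI covering `url`, or None if no reference applies."""
    path = urlsplit(url).path or "/"  # simplification: query string is ignored
    for about, includes, excludes in refs:
        # A page is covered when it matches an INCLUDE and no EXCLUDE of the
        # same reference; the first reference that covers it is used (assumed rule).
        if any(r.match(path) for r in includes) and not any(r.match(path) for r in excludes):
            return about
    return None
```

A page that falls through to None is one a browser will treat as having no P3P policy, which is exactly what the W3C validator helps you catch before users do.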

Schwartz is a policy analyst at the Center for Democracy and Technology in Washington, D.C.
