February 21, 2008

P3P: The Platform for Privacy Preferences

My introduction to P3P was purely out of need. I maintain a website where we were using Google Analytics to count our users but we noticed that a disproportionate number of Firefox users were being reported. Further inspection revealed that visits from over half of our Internet Explorer users were not being recorded.

This web site appeared within an iframe on a different domain than the frame parent, and we noticed that the Google Analytics cookies were not being set in the default Internet Explorer environment with a medium privacy setting. A privacy icon also appeared in Internet Explorer's status bar, indicating that site cookies have been blocked.

Why does this cross-domain cookie issue only manifest itself in Internet Explorer 6 and Internet Explorer 7?

It turns out that Firefox and Internet Explorer have different definitions for "third-party" cookies. In IE, a cookie is considered to be "third-party" if the cookie's domain differs from the domain shown in the address bar (even if the domain of the cookie is the same as the domain of the page that is setting the cookie). In Firefox, a cookie is considered to be "third-party" if the domain of the cookie is different from the domain of the page that is setting the cookie (regardless of the address that appears in the location bar).

Here is a summary of what you need to do in order to allow third-party cookies to be set in IE:


  1. Create a human-readable privacy policy for your web site (i.e. in HTML)

  2. Translate the human-language privacy policy into an XML document using IBM's P3P Policy Editor (considered to be the best free tool available).

  3. IBM's P3P Policy Editor will also generate a P3P compact policy for you.

  4. Emit a compact policy and a reference to the full privacy policy in the HTTP header of your web page

  5. Place your policy reference XML file (p3p.xml) and policy XML file (policy.xml) in the well-known location set forth by the P3P standard (/w3c/p3p.xml and /w3c/policy.xml)

  6. If your privacy policy is satisfactory, your web page will be permitted to set cookies. This MSDN article contains a table of things that will make your privacy policy unsatisfactory.

Although the P3P standard specifies that only the XML policy files in the well-known location and human-readable privacy policy are necessary and sufficient, IE6 doesn't work that way. IE6 only honours the compact policy (and ignores every other implementation method). IE7 behaves as expected.
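Steps 4 and 5 as an added example (not the author's code): a WSGI middleware that puts the P3P header, carrying both the policy reference and the compact policy, on every response and serves the files at the well-known location. The compact policy tokens, the "#policy" fragment and the framed_page app are constructed placeholders; the real token string and policy.xml are whatever the policy editor generates from your actual policy.

```python
# Added example, not the author's code: WSGI middleware for steps 4 and 5.
P3P_REF_PATH = "/w3c/p3p.xml"        # well-known location named in step 5
POLICY_PATH = "/w3c/policy.xml"
COMPACT_POLICY = "NOI DSP COR NID CURa ADMa DEVa OUR"  # constructed sample; use the editor's output
# Policy reference file; the "#policy" fragment is an assumed policy name.
POLICY_REFERENCE_XML = b"""<META xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY-REFERENCES>
  <POLICY-REF about="/w3c/policy.xml#policy">
   <INCLUDE>/*</INCLUDE>
   <COOKIE-INCLUDE name="*" value="*" domain="*" path="*"/>
  </POLICY-REF>
 </POLICY-REFERENCES>
</META>"""

def p3p_header_value(policyref=P3P_REF_PATH, compact=COMPACT_POLICY):
    """Build the P3P header value: policy reference plus compact policy."""
    if any(c in policyref + compact for c in '"\r\n'):
        raise ValueError("quote or line break in P3P header field")
    return 'policyref="%s", CP="%s"' % (policyref, compact)

class P3PMiddleware:
    """Adds the P3P header to every response and serves the /w3c/ files."""
    def __init__(self, app, policy_xml):
        self.app = app
        self.files = {P3P_REF_PATH: POLICY_REFERENCE_XML, POLICY_PATH: policy_xml}

    def __call__(self, environ, start_response):
        p3p = ("P3P", p3p_header_value())
        body = self.files.get(environ.get("PATH_INFO", ""))
        if body is not None:
            start_response("200 OK", [("Content-Type", "text/xml"), p3p])
            return [body]
        def with_p3p(status, headers, exc_info=None):
            # Drop any P3P header the app set so exactly one is sent.
            kept = [(k, v) for k, v in headers if k.lower() != "p3p"]
            return start_response(status, kept + [p3p], exc_info)
        return self.app(environ, with_p3p)

def framed_page(environ, start_response):
    """Stand-in for the framed page that sets a cookie (hypothetical)."""
    start_response("200 OK", [("Set-Cookie", "visit=1; Path=/")])
    return [b"<html>framed page</html>"]

def fetch(app, path):  # call a WSGI app once -> (status, headers, body)
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen.update(status=status, headers=dict(headers))
    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return seen["status"], seen["headers"], body
```

Wrap the real application with P3PMiddleware(app, policy_xml), where policy_xml is the bytes of the policy file the editor produced.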

Now that we've discussed the solution, we can go on to explain why P3P was created. P3P Toolbox has a lengthy discussion about the need for P3P. The main idea behind P3P is that it is burdensome and unreasonable for the average web user to hunt down the privacy policy for every site that they directly interact with, let alone the sites that they unknowingly interact with (like those displayed in iframes). Regular people just don't do this. P3P was created to standardize the discovery of privacy policies from site to site.

P3P does not enforce that site owners adhere to their own privacy policies; it merely automates the interpretation of the legalese in which most privacy policies are written. The enforcement of privacy laws is left to the judicial system.