Friday, October 19, 2007

A minimal P3P Compact policy - a suggestion by Microsoft

Back in July I had a look at P3P compact policy, and in the post An analysis of a P3P compact policy example I resolved the example NOI DSP COR NID PSAo OUR IND. The other day I came, by coincidence, across an entry in the Microsoft Knowledge Base, Session variables are lost if you use FRAMESET in Internet Explorer 6 [HTML] (in Danish: Sessionsvariabler går tabt ved brug af FRAMESET i Internet Explorer 6). This article suggests the minimal policy CAO PSA OUR to declare that no malicious actions are performed with the data of the user.

Doing a further search I found quite a few articles and postings with plenty of positive comments, which left me with the feeling that this is used as a technical fix to overcome problems with, for example, using third-party content in iframes. It's not that I think IE6+ is done right and FF 2.0 is done wrong, but using the P3P compact policy without understanding the semantics surely wasn't what Microsoft had in mind when they chose to implement IE 6+ to demand P3P compact policies (for third parties), and certainly not what the P3P working group had in mind!

To turn the problem around, I'll make my guess at what the policy CAO PSA OUR means and thereby give myself and other web administrators the possibility to check whether that fits our websites.

CAO (<contact-and-other/>)
Identified Contact Information and Other Identified Data: access is given to identified online and physical contact information as well as to certain other identified data.
PSA (<pseudo-analysis/>)
Pseudonymous Analysis: Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals. For example, a marketer may wish to understand the interests of visitors to different portions of a Web site.
OUR (<ours/>)
Ourselves and/or entities acting as our agents or entities for whom we are acting as an agent: An agent in this instance is defined as a third party that processes data only on behalf of the service provider for the completion of the stated purposes. (e.g., the service provider and its printing bureau which prints address labels and does nothing further with the information.)

My best shot at the meaning of this is:

My website does collect some PII for my own use; you can probably check for yourself online what's stored about you. My website may use profiling mapped by a pseudonymous identifier.
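
The token-by-token lookup above can be scripted so that a web administrator can decode a compact policy before sending it. The following is an added example, not code from the original post or from Microsoft's article. The function name `parse_cp` and the table layout are assumptions, and the table covers only the tokens quoted in this post.

```python
import re

# Subset of the P3P 1.0 compact-policy vocabulary: only the tokens quoted in
# this post. Anything else is reported as unknown rather than guessed at.
TOKENS = {
    "NOI": ("ACCESS", "nonident"),
    "CAO": ("ACCESS", "contact-and-other"),
    "DSP": ("DISPUTES", "disputes"),
    "COR": ("REMEDIES", "correct"),
    "NID": ("NON-IDENTIFIABLE", "non-identifiable"),
    "PSA": ("PURPOSE", "pseudo-analysis"),
    "OUR": ("RECIPIENT", "ours"),
    "IND": ("RETENTION", "indefinitely"),
}
# Optional one-letter consent suffix, e.g. the "o" in PSAo.
REQUIRED = {"a": "always", "i": "opt-in", "o": "opt-out"}
# Groups to report on; CATEGORIES has no token in this subset, so it is
# always listed as undeclared for the policies discussed here.
GROUPS = ["ACCESS", "DISPUTES", "REMEDIES", "NON-IDENTIFIABLE",
          "PURPOSE", "RECIPIENT", "RETENTION", "CATEGORIES"]


def parse_cp(header_value):
    """Decode the value of a P3P header such as 'CP="CAO PSA OUR"'.

    Returns (decoded, undeclared, unknown): tokens grouped by element type,
    the groups with no token at all, and tokens that could not be decoded.
    """
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_value, re.I)
    if not m:
        raise ValueError('no CP="..." part in header value')
    decoded, unknown = {}, []
    for tok in m.group(1).split():
        base, suffix = tok[:3], tok[3:]
        entry = TOKENS.get(base)
        # In this subset only the PURPOSE token (PSA) may carry a suffix.
        if entry is None or (suffix and (suffix not in REQUIRED
                                         or entry[0] != "PURPOSE")):
            unknown.append(tok)
            continue
        group, element = entry
        decoded.setdefault(group, []).append((element, REQUIRED.get(suffix)))
    undeclared = [g for g in GROUPS if g not in decoded]
    return decoded, undeclared, unknown
```

Run on the minimal policy, it shows that CAO PSA OUR declares access, purpose and recipient only, while the July example additionally covers disputes, remedies and retention.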

A 2002 posting on Oreillynet, P3P in IE6 : Frustrating Failure, has a comment with an even more minimal policy and also a comment from one of the authors of the P3P specification.