P3P Platform for Privacy Preferences


Real World Implementation Experience
February 4, 2002
Common Difficulties in correctly writing and maintaining Compact and Cookie Policies
DoubleClick
Jules Polonetsky, Chief Privacy Officer
Brooks Dobbs, Manager of Privacy Technology
Topics
1. Accurately declaring a Compact and Cookie Policy
   • Impact of unique cookies
   • Concerns with cookie scope
2. Changing a Compact Policy during the life of a cookie
What must be covered by a cookie policy
P3P specification 2.3.2.7: A cookie policy MUST cover any data (within the scope of P3P) that is stored in that cookie or linked via that cookie.
The troubles presented here are:
• Cookies with compact policies are replayed not just to the host that set them but often to other hosts on the domain
• Unique cookies become foreign keys that link disparate data sources, including multiple server log files and offline databases
• There is often no concrete difference between data that could be linked and data that is linked. If A=B and B=C, you can claim that you don't know A=C, but the data is linked.
Two ways a cookie manages data: stored and linked
If a site wants to store my age in a cookie it can do it one of two ways (first let's assume it somehow gets me to give up my age):
1. Stored: age=33
2. Linked*: guid=abc123, then have abc123 be a foreign key to a data structure such that the relationship abc123=33 holds
stored and linked continued…
* Typically, a linked cookie uses its foreign key relationship to match a unique id to more than one data point. This is best illustrated through a data table. This table, in an actual implementation, could be an online user registration database connected to the web server.
User Table
guid     authname  lname  fname   title  age  email              crmkey
abc123   bdobbs    Dobbs  Brooks  Mr.    33   [email protected]  crm777123
abc456   jsmith    Smith  Joe     Dr.    44   [email protected]  crm321456
(none)   (none)    Lamb   Mary    Ms.    18   [email protected]  crm444222
(none)   (none)    Gates  Bill    Mr.    50   [email protected]  crm327666
Question: "How does the cookie link this information to anything else?"
Answer: "Web server log files"
What a typical web server log file looks like
8 sample lines of a typical server log file (fields: Time, Remote User, IP, Method, Protocol, Request, Refer, Cookie)

1. 29/Jan/2002:10:29:32 -0500  Remote User: -  IP: 208.172.33.126  GET HTTP/1.1
   Request: /index.html
   Refer: http://maps.yahoo.com/py/maps.py?BFCat=&Pyt=Tmap&newFL=Use+Address+Below&addr=119+Winsor+Way&csz=Macon%2C+GA&Country=us&Get%A0Map=Get+Map
   Cookie: guid=1234567; lang=eng
2. 29/Jan/2002:10:29:37 -0500  Remote User: -  IP: 192.47.127.11  GET HTTP/1.1
   Request: /weather.html
   Refer: http://www.msn.com
   Cookie: guid=0987651; acct=345611
3. 29/Jan/2002:10:31:32 -0500  Remote User: bdobbs  IP: 193.22.44.122  GET HTTP/1.1
   Request: /health/baldness/malepattern.html
   Refer: http://search.yahoo.com/bin/search?p=dating+service
   Cookie: guid=abc123; lang=eng
4. 29/Jan/2002:10:31:44 -0500  Remote User: jsmith  IP: 98.22.144.21  GET HTTP/1.1
   Request: /account.php?acct=12345
   Refer: http://www.amazon.com/exec/obidos/ASIN/B00000DAGD/ref=cm_bg_d_5/0028734861-6912867
   Cookie: guid=abc456; lang=eng
5. 29/Jan/2002:10:31:55 -0500  Remote User: -  IP: 98.22.144.33  GET HTTP/1.1
   Request: /index.html
   Refer: -
   Cookie: guid=dce234
6. 29/Jan/2002:10:33:12 -0500  Remote User: -  IP: 147.88.66.12  GET HTTP/1.1
   Request: /sports/latest.html
   Refer: http://www.cnn.com/sports/
   Cookie: guid=9988771
7. 29/Jan/2002:10:33:26 -0500  Remote User: -  IP: 96.102.111.33  GET HTTP/1.1
   Request: /weather/map.html
   Refer: -
   Cookie: guid=cde333
8. 29/Jan/2002:10:33:33 -0500  Remote User: -  IP: 204.16.44.16  GET HTTP/1.1
   Request: /login.html
   Refer: -
   Cookie: -
Bottom line – what is linked to a cookie?
Well, let's look at one instance, guid=abc123:
1. All the info in the user table (age, email, name)
2. All the info linked via another table in the CRM database (perhaps mailing address, credit card #, prior purchase info)
3. That the cookie was interested in dating services on the last site it was on
4. That the cookie was interested in male pattern baldness while browsing within a site
5. What if the guid is replayed to a 3rd party, say maps.domain.com? They get the cookie too and could potentially tie data to it. You need to know and declare this.
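The linkage above can be checked mechanically. What follows is an added example, not part of the DoubleClick slides: it joins a constructed user table to constructed log lines on the guid cookie and pulls the identifying and interest data out of the referer and the query string. The log layout, the list of sensitive parameter names and the sample records are assumptions modelled on the slide (e-mail addresses are placeholders).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed user table modelled on the slide's User Table (e-mail addresses are placeholders).
USER_TABLE = {
    "abc123": {"authname": "bdobbs", "lname": "Dobbs", "fname": "Brooks",
               "title": "Mr.", "age": 33, "email": "bdobbs@example.com", "crmkey": "crm777123"},
    "abc456": {"authname": "jsmith", "lname": "Smith", "fname": "Joe",
               "title": "Dr.", "age": 44, "email": "jsmith@example.com", "crmkey": "crm321456"},
}

# Constructed log lines: time, remote user, IP, request line, referer, Cookie header.
LOG_LINES = [
    '29/Jan/2002:10:29:32 -0500 - 208.172.33.126 "GET /index.html HTTP/1.1" '
    '"http://maps.yahoo.com/py/maps.py?addr=119+Winsor+Way&csz=Macon%2C+GA" "guid=1234567; lang=eng"',
    '29/Jan/2002:10:31:32 -0500 bdobbs 193.22.44.122 "GET /health/baldness/malepattern.html HTTP/1.1" '
    '"http://search.yahoo.com/bin/search?p=dating+service" "guid=abc123; lang=eng"',
    '29/Jan/2002:10:31:44 -0500 jsmith 98.22.144.21 "GET /account.php?acct=12345 HTTP/1.1" '
    '"-" "guid=abc456; lang=eng"',
    '29/Jan/2002:10:33:33 -0500 - 204.16.44.16 "GET /login.html HTTP/1.1" "-" "-"',
]

# Assumed log format (one record per line, quoted request line, referer and cookie).
LOG_RE = re.compile(
    r'^(?P<time>\S+ \S+) (?P<user>\S+) (?P<ip>\S+) '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>\S+)" "(?P<referer>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Query-string parameters that carry identifying or interest data (assumed list; extend for your site).
SENSITIVE_PARAMS = {"addr", "csz", "acct", "p", "q", "email"}


def parse_cookie(header):
    """'guid=abc123; lang=eng' -> {'guid': 'abc123', 'lang': 'eng'}; '-' means no cookie."""
    cookies = {}
    if header in ("", "-"):
        return cookies
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def sensitive_query_params(url):
    """Decoded values of the sensitive parameters in a URL or request URI's query string."""
    if url in ("", "-"):
        return {}
    params = parse_qs(urlsplit(url).query)
    return {k: v for k, v in params.items() if k in SENSITIVE_PARAMS}


def link_log_line(line, user_table=USER_TABLE):
    """Everything a single log record ties to the guid cookie it carries."""
    match = LOG_RE.match(line)
    if not match:
        raise ValueError("unparsed log line: " + line)
    rec = match.groupdict()
    guid = parse_cookie(rec["cookie"]).get("guid")
    return {
        "guid": guid,
        "remote_user": None if rec["user"] == "-" else rec["user"],
        "registration": user_table.get(guid),          # the cookie as foreign key into the user DB
        "referer_data": sensitive_query_params(rec["referer"]),
        "query_data": sensitive_query_params(rec["uri"]),
    }


def audit(lines, user_table=USER_TABLE):
    """Map each unique cookie to the kinds of data the logs link to it."""
    linked = {}
    for line in lines:
        rec = link_log_line(line, user_table)
        if rec["guid"] is None:
            continue
        kinds = linked.setdefault(rec["guid"], set())
        if rec["registration"]:
            kinds.add("registration-db")
        if rec["remote_user"]:
            kinds.add("remote-user:" + rec["remote_user"])
        kinds.update("referer:" + k for k in rec["referer_data"])
        kinds.update("query:" + k for k in rec["query_data"])
    return linked


if __name__ == "__main__":
    for guid, kinds in audit(LOG_LINES).items():
        print(guid, sorted(kinds))
```

Run over the four constructed lines, guid=abc123 comes back linked to the registration database, the login name bdobbs and the referer search term, which is exactly the set of things the cookie's compact policy has to account for; guid=1234567, with no registration row, still carries a street address and city out of the referer.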
Typical linkages
[Diagram: one unique cookie, guid=abc123, links the user registration DB (thru the cookie), the http://www.domain.com log files, the http://shop.domain.com log files and the authentication table.]
Domain level cookies are replayed to:
• P3P compliant hosts within the domain
• Non P3P compliant hosts within the domain
• Hosts on the domain hosted by 3rd parties

P3P compliant but internally controlled: http://www.domain.com
date time: 2001-11-01 10:22:07  ip: 24.98.175.132  method: GET  uri: /crossdressing.html  status: 200  bytes: 415
User-Agent: Mozilla/4.0  Cookie: GUID=xyz123  Refer: www.etrade.com/?acct=24343777

P3P compliant but internally controlled: http://ad.domain.com
date time: 2001-11-01 10:22:07  ip: 24.98.175.132  method: GET  uri: /getad/sz=468;sec=sports  status: 200  bytes: 415
User-Agent: Mozilla/4.0  Cookie: GUID=xyz123; LUID=cde456  Refer: www.politics.com/communism
AD DB (keyed by LUID): LUID, Creative, Advertiser, Frequency, Clicks, etc.

Internally controlled but not P3P: http://intra.domain.com
date time: 2001-12-01 10:22:07  ip: 24.98.175.132  remote user: bsmith  method: GET  uri: /phonelist?search=mvip  status: 200  bytes: 555
User-Agent: Mozilla/4.0  Cookie: GUID=xyz123; lang=eng  Refer: -

Externally controlled but not P3P: http://mail.domain.com
date time: 2001-11-01 8:10:07  ip: 24.98.175.132  method: GET  uri: /[email protected]  status: 200  bytes: 128
User-Agent: Mozilla/4.0  Cookie: GUID=xyz123  Refer: www.yahoo.com

HR DB: Login, name, address, phone, income, ssn, health cond, etc.
Common Example
A. www.domain.com sets: defLang=<lang>, scope: www.domain.com
   Receives from the user agent: GET /index.html  COOKIE: id=abc123; defLang=ENGLISH
B. ad.domain.com sets: id=<unique>, scope: .domain.com
   Receives from the user agent: GET /ad/sec=sports;sz=468x60...  COOKIE: id=abc123
C. intra.domain.com (requires user login) sets: NO COOKIE
   Receives from the user agent: GET /index.html  REMOTE_USER=bdobbs  COOKIE: id=12345abc

A. www.domain.com sets a cookie to use for language preference but receives cookies set by itself and by ad.domain.com.
B. ad.domain.com sets a cookie at the domain level. Though the cookie is intended for use by only the host ad.domain.com, the cookie is in fact sent to ALL hosts that match the pattern *.domain.com. Therefore the cookie needs to declare all possible information tied to it by any host that receives it.
C. intra.domain.com is a password protected site that requires user authentication. It does not set a cookie but receives the cookie set by ad.domain.com. If this server logged both the user login and the cookie set by ad.domain.com, then the policy of no PII being attached to a cookie set by ad.domain.com would be violated.
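The scope problem in B and C is a domain-matching question and can be audited before a cookie ships. The block below is an added example, not code from the slides: given the hosts on a domain, what each one logs and who operates it, it lists which hosts will receive a cookie under the browser domain-matching rules of the period and flags the ones whose logging or control makes a unique cookie's compact policy inaccurate. The host inventory, its attributes and the finding texts are assumptions modelled on the A/B/C hosts and the mail.domain.com host of the previous slide.

```python
# Hosts on the domain and what each one logs, constructed to mirror the slide's A/B/C hosts
# plus the third-party-run mail host from the previous slide (attributes are assumed).
HOSTS = {
    "www.domain.com":   {"logs": {"cookie", "referer"},     "p3p": True,  "operator": "us"},
    "ad.domain.com":    {"logs": {"cookie", "referer"},     "p3p": True,  "operator": "us"},
    "intra.domain.com": {"logs": {"cookie", "remote_user"}, "p3p": False, "operator": "us"},
    "mail.domain.com":  {"logs": {"cookie", "uri"},         "p3p": False, "operator": "third party"},
}

# The two cookies from the slide: a unique id scoped to the whole domain, and a
# language preference scoped to a single host.
COOKIES = {
    "id":      {"set_by": "ad.domain.com",  "domain": ".domain.com",    "unique": True},
    "defLang": {"set_by": "www.domain.com", "domain": "www.domain.com", "unique": False},
}


def domain_matches(host, cookie_domain):
    """Netscape/RFC 2109 domain matching as browsers of the period applied it: a
    leading-dot Domain attribute covers every host that ends with it, while a Domain
    naming a single host covers only that host. (RFC 6265 browsers ignore the leading
    dot and also send the cookie to the bare domain; adjust if auditing those.)"""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    if cookie_domain.startswith("."):
        return host.endswith(cookie_domain)
    return host == cookie_domain


def replay_targets(name, cookies=COOKIES, hosts=HOSTS):
    """Every host on the domain that will see the named cookie in its Cookie header."""
    return sorted(h for h in hosts if domain_matches(h, cookies[name]["domain"]))


def audit_cookie(name, cookies=COOKIES, hosts=HOSTS):
    """Hosts other than the setter whose logging or control ties data to a unique
    cookie, i.e. what its compact policy must declare or what must be changed."""
    cookie = cookies[name]
    findings = []
    if not cookie["unique"]:
        return findings        # a bare preference value is not a foreign key to anything
    for host in replay_targets(name, cookies, hosts):
        if host == cookie["set_by"]:
            continue
        info = hosts[host]
        if "cookie" in info["logs"] and "remote_user" in info["logs"]:
            findings.append((host, "logs the login name beside the cookie: PII is now linked"))
        if not info["p3p"]:
            findings.append((host, "receives the cookie but publishes no P3P policy"))
        if info["operator"] != "us":
            findings.append((host, "run by a third party whose handling of the cookie is outside your policy"))
    return findings


if __name__ == "__main__":
    for name in COOKIES:
        print(name, "replayed to", replay_targets(name))
        for host, problem in audit_cookie(name):
            print("  ", host, "-", problem)
```

For the constructed inventory the domain-scoped id cookie reaches all four hosts and draws findings on intra.domain.com (login name logged next to the cookie) and mail.domain.com (no P3P policy, third-party operated), while the host-scoped defLang cookie reaches only www.domain.com and draws none. Narrowing the Domain attribute, or turning off cookie logging on the receiving hosts, clears the findings; declaring the linkage in the CP is the other option.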
Recommendations:
• Be aware of the nature of the data that is collected in log files. What is passed in the referer? What is passed in the query string?
• Keep very close track of unique cookies, particularly domain level ones.
• Examine the default settings of all servers in the domain to be sure that they do not log or set cookies.
• Examine where cookies can become (intentionally or otherwise) foreign keys to offline data. Is a cookie stored with a user login?
• Examine the policies of 3rd parties that run servers for you on your domain.
• Pay close attention to internal servers, particularly intranets or even test boxes.
• Pay close attention to any client facing boxes that require authentication or collect unique information.
• Don't rely strictly on an editor to generate CPs – editors don't take into account sharing data across hosts.
Upgrading a Compact Policy
The Challenges
1. A Compact Policy needs to be honored for the lifetime (expiry) of the cookie
2. The cookie is sent with a request for a URI prior to checking to see if there is a new policy in effect
3. Often a cookie with a discrete CP is replayed to many hosts, all with:
   • Multiple cookie policies pointed to through separate PRFs (policy reference files)
   • Policies that all potentially have different expiries – but still need to collectively support the CP of the cookie replayed to all the hosts covered by the separate policies
Step 1: Plan ahead
an ounce of prevention is worth several pounds of cure
When a cookie is sent to a server from a browser it passes the cookie's name and the cookie's value in a request header as:
Cookie: guid=abc123
Conspicuously absent are the expiry of the cookie (does it have 1 day or 10 years left to live?) and the compact policy under which the cookie was set (if I have changed my policy, can I use this cookie or not?).
You can work around this by carefully naming your cookies. For instance, all cookies set under "compact policy 1" could be of the form guid_cp1=abc123, set to expire on the hard date of 1/31/2010.
Upgrading Compact Policy: setting the initial cookie

Browser -> www.domain.com
  GET http://www.domain.com
  (no cookie)
www.domain.com -> Browser
  200
  Set-Cookie: guid_cp1=abc123 ... expires=Thu, 31 Jan 2010 15:25:21
  P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Browser -> www.domain.com
  GET http://www.domain.com/sports
  Cookie: guid_cp1=abc123
www.domain.com -> Browser
  200

Upgrading Compact Policy: upgrading policy

Browser -> www.domain.com
  GET http://www.domain.com/news
  Cookie: guid_cp1=abc123
www.domain.com -> Browser
  200
  Set-Cookie: guid_cp1=null ... expires=Wed, 30 Jan 2002 12:00:00
  Set-Cookie: guid_cp2=abc123 ... expires=Thu, 31 Jan 2010 12:00:00
  P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS ONL UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

CP accepted:
Browser -> www.domain.com
  GET http://www.domain.com/weather
  Cookie: guid_cp2=abc123
www.domain.com -> Browser
  200

CP not accepted (guid_cp2 is not replayed):
Browser -> www.domain.com
  GET http://www.domain.com/weather
www.domain.com -> Browser
  200
  Set-Cookie: guid_cp2=abc123 ... expires=Thu, 31 Jan 2010 12:00:00
  P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS ONL UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
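The naming convention from Step 1 and the upgrade exchange above come together in a small server-side routine. This is an added example, not DoubleClick's code: it reads the Cookie header, recognises which compact-policy generation the guid was set under from its name, retires old generations, reissues the value under the current generation with the matching P3P header, and throws away guids from generations that are no longer supported. The generation table, the header shapes, the fixed expiry dates and the discard rule are assumptions; the two CP strings are the ones on the slide.

```python
import secrets

# Compact policies from the slide: CP2 adds the ONL token to CP1.
CP1 = "CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
CP2 = "CURa ADMa DEVa PSAo PSDo OUR BUS ONL UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

# Generations of the unique cookie, oldest first (assumed table). The generation rides in
# the cookie name (guid_cp1, guid_cp2) because the Cookie request header carries neither
# the expiry nor the CP the value was set under. A generation missing from this table is
# no longer supported and any data tied to it is discarded.
GENERATIONS = {"cp1": CP1, "cp2": CP2}
CURRENT_GEN = "cp2"
HARD_EXPIRY = "Thu, 31 Jan 2010 12:00:00 GMT"   # fixed end date for the current generation
PAST_EXPIRY = "Wed, 30 Jan 2002 12:00:00 GMT"   # any past date retires a cookie


def cp_diff(old_cp, new_cp):
    """Tokens the new compact policy adds and drops relative to the old one;
    a non-empty 'added' set is what makes the old cookies' data suspect."""
    old, new = set(old_cp.split()), set(new_cp.split())
    return new - old, old - new


def parse_cookie_header(header):
    """'guid_cp1=abc123; lang=eng' -> {'guid_cp1': 'abc123', 'lang': 'eng'}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def set_cookie(name, value, expires):
    return ("Set-Cookie", f"{name}={value}; expires={expires}; path=/")


def handle_request(cookie_header, new_value=None):
    """Upgrade step for one request. Returns the guid the request may be attributed to,
    how it was obtained, and the response headers to emit (empty when nothing changes)."""
    cookies = parse_cookie_header(cookie_header)
    guids = {n[len("guid_"):]: v for n, v in cookies.items() if n.startswith("guid_")}
    headers = []

    # Fast path: the browser already holds the current generation.
    if CURRENT_GEN in guids:
        return {"guid": guids[CURRENT_GEN], "status": "current", "headers": headers}

    # Retire every stale guid cookie the browser sent, whatever its generation.
    for gen in guids:
        headers.append(set_cookie("guid_" + gen, "null", PAST_EXPIRY))

    supported = [g for g in guids if g in GENERATIONS]
    if supported:
        # Carry the value forward from the newest still-supported generation.
        value = guids[max(supported, key=list(GENERATIONS).index)]
        status = "upgraded"
    else:
        # No usable value: unsupported generations are thrown out, fresh visitors get a new id.
        value = new_value or secrets.token_hex(8)
        status = "discarded" if guids else "new"

    headers.append(set_cookie("guid_" + CURRENT_GEN, value, HARD_EXPIRY))
    headers.append(("P3P", f'CP="{GENERATIONS[CURRENT_GEN]}"'))
    return {"guid": value, "status": status, "headers": headers}


if __name__ == "__main__":
    print("CP2 adds", cp_diff(CP1, CP2)[0])
    for header in ("guid_cp1=abc123; lang=eng", "guid_cp2=abc123", "", "guid_cp0=old999"):
        result = handle_request(header)
        print(repr(header), "->", result["status"], result["guid"])
        for name, value in result["headers"]:
            print("   ", name + ":", value)
```

The "CP not accepted" branch of the exchange falls out naturally: if the browser rejected the upgrade and sends no guid_cp2, the next request takes the same path again and the server re-emits the Set-Cookie and P3P headers. The one decision the code does not make for you is whether a value may be carried forward at all; cp_diff tells you what the new policy adds, and if the additions are not covered by what the old cookie's CP allowed, the right move is to leave that generation out of GENERATIONS so its data is discarded rather than relabelled.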
Recommendations:
• PLAN AHEAD
• Carefully consider the expiration date of cookies in anticipation of possible future changes
• Carefully examine your proposed CP – balance extensibility and accuracy
• Make sure that a cookie with a CP will be replayed only to hosts whose cookie policies are mutually supportable
• Establish a cookie / CP naming convention
• Build your upgrade mechanism before you need it. Make sure this includes the ability to throw out data from non-supported cookies
For questions, assistance or consulting services contact:
Brooks Dobbs
Coordinating DoubleClick / Privacy Council P3P Consulting Services
[email protected]
404.836.0525