1 / 32

U.S. Department of Commerce Web Advisory Group osec.doc/webresources/

Privacy Provisions of the E-Government Act of 2002 Section 208. U.S. Department of Commerce Web Advisory Group http://www.osec.doc.gov/webresources/. Privacy Policy Requirement Changes The "Privacy Statement" or "Privacy Notice" must now be renamed "Privacy Policy"

michel
Télécharger la présentation

U.S. Department of Commerce Web Advisory Group osec.doc/webresources/

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privacy Provisions of the E-Government Act of 2002 Section 208 U.S. Department of Commerce Web Advisory Group http://www.osec.doc.gov/webresources/

  2. Privacy Policy Requirement Changes • The "Privacy Statement" or "Privacy Notice" must now be renamed "Privacy Policy" • The privacy policy statements of all Commerce Web sites must notify Web site visitors of their rights under the Privacy Act. This requirement applies regardless of whether the Web site uses or collects any Privacy Act information, or indeed, any information at all. • The privacy policy statement must inform users how to grant consent to use of voluntarily-provided information. • When an agency Web site requests that a user provide voluntary information, it must explicitly inform the user that providing the information is voluntary.

  3. The privacy policy statement must include, in clear language, information about management, operation, and technical controls ensuring the security and confidentiality of personally identifiable records, and, in general terms, information about any additional safeguards used to identify and prevent unauthorized attempts to access or cause harm to information and systems • The policy on use of persistent cookies is extended to include any persistent tracking technology. Therefore, prior to use of any such technology, approval must be obtained from the Secretary of Commerce in the same fashion as for persistent cookies. • Both a “human readable” Privacy Policy and agency use of machine readable technology that alerts users automatically about whether site privacy practices match their personal privacy preferences.

  4. Isn’t the Text Version Enough? Isn’t the Text Version Enough? • Most users do not see the text privacy policy until after they have visited one or more of the site’s pages. • Text privacy policies are sometimes difficult for users to locate, too lengthy for users to read, difficult to understand, and can change without notice.

  5. Machine-Readable Policy Machine-Readable Policy • The Platform for Privacy Preferences Project (P3P) is the standard for machine-readable Privacy Policy. • P3P enables web sites to translate their privacy practices into a standardized format (Extensible Markup Language - XML) that can be retrieved automatically and easily interpreted by a user's browser.

  6. Who is collecting data? What data is collected? For what purpose will data be used? Is there an ability to opt-in or opt-out of some data uses? Who are the data recipients (anyone beyond the data collector)? To what information does the data collector provide access? What is the data retention policy? How will disputes about the policy be resolved? Where is the human-readable Privacy Policy? What Does P3P Address? What Does P3P Address?

  7. What P3P Does Not Address What P3P Does Not Address • P3P does not set minimum standards for privacy; nor can it monitor compliance with stated policy. • Certain types of “cookies” can be blocked based on type of cookie but not based on content of information in them. • Implementation varies among browsers. • None go beyond cookies at this time.

  8. The Machine Readable Privacy Policy - XML The Machine Readable Privacy Policy (XML Format) • An XML format for expressing a privacy policy • Using a standard P3P base data schema • The policy reference file includes the following statements: • The URL where a P3P policy is found • The URLs or regions of URL-space included or excluded by this policy • The cookies that are or are not covered by this policy • The period of time for which these claims are considered to be valid

  9. Location of the machine readable file The location of the machine readable policy file can be indicated using one of the following: : At the server level: • may be located in a predefined "well-known" location (well known to the browser), • http://www.agency.gov/w3c/p3p.xml • through an HTTP header At the web page level • a document may indicate a policy reference file through an HTML link tag or XHTML link tag

  10. Machine Readable Policy Tools Machine Readable Policy Tools Free editor tools • HiSoftware P3P Builder • www.hisoftware.com/access/valueaddp3p.html • IBM alphaWorks P3P Policy Editor • www.alphaworks.ibm.com/tech/p3peditor Validator Tool • www.w3.org/P3P/validator.html

  11. How Does P3P Work? How Does P3P Work?

  12. How Users Are Notified How Users Are Notified Web Browser Alerts Web visitors who want to take advantage of P3P enabled sites have to set their personal privacy preferences in their web browser.

  13. Browser Support Browser Support Browser implementation of P3P is concerned with the issue of cookies When the browser encounters a cookie from a web page that either does not have a compact P3P policy, or that has a P3P policy that does not match the user’s privacy preferences, the user is alerted via icons. • Browsers supporting Compact P3P Policy: • Netscape 7 • Mozilla • Internet Explorer 6 • AT&T Privacy Bird (Plug-in for Internet Explorer)

  14. Cookies Cookies • Cookies are information stored by a server on a visitor’s computer during their first visit to the site and used on subsequent visits to the site. • This may be information obtained without asking (e.g., viewing habits), or information provided by the user (name, preferences). • The server records this information in a text file and stores this file on the visitor's hard drive. • What do your cookies say about you? Search your computer for the cookie files – You might be surprised.

  15. Example of Cookies Example of Cookies # Netscape HTTP Cookie File # http://www.netscape.com/newsref/std/cookie_spec.html # This is a generated file! Do not edit. home.frontiernet.net FALSE / FALSE 1089259125 regionid 1 home.frontiernet.net FALSE / FALSE 1089259125 stateabb WV home.frontiernet.net FALSE / FALSE 1089259125 npa 304 home.frontiernet.net FALSE / FALSE 1089259125 city Charles+Town .mp3.com TRUE / FALSE 1293839999 RMID 8c5a18333f09c160 .2o7.net TRUE / FALSE 1234755376 s_vi_bzbx7Bmfehkf [CS]v4|3F09DC8800001DFF-A000A4A00000001|4032DDB1[CE] .2o7.net TRUE / FALSE 1234755376 s_vi_nvnwhg [CS]v4|3F09DC8800001DFF-A000A4A00000001|4032DDB1[CE] .2o7.net TRUE / FALSE 1220907114 s_vi_cx7Bczccdfx60x7Fl [CS]v3|3F09DC8800001DFF-A000A4A00000001|3F5F8EC2|3F09DC88|3F5F8EC3|3F5F8EFE|2|4|0|0||ltx0AGKIx04cEPASEx5Dx1Ex04lKIAx04EJx40x04lKIAx04kBBMGA|ltx0AGKIx04cEPASEx5Dx1Ex04lKIAx04EJx40x04lKIAx04kBBMGA||||[CE] .2o7.net TRUE / FALSE 1220907114 s_sv_cx7Bczccdfx60x7Fl [CS]v2|3F5F8EFE|[CE] .2o7.net TRUE / FALSE 1234755376 s_vi_cx7Bczxxfifx60x7Fl [CS]v4|3F09DC9B00003CC3-A000A4F00000001|4032DDB1[CE] www.tigerdirect.com FALSE / FALSE 1089172972 MyEmail myname%40domain%2Enet .bizrate.com TRUE / FALSE 1373027937 br 105766790547740314 .bizrate.com TRUE / FALSE 1373027937 eval 105766790547766748 .bizrate.com TRUE / FALSE 1373027937 survey 23939_2003_Jul_8 These cookies contain personal information such as the city and state (Charles Town WV), area code (304), and even e-mail address (myname%40domain%2Enet or myname@domain.net)

  16. Location of Cookie Files Location of Cookie Files • In Internet Explorer cookie files are in the “cookies” folder: • C:\Documents and Settings\user\Cookies How to Delete Cookies From Internet Explorer - Microsoft Knowledge Base http://support.microsoft.com/default.aspx?scid=kb;EN-US;278835 • In Netscape cookies are stored in a file named “cookie.txt”

  17. How Cookies and Browsers Interact How Cookies and Browsers Interact • By default, browsers allow the use of cookies. • You can change your privacy settings so that your browser • Will ask you before placing a cookies on your computer, or • Will prevent the browser from accepting any cookies, or • Will handle First- and Third- Party cookies differently • You can specify how you want to handle cookies from individual web sites or all web sites

  18. Persistent Cookie Persistent Cookie • stored on your computer • remains there when you close your browser • can be read by the web site that created it when you visit that site again.

  19. Temporary or Session Cookie Temporary or Session Cookie • stored on your computer • retained only for your current browsing session • deleted from your computer when you close your web browser.

  20. Unsatisfactory Cookie Unsatisfactory Cookie • might allow access to personally identifiable information • information could be used for a secondary purpose without your consent.

  21. First-Party Cookie First-Party Cookie • either originates on or is sent to the web site you are currently viewing • commonly used to store information such as your preferences, for use when you re-visit the site

  22. Third-Party Cookie Third-Party Cookie • either originates on or is sent to a web site different from the one you are currently viewing • commonly used to track your web page use for advertising or other marketing purposes • Example: site xyz.com uses content from site 123.com. Site 123.com uses a cookies to track web page views and use by visitors to xyz.com

  23. Setting Netscape 7 Preferences Setting Netscape 7 Preferences

  24. Netscape 7 Notification Netscape 7 Notification A warning appears when the browser encounters a cookie that either does not have a compact P3P policy or has a P3P policy that does not match the browser preferences

  25. Setting Mozilla Preferences Setting Mozilla Preferences

  26. Setting IE 6 Preferences Setting IE 6 Preferences

  27. IE6 Notification IE6 Notification A warning appears when the browser encounters a cookie that either does not have a compact P3P policy or has a P3P policy that does not match the browser preferences

  28. IE 6 Privacy Reports IE 6 Privacy Reports

  29. AT&T Privacy Bird AT&T Privacy BirdA free plug-in for Internet Explorer 6 Audible Notifications: Green Bird Yellow Bird Red Bird

  30. To Assist DOC Web Developers To Assist DOC Web Developers • Web Advisory Group will post guidance on the WAG site to help webmasters meet the December 2004 deadline (http://www.osec.doc.gov/webresources/) • Links to various tools we have tested • Examples • “How to" information • Reference materials (W3C)

  31. Reference Materials • W3C Platform for Privacy Preferences (P3P) Project • http://www.w3.org/P3P/ • W3C P3P - 1.0 Specifications • http://www.w3.org/TR/P3P/ • W3C References for P3P Implementations • http://www.w3.org/P3P/implementations • P3P Toolbox • http://www.p3ptoolbox.org/

  32. Ron Jones National Weather Service Office of the CIO (301) 713-1381 x130 Ronald.C.Jones@noaa.gov

More Related