P3P Webmaster Workshop

Adopting P3P for Congressional Web Sites

The Congressional Internet Caucus Advisory Committee is pleased to present this CD-ROM guide to implementing P3P on your Web site. The Congressional Internet Caucus Advisory Committee is a diverse group of public interest, non profit and industry groups working to educate the Congress and the public about important Internet-related policy issues.

A How-To Guide

by Shane Ham, Progressive Policy Institute
and Ari Schwartz, Center for Democracy and Technology

What is P3P?

Privacy is one of the most important policy issues facing the growth of the Web. Policy makers can address some of these issues through law and regulation, but others can only be addressed by technology. P3P is a standard designed to help address some of those concerns.

In simple terms, P3P is a language that lets a Web site publish its privacy policy in a form a Web browser can "read." Each user tells the browser what he or she expects of a privacy policy, and the browser then makes decisions on the user's behalf. Some browsers use P3P to let users make better decisions about cookies; some will warn the user that a page uses information in a way he or she might not like; others may block such pages altogether.

Technically speaking, P3P is a specification for machine-readable privacy policies written in XML, much as HTML is a specification for Web pages. A P3P-compliant Web site transmits its privacy policy to visitors whose browsers or other software automatically interpret the policy, compare it to the user's preferences, and warn the user if the site has a practice the user finds disagreeable. P3P was developed by the World Wide Web Consortium (W3C), which also developed HTML and other Web standards. For more information, see the W3C's official P3P FAQ.

Why should Congressional web sites be P3P compliant?

P3P is a powerful tool for helping Internet users to make informed privacy decisions, but it also presents a classic "chicken or egg" issue. Web site operators will not go through the effort of adopting P3P if Internet users are not using P3P software. On the other hand, if no web sites are P3P compliant, Internet users will either ignore privacy warnings or disable the P3P function altogether. Adding to the "chicken or egg" dilemma is the fact that the companies that make browsers and other P3P-enabled software will not release more powerful versions of their P3P tools if neither Internet users nor web sites are using P3P policies.

While some mainstream commercial sites are beginning to use P3P, strong leadership is needed to get the rest moving. That's where Members of Congress come in. By adopting P3P policies on their own web sites, Members send a signal to both commercial and government web site operators that P3P is here to stay, and that it is an important part of the debate on Internet privacy. Adopting P3P at this early stage may seem like a symbolic gesture, but it is an important and influential gesture that will help to accelerate the widespread acceptance of this empowering privacy innovation. Adopting P3P also gives your Member an easy and active way to show that he or she cares about privacy.

How do we make our site compliant?

The good news is that Congressional web sites all have relatively simple information practices, so creating a P3P policy is a snap. The bad news is that Members of Congress do not exercise control over their domains (house.gov and senate.gov) so the implementation process is somewhat complex. Below is a step-by-step guide to making your Congressional web site P3P compliant. Click here to see how P3P works on a Congressional web site.

  1. If you have not already done so, create a written privacy policy for your web site. The policy should list the information that you collect from visitors to your site and how it will be used. It should also explain which data is collected by the servers, even though your office does not control the servers. If you choose to use the sample P3P policy below, your written policy should also explain that visitors can contact your office to correct their data, such as a misspelled name or incorrect address. For examples of written privacy policies, see the web sites of Rep. Adam Smith or Sen. Patrick Leahy.
     
  2. Generate a P3P policy. You can do this in one of two ways:
     
    • Use policy generating software (IBM and Microsoft both have policy generators) to create XML code. This will enable you to control every aspect of the policy.
       
    • Use the Sample House or Sample Senate policies and fill in the blanks for your office. This is the quickest and easiest method, but if you do so you are accepting the "standard" privacy policy that has been created for Congressional sites. This policy "overdeclares" to make sure it fits all Congressional sites, so the sample policy may declare that your site collects information it actually does not (e.g., business contact information). Because browsers compare the declared practices to the user's preferences, an overdeclared policy can trigger warnings your site does not actually merit.
       
  3. Once you have generated the policy, save it as an XML file with a recognizable name (e.g., smithpolicy.xml). This file will be uploaded to your main directory. If you like, you can compare your P3P policy file to policies that are already up and running in the House and Senate.
     
  4. If you are creating a file for a Senate web site, use the "www.senate.gov/~name" form for all of your URLs rather than the "name.senate.gov" form. (Links from the official Senate home page use the /~name format.) If you mix the two formats, your policy may not cover every page of your site.
     
  5. Generate a reference file. Because Members do not control their root domains, the standard "well-known" location for a P3P policy reference file (http://domain.com/w3c/p3p.xml) cannot be used. Therefore a reference file must be posted elsewhere to point browsers to your policy. To generate a reference file, simply copy the text of the sample reference file and fill in the URL of your P3P policy. (For a working example of a reference file, click here. For a working example of a policy file, click here.) Save this file with a recognizable name (e.g., smithref.xml).
     
  6. Upload both the policy file and the reference file to your main directory.
     
  7. Paste the link tag below between the <head> and </head> tag on each page of your web site. This is the part that takes some effort, but it is necessary to make your site compliant. For testing purposes, you may want to paste the tag on your index (home) page first and make sure everything works before pasting it in every other page. The link tag should look like this:

    <link rel="P3Pv1" href="reference_file_URL">

    where reference_file_URL is the location of your reference file. For example:

    <link rel="P3Pv1" href="http://www.house.gov/adamsmith/adamsmithref.xml">

  8. Validate your page. Use the W3C P3P Validator to check whether your site is P3P compliant. Do not worry if your site fails the validator's first two steps; as long as you pass steps 3 through 5, you are compliant. (The first two steps apply only to web sites that control their domain, which Congressional sites do not.) If you are experiencing problems, call Shane Ham at 202-608-1284 for further assistance.
     
  9. Once you are compliant, either call Shane Ham (202-608-1284) or send an e-mail (sham@dlcppi.org). He will review your site and submit it to the list of compliant sites.
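The nine steps above produce three artifacts that must agree with one another: the policy file, the reference file that points at it, and the link tag on every page that points at the reference file. The Python below is added here as a worked example; it is not code from the workshop, the sample policies, or the W3C. It generates a minimal policy and reference file from fill-in-the-blank values and then follows the chain the way a P3P browser would (page, link tag, reference file, policy name), reporting anything that breaks it. The office name, e-mail address, policy file name and written-policy URL (discuri) are placeholders; only the reference-file URL is the one shown in step 7. The host check is this example's reading of step 4: it treats a reference file as covering only pages on its own host, so a page reached as name.senate.gov is reported as not covered by a reference file at www.senate.gov/~name.

```python
"""Build and cross-check the three P3P artifacts the guide has an office publish:
the policy file, the reference file, and the <link> tag on each page.  Added
example, not the workshop's code.  Office name, e-mail, policy file name and
discuri are placeholders; the reference-file URL is the guide's own."""
from fnmatch import fnmatchcase
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
from xml.sax.saxutils import escape, quoteattr
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"  # P3P 1.0 namespace

def ns(name): return "{%s}%s" % (P3P_NS, name)  # ElementTree tag in the P3P namespace

def make_policy_file(policy_name, office_name, email, discuri):
    """One POLICY: server logs kept to run the site, plus contact data a visitor
    volunteers, which the office corrects on request (ACCESS contact-and-other)."""
    return f"""<POLICIES xmlns="{P3P_NS}">
  <POLICY name={quoteattr(policy_name)} discuri={quoteattr(discuri)}>
    <ENTITY><DATA-GROUP>
      <DATA ref="#business.name">{escape(office_name)}</DATA>
      <DATA ref="#business.contact-info.online.email">{escape(email)}</DATA>
    </DATA-GROUP></ENTITY>
    <ACCESS><contact-and-other/></ACCESS>
    <STATEMENT>
      <PURPOSE><current/><admin/><develop/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP><DATA ref="#dynamic.clickstream"/><DATA ref="#dynamic.http"/></DATA-GROUP>
    </STATEMENT>
    <STATEMENT>
      <PURPOSE><current/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP><DATA ref="#user.name" optional="yes"/>
                  <DATA ref="#user.home-info.online.email" optional="yes"/></DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>
"""

def make_reference_file(policy_uri, include_paths):
    """Reference file posted in place of /w3c/p3p.xml; policy_uri is 'file.xml#name'."""
    includes = "".join(f"      <INCLUDE>{escape(p)}</INCLUDE>\n" for p in include_paths)
    return (f'<META xmlns="{P3P_NS}">\n  <POLICY-REFERENCES>\n'
            f"    <POLICY-REF about={quoteattr(policy_uri)}>\n{includes}"
            "    </POLICY-REF>\n  </POLICY-REFERENCES>\n</META>\n")

class _LinkFinder(HTMLParser):
    """Collects href values of <link rel="P3Pv1" href="..."> tags in a page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") == "P3Pv1" and a.get("href"):
            self.hrefs.append(a["href"])

def check_deployment(page_url, page_html, reference_url, reference_xml, policy_xml):
    """Follow the chain a P3P user agent follows (page -> link tag -> reference
    file -> policy) and return a list of problems; [] means the page is covered."""
    problems, finder = [], _LinkFinder()
    finder.feed(page_html)
    if reference_url not in [urljoin(page_url, h) for h in finder.hrefs]:
        problems.append('no <link rel="P3Pv1"> on the page points at ' + reference_url)
    page, ref = urlsplit(page_url), urlsplit(reference_url)
    # Assumption this check enforces: a reference file covers only pages on its own
    # host, which is why www.senate.gov/~name and name.senate.gov must not be mixed.
    if (page.scheme, page.netloc) != (ref.scheme, ref.netloc):
        problems.append(f"reference file on {ref.netloc} cannot cover a page on {page.netloc}")
    try:
        meta, policies = ET.fromstring(reference_xml), ET.fromstring(policy_xml)
    except ET.ParseError as err:
        return problems + [f"XML is not well-formed: {err}"]
    about = None  # resolved 'about' URI of the first POLICY-REF whose INCLUDE matches
    for pref in meta.iter(ns("POLICY-REF")):
        patterns = [urlsplit(urljoin(reference_url, (i.text or "").strip())).path
                    for i in pref.iter(ns("INCLUDE"))]
        if any(fnmatchcase(page.path, p) for p in patterns):
            about = urljoin(reference_url, pref.get("about", ""))
            break
    if about is None:
        return problems + [f"no INCLUDE pattern in the reference file matches {page.path}"]
    name = urlsplit(about).fragment
    policy = next((p for p in policies.iter(ns("POLICY")) if p.get("name") == name), None)
    if policy is None:
        return problems + [f"policy file has no POLICY named {name!r}"]
    if not policy.get("discuri"):
        problems.append("POLICY has no discuri pointing at the written privacy policy")
    missing = [t for t in ("ENTITY", "ACCESS", "STATEMENT") if policy.find(ns(t)) is None]
    missing += [t for st in policy.iter(ns("STATEMENT"))
                for t in ("PURPOSE", "RECIPIENT", "RETENTION", "DATA-GROUP") if st.find(ns(t)) is None]
    return problems + [f"POLICY is missing <{t}>" for t in missing]

# Constructed sample deployment; everything except REFERENCE_URL is a placeholder.
REFERENCE_URL = "http://www.house.gov/adamsmith/adamsmithref.xml"
POLICY_XML = make_policy_file("policy1", "Office of Rep. Adam Smith (placeholder)",
                              "webmaster@example.gov", "http://www.house.gov/adamsmith/privacy.html")
REFERENCE_XML = make_reference_file("/adamsmith/adamsmithpolicy.xml#policy1", ["/adamsmith/*"])
PAGE_HTML = f'<html><head><title>Home</title>\n<link rel="P3Pv1" href="{REFERENCE_URL}">\n</head></html>'
```

Run check_deployment against a page's HTML and the two uploaded files before turning to the W3C validator; an empty list means the link tag, the reference file's INCLUDE pattern and the policy name all line up. The sample policy declares only server logs and the name and e-mail address a visitor sends in voluntarily; if your office collects anything else, add a STATEMENT for it rather than leaving it undeclared, since a policy that says less than the site does is the one case P3P cannot tolerate.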
Sample House P3P Policy

Sample Senate P3P Policy