By Bill Pitzer
recently, most policies went unnoticed except by the
most diligent Web surfers. Privacy policies have led
to a firestorm of debate recently because some
companies have been accused of breaching their
document that site builders must ensure is adequately
spelled out, but unfortunately, one that most sites
are ill-equipped to maintain.
Help is on the way in the form of the W3C
specification named P3P, which stands for the Platform
for Privacy Preferences Project. This is an automated
way for Web sites to post privacy policies. With P3P,
different user agents, such as browsers and proxy
servers, can automatically interpret the privacy
policy of each site you visit. The user agent
determines whether this is a site to which visitors
would be comfortable transferring data.
IBM alphaWorks' P3P Policy Editor 1.4 is not only a
visual tool for creating the P3P version of your
simultaneously work on the HTML version that should be
posted on your site. The tool is currently under
development pending finalization of the P3P
specification and is written in Java. I easily
installed it on my system running the Java 1.2.2
Runtime Environment. However, Java 1.3.0 users should
note that a few issues have been discovered running in
this environment. If you'd like to follow the
development of P3P, you can find more information at
P3P Policy Editor 1.4
cost: free download
Quick entry to P3P. Drag-and-drop makes manipulating policies easy.
The HTML security policy that's created may need some tweaking.
When you start up the P3P Policy Editor, you have
several choices about how to begin your session. You
can start with a completely blank policy, or use
templates. The templates, six in this release, cover
some common privacy policies that a site is likely to
implement. They provide templates for typical online
some form or another. For example, using the template
for an online shopping experience clearly defined
fields that would be required for such a site: physical
contact information, demographics information, and
actual purchase information. P3P Policy Editor does a
great job of defining the initial tags and
most of the other elements, and arranges all the tags
nicely by indenting them appropriately.
An Intuitive Interface
The interface creates policies with its intuitive
drag-and-drop method. All data elements that are on
the left side of the screen can be dragged to the
group tree on the right. Tabs at the bottom
of the screen let you easily switch between different
views of the same data. Initially, all policy elements
are displayed in a spreadsheet for a quick overview.
Clicking on the HTML Policy tab reveals the HTML
document that has been created from your current
policy definition. If you add a new data element to
the policy, the HTML dynamically changes to reflect
the addition. When you click on the XML Policy tab, it
shows you the XML that has been generated from your
definition in the interface. It creates nicely
formatted XML without requiring you to write a single
line of code. If you click on the Compact Policy tab,
you can preview a summarized version of the current
policy, designed to help user agents quickly examine a
policy. Lastly, the Errors tab indicates any errors
found in the current policy. This tab turns red if an
error is present. For instance, in my example for this
article I didn't define a dispute policy, so I was
greeted by the red error text and a stern warning
Figure 1 shows the data elements and group sections in the upper portion and the generated XML in
the bottom section of the screen.
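
As an added illustration (not part of the original review or of IBM's tool), the Python example below shows how a user agent might read the compact policy a site sends and compare it with a user's preferences, including the missing dispute information that the Errors tab flagged. The token names and the `CP="..."` header syntax are taken from the P3P 1.0 specification rather than from this article; the preference rules and the sample headers are constructed.

```python
import re

# Compact-policy tokens per the P3P 1.0 specification (assumed vocabulary, not
# listed in the review). Consent suffix: a = always (default), i = opt-in, o = opt-out.
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
            "CON", "HIS", "TEL", "OTP"}
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
OTHER = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON", "DSP", "COR", "MON", "LAW",
         "NID", "TST", "NOR", "STP", "LEG", "BUS", "IND", "PHY", "ONL", "UNI",
         "PUR", "FIN", "COM", "NAV", "INT", "DEM", "CNT", "STA", "POL", "HEA",
         "PRE", "LOC", "GOV", "OTC"}

def parse_compact_policy(header_value):
    """Return (tokens, unknown) for a P3P header value, or (None, []) if no CP."""
    match = re.search(r'CP\s*=\s*"([^"]*)"', header_value)
    if match is None:
        return None, []
    tokens, unknown = [], []
    for raw in match.group(1).split():
        base, consent = raw[:3], raw[3:] or "a"
        suffix_ok = base in PURPOSES | RECIPIENTS and consent in ("a", "i", "o")
        if (base in OTHER and len(raw) == 3) or suffix_ok:
            tokens.append((base, consent))
        else:
            unknown.append(raw)
    return tokens, unknown

def evaluate(header_value):
    """Check a policy against hypothetical user preferences; return objections."""
    tokens, unknown = parse_compact_policy(header_value)
    if tokens is None:
        return ["no compact policy sent"]
    findings = [f"unrecognized token {raw!r}" for raw in unknown]
    if "DSP" not in {base for base, _ in tokens}:
        findings.append("no dispute information declared")
    for base, consent in tokens:
        if base in ("UNR", "PUB") and consent != "i":
            findings.append(f"data goes to {base} recipients without opt-in")
        if base in ("CON", "TEL") and consent == "a":
            findings.append(f"{base} marketing contact with no way to decline")
    return findings

# Constructed sample header values, not taken from any real site.
SHOP = 'policyref="/w3c/p3p.xml", CP="NOI DSP COR CUR ADM TELo OUR DELi STP PHY PUR DEM"'
TRACKER = 'CP="NON CUR TAI CONa OUR UNR IND UNI NAV"'

if __name__ == "__main__":
    for name, value in (("shop", SHOP), ("tracker", TRACKER)):
        print(name, evaluate(value) or "acceptable")
```

A compact policy is the site's own declaration, so a check like this compares stated practices with preferences and cannot confirm what the site actually does with the data.
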
Although it's easy to do in the interface, if you need
to modify your XML by hand, be sure to run it through
the P3P validator provided at
Some Tweaking Required
The HTML copy of your policy is slick, but it's not
intended to be the version displayed on your site.
Using a standard HTML editor, you should use this copy
as a model. Unfortunately, changes to the HTML
document won't be viewable in the Policy Editor.
Although it requires some fine-tuning, this document
gives you a head start on developing a human-readable
version of your policy.
The P3P Editor, if nothing else, is a great way to
learn about the P3P specification. Written in Java,
its portability makes it an attractive choice for
organizations running a variety of platforms. Be aware
that while the tool can get you up and running
adequately plan beforehand. While this application
isn't quite ready for prime time, it's a great way to
learn P3P as you consider implementing these types of
privacy policies on your Web site.
Bill is a manager in the advanced Web technologies
group of divine/Whittman-Hart's Cincinnati, OH office.
Email him at firstname.lastname@example.org.