P3P, Cookies and IE6.0: A Case Study
This topic is not dear to my heart. Nevertheless, I think it’s one of the most important issues facing Webmasters today. It’s privacy.
As an Internet user, I’m reasonably concerned with privacy. Of course, I don’t want my address sold to unscrupulous spammers, but, like most, I don’t always read the privacy policies of the sites I visit.
A Website’s users are its lifeblood, especially in the game of Internet marketing and online business. So, it’s vitally important that we treat the privacy requirements of our sites with the attention they demand.
Don’t worry — I’m not going to bore you with a thesis here; I’ll just give you the quick answers. Read this article, and update your site with the techniques you learn here. Then, if you choose to find out more from the resources I’ve listed below, you’ll be better prepared than most to handle changes in the area of consumer privacy online. At the very least, you will have complied with the rules. And, for some, there will be spinoffs that actually increase your traffic. More on that later, though.
Privacy Compliance — Who Cares?
Microsoft, as we know, dominates the market with its Internet Explorer browser, so, generally, we all sit up and take notice of anything MS does. With the latest version (IE6.0), MS redefined the way the browser reacts to cookies, based on the new w3c (World Wide Web Consortium) standard for P3P (The Platform for Privacy Preferences Project).
As this article is written by a layman for other laymen and women, I’ll deliberately keep this discussion light. If you want to talk tech and get the tools I refer to along the way, visit the links at the end of the article.
Suffice to say that MS IE6.0 has changed the way the browser handles cookies. Cookie control has moved out of the old Security zones into a new Privacy tab with its own slider, and the default setting, 'Medium', blocks third-party cookies that carry no compact policy (or an unsatisfactory one) and restricts first-party cookies that use personally identifiable information without consent. The browser of course allows the user to change these settings and, indeed, to override them per site, but to the hordes of users out there who are struggling with the basic concept of cookies, this represents nothing less than a new barrier to accessing online content.
You can see where we’re headed with this. As marketers on the Internet, our task is to gain the trust of our customers and provide them with a pleasant and valuable experience that leads to a purchase. Hey, business is business, right? And that trust could be quickly eroded by a browser on the alert rampage — before you even know what’s happening.
How many thousands of people may have come to your site already and experienced the dreaded ‘minus eyeball’ or even a fully blown ‘batten down the hatches, this site is nasty!’ warning? Don’t worry, I’ll show you how to fix the problem in just a moment.
It gets worse for owners of many domains that frame URLs, forwarding their visitors to one main server. This is in fact what led me to start investigating the whole P3P issue for myself, and to pen this article on P3P quick-compliance.
The P3P Problem Gets Personal
I recently registered the domain yousmartass.com for a new online venture with my partner Mitch Baldwin. As I already had two large host servers with enough room to swing many cats, I chose to forward the domain yousmartass.com to my already-hosted domain, free-agent-path.info.
I decided the best and fastest way to allow access to my site was to use a cookie as the ticket for entry. Users would have a cookie placed on their machine when they entered their contact details as part of the site’s software download process. It worked on paper, so I tried it myself.
The redirect from yousmartass.com to the specified folder on free-agent-path.info worked as expected. Once I’d entered my name and email address, my machine was offered a cookie, which was accepted automatically and I was granted access. So … where’s the problem?
But this was no ordinary cookie I was trying to place. Because the domain was forwarded by framing, the visitor's address bar still showed yousmartass.com while the page that set the cookie was served from free-agent-path.info, so the browser classed the cookie as third-party. IE6 applies tougher rules to third-party cookies, and mine certainly weren't being accepted in the spirit in which they were offered. Death by cookies seemed the order of the day.
The stringent cookie standards are there to stop shady individuals and companies from learning things about you without your consent, as you surf innocently on a host site. It’s particularly supposed to protect users from third party sites that host advertisements that suck your personal info. Ever tried switching your settings so that you’re prompted each time a cookie is placed through your browser? You can do it in Tools -> Internet Options -> Privacy -> Advanced. Then go somewhere like howstuffworks.com. You can see why we need the privacy thing — at the very least, so that we aren’t constantly swatting at dialogue boxes all day!
I had to figure a way to get the browsers to relax on this third-party cookie issue and start accepting them, otherwise, many of my visitors would be left out in the cold. In fact, they already were! I was, at the time, receiving countless emails from people pleading to get in, some having tried more than 4 times on different occasions.
Compliance involves three things. First, a human-readable statement of the information you collect about visitors to your site, and what you intend to do with that information. This should be plainly visible to the user, usually linked from the homepage (typically in the footer) and other key pages of the site.
Second, the P3P policy itself: an XML file that restates those commitments in a vocabulary the browser can read. The third consideration is the policy reference file, which tells the browser where the policy file lives and which pages and cookies it covers. Both files are usually located in what is called the well-known location, a folder you must call w3c, placed at the top level of your site (the browser fetches /w3c/p3p.xml from there). Not above the top level, like the cgi-bin, but at the first level inside your html documents folder.
Both of these files are XML documents, but you needn't rush out and buy the Idiot's Guide just yet; help is at hand. IBM has come to the party with a Java application that runs on your own machine and walks you through everything required to achieve compliance. Enter your intentions in one end, and out come the goods at the other! All for free.
However, the site owner must go into a menu and click through a number of tabs, entering specific company and/or individual information such as business address, phone number and email contact. There are a small number of other steps to take before the process is complete. The combination of the generator's error messages and some general menu snooping leads us to create the policy reference file without too much work.
The finished files can be saved to their respective folders on your server, as described earlier (privacy_policy.xml and ref_policy.xml are both placed in the w3c folder at www.your_domain/w3c/). Bear in mind that browsers look for the reference file under the fixed name /w3c/p3p.xml; if you keep another name, you must point to it explicitly with a policyref in the P3P header.
But here is the good news: the only thing IE6 needs immediately in order to evaluate your cookies, and, provided the policy it declares is acceptable at the default setting, accept them, is the compact policy, sent in the HTTP response that sets the cookie. Let's see how it works.
The Compact Policy
Now, we don’t need to go through the details of this, because the good folks at the Privacy Council offer an automated service that creates compact policies. They’ll even email the result to you. Just register with them, select from a series of multiple choice questions about what your site does and doesn’t do, and you’re in business again.
Now, you need to know how to implement the compact policy into your pages. Again, I’ll illustrate this point with the code I used for my own site.
In pure HTML pages, insert this code into the head section of your page:
<meta http-equiv="P3P" content='CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"'>
One caveat: the P3P specification defines the compact policy as an HTTP response header, and that header is where IE6 reads it, so the meta tag on its own will not rescue a blocked cookie. For static HTML, have the web server add the header to its responses instead (see the link below titled "Header Creation").
In PHP pages, send it as a response header before any output is written. setcookie() and header() both add headers, so their order relative to each other does not matter, but both must run before the first byte of HTML:
<?php header('P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"'); ?>
For other server-side languages, see the link below titled "Header Creation".
Of course, don’t just use the code above as-is. You need to go to the URL given below at the Privacy Council, and generate your own. Don’t worry, it’s straightforward and non-technical.
If your policy reference file is not at the well-known location, the same mechanism can point the browser to it. Firstly, using PHP (the attribute is policyref, and it precedes the compact policy in the same header):
<?php header('P3P: policyref="/your_2nd_policy/p3p.xml", CP="your compact policy"'); ?>
Now, using HTML, where the reference file is given by a link element (a meta tag has no href attribute) and the compact policy by the meta tag as before:
<link rel="P3Pv1" href="/your_2nd_policy/p3p.xml">
<meta http-equiv="P3P" content='CP="your compact policy"'>
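To see what the header above actually carries, here is an added example (not code from the original article, nor from the Privacy Council or IBM tools it mentions). It checks a compact policy against the token vocabulary of the P3P 1.0 Recommendation, builds the P3P header that must accompany Set-Cookie, and shows why a cookie set from a framed domain counts as third-party. The function names, the sample hostnames and the two-label notion of a "site" are assumptions made for illustration.

```python
"""Build and sanity-check a P3P compact policy (CP) header.

Added example; not code from the original article or the tools it
mentions.  The token vocabulary is transcribed from the P3P 1.0
Recommendation (compact policies).  Function names, sample hostnames
and the simplified site rule are assumptions for illustration.
"""
from __future__ import annotations

# Compact-policy tokens, grouped by the P3P element they abbreviate.
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
DISPUTES = {"DSP"}
REMEDIES = {"COR", "MON", "LAW"}
NON_IDENTIFIABLE = {"NID"}
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD",
            "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENTS = {"OUR", "DEL", "SAM", "OTR", "UNR", "PUB"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORIES = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
              "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
TEST = {"TST"}
# Purpose and recipient tokens may carry a one-letter consent suffix.
SUFFIXES = {"a": "always", "i": "opt-in", "o": "opt-out"}


def parse_compact_policy(cp: str) -> dict:
    """Split a CP string into its elements; unknown tokens raise ValueError.

    This is the syntax check a browser performs.  It says nothing about
    whether the site really behaves as the tokens claim.
    """
    policy = {"access": set(), "disputes": False, "remedies": set(),
              "non_identifiable": False, "purposes": {}, "recipients": {},
              "retention": set(), "categories": set(), "test": False}
    for token in cp.split():
        base, suffix = token[:3], token[3:]
        if base in PURPOSES or base in RECIPIENTS:
            if suffix and suffix not in SUFFIXES:
                raise ValueError(f"bad consent suffix in token {token!r}")
            group = "purposes" if base in PURPOSES else "recipients"
            policy[group][base] = SUFFIXES.get(suffix)  # None: no suffix
        elif suffix:
            raise ValueError(f"unknown compact-policy token {token!r}")
        elif base in ACCESS:
            policy["access"].add(base)
        elif base in DISPUTES:
            policy["disputes"] = True
        elif base in REMEDIES:
            policy["remedies"].add(base)
        elif base in NON_IDENTIFIABLE:
            policy["non_identifiable"] = True
        elif base in RETENTION:
            policy["retention"].add(base)
        elif base in CATEGORIES:
            policy["categories"].add(base)
        elif base in TEST:
            policy["test"] = True
        else:
            raise ValueError(f"unknown compact-policy token {token!r}")
    return policy


def p3p_header(cp: str, policyref: str | None = None) -> str:
    """Value of the P3P response header.

    policyref is only needed when the policy reference file is not at the
    well-known location /w3c/p3p.xml.
    """
    parse_compact_policy(cp)  # fail fast rather than ship a typo
    parts = [f'policyref="{policyref}"'] if policyref else []
    parts.append(f'CP="{cp}"')
    return ", ".join(parts)


def cookie_response_headers(name: str, value: str, cp: str,
                            policyref: str | None = None) -> list[tuple[str, str]]:
    """Headers for a response that sets a cookie.

    The P3P header must be in the same response as Set-Cookie: IE6 judges
    each cookie by the compact policy that accompanies it.  HttpOnly is
    added as good practice and is unrelated to P3P.
    """
    return [("P3P", p3p_header(cp, policyref)),
            ("Set-Cookie", f"{name}={value}; Path=/; HttpOnly")]


def is_third_party(address_bar_host: str, cookie_host: str) -> bool:
    """Is a cookie from cookie_host third-party on a page at address_bar_host?

    Simplification (an assumption of this example): a 'site' is the last
    two DNS labels.  IE6's minimal-domain rule is more involved, but the
    outcome for the framed-domain case in the article is the same.
    """
    def site(host: str) -> str:
        return ".".join(host.lower().rstrip(".").split(".")[-2:])
    return site(address_bar_host) != site(cookie_host)


if __name__ == "__main__":
    # Constructed sample: the compact policy quoted in the article.
    cp = "IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
    for field, value in parse_compact_policy(cp).items():
        print(f"{field:17} {value}")
    for header, value in cookie_response_headers("ticket", "a1b2c3", cp):
        print(f"{header}: {value}")
    print("framed cookie is third-party:",
          is_third_party("www.yousmartass.com", "www.free-agent-path.info"))
```

Run it as a script to see the decoded policy and the two headers; the parser is what you would call before deploying a policy generated by a third-party tool, so a mistyped token fails on your machine rather than silently in the visitor's browser.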
If, following these guidelines, you’ve built your own individual files, you can test them with the policy validator provided courtesy of the W3C at https://www.w3.org/P3P/validator.html
Lastly, before you can call yourself an expert, you must be aware that P3P provides no verification of compliance. The browser checks only that the policy files and the compact policy are well-formed and what they declare; a site may well be lying through its teeth about what it does with user data, and if the policies are in order, the browser is happy. What the policy must do is name a course of action for the user in the dispute resolution process, and in most cases that can be the Direct Marketing Association.
Well, this was the soft introduction to the world of privacy compliance through P3P as defined by the W3C. If you have learned anything, it should be that privacy issues can affect your site's operation and most certainly your users' attitude towards you and your business. Armed with this new knowledge, you will, I hope, turn away fewer visitors and make more sales. See the links below for more information.
AlphaWorks IBM Full Policy Generator
Privacy Council Compact Policy Generator
How To Make Your Site Compliant In Six Easy Steps
A Simple Technical Overview
A More Detailed Technical Overview
WWW Consortium Mission
Direct Marketing Association