
About the Author

Nicholas Fehlberg

Nicholas is a Website designer with a special interest in Internet marketing. He also specializes in audio for the Web, and is co-creator of the free online plain-text formatting tool, SMARTass.


P3P, Cookies and IE6.0: A Case Study

By Nicholas Fehlberg

March 24th, 2004


This topic is not dear to my heart. Nevertheless, I think it's one of the most important issues facing Webmasters today. It's privacy.

As an Internet user, I'm reasonably concerned with privacy. Of course, I don't want my address sold to unscrupulous spammers, but, like most, I don't always read the privacy policies of the sites I visit.

A Website's users are its lifeblood, especially in the game of Internet marketing and online business. So, it's vitally important that we treat the privacy requirements of our sites with the attention they demand.

Don't worry -- I'm not going to bore you with a thesis here; I'll just give you the quick answers. Read this article, and update your site with the techniques you learn here. Then, if you choose to find out more from the resources I've listed below, you'll be better prepared than most to handle changes in the area of consumer privacy online. At the very least, you will have complied with the rules. And, for some, there will be spinoffs that actually increase your traffic. More on that later, though.

Privacy Compliance -- Who Cares?

Microsoft, as we know, dominates the market with its Internet Explorer browser, so, generally, we all sit up and take notice of anything MS does. With the latest version (IE6.0), MS redefined the way the browser reacts to cookies, based on the new W3C (World Wide Web Consortium) standard for P3P (the Platform for Privacy Preferences Project).

As this article is written by a layman for other laymen and women, I'll deliberately keep this discussion light. If you want to talk tech and get the tools I refer to along the way, visit the links at the end of the article.

Suffice it to say that MS IE6.0 has redefined the browser's security settings; it appears that our old 'high' security setting has now become 'medium', which the software is set to use as its default. It's more than that, though. The browser of course allows the user to change these settings and, indeed, to override them, but to the hordes of users out there who are struggling with the basic concept of cookies, this represents nothing less than a new barrier to accessing online content.

Many sites -- even large, highly-trafficked ones -- do not appear to have privacy policies that comply with the new P3P standards. If you use IE, you can tell this when you arrive at those sites, as an 'eyeball' with a red 'minus' sign appears in the status bar of your browser. The first time a user tries to use IE6.0 to access a site that doesn't have a compliant privacy policy, a warning dialogue appears. This is scary stuff to new users -- your users. If they check the box that says 'don't alert me about this again', the magic eye starts to appear instead. Though this is a downgraded alert, it's still unsettling enough to make those who don't know or trust the Internet feel a little more suspicious of a site's contents -- perhaps your site's contents.

You can see where we're headed with this. As marketers on the Internet, our task is to gain the trust of our customers and provide them with a pleasant and valuable experience that leads to a purchase. Hey, business is business, right? And that trust could be quickly eroded by a browser on the alert rampage -- before you even know what's happening.

How many thousands of people may have come to your site already and experienced the dreaded 'minus eyeball' or even a fully blown 'batten down the hatches, this site is nasty!' warning? Don't worry, I'll show you how to fix the problem in just a moment.

It gets worse for owners of many domains that frame URLs, forwarding their visitors to one main server. This is in fact what led me to start investigating the whole P3P issue for myself, and to pen this article on P3P quick-compliance.

The P3P Problem Gets Personal

I recently registered the domain yousmartass.com for a new online venture with my partner Mitch Baldwin. As I already had two large host servers with enough room to swing many cats, I chose to forward the domain yousmartass.com to my already-hosted domain, free-agent-path.info.

I coded all the pages and created a privacy policy from an existing statement that I edited to suit my needs. Many people take this approach, even though you can get a policy made specifically for your site for free -- more on that in a minute.

I decided the best and fastest way to allow access to my site was to use a cookie as the ticket for entry. Users would have a cookie placed on their machine when they entered their contact details as part of the site's software download process. It worked on paper, so I tried it myself.

The redirect from yousmartass.com to the specified folder on free-agent-path.info worked as expected. Once I'd entered my name and email address, my machine was offered a cookie, which was accepted automatically and I was granted access. So … where's the problem?

The problem is that I hadn't enabled on my own browser the medium setting that's now the default standard. I found out the hard way that hundreds of visitors were being turned away when my software page didn't see the cookie that was quite obviously never placed. It wasn't placed on the user's machine because the site had no machine-readable privacy policy, and the browser's rule states that if no policy exists, no cookie will be accepted.

But this was no ordinary cookie I was trying to place. Because I'd redirected the initial URL, and the cookies were being placed by this new domain (free-agent-path.info), they were defined as third-party. Tougher rules apply to third-party cookies, and mine certainly weren't being accepted in the spirit in which they were offered. Death by cookies seemed the order of the day.

The stringent cookie standards are there to stop shady individuals and companies from learning things about you without your consent, as you surf innocently on a host site. They're particularly supposed to protect users from third-party sites that host advertisements that suck your personal info. Ever tried switching your settings so that you're prompted each time a cookie is placed through your browser? You can do it in Tools -> Internet Options -> Privacy -> Advanced. Then go somewhere like howstuffworks.com. You can see why we need the privacy thing -- at the very least, so that we aren't constantly swatting at dialogue boxes all day!

I had to figure a way to get the browsers to relax on this third-party cookie issue and start accepting them, otherwise, many of my visitors would be left out in the cold. In fact, they already were! I was, at the time, receiving countless emails from people pleading to get in, some having tried more than 4 times on different occasions.

Your Own P3P Privacy Policy

Let's go back a few steps. What exactly is a privacy policy? It's four things, really.

First, it's a human-readable statement of the information you collect about visitors to your site, and what you intend to do with that information. This should be plainly visible to the user, usually linked to the homepage (typically in the footer) and other key pages of the site.

The second aspect of having a P3P-compliant privacy policy involves hosting a full policy in XML (eXtensible Markup Language), which defines the particulars of your business address, contact details, the location of your human-readable privacy policy, actions to be taken if a user feels their privacy has been breached, and the types of, and options pertaining to, user data that's collected.

The third consideration is the policy reference file. The reference file points to the location of the policy file on your server. Both files are usually located in what is called the well-known location -- a folder you must call w3c, and locate on the top level of your site. Not above the top level, like the cgi-bin, but at the first level inside your html documents folder.

Both of these files are XML documents, but you needn't rush out and buy the Idiot's Guide just yet -- help is at hand. IBM has come to the party with a Java application that runs on your own machine and is supposed to walk you through everything required for you to achieve compliance. Enter your intentions in one end, and out come the goods at the other! All for free.

In reality, though, it's not quite as simple as it sounds. The procedure involves dragging instances of information collection from your site (defined in the left window) across to the right window, which is your active policy. As the instances hit the right window, they're incorporated into the profile. And, as the profile grows, it also generates a written privacy policy.

However, the site owner must go into a menu and click through a number of tabs, inputting specific company and/or individual information such as business address, phone number and email contact. There are a small number of other steps we must take before the process is complete. The combination of the error page's messages, and some general menu snooping, leads us to create the policy reference file without too much work.

The finished files can be saved to their respective folders on your server, as described earlier (privacy_policy.xml and ref_policy.xml are both placed in the w3c folder at www.your_domain/w3c/).

Fourth, and of particular interest to sites that use cookies, is the compact policy, or CP. This is a machine-readable header code that uses an abbreviated form of the full policy. It's actually derived from the full policy when you use the IBM policy generator.

But -- and here's the great news -- the only thing you'll require immediately to guarantee that your visitors will not block your cookies is the compact policy. Let's see how it works.
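The two situations described above (the redirected domain that turned my cookies into third-party cookies, and the compact policy that travels as an HTTP header alongside them) can be checked on the server side before any visitor hits the problem. The following Python is an added example, not code from this article or from the IBM tool: it takes a set of response headers, looks for a `P3P` header carrying a `CP="..."` compact policy (that header syntax comes from the W3C P3P specification), decides whether the cookie-setting host is third-party relative to the page the visitor typed in, and reports how IE6.0's default setting would treat the cookie according to the rules laid out in this article. The header values, the host names and the compact-policy tokens inside them are constructed sample data; the tokens are illustrative, not a policy you should copy.

```python
import re
from dataclasses import dataclass

# Constructed sample responses (not captured from any real site).
# First: the situation in the article -- a cookie set with no P3P header at all.
SAMPLE_NO_P3P = {
    "Content-Type": "text/html",
    "Set-Cookie": "entry=granted; Path=/",
}
# Second: the same cookie accompanied by a compact policy header.
# The tokens are illustrative placeholders for whatever the policy generator emits.
SAMPLE_WITH_P3P = {
    "Content-Type": "text/html",
    "P3P": 'policyref="/w3c/ref_policy.xml", CP="NOI DSP COR NID OUR IND"',
    "Set-Cookie": "entry=granted; Path=/",
}

# CP="..." inside the P3P header value; header names are case-insensitive.
CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_compact_policy(p3p_header):
    """Return the compact-policy tokens in a P3P header value, or None if there is no CP."""
    if p3p_header is None:
        return None
    match = CP_RE.search(p3p_header)
    if not match:
        return None
    return match.group(1).split()


def registrable_site(host):
    """Crude site grouping: the last two DNS labels (enough for the .com/.info hosts here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(page_host, cookie_host):
    """A cookie is third-party when the host setting it is not the site the visitor requested."""
    return registrable_site(page_host) != registrable_site(cookie_host)


@dataclass
class CookieVerdict:
    sets_cookie: bool
    third_party: bool
    cp_tokens: list
    status: str


def assess(headers, page_host, cookie_host):
    """Apply the article's rules: no compact policy means the cookie is refused when third-party,
    and earns the privacy alert even when first-party."""
    lower = {name.lower(): value for name, value in headers.items()}
    sets_cookie = "set-cookie" in lower
    tokens = parse_compact_policy(lower.get("p3p"))
    third = is_third_party(page_host, cookie_host)
    if not sets_cookie:
        status = "no cookie set; nothing for the browser to block"
    elif tokens:
        status = "cookie accompanied by compact policy"
    elif third:
        status = "BLOCKED: third-party cookie without compact policy"
    else:
        status = "ALERT: first-party cookie without compact policy (privacy icon shown)"
    return CookieVerdict(sets_cookie, third, tokens or [], status)


if __name__ == "__main__":
    # The article's own scenario: visitor arrives via yousmartass.com, cookie set by free-agent-path.info.
    for label, headers in (("no P3P", SAMPLE_NO_P3P), ("with P3P", SAMPLE_WITH_P3P)):
        verdict = assess(headers, "yousmartass.com", "free-agent-path.info")
        print(f"{label}: third_party={verdict.third_party} -> {verdict.status}")
```

Run it against your own server by pasting the real response headers into a dictionary in place of the samples; if the verdict is anything other than "accompanied by compact policy", IE6.0 users reaching you through a forwarded domain are being turned away just as mine were.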
