URGENT -- How do I create a privacy policy with locomotive?


#1

Chaps (and chapettes):

I am under the gun here. A site is meant to be tested today but it
failed the first test. The problem is (or appears to be) that
because we don’t have a privacy policy for our website, the
corporation won’t permit access to the site (none of the images load,
amongst other problems).

I have no idea about privacy policies - how do I make that happen?

bruce


#2

Bruce B. wrote:

Chaps (and chapettes):

I am under the gun here. A site is meant to be tested today but it
failed the first test. The problem is (or appears to be) that because
we don’t have a privacy policy for our website, the corporation won’t
permit access to the site (none of the images load, amongst other
problems).

I have no idea about privacy policies - how do I make that happen?

If you google for “privacy policy” you will find plenty of examples (and
some companies offering support for constructing privacy policies).

Sounds as if you have a previously-unidentified stakeholder. Who is
going to accept or reject the privacy policy, and what are their
criteria?

Finally, what has this got to do with Locomotive?


#3

Talk to the stakeholders in your corporation instead of asking
strangers :slight_smile:


#4

Justin:

Thanks for the reply. I would have thought this was a common
problem. Here is the scenario.

I created a site for a corporate client to vote on some internal
matter but the site is hosted by me externally for reasons too boring
to go into.

The company insists on using IE 6.

My site won’t load and it turns out (I think) that it is because I
don’t have a privacy policy and IE 6 insists on one. If that is
true, everyone should be having this problem.

Now we don’t want to maintain any data except two votes, but we do
have to keep an ID number for each person who voted to make sure they
don’t vote twice.

So my privacy policy is, in truth, we are going to keep your two
votes linked to your id and do so for about 5 days then throw the
whole lot away. We don’t want your email, your credit card or your
inside leg measurement EVER.

I have another site that does not use cookies and my client can
access that one no problem, so I believe for this and other reasons
that this is a cookie IE 6 thing.

I thought perhaps that locomotive using lighttpd might require me to
put something somewhere but it appears that what I really need to do
(I think) is to just add the compact privacy policy “CN= whatever”
to my headers.

How is that done?

Finally - some late breaking news (from my client, just in while
typing this email) is that having set his IE 6 security level to
accept all cookies from all sites, he still cannot view my site.
Does this change the situation?

bruce


#5

On Mon, Dec 05, 2005, Bruce B. wrote:

Chaps (and chapettes):

I am under the gun here. A site is meant to be tested today but it
failed the first test. The problem is (or appears to be) that
because we don’t have a privacy policy for our website, the
corporation won’t permit access to the site (none of the images load,
amongst other problems).

I have no idea about privacy policies - how do I make that happen?

I’m pretty sure you’re confusing terms here. A privacy policy is a
document that describes how your application is going to use customer
data. It’s only meaningful to people.

It sounds like your issue is technical. If images aren’t loading, it
has absolutely nothing to do with a privacy policy. You need to
investigate why those images aren’t loading. Try to take the URL of one
of them, load it in a browser, and see why it won’t load.

Just for kicks, if the URL is http:// and not https://, switch it to
https:// and see if it loads. From the information you’ve given, it
sounds like there might be a chance that there’s a ridiculous firewall
that’s blocking non-https access.

It also might be that said firewall is blocking https access with
self-signed keys, in which case you’ll need to get a key from a
recognized CA.

Let us know what you find out :slight_smile:

Ben


#6

OK. Let’s put my question on hold. For my particular purpose it would
be as effective to simply not put cookies on the client’s computer.
BUT HOW DO I STOP THAT FROM HAPPENING?

I have removed all session variables from my code but rails is still
depositing a cookie. Why? And more importantly, how do I stop it?

bruce


#7

On Mon, Dec 05, 2005, Bruce B. wrote:

I thought perhaps that locomotive using lighttpd might require me to
put something somewhere but it appears that what I really need to do
(I think) is to just add the compact privacy policy “CN= whatever”
to my headers.

I’m now almost certain this is a security certificate thing. CN is the
‘common name’ field of an https certificate, where you define the name
of the company that owns the cert. It sounds like something is
misconfigured, or that you’re using a self-signed cert.

I don’t think locomotive supports https, but I could be wrong. Others
might know better than I do. That could be your entire problem.

Ben


#8

Is this site by any chance SSL enabled?


#9

I have the option of just removing all cookies from this simple app
and would like to do that. How?

Also, I believe it is to do with cookies. I am on Mac OS X Tiger. I
loaded a copy of MSIE 5.0 for my Mac and it would not show me any
graphics. I then dropped my security level in the internet zones
area and voila, graphics. Strangely, even after putting it back up
and deleting my cookie, I cannot prevent the graphics from appearing.

So it looks like a cookies thing even if it ought to be a graphics
thing. Anyone seen this happen before?

bruce

PS. MS documentation suggests that IE 6.0 will not accept any cookies
without a privacy policy. Is that true?


#10

I think he may be referring to a ‘compact privacy policy’.

I found this with a quick Google search:

http://www.sitepoint.com/article/p3p-cookies-ie6/2

Also, it looks like you can generate a policy here:

http://p3p.privacycouncil.com/public/publicCPGen.jsp

However, at the time of posting that site seems to be unavailable.

Ben


#11

Ben:

Thanks a bunch. This could be the thing I need. Meantime, I have
found out how to disable sending cookies but AMAZINGLY (or not) my
site is still not working. So perhaps it was cookies + something
else. Site is super-simple. Only a little JavaScript.

I’m going to let everyone know the solution when I find it because
this is bound to happen to other people.

Bruce


#12

Ben M. wrote:

I think he may be referring to a ‘compact privacy policy’.

I found this with a quick Google search:

http://www.sitepoint.com/article/p3p-cookies-ie6/2

(worth going back to Page 1 and reading the whole article)

This is fascinating - does it really apply to session cookies?
If so, why aren’t all Rails (and most J2EE, and many other) sites
suffering from it?

Also, it looks like you can generate a policy here:

http://p3p.privacycouncil.com/public/publicCPGen.jsp

However, at the time of posting that site seems to be unavailable.

Here’s a page with more resources:

http://www.w3.org/P3P/usep3p.html

Microsoft’s explanation of IE6 settings is here:

http://support.microsoft.com/kb/q283185/

and there’s a practical article here:

http://www.duxcw.com/faq/webmastr/privhttp.htm

with associated human-readable privacy statement here:

http://www.duxcw.com/_include/privincl.htm

Bruce - sorry I doubted your assumption that this was a technical thing.

Reduce this kind of risk in future by doing end-to-end testing of a
representative slice of your application, on the intended technology
(i.e., in this case, from Rails at the external host through to IE6 in
the end user environment), as early as possible in a project.

For now, agree with your customer that this is an aspect that needs
fixing, but also agree a work-around that allows testing of
functionality to continue - even if this means using a server on the
internal network.

I suspect that the images aspect is something different, but I’m not
sure.

Sorry I don’t have much time to look into this (I was away from work ill
today, and have some catching up to do)… but I’ll google some more and
flag anything that looks useful.

regards

Justin
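As an added example (not code from this thread, from Locomotive or from Rails): a Rack-style middleware in plain Ruby that stamps the HTTP `P3P` compact-policy header (`CP="..."`) on every response, refuses to boot if the policy contains a token outside the P3P 1.0 compact-policy vocabulary, and a small parser for checking the header in a captured response. The class and constant names (`CompactPolicyHeader`, `INNER_APP`, `EXAMPLE_POLICY`), the sample cookie and the sample policy string are assumptions; the token list is the P3P 1.0 vocabulary as I recall it. The header is a self-declaration that IE6 trusts when deciding whether to accept a cookie; it enforces nothing, so the tokens must match what the site's human-readable privacy statement actually promises.

```ruby
# Added example, not code from the thread: attach a P3P compact policy
# header and validate its tokens. Plain Ruby; a Rack app is just an object
# responding to call(env) -> [status, headers, body], so no gem is needed.

# Purpose tokens may carry an a/i/o qualifier (always / opt-in / opt-out).
P3P_PURPOSE_TOKENS = %w[CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP].freeze

# Every other compact-policy token (access, disputes, remedies,
# non-identifiable, recipients, retention, categories, test), as recalled
# from P3P 1.0.
P3P_OTHER_TOKENS = %w[
  NOI ALL CAO IDC OTI NON
  DSP COR MON LAW NID
  OUR DEL SAM UNR PUB OTR
  NOR STP LEG BUS IND
  PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC
  TST
].freeze

# True when one token is in the vocabulary ("CURa" is fine, "CN=x" is not).
def valid_p3p_token?(token)
  return true if P3P_OTHER_TOKENS.include?(token)
  base = token[0, 3]
  qualifier = token[3..-1].to_s
  P3P_PURPOSE_TOKENS.include?(base) && (qualifier.empty? || %w[a i o].include?(qualifier))
end

# True when every whitespace-separated token of the policy is known.
def valid_compact_policy?(policy)
  tokens = policy.to_s.split
  !tokens.empty? && tokens.all? { |t| valid_p3p_token?(t) }
end

# Extracts the token list from a header value such as CP="NOI DSP", or nil
# when the value is not of that shape. Handy for checking a live response.
def parse_compact_policy(header_value)
  m = /\ACP="([^"]*)"\z/.match(header_value.to_s.strip)
  m && m[1].split
end

# Middleware: rejects a bad policy at boot rather than serving a typo, and
# adds the header to every response (IE6 evaluates it on cookie-setting
# responses; adding it everywhere is the simplest way to cover all of them).
class CompactPolicyHeader
  def initialize(app, policy)
    raise ArgumentError, "unknown P3P token in #{policy.inspect}" unless valid_compact_policy?(policy)
    @app = app
    @header_value = %(CP="#{policy}")
  end

  def call(env)
    status, headers, body = @app.call(env)
    [status, headers.merge('P3P' => @header_value), body]
  end
end

# Constructed sample: an inner app that sets the Rails-style _session_id
# cookie discussed in the thread, and a constructed policy (assumption:
# replace it with tokens that match the real privacy statement).
INNER_APP = lambda do |_env|
  [200, { 'Content-Type' => 'text/html',
          'Set-Cookie' => '_session_id=abc123; path=/' }, ['<p>vote</p>']]
end
EXAMPLE_POLICY = 'NOI DSP COR CURa ADMa OUR STP STA'.freeze

# Runs one request through the wrapped app and returns the Rack triple.
def demo_response
  CompactPolicyHeader.new(INNER_APP, EXAMPLE_POLICY).call({})
end

if __FILE__ == $PROGRAM_NAME
  _status, headers, _body = demo_response
  puts headers['P3P']
  puts parse_compact_policy(headers['P3P']).inspect
end
```

Running the file prints the header the sample app would send and the tokens parsed back out of it; wrapping a real Rack application the same way (`CompactPolicyHeader.new(app, policy)`) is all that is needed to add the header in front of any Rack-compatible server.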


#13

On Mon, Dec 05, 2005 at 12:12:46PM -0700, Bruce B. wrote:

OK. Let’s put my question on hold. For my particular purpose it would
be as effective to simply not put cookies on the client’s computer.
BUT HOW DO I STOP THAT FROM HAPPENING?

I have removed all session variables from my code but rails is still
depositing a cookie. Why? And more importantly, how do I stop it?

Removing the use of session variables is not sufficient to prevent rails
from attempting to set a _session_id cookie. Read the “Easier session
management” section of
http://documentation.rubyonrails.com/release_notes/rc2.html

Unfortunately, if the instructions there don’t work you may be running
into this bug: http://dev.rubyonrails.org/ticket/2914


#14

Bruce B. wrote:

Also, I believe it is to do with cookies. I am on mac osx Tiger. I
loaded a copy of MSIE 5.0 for my mac and it would not show me any
graphics. I then dropped my security level in the internet zones area
and voila, graphics. Strangely, even after putting it back up and
deleting my cookie, I cannot prevent the graphics from appearing.

Perhaps it was just reusing graphics that were already in your browser
cache?

regards

Justin


#15

Just a quick thank you to all the people who offered assistance.

It turns out that my question was the result of a strange
coincidence, a false conclusion and some less than honest MS docs.

I posted my final conclusions and success to the mailing list in case
it might help anyone else avoid the 12+ hours of misery I just
experienced chasing my tail.

In brief - TextMate will let you generate a version 1.0 XHTML
document. If you do that, something about the header code will
prevent (or not allow) MSIE from displaying images. I don’t understand
what or why, but the fix is simple. Watch out for that particular
header text.

If someone were kind enough to tell me how to post that info to the
TextMate boys (what is the right forum, format?) I’d be happy to do
that and make an already great product better.

bruce


#16

On 12/7/05, Bruce B. wrote:

If someone were kind enough to tell me how to post that info to the
TextMate boys (what is the right forum, format?) I’d be happy to do
that and make an already great product better.

The list:

http://lists.macromates.com/mailman/listinfo/textmate

Also see this page on how to report TextMate bugs:

http://macromates.com/wiki/pmwiki?n=Main.BugReporting


Chris B.

http://hypsometry.com/ : website edification
http://uvlist.org/ : free classifieds for the Upper Valley