Rails - Dec 2005 - URGENT -- How do I create a privacy policy with locomotive?

Chaps (and chapettes):

I am under the gun here.  A site is meant to be tested today but it  
failed the first test.  The problem is (or appears to be) that  
because we don''t have a privacy policy for our website, the  
corporation won''t permit access to the site (none of the images load,  
amongst other problems).

I have no idea about privacy policies - how to I make that happen?

bruce

You have to write one..... A privacy policy is just a bunch of text
stating what you will do (and will not do) with user information that
you collect or currently posess.

Usually you can just go copy one from an existing web site and modify it
to meet your needs.

Or you can roll your own with these tools:

http://www.p3pwiz.com/

http://www.the-dma.org/privacy/creating.shtml

http://www.oecd.org/document/39/0,2340,en_2649_34255_28863271_1_1_1_1,00
.html

Good luck!

-Brian

-----Original Message-----
From: rails-bounces-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
[mailto:rails-bounces-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org] On
Behalf Of Bruce Balmer
Sent: Monday, December 05, 2005 10:07 AM
To: rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
Subject: [Rails] URGENT -- How do I create a privacy policy with
locomotive?


Chaps (and chapettes):

I am under the gun here.  A site is meant to be tested today but it  
failed the first test.  The problem is (or appears to be) that  
because we don''t have a privacy policy for our website, the  
corporation won''t permit access to the site (none of the images load,  
amongst other problems).

I have no idea about privacy policies - how to I make that happen?

bruce


_______________________________________________
Rails mailing list
Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
http://lists.rubyonrails.org/mailman/listinfo/rails

Bruce Balmer wrote:
> Chaps (and chapettes):
> 
> I am under the gun here.  A site is meant to be tested today but it  
> failed the first test.  The problem is (or appears to be) that  because 
> we don''t have a privacy policy for our website, the  corporation
won''t
> permit access to the site (none of the images load,  amongst other 
> problems).
> 
> I have no idea about privacy policies - how to I make that happen?
If you google for "privacy policy" you will find plenty of examples
(and
  some companies offering support for constructing privacy policies).

Sounds as if you have a previously-unidentified stakeholder. Who is 
going to accept or reject the privacy policy, and what are their criteria?

Finally, what has this got to do with Locomotive?
> 
> bruce
> 
> 
> _______________________________________________
> Rails mailing list
> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
> 
>

Justin:

Thanks for the reply.  I would have thought this was a common  
problem.  Here is the scenario.

I created a site for a corporate client to vote on some internal  
matter but the site is hosted by me externally for reasons to boring  
to go into.

The company insist on using IE 6

My site won''t load and it turns out (I think) that it is because I  
don''t have a privacy policy and IE 6 insists on one.  If that is  
true, everyone should be having this problem.

Now we don''t want to maintain any data except two votes, but we do  
have to keep an ID number for each person who voted to make sure they  
don''t vote twice.

So my privacy policy is, in truth, we are going to keep your two  
votes linked to your id and do so for about 5 days then throw the  
whole lot away.  We don''t want your email, your credit card or your  
inside leg measurement EVER.

I have another site that does not use cookies and my client can  
access that one no problem, so I believe for this and other reasons  
that this is a cookie IE 6 thing.

I thought perhaps that locomotive using lighttpd might require me to  
put something somewhere but it appears that what I really need to do  
(I think) is to just add the compact privacy policy   "CN= whatever"  
to my headers.

How is that done?

Finally - some late breaking news (from my client, just in while  
typing this email) is that having set his IE 6 security level to  
accept all cookies from all sites, he still cannot view my site.   
Does this change the situation?

bruce







On 5-Dec-05, at 10:16 AM, Justin Forder wrote:
> Bruce Balmer wrote:
>
>> Chaps (and chapettes):
>> I am under the gun here.  A site is meant to be tested today but  
>> it  failed the first test.  The problem is (or appears to be)  
>> that  because we don''t have a privacy policy for our website,
the
>> corporation won''t permit access to the site (none of the
images
>> load,  amongst other problems).
>> I have no idea about privacy policies - how to I make that happen?
>
> If you google for "privacy policy" you will find plenty of
examples
> (and  some companies offering support for constructing privacy  
> policies).
>
> Sounds as if you have a previously-unidentified stakeholder. Who is  
> going to accept or reject the privacy policy, and what are their  
> criteria?
>
> Finally, what has this got to do with Locomotive?
>
>> bruce
>> _______________________________________________
>> Rails mailing list
>> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
>> http://lists.rubyonrails.org/mailman/listinfo/rails
>
> _______________________________________________
> Rails mailing list
> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> http://lists.rubyonrails.org/mailman/listinfo/rails

Talk to the stake holders in your corporation instead of asking strangers :)

On 12/5/05, Bruce Balmer <brucebalmer-ee4meeAH724@public.gmane.org>
wrote:
> Chaps (and chapettes):
>
> I am under the gun here.  A site is meant to be tested today but it
> failed the first test.  The problem is (or appears to be) that
> because we don''t have a privacy policy for our website, the
> corporation won''t permit access to the site (none of the images
load,
> amongst other problems).
>
> I have no idea about privacy policies - how to I make that happen?
>
> bruce
>
>
> _______________________________________________
> Rails mailing list
> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>

On Mon, Dec 05, 2005, Bruce Balmer wrote:
> Chaps (and chapettes):
> 
> I am under the gun here.  A site is meant to be tested today but it  
> failed the first test.  The problem is (or appears to be) that  
> because we don''t have a privacy policy for our website, the  
> corporation won''t permit access to the site (none of the images
load,
> amongst other problems).
> 
> I have no idea about privacy policies - how to I make that happen?
I''m pretty sure you''re confusing terms here.  A privacy policy
is a
document that describes how your application is going to use customer
data.  It''s only meaningful to people.

It sounds like your issue is technical.  If images aren''t loading, it
has absolutely nothing to do with a privacy policy.  You need to
investigate why those images aren''t loading.  Try to take the URL of
one
of them, load it in a browser, and see why it won''t load.

Just for kicks, if the url is http:// and not https://, switch it to
https:// and see if it loads.  From the information you''ve given, it
sounds like there might be a chance that there''s a ridiculous firewall
that''s blocking non-https access.

It also might be that said firewall is blocking https access with
self-signed keys, in which case you''ll need to get a key from a
recognized CA.

Let us know what you find out :)

Ben

On Mon, Dec 05, 2005, Bruce Balmer wrote:
> I thought perhaps that locomotive using lighttpd might require me to  
> put something somewhere but it appears that what I really need to do  
> (I think) is to just add the compact privacy policy   "CN=
whatever"
> to my headers.
I''m now almost certain this is a security certificate thing.  CN is the
''common name'' field of an https certificate, where you define
the name
of the company that owns the cert.  It sounds like something is
misconfigured, or that you''re using a self-signed cert.

I don''t think locomotive supports https, but I could be wrong.  Others
might know better than I do.  That could be your entire problem.

Ben

Is this site by any chance SSL enabled?

On 12/5/05, Bruce Balmer <brucebalmer-ee4meeAH724@public.gmane.org>
wrote:
> Justin:
>
> Thanks for the reply.  I would have thought this was a common
> problem.  Here is the scenario.
>
> I created a site for a corporate client to vote on some internal
> matter but the site is hosted by me externally for reasons to boring
> to go into.
>
> The company insist on using IE 6
>
> My site won''t load and it turns out (I think) that it is because I
> don''t have a privacy policy and IE 6 insists on one.  If that is
> true, everyone should be having this problem.
>
> Now we don''t want to maintain any data except two votes, but we do
> have to keep an ID number for each person who voted to make sure they
> don''t vote twice.
>
> So my privacy policy is, in truth, we are going to keep your two
> votes linked to your id and do so for about 5 days then throw the
> whole lot away.  We don''t want your email, your credit card or
your
> inside leg measurement EVER.
>
> I have another site that does not use cookies and my client can
> access that one no problem, so I believe for this and other reasons
> that this is a cookie IE 6 thing.
>
> I thought perhaps that locomotive using lighttpd might require me to
> put something somewhere but it appears that what I really need to do
> (I think) is to just add the compact privacy policy   "CN=
whatever"
> to my headers.
>
> How is that done?
>
> Finally - some late breaking news (from my client, just in while
> typing this email) is that having set his IE 6 security level to
> accept all cookies from all sites, he still cannot view my site.
> Does this change the situation?
>
> bruce
>
>
>
>
>
>
>
> On 5-Dec-05, at 10:16 AM, Justin Forder wrote:
>
> > Bruce Balmer wrote:
> >
> >> Chaps (and chapettes):
> >> I am under the gun here.  A site is meant to be tested today but
> >> it  failed the first test.  The problem is (or appears to be)
> >> that  because we don''t have a privacy policy for our
website, the
> >> corporation won''t permit access to the site (none of the
images
> >> load,  amongst other problems).
> >> I have no idea about privacy policies - how to I make that happen?
> >
> > If you google for "privacy policy" you will find plenty of
examples
> > (and  some companies offering support for constructing privacy
> > policies).
> >
> > Sounds as if you have a previously-unidentified stakeholder. Who is
> > going to accept or reject the privacy policy, and what are their
> > criteria?
> >
> > Finally, what has this got to do with Locomotive?
> >
> >> bruce
> >> _______________________________________________
> >> Rails mailing list
> >> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> >> http://lists.rubyonrails.org/mailman/listinfo/rails
> >
> > _______________________________________________
> > Rails mailing list
> > Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> > http://lists.rubyonrails.org/mailman/listinfo/rails
>
> _______________________________________________
> Rails mailing list
> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>

OK. Let''s put my question on hold. For my particular purpose it would  
be as effective to simple not put cookies on the client''s computer.  
BUT HOW DO I STOP THAT FROM HAPPENING?

I have removed all session variables from my code but rails is still  
depositing a cookie.  Why? And more importantly, how do I stop it?

bruce






On 5-Dec-05, at 11:57 AM, Cuong Tran wrote:
>   Is this site by any chance SSL enabled?
>
> On 12/5/05, Bruce Balmer <brucebalmer-ee4meeAH724@public.gmane.org>
wrote:
>> Justin:
>>
>> Thanks for the reply.  I would have thought this was a common
>> problem.  Here is the scenario.
>>
>> I created a site for a corporate client to vote on some internal
>> matter but the site is hosted by me externally for reasons to boring
>> to go into.
>>
>> The company insist on using IE 6
>>
>> My site won''t load and it turns out (I think) that it is
because I
>> don''t have a privacy policy and IE 6 insists on one.  If that
is
>> true, everyone should be having this problem.
>>
>> Now we don''t want to maintain any data except two votes, but
we do
>> have to keep an ID number for each person who voted to make sure they
>> don''t vote twice.
>>
>> So my privacy policy is, in truth, we are going to keep your two
>> votes linked to your id and do so for about 5 days then throw the
>> whole lot away.  We don''t want your email, your credit card or
your
>> inside leg measurement EVER.
>>
>> I have another site that does not use cookies and my client can
>> access that one no problem, so I believe for this and other reasons
>> that this is a cookie IE 6 thing.
>>
>> I thought perhaps that locomotive using lighttpd might require me to
>> put something somewhere but it appears that what I really need to do
>> (I think) is to just add the compact privacy policy   "CN=
whatever"
>> to my headers.
>>
>> How is that done?
>>
>> Finally - some late breaking news (from my client, just in while
>> typing this email) is that having set his IE 6 security level to
>> accept all cookies from all sites, he still cannot view my site.
>> Does this change the situation?
>>
>> bruce
>>
>>
>>
>>
>>
>>
>>
>> On 5-Dec-05, at 10:16 AM, Justin Forder wrote:
>>
>>> Bruce Balmer wrote:
>>>
>>>> Chaps (and chapettes):
>>>> I am under the gun here.  A site is meant to be tested today
but
>>>> it  failed the first test.  The problem is (or appears to be)
>>>> that  because we don''t have a privacy policy for our
website, the
>>>> corporation won''t permit access to the site (none of
the images
>>>> load,  amongst other problems).
>>>> I have no idea about privacy policies - how to I make that
happen?
>>>
>>> If you google for "privacy policy" you will find plenty
of examples
>>> (and  some companies offering support for constructing privacy
>>> policies).
>>>
>>> Sounds as if you have a previously-unidentified stakeholder. Who is
>>> going to accept or reject the privacy policy, and what are their
>>> criteria?
>>>
>>> Finally, what has this got to do with Locomotive?
>>>
>>>> bruce
>>>> _______________________________________________
>>>> Rails mailing list
>>>> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
>>>> http://lists.rubyonrails.org/mailman/listinfo/rails
>>>
>>> _______________________________________________
>>> Rails mailing list
>>> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
>>> http://lists.rubyonrails.org/mailman/listinfo/rails
>>
>> _______________________________________________
>> Rails mailing list
>> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
>> http://lists.rubyonrails.org/mailman/listinfo/rails
>>
> _______________________________________________
> Rails mailing list
> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> http://lists.rubyonrails.org/mailman/listinfo/rails

I have the option of just removing all cookies from this simple app  
and would like to do that.  How?

Also, I believe it is to do with cookies. I am on mac osx Tiger.  I  
loaded a copy of MSIE 5.0 for my mac and it would not show me any  
graphics.  I then dropped my security level in the internet zones  
area and voila, graphics.  Strangely, even after putting it back up  
and deleting my cookie, I cannot prevent the graphics from appearing.

So it looks like a cookies thing even if it ought to be a graphics  
thing.  Anyone seen this happen before?

bruce

PS. MS documentation suggests that IE 6.0 will not accept any cookies  
without a privacy policy. Is that true?

I think he may be referring to a ''compact privacy policy''.

I found this with a quick Google search:

http://www.sitepoint.com/article/p3p-cookies-ie6/2

Also, it looks like you can generate a policy here:

http://p3p.privacycouncil.com/public/publicCPGen.jsp

However, at the time of posting that site seems to be unavailable.

Ben

Ben:

Thanks a bunch. This could be the thing I need. Meantime, I have  
found out how to disable sending cookies but AMAZINGLY (or not) my  
site is still not working. So perhaps it was cookies +something  
else.  Site is super-simple.  Only a little javascript.

I''m going to let everyone know the solution when I find it because  
this is bound to happen to other people.

Bruce


On 5-Dec-05, at 12:55 PM, Ben Myles wrote:
> I think he may be referring to a ''compact privacy
policy''.
>
> I found this with a quick Google search:
>
> http://www.sitepoint.com/article/p3p-cookies-ie6/2
>
> Also, it looks like you can generate a policy here:
>
> http://p3p.privacycouncil.com/public/publicCPGen.jsp
>
> However, at the time of posting that site seems to be unavailable.
>
> Ben
> _______________________________________________
> Rails mailing list
> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> http://lists.rubyonrails.org/mailman/listinfo/rails

Ben Myles wrote:
> I think he may be referring to a ''compact privacy
policy''.
> 
> I found this with a quick Google search:
> 
> http://www.sitepoint.com/article/p3p-cookies-ie6/2
(worth going back to Page 1 and reading the whole article)

This is fascinating - does it really apply to session cookies?
If so, why aren''t all Rails (and most J2EE, and many other) sites 
suffering from it?
> Also, it looks like you can generate a policy here:
> 
> http://p3p.privacycouncil.com/public/publicCPGen.jsp
> 
> However, at the time of posting that site seems to be unavailable.
Here''s a page with more resources:

   http://www.w3.org/P3P/usep3p.html

Microsoft''s explanation of IE6 settings is here:

   http://support.microsoft.com/kb/q283185/

and there''s a practical article here:

   http://www.duxcw.com/faq/webmastr/privhttp.htm

with associated human-readable privacy statement here:

   http://www.duxcw.com/_include/privincl.htm

Bruce - sorry I doubted your assumption that this was a technical thing.

Reduce this kind of risk in future by doing end-to-end testing of a 
representative slice of your application, on the intended technology 
(i.e., in this case, from Rails at the external host through to IE6 in 
the end user environment), as early as possible in a project.

For now, agree with your customer that this is an aspect that needs 
fixing, but also agree a work-around that allows testing of 
functionality to continue - even if this means using a server on the 
internal network.

I suspect that the images aspect is something different, but I''m not
sure.

Sorry I don''t have much time to look into this (I was away from work
ill
today, and have some catching up to do)... but I''ll google some more
and
flag anything that looks useful.

regards

   Justin

Bruce Balmer wrote:
> Also, I believe it is to do with cookies. I am on mac osx Tiger.  I  
> loaded a copy of MSIE 5.0 for my mac and it would not show me any  
> graphics.  I then dropped my security level in the internet zones  area 
> and voila, graphics.  Strangely, even after putting it back up  and 
> deleting my cookie, I cannot prevent the graphics from appearing.
Perhaps it was just reusing graphics that were already in your browser 
cache?

regards

   Justin

On Mon, Dec 05, 2005 at 12:12:46PM -0700, Bruce Balmer
wrote:
> OK. Let''s put my question on hold. For my particular purpose it
would
> be as effective to simple not put cookies on the client''s
computer.
> BUT HOW DO I STOP THAT FROM HAPPENING?
> 
> I have removed all session variables from my code but rails is still  
> depositing a cookie.  Why? And more importantly, how do I stop it?
Removing the use of session variables is not sufficient to prevent rails
from attempting to set a _session_id cookie. Read the "Easier session
management" section of
http://documentation.rubyonrails.com/release_notes/rc2.html

Unfortunately if the instructions there don''t work you may be running
into this
bug: http://dev.rubyonrails.org/ticket/2914

Just a quick thank you to all the people who offered assistance.

It turns out that my question was the result of a strange  
coincidence, a false conclusion and some less than honest MS docs.

I posted my final conclusions and success to the mailing list in case  
it might help anyone else avoid the 12+ hours of misery I just  
experienced chasing my tale.

In brief - textmate will let you generate a version 1.0 xhmtl  
document. If you do that, something about the header code will  
prevent (or not allow) MSIE in displaying images.  I don''t understand  
what or why, but the fix is simple. Watch out for that particular  
header text.

If someone were kind enough to tell me how to post that info to the  
texmate boys (what is the right forum, format?  I''d be happy to do  
that and make an already great product better.

bruce








On 7-Dec-05, at 1:00 AM, Matt Rohrer wrote:
> On Mon, Dec 05, 2005 at 12:12:46PM -0700, Bruce Balmer wrote:
>> OK. Let''s put my question on hold. For my particular purpose
it would
>> be as effective to simple not put cookies on the client''s
computer.
>> BUT HOW DO I STOP THAT FROM HAPPENING?
>>
>> I have removed all session variables from my code but rails is still
>> depositing a cookie.  Why? And more importantly, how do I stop it?
>
> Removing the use of session variables is not sufficient to prevent  
> rails
> from attempting to set a _session_id cookie. Read the "Easier session
> management" section of http://documentation.rubyonrails.com/ 
> release_notes/rc2.html
>
> Unfortunately if the instructions there don''t work you may be  
> running into this
> bug: http://dev.rubyonrails.org/ticket/2914
>
> _______________________________________________
> Rails mailing list
> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> http://lists.rubyonrails.org/mailman/listinfo/rails

On 12/7/05, Bruce Balmer <brucebalmer@mac.com>
wrote:
> If someone were kind enough to tell me how to post that info to the
> texmate boys (what is the right forum, format?  I'd be happy to do
> that and make an already great product better.
The list:

http://lists.macromates.com/mailman/listinfo/textmate

Also see this page on how to report TextMate bugs:

http://macromates.com/wiki/pmwiki?n=Main.BugReporting

--
Chris Boone

http://hypsometry.com/  :  website edification
http://uvlist.org/  :  free classifieds for the Upper Valley

_______________________________________________
Rails mailing list
Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
http://lists.rubyonrails.org/mailman/listinfo/rails