Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Privacy Your Rights Online

Sites Wary of Adopting P3P 154

technogamy writes: "CNN is reporting on the industry's take on P3P, the W3C's Platform for Privacy Preferences.According to the article, the W3C is expected by April to formally adopt P3P -- of course, as many of you are aware, Microsoft's IE6 already includes an implementation of the client side of P3P. 'Because Microsoft's browser checks for P3P, sites risk getting flagged if they don't adopt it.' P3Pizing (or 'pethripizing') a complex site can evolve into a Herculean task...! (See also EPIC's critique of P3P.)"
This discussion has been archived. No new comments can be posted.

Sites Wary of Adopting P3P

Comments Filter:
  • I worked on this.. (Score:3, Interesting)

    by Sc00ter ( 99550 ) on Saturday March 16, 2002 @08:11PM (#3175301) Homepage
    At my old job (before getting laid off) at an internet advertising company this was top priority. P3P is actually really cool, and it wasn't all THAT hard to get it implemented. It probably would have been faster for us if we didn't have a sucky developer.


    I wonder if doing it with a module for Apache would be a good idea.. mod_p3p, then it reads your privacy stuff from a config file. That sure would save a lot of time for a lot of people.

    • Maybe not an apache module, but libraries for perl, python, PHP, JSP etc. The less work it is for the actual web developers the more likely our privacy concerns are going to be respected.

    • You said:

      "P3P is actually really cool, and it wasn't
      all THAT hard to get it implemented."

      Yes, implementation may be easy, but would you enlightened us as to the COST of the implementation of P3P ?

      The thing is, do you have to SPECIFY a "privacy rule" just to state that your site "respects" the visitors' privacy ?

      It's kinda like sholving legalise to the throat to the WEB scene.

      I know lawyers are used to the legalise thingy - like "off the record" thing, but for the visitors and those who are operating websites (commercials or otherwise), do we HAVE to state our "privacy rules" before allowing others to surf into our domain ?

      What kind of world will we be living in, if we apply the P3P rule into our real lives ? Will we have to tell ALL THE VISITORS to our offices, home, or even recreation events that we respect their privacy, that there will be no hidden cameras or microphone recording their movement / speech, and there will be no PI (private investigator) tracing where they come from and where they will be going to, and so on ?

      Think of the consequences, will ya, please ?
      • Well.. at the internet advertising company we already had a privacy policy set in place.. How they got to it, I have no idea. As for the sites that ran our ads, they didn't have to do anything, since our p3p code was in our http headers. As far as running it on your own site, I wouldn't know

    • by SuperBug ( 200913 ) on Saturday March 16, 2002 @11:24PM (#3175832) Homepage Journal
      To actually implement P3P, you only need mod_headers when using apache. There is no magic here, it's only a damn header + two XML files, at it's most basic.
      At it's most basic P3P just a header being looked at by a http user agent which has a P3P agent built in. I believe to date it's only I.E. 6.0. Though Mozilla, Opera, Galeon, and Konquerer are sure to follow.
      Many aspects of P3P are positive, but there are parts of the specification which have yet to be properly determined and implemented, in a real-world environment.
      The main parts affected would be any "Third-party" though any "First-party" running a site and issuing cookies of any unacceptable fashion, mainly things which are PII related and cannot be opted out of, will be flagged.
      . In short, be sure you have an opt-out mechanism for your shoppers if you're an e-commerce site.

      Also, any "Third-party" acting as an "Agent" on behalf of any "First-party" which is issuing cookies or collecting data, regardless if PII is involved. The spec for being a "Third-party Agent" has yet to actually be implemented by anyone, though I know some people who will try this soon. Up to this point, the view of "Third-party Agent" is quite desireable to anyone on the 'net who operates in such a manner. It nearly absolves them of "having" to deal with any consumer related issues regarding their data collection because you can point people back to the "First-party's" P3P policy, rather than having to maintain your own.

      The obvious problem here though, is scalability and maintainability. It's tantamount to remote key-managment. You must then manage your "First-party" client's P3P Policies and keep in contact/communication with them to ensure that any changes are propagated to you, should it change, yet you continue to serve an *out of date* P3P Compact Policy in the web server's headers for that client, you very well could be blamed for screwing the data they hired you to collect for them in a very bad way.
      Aside from that, P3P is a very positive thing for consumers and business persons in such a way that it opens a channel of communication which did not exist so much in the foreground, as P3P enables, before. Hope this is useful to anyone trying to understand some of what P3P really is.
  • Damn (Score:1, Informative)

    by Anonymous Coward
    It's a shame that Mozilla doesn't yet support this. Sure, it's not a standard yet, but Microsoft had no problem jumping on it and getting it out and in use (in 90% of the browsers out there, no less). Oh well, you get what you pay for, I guess.
    • Actually, Mozilla now has the backend for P3P in place. It isn't ready for end users yet, but I believe most or all of it will be in place for 1.0. See the Mozilla bug relating to P3P here [mozilla.org].
    • > Microsoft had no problem jumping on it and getting it out and in use
      > (in 90% of the browsers out there, no less).

      Really? IE6 supports it; are 90% of internet users using IE6? I think not.

      Something like (very roughly), 65% use IE (all versions), 20% use AOL (w. embedded IE, various versions), 10% use Netscape/Mozilla (all versions), 5% others.

      So 85% use an IE-based browser. What fraction of those are *IE6*-based? Half? My guess would be that less than 30% of current users (total, all browsers) run IE6.

      People should remember that the majority of users *don't upgrade* their web browser regularly. Lots of IE's market share is still version 4; and I would guess that 6 is still not as popular as 5.x.
  • It would be nice to have this customisable to a list of websites, on one website you could have TEXT ONLY, on others the IMAGES ON etc...
  • by oGMo ( 379 ) on Saturday March 16, 2002 @08:18PM (#3175322)

    Am I the only one who saw the headline and wondered whether P3P was some new file distribution fad? ;-) I can see it now. P3P: Share music with two friends at once!

    OK, sue me, it's been a long day...

  • Mozilla (Score:1, Informative)

    by Anonymous Coward
    Mozilla also used to have an implementation of P3P in that the cookie section of preferences had an option to accept or reject cookies based on a sites privacy policy which I assume was derived from the P3P standard, but as of 0.9.9 and current nightlies the preference has been removed because "it didn't work anyway". Whether this "not working" refered to the implentation or the fact that no real sites have P3P policies so it is misleading, I don't know.
  • The thing that I wonder about is HOW people ensure that these privacy claims are followed through with. I trust that, for most sites, the want to protect privacy and the drive to do so is there, but despite eTrust and despite (eventually) P3P, I'm still getting lots and lots of junk mail even though I recently changed e-mail addresses. These standardized privacy ratings are great, since they provide a common scale from which to view the results, don't get me wrong here. But I just think that there should be a better way of, if not ENFORCING privacy, at least downgrading site's ratings if they don't keep true to their word. (It's also possible it's the ads on the site collecting the data, not the site itself)

    I guess what the whole internet needs is a /. type moderation system.

  • by Bonker ( 243350 ) on Saturday March 16, 2002 @08:25PM (#3175347)
    I have to say that this is a way of trying to shut out non-commercial sites from the web. For example, my site [furinkan.net] is a privately run anime fansite with nothing for sale and no adds. Despite this, it gets flagged for not having a compliant privacy policy.

    Now, I suppose that I could make a privacy policy for my site, but why should I have to bother when I'm obviously not in any kind of business, let alone selling personal information?

    The web should be for *everyone*, not just businesses with large advertising budgets. Shutting out sites who don't have privacy policies posted is FUD tactics against little guys, plain and simple.
    • I don't get any kind of warning in IE6.

      • > I don't get any kind of warning in IE6.

        You'll get a little icon in the status bar you can click on if it blocks something based on your settings; look at View -> Privacy Report otherwise.

        Yahoo [yahoo.com] is a good example to try it out on, since it seems to specify just about everything.
    • But are you collecting any information such as email addresses? Even if your current intent is innocuous (email updates), what happens two years down the road when money is getting tight and someone offers to buy that list? Of course P3P isn't going to stop that, but it helps promote privacy as being important in the public's conscience...This is definitely a step up, and not a step down, and shouldn't be poopooed as a tactic against the little guy. It's a tactic for the little guy.
    • well your site runs fine and even if it doesn't have a compliant privacy policy it'll still run fine.

      If however you use cookies on your website, then IE will put a little (not even visible) warning about the fact that you don't have a privacy policy.
    • That would be because you're trying to issue cookies, or have third-party cookies getting issued for some reason. Either that or you are using "unsatisfactory" cookies.

      Either way, ONLY IN THE MEDIUM or MEDIUM-HIGH PRIVACY SETTINGS, should you NOT be flagging IE 6.0 if all you do is issue "first-party" cookies.
    • Look, in 1996 a friend of mine and I sat down and produced a multi-thousand-page hand-coded web site that won basically every web award there was at the time.

      We are both self-taught at both web programming and visual design.

      At present we're doing a different site. It gets half a million hits a day. We're doing a redesign now, intended to increase traffic by making the site more attractive. It hasn't had a facelift in 6 or 7 years. The site sells nothing and has no paid ads.

      There's no reason why a "personal" web site can't be done just as professionally and using just as good technology as any commercial site out there. If a site author can't be bothered to learn how to code a site correctly or design it well, I have no problem with avoiding the site.

      Now that it looks like P3P may actually catch on, I'll learn how it works and implement it.
  • What about Slashdot? (Score:4, Interesting)

    by los furtive ( 232491 ) <ChrisLamothe&gmail,com> on Saturday March 16, 2002 @08:25PM (#3175348) Homepage
    I'm sure it's members would like to know what they have to say about it. How far up the priority list is this one CmdrTaco? And what does Katz have to say about it?
  • Conceptually, the biggest problem with P3P is that it presupposes that the browser is already in control of sensitive and confidential information. This jibes perfectly with the vision behind schemes like Passport and product activation.

    Practically, the system is a nightmare to configure. If this thing ever gets widespread adoption I am sure we will see a surge of privacy consultants and third party privacy management tools.

    • Is our privacy important enough to justify further complicating the web?

      That's going to be answered by different people, of course, but that's what it boils down to.
  • Mixed thoughts.. (Score:4, Insightful)

    by steppin_razor_LA ( 236684 ) on Saturday March 16, 2002 @08:30PM (#3175368) Journal
    I haven't read the full specifications -- so take anything I write with a grain of salt. I've spent years building web applications, authored a popular anti-spam package, and have done some work building an advertising filtering & privacy enhancement proxy server-based package.

    It seems to me that a better approach would be something like this (call it Personal Information Widget):

    User puts all of their personal information into some form of a "wallet" (yes - I know there are technologies similar to this) -- the information resides on their computer not in a passport on a third party server.

    When a user goes to a site and wishes to sign up for registration, to purchase something, etc -- there should be a mechanism where that site is able to formulate a list of the fields that it wants + requires for registration. The site will send this (i.e. XML) to the Personal Information Widget.

    The PIW will pop a window on the user's screen showing them what information the site wants + requires. The other can then choose to "deny" "allow all" "allow required" or "custom".

    If they deny -- end of transaction.
    Allow all -- give the site everything it wants
    Allow required - give the site only required fields
    Custom - chose to give the site information different than in your profile.

    This sort of approach would solve one of the major problems of building registration-based sites -- the pain in the ass factor of getting people to type in their information for the Xth time -- without doing anything sneaky about privacy.

    In an ideal world, I would be able to choose to allow cookies that are required for a web application to funciton, but deny cookies used to track my viewing habits (especially across multiple sites). I don't think that a "protocol" can really solve this problem though.

    Once a site uses cookies, they inherently have the ability to track you -- whether or not that is there intent -- this protocol doesn't really protect your privacy.

    I'm not really opposed to cookies -- as a web developer, it is painful for me to imagine coding without them! That said, I don't like the idea of someone tracking my usage habits across multiple sites and then potentially correlating that back w/ registration information to me.

    I tend to disallow third party cookies. I know that this breaks a number of 1x1 pixel tracking tools -- but this same sort of technology could be ran off the web servers of the clients or if it was really necessary to outsource it -- you could use DNS (i.e. tracking.yourcompany.com points to webtrendslive.com ) to limit the tracking cookies to a single domain.

    You can disallow third party cookies and protect your privacy that way w/o this extra layer of technology added.

    I am a priori (guess I'm being closed minded) opposed to anything that facilitates that automatic transfer of information. I just can't wait to see someone find an exploit....

    • When a user goes to a site and wishes to sign up for registration, to purchase something, etc -- there should be a mechanism where that site is able to formulate a list of the fields that it wants + requires for registration. The site will send this (i.e. XML) to the Personal Information Widget.

      Hmmm sounds like W3C XForms [w3.org] would be a great way to tag individual 'fields' [w3.org] with the type of personal information requested...
      • I'm glad that thought is being given to a standard that defines a standard for a personal information object -- I'm just not sure that I agree with what the plans are to use that information.
    • I don't like it.

      Suppose someone crafts a javascipt or java overlay that covers up the top part of the window where it asks what you want to send.

      It could appear to only want your name or email or something simple, and be in fact requesting all your info.

      There have been exploits similar to this, to trick people into setting something as their homepage in IE. It basically says, "Hi, welcome to my site" and there is an OK button. When you click it, it resets your homepage to some spammy site. The way it worked was that it overlaid the "do you want to set your homepage to this" with another window that said the innocous message.

      It's just too easy to social engineer "one click personal information" IMHO.

      • I'm not proposing a HTML based interface that would pop up for the user when making these decisions. This would be Windows/XWindows/Mac based GUI application -- probably built into the browser. I think that it would be difficult to code a java applet or some other HTML that would pop up and obfuscate a portion of another window. For one thing, you need to know exactly where the "PIW" is sitting on the user's screen -- which by itself is probably not possible. Then you would need to be able to render out an interface that would obfuscate just a portion of the message.
  • They make a technology incredibly hard to use, so only people trained by Microsoft can use it.

    • Nice troll.. Microsoft didn't invent this p3p thing.. perhaps you missed "W3C's Platform for Privacy Preferences" in the article.. It's a standard, Microsoft was just the first to implement the client side of it.

      • Whether it is a w3c standard has nothing to do with whether MS invented it (They didn't if the working documents are to be believed).

        For example, I know that XPath was invented by MS (the guy who invented it mentioned it at an MSDN roadshow I went to)... it's also a w3c standard.

        AFAIK Any w3c member can propose a standard, and if they have enough clout/money it will be adopted.

  • P3P has absolutely no Application-Server/Scripting support. It's just a
    simple XML-File that tells the User what (personal) data the Website
    collects, and is Requested with "hard-coded" relative URL's.
    Assume a PHP Website with URL-based Session's. A User Request the Homepage
    (/index.phtml) - he's anonymous, collected data is anonymous. The (static)
    P3P File tells the User that the collected data is anon. Well, now the User
    logs-in via a Form-Submit and reloads the Page (/index.phtml). The
    information is set in the PHP-Session, the User is shown other
    (personalized) Content, but the P3P-File is still the same, telling the
    user, that the collected data is still anonymous - this is (or may be) wrong
    now.

    P3P has no mechanism to handle this case, in P3P you can only set a
    different policy for (sub-)folders (differrent URI's). The problem is, that
    the GET Request is absolutely the same, it doesn't matter if the user is
    logged-in or anonymous (well, it would be a security hole, if someone is
    able to find out, if a user is logged-in when (s)he takes a look at the URL,
    hm?).

    Sure, it's possible to copy all "templates" to another subfolder and link
    logged-in users to this one, but why should I do so? The advantage of using
    templates (a I define them) is that they just show any content. They don't
    care if this content is personalized or not. The content is "prepared" by
    the "business logic" - programmed in PHP - and stored in a database. This
    way, I'm able to use the same "templates" for logged-in and anonymous
    users - well, half the work to do...
    • Sure, it's possible to copy all "templates" to another subfolder and link logged-in users to this one, but why should I do so? ... I'm able to use the same "templates" for logged-in and anonymous users - well, half the work to do

      Then simply have the templates in / and the templates in /members/ include the same PHP code.

    • by Fweeky ( 41046 ) on Saturday March 16, 2002 @10:08PM (#3175656) Homepage

      "in P3P you can only set a different policy for (sub-)folders (differrent URI's)"

      Uhm, no, you can specify policies for URI's, methods (GET/POST/PUT/DELETE etc) and cookies (including name, value, domain and even content).

      For example:

      <POLICY-REF about="/P3P/UserPolicy.xml">
      <COOKIE-INCLUDE name="loggedin" value="*" domain="*" path="*"/>
      </POLICY-REF>

      If you really can't describe your case:

      1. Generate the headers dynamically based on whether they're logged in or not.
      2. Generate the P3P dynamically based on whether they're logged in or not.
      3. Just describe the case for logged in users, since your anonymous logging is likely just a subset of that anyway

      And, of course, talk to the peeps on the P3P ml [mailto] and see if you can get it fixed in version 2.

    • "P3P has absolutely no Application-Server/Scripting support.... The problem is, that the GET Request is absolutely the same, it doesn't matter if the user is logged-in or anonymous."

      WRONG! You can do something like:

      <link rel="P3Pv1" href="...">

      See http://www.w3.org/TR/P3P/ [w3.org] section 2.2.3, The HTML link Tag.

  • A question... (Score:1, Insightful)

    by Anonymous Coward
    I don't know anything about P3P, and reading the website for the standard didn't help me answer this question.

    So I'll ask Slashdot people:

    What's to keep a site from lying or misrepresenting its usage policies?

    And if the answer is nothing, then what the hell use is P3P? It seems that it doesn't affect me at all: I'll still refuse to send cookies to certain site, not keep cookies stored, and encrypt things.
  • whether MS's browser monopoly is legal or not, this shows the hidden costs of monopolies in general. A lot of webpage serving is done on *nix boxes running apache -- machines that could surf the websites they're serving, because IE isn't available on that platform -- and because MS's monopoly of browsers (even fucking slashdot shows most readers use IE,) this puts MS in a powerful position to dictate what they consider important and proper. This isn't even about money, although I'm sure it'll cost a lot of money to pay to get various sites to comply, this is about effort and choices. As a webmaster, I don't want someone else dictating when I have to change my site's design, and I certainly don't want someone telling me that I have to do something. This is probably just the contrarian in me, and for all I know, p3p is the wave of the future and The One True Way and I'm a fool for not having done it already, but hey, it's my website and I'd like to fucking make decisions all on my own, thanks anyway, MS.

    Support alternate browsers (like opera and mozilla,) if you're a Windows user.
    • by Anonymous Coward
      Uh, where the hell did this troll come from? If you don't want to support p3p, don't. It would be nice if you supported the w3c standards but just like there's nothing forcing you to serve documents in html, there's nothing forcing you to use p3p. By the way, before you get too into IE alternatives, be sure to note that other browsers want to support p3p as well. Mozilla has partial p3p support now, with decent support to be available by 1.0. Full p3p support in Mozilla is scheduled for post-1.0 work (bug 62399).
  • l337 sp34k (Score:5, Funny)

    by metalhed77 ( 250273 ) <andrewvcNO@SPAMgmail.com> on Saturday March 16, 2002 @08:54PM (#3175452) Homepage
    can we be l337 and call this new P3P technology 'Pep'
  • Simple solutions (Score:2, Interesting)

    by david.johns ( 466417 )
    One of the criticisms of this is that it doesn't have any enforcement behind it.

    There's nothing to stop the industry, or me, or all of us who run websites, from just saying, "Sure, we respect virtually everything about your privacy!" and then selling the hell out of your information.

    So, for those of us for whom it would be a pain - we have two easy choices. We can a) ignore people who bother to use it 'cuz it sucks or b) adopt the most private P3P policies possible, and then don't worry about them.

    The real problem this will have on the developer end is having the P3P options mean something. If there's no reason (legislation, for instance) for big business to respect their own P3P policies, why should I pretend that mine have anything to do with reality?
    • Re:Simple solutions (Score:2, Informative)

      by steve_l ( 109732 )
      there is already someone with a new token called 'everything else here is untrue' or words to that effect, so you can have all the statements about how well you adhere to privacy rules, which the browser believes, followed by this disclaimer, which IE ignores.

      result, it thinks you respect privacy, you get to do what you want *and* your P3P privacy statement is actually honest.

      what the US needs is the EU data protection act.
  • When will Slashdot become P3P complaint?
  • by wowbagger ( 69688 ) on Saturday March 16, 2002 @09:13PM (#3175509) Homepage Journal
    OK, let me see if I correctly understand P3P.

    1. I give my browser all sorts of information about me, some of which I don't want distributed widely
    2. I then trust the remote web site to correctly identify what they are asking for, and that they will use the data in the way the P3P data says it will be used.


    So, if I trust the web site to correctly implement their privacy policy, why don't I trust them with my data?

    If I don't trust them with my data, why do I trust them to correctly implement a privacy policy?

    In fact, this is one of the few real uses for a Cue-Cat I can think of- have your credit card numbers et. al. printed out on a barcode chart next to your computer. You see the pretty shiny thing you want on the web site, they want your credit card number, you scan the paper. I DEFY any 1337 haxor to get that by ownxoring my machine - I have to scan it.
    • OK, let me see if I correctly understand P3P.

      1. I give my browser all sorts of information about me, some of which I don't want distributed widely


      No, you don't understand it at all. P3P is a way for a site to tell you and your browser, in a standard way, what the site's privacy policy is. No informtion goes from you to the site.

    • In fact, this is one of the few real uses for a Cue-Cat I can think of- have your credit card numbers et. al. printed out on a barcode chart next to your computer. You see the pretty shiny thing you want on the web site, they want your credit card number, you scan the paper.

      Holy Toledo! This is big.

    • uhhh, i could own your box, then compromise your scanning software to copy the number somewhere which i could access later.

      ..... reminds me of programmers relying on hardware locks because "noone can copy a hardware device easily!!" .. they're right, but someone can certainly compromise the software which checks for the hardware.
      • You missed the point. The point is, that with the method I described, you are no more able to get my card number than you would be were I to type it in from the keyboard.

        What you CANNOT do is get a worm on my machine, and read (the registry|my home directory) to get my credit card number - you would have to comprimise my machine, and keep it comprimised until such time as I made an online purchase. You couldn't do a quick "smash and grab" - crack my machine, get the data, and who cares if I find the worm fifteen minutes later.

        And my point re: P3P stands - the site's XML says "We won't sell your information, we won't trade it, we'll keep it to ourselves. Honest!". Until they decide to change their minds, and sell out to the highest bidder.

        Face it: once you give information to somebody, you no longer control to whom they give that information, therefor if you want to control who has your information, don't give it out.
    • I DEFY any 1337 haxor to get that by ownxoring my machine - I have to scan it.

      Well, the scanner causes software to send a network message. This message could possibly be sniffed, replayed, decrypted, or forged. Or the web site could SAVE your scanned proof of credit card to implelement a feature such as Amazon's One-Click. Oops, their database was hacked.

      Of course, you could send the scanner message over an encrypted channel, but that is no different than just using SSL to type in your credit card number..
    • You still have to trust the site to be honest in its privacy policy, but with P3P you can't obscure it, make it in legaleese, or have it be misinterpreted. P3P makes it so all *trusted* companies, C|Net, CNN, MSNBC, give you a standardized, automated, and consistent way of getting someone a privacy policy. Just because it is a trusted company does not mean they aren't selling your information. It might say in the privacy policy "Yes, we sell your personal information." But when was the last time you read the privacy policy for a site? P3P makes it automated so anyone and everyone can check the policy for every site they visit. (My site has the XML piece in there already, btw, still don't have the cookie part, probably never will)
    • Couple of my friends work at this place... maybe this would be a better solution.

      Check it out: SWIFTBOARD [swiftboard.com]

      -Berj
    • At the end of the day your credit card number is still transmitted across the internet. Hello?
  • So users get more configuration options - this is going to be a mess.
  • by jmd! ( 111669 )
    The only reliable cookie solution is already here. No changes are required server-side, and you just need a competent browser like Mozilla client side.

    First, disable third-party cookies. Then, weekly, or whenever you're bored, go in to cookie manager, check 'do not reaccept deleted cookies', and delete all the cookies for the sites where you do not need them (login info, valuable preferences, etc). Eventually, you'll end up with a block list that rejects all the bogus cookies of the sites you visit, and you never had to bother with dialogs per cookie, or sites not working because of cookie prefs.
  • I find it ironic that W3C's website isn't fully compliant:

    http://validator.w3.org/p3p/20020128/p3p.pl?uri= ht tp%3A%2F%2Fwww.w3.org

    But, at least they're trying. ;)
    • Um, actually, their site is of course compliant. You have a %20 in your URI. http://validator.w3.org/p3p/20020128/p3p.pl?uri=ht tp%3A%2F%2Fwww.w3.org

      Should be http://validator.w3.org/p3p/20020128/p3p.pl?uri=ht tp%3A%2F%2Fwww.w3.org

  • I'm so sick of being bombarded with third-party persistent cookies. Damn right I want to maintain my privacy. Ok, so if their privacy statement fully notifies me they're going to put a thousand cookies on my machine its alright? Uh, no.
    • if you use mozilla, turn off cookie persistence.

      if you use IE, save the following xml file and then import it as a custom privacy setting. It makes all internet zone site cookies into session cookies; sites you like can be moved into trusted sites, whose security options you can ramp up into a secure level:

      -----------

      it is not real XML; you cant include comments in the file. wierd
      • here it is without tags being dropped as invalid

        <?xml version="1.0" encoding="UTF-8"?>
        <MSIEPrivacy>
        <MSIEPrivacySet tings formatVersion="6">
        <p3pCookiePolicy zone="internet">
        <firstParty noPolicyDefault="forceSession"
        noRuleDefault="forceSession"
        alwaysAllowSession="yes"/>
        <thirdParty noPolicyDefault="forceSession"
        noRuleDefault="forceSession"
        alwaysAllowSession="yes"/>
        </p3pCookiePolicy>
        </MSIEPrivacySettings>
        </MSIE Privacy>
      • The problem with turning off cookie persistance in Mozilla is that there's no way to exempt certain cookies that you DON'T want deleted.

        This is easilly accomplished in Communicator by write protecting the cookies.txt, but Mozilla stores them differently.

  • You don't need my home address, unless I am asking you to send something to my home address. You have no valid need or purpose for that information.

    The real problem here is not the complexity of protocols to match privacy policies with privacy preferences, but instead is the fact that so many businesses are just too fucking nosy!. Now I know that those people in suits in the fancy shmancy corporate offices do tend to be idiots most of the time, but this spying on people has got to be stopped. What is wrong with those people that makes them so fucking sick that they need to be spying on everyone so much?

    I find it interesting to note that quite a number of the dot-coms that went into business to spy on people were the ones that failed. But that's only a marginal level of significance. Many others, like doubleclick (which I block at my proxy server), still exist, and need to be taken out by any legal means (I'm doing my part by cutting out their level of hits, even when that means slashdot won't get the ad revenues).

    • What is wrong with those people that makes them so fucking sick that they need to be spying on everyone so much?

      I don't think it's some form of voyeurism. They get taught in business school that this kind of information has monetary value. You know, being able to target ads at people more specifically. I have always wondered about the value of this kind of information, but that's not the point. They sell this info to other people who attended the same business school, and who also think it has value. So, it actually has value (the value of anything is what a fool is willing to pay for it).

      Upside of all of it is that you can more or less control what information you give out. You choose what you type in. I get about 3 or 4 free magazines every month. Part of the deal is that I fill out some lengthy questionaire every 3 months. Stuff about what my company is doing, and whether I recommend or authorize purchases, and to which amount. Obviously, these magazines use this info to convince their advertisers that they are targeting the right people. Most of the time I just guess the answers...

      Anyway, the true danger is in 'spyware'. If I did not agree to some software agent collecting info about my clickin' habits, it should be fsckin' illegal. I have disabled several software spies already.
  • Having worked recently on adding P3P support to a proxy application, I feel I have a solid understanding about P3P. Some of the higher moderated sites have complained about the little guys getting hurt, and the big commercial sites not getting hurt.

    P3P is about ensuring that users can match their preferences to the policies that a web site has. If the web site shares the data without a users explicit permission then a user can indicate with their user-agent that their identifying information shouldn't be allowed. The current protocol is fairly basic, not allowing for negotiation, and so it is trivial to implement.

    The next point to make is about lying about the privacy policies. A statement about privacy with out a company following up with a way to ensure the policy is adhered to makes the policy a throw away statement. It is trivial to say to a browser that a site does nothing with the data, and still will. This is where third party verification with remedies becomes appropriate.

    As you can see, there is no distinction between a big site or a little site. As long as the policies conflict with what the users want, the sites will be blocked.

  • ..we use a P3P header on our site is so that IE6 will accept our 'third party' cookie if our site is opened in frames by clicking on a link to it while reading a message in hotmail (for example).

    ~mark
    --
    www.workzoo.com [workzoo.com]
    • I've run into the very same problem just yesterday, actually. My solution was the same as yours (to add a P3P header), but somehow I feel that IE's behavior in this case is rather buggy.

      I understand why it can be considered a privacy issue when DoubleClick sets a cookie which is sent back to them every time you visit a site which use DoubleClick for banner ads, but instead of completely blocking "third party" cookies which doesn't have P3P headers, wouldn't it be more correct to accept them but rather restrict them to the same site?

      For example, if I visit site A, which uses DoubleClick, and DoubleClick sets a cookie, and I then visit site B, which also uses DoubleClick, I do not want the cookie which DoubleClick set when I was viewing site A to be sent to DoubleClick again. However, I do not see a problem with DoubleClick being able to set the cookie when I visit site A if the cookie is only sent to DoubleClick when I view site A.

      What I'm trying to say is this: If your site didn't send the P3P header, shouldn't IE6 still accept your cookie when your site is opened in frames, but just restrict it so it will only be sent to your server when your site is being viewed through that frameset, in other words NOT send it if I go directly to your site or view it inside a frameset at some other site? Is this a bug in IE?
  • Since I can live without persistent cookies, I have a simple trick I've been using for a few years, and that is simply to link my Mozilla/Netscape/Whatever cookies file to /dev/null.

    (or in the bad ol' days when I ran a Windows box, I used to emulate this by just creating an empty directory of the same name - this didn't work, of course, with IE, as the latter [as far as I remember] had a different way of filing cookies).

    OK, you still have to close the browser to completely clear the cookies, but I found an immediate drop in the amount of spam I was getting.

  • by rtos ( 179649 ) on Sunday March 17, 2002 @10:57AM (#3176821) Homepage
    What is the OECD Privacy Policy Generator [oecd.org]? It's a freely available tool to help you put together a working privacy policy for your website. Here is the site description:
    "It provides guidance on conducting an internal review of existing personal data practices and on developing a privacy policy statement. It gives links to private sector organisations with expertise in developing a privacy policy. It offers links to governmental agencies, non-governmental organisations and private bodies that give information on applicable regulations.

    The Generator makes use of a questionnaire to learn about your personal data practices. A Help Section provides explanatory notes and practical guidance. Warning flags appear where appropriate. Your answers are then fed into a pre-formatted draft policy statement. You must assess this statement: is it an accurate reflection of your personal data practices and policy?"

    I'm not sure if it fits with the P3P standard, but I thought some site admins might find it to be useful.

    PS. OECD = Organization for Economic Co-Operation and Development [oecd.org]. According to their site they are "an international organisation helping governments tackle the economic, social and governance challenges of a globalised economy."

  • Spend any length of time on the P3P mailing list and you'll notice that most questions revolve around using 3rd party cookies. This is where iE6 spends most of it's time rejecting cookies.
    By default IE6 is set to reject cookies from 3rd party sites which includes many ad serving companies. Deciding how to set up your P3P to fit with this can be problematic.

    First off, you must decide who does what and how. Is the ad serving company acting as an agent for you? If so, then the should be able to be covered by your own P3P policy. IIRC the relates to the ad company only if they are there to serve banners and that's it.
    Not ad company does that. They gather every little morsel they can. Which means they have to serve their own P3P policy as well as you serving your own.

    Now doubleclick have got it right. They server a P3P header for their ads s everyone is happy. Where I used to work, the ad serving company wanted to do all sorts of whacky crap which basically involved us having to jump through hoops for them. This was a big outfit and they obviously didn't get it.

    IMHO many sites don't need P3P just yet because the functionality offered in the draft just isn't in the user agents yet. When they are then I think people will start to use it but it does depend on the honor system somewhat. Some companies do offer 'auditing' though to get round this.

    Work with your ad serving company if their cookies etc are being blocked. Often it's up to them to do the P3P stuff but make sure you do your research as well so they don't snow you.

    It's not hard to create one. A good read of the implmentation guide will go a long way, plus the IBM P3P editor is great. You can grab it from here [ibm.com]
  • But I was just getting the hang of P2P, now I need to get a new computer for P3P ?
  • This is a joke. If you want P3P you add this to your apache.conf

    <Location />
    Header append P3P "policyref=\"/w3c/p3p.xml\"
    Header append P3P "CP=\"IDC DSP COR CURa ADMa DEVa CUSa PSAa IVAa CONo OUR IND UNI STA\""
    </Location />

    Then create a directory w3c off of your document root, create a file named p3p.xml

    and then write something like this

    <?xml version="1.0" ?>
    <META xmlns="http://www.w3.org/2000/12/P3Pv1">
    <POLICY-REFERENCES>
    <POLICY-REF about="http://Your URL/policy.xml">
    <INCLUDE>/*</INCLUDE>
    </POLICY-REF>
    </POLICY-REFERENCES>
    </META>

    So how difficult is that? Oh what's that? you don't use apache? That's your fault.

You are always doing something marginal when the boss drops by your desk.

Working...