Sites Wary of Adopting P3P

technogamy writes: "CNN is reporting on the industry's take on P3P, the W3C's Platform for Privacy Preferences. According to the article, the W3C is expected by April to formally adopt P3P -- of course, as many of you are aware, Microsoft's IE6 already includes an implementation of the client side of P3P. 'Because Microsoft's browser checks for P3P, sites risk getting flagged if they don't adopt it.' P3Pizing (or 'pethripizing') a complex site can evolve into a Herculean task...! (See also EPIC's critique of P3P.)"

  • Damn (Score:1, Informative)

    by Anonymous Coward on Saturday March 16, 2002 @09:13PM (#3175306)
    It's a shame that Mozilla doesn't yet support this. Sure, it's not a standard yet, but Microsoft had no problem jumping on it and getting it out and in use (in 90% of the browsers out there, no less). Oh well, you get what you pay for, I guess.
  • Mozilla (Score:1, Informative)

    by Anonymous Coward on Saturday March 16, 2002 @09:20PM (#3175329)
    Mozilla also used to have an implementation of P3P in that the cookie section of preferences had an option to accept or reject cookies based on a site's privacy policy, which I assume was derived from the P3P standard, but as of 0.9.9 and current nightlies the preference has been removed because "it didn't work anyway". Whether this "not working" referred to the implementation or the fact that no real sites have P3P policies so it is misleading, I don't know.
  • by Dr Kool, PhD ( 173800 ) on Saturday March 16, 2002 @09:32PM (#3175377) Homepage Journal
    P3P has absolutely no Application-Server/Scripting support. It's just a
    simple XML file that tells the User what (personal) data the Website
    collects, and is requested with "hard-coded" relative URLs.
    Assume a PHP Website with URL-based Sessions. A User requests the Homepage
    (/index.phtml) - he's anonymous, collected data is anonymous. The (static)
    P3P File tells the User that the collected data is anon. Well, now the User
    logs in via a Form-Submit and reloads the Page (/index.phtml). The
    information is set in the PHP-Session, the User is shown other
    (personalized) Content, but the P3P-File is still the same, telling the
    user that the collected data is still anonymous - this is (or may be) wrong
    now.

    P3P has no mechanism to handle this case; in P3P you can only set a
    different policy for (sub-)folders (different URIs). The problem is that
    the GET Request is absolutely the same; it doesn't matter if the user is
    logged in or anonymous (well, it would be a security hole if someone were
    able to find out whether a user is logged in just by taking a look at the URL,
    hm?).

    Sure, it's possible to copy all "templates" to another subfolder and link
    logged-in users to this one, but why should I do so? The advantage of using
    templates (as I define them) is that they just show any content. They don't
    care if this content is personalized or not. The content is "prepared" by
    the "business logic" - programmed in PHP - and stored in a database. This
    way, I'm able to use the same "templates" for logged-in and anonymous
    users - well, half the work to do...
  • by Anonymous Coward on Saturday March 16, 2002 @10:00PM (#3175469)
    Uh, where the hell did this troll come from? If you don't want to support p3p, don't. It would be nice if you supported the w3c standards but just like there's nothing forcing you to serve documents in html, there's nothing forcing you to use p3p. By the way, before you get too into IE alternatives, be sure to note that other browsers want to support p3p as well. Mozilla has partial p3p support now, with decent support to be available by 1.0. Full p3p support in Mozilla is scheduled for post-1.0 work (bug 62399).
  • Join P3PSI (Score:3, Informative)

    by yerricde ( 125198 ) on Saturday March 16, 2002 @10:28PM (#3175534) Homepage Journal

    When will Slashdot become P3P compliant?

    You might want to start a P3P Slashdot Initiative. Tell those in charge that you won't subscribe until Slashdot implements P3P, a W3C Proposed Recommendation [w3.org]. You can even call it P3PSI (pronounced PEP-see).

  • by Fweeky ( 41046 ) on Saturday March 16, 2002 @11:08PM (#3175656) Homepage

    "in P3P you can only set a different policy for (sub-)folders (differrent URI's)"

    Uhm, no, you can specify policies for URIs, methods (GET/POST/PUT/DELETE etc.) and cookies (including name, value, domain and even content).

    For example:

    <POLICY-REF about="/P3P/UserPolicy.xml">
    <COOKIE-INCLUDE name="loggedin" value="*" domain="*" path="*"/>
    </POLICY-REF>

    If you really can't describe your case:

    1. Generate the headers dynamically based on whether they're logged in or not.
    2. Generate the P3P dynamically based on whether they're logged in or not.
    3. Just describe the case for logged in users, since your anonymous logging is likely just a subset of that anyway

    And, of course, talk to the peeps on the P3P ml [mailto] and see if you can get it fixed in version 2.
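
The policy-reference matching Fweeky describes (and the logged-in vs anonymous case Dr Kool raised) can be checked offline. This is an added example, not code from the thread or from any P3P implementation: it parses a constructed policy reference file and reports which policy covers a given cookie or request URI. Assumptions: the P3P 1.0 namespace URI, `*` as the only wildcard, and first-matching POLICY-REF precedence.

```python
import re
import xml.etree.ElementTree as ET

# P3P 1.0 namespace; assumption: your deployment uses the spec's namespace URI.
NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed policy reference file for the logged-in vs anonymous case:
# the "loggedin" cookie is covered by its own policy, all other cookies and
# GET requests (except /admin/*) by a general one.
POLICY_REF_XML = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY-REFERENCES>
  <POLICY-REF about="/P3P/UserPolicy.xml">
   <COOKIE-INCLUDE name="loggedin" value="*" domain="*" path="*"/>
  </POLICY-REF>
  <POLICY-REF about="/P3P/AnonPolicy.xml">
   <INCLUDE>/*</INCLUDE>
   <EXCLUDE>/admin/*</EXCLUDE>
   <METHOD>GET</METHOD>
   <COOKIE-INCLUDE name="*"/>
   <COOKIE-EXCLUDE name="loggedin"/>
  </POLICY-REF>
 </POLICY-REFERENCES>
</META>"""

def glob(pattern, text):
    """P3P-style match: '*' is the only wildcard, everything else is literal."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), text) is not None

def _cookie_rule_hits(ref, tag, cookie):
    """True if any COOKIE-INCLUDE / COOKIE-EXCLUDE rule with this tag matches the cookie."""
    return any(all(glob(rule.get(k, "*"), cookie[k]) for k in ("name", "value", "domain", "path"))
               for rule in ref.findall(NS + tag))

def policy_for_cookie(policy_ref_xml, cookie):
    """Return the 'about' URI of the first POLICY-REF covering this cookie, or None.
    cookie is a dict with keys name, value, domain, path (constructed input)."""
    for ref in ET.fromstring(policy_ref_xml).iter(NS + "POLICY-REF"):
        if _cookie_rule_hits(ref, "COOKIE-INCLUDE", cookie) and not _cookie_rule_hits(ref, "COOKIE-EXCLUDE", cookie):
            return ref.get("about")
    return None

def policy_for_uri(policy_ref_xml, path, method="GET"):
    """Return the 'about' URI of the first POLICY-REF covering this request, or None.
    A METHOD list restricts the reference to those methods; EXCLUDE wins over INCLUDE."""
    for ref in ET.fromstring(policy_ref_xml).iter(NS + "POLICY-REF"):
        methods = [m.text for m in ref.findall(NS + "METHOD")]
        if methods and method not in methods:
            continue
        if any(glob(e.text, path) for e in ref.findall(NS + "EXCLUDE")):
            continue
        if any(glob(i.text, path) for i in ref.findall(NS + "INCLUDE")):
            return ref.get("about")
    return None
```

Note that the same GET of /index.phtml resolves to the anonymous policy either way; it is the session cookie, not the URI, that carries the logged-in policy.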

  • by SuperBug ( 200913 ) on Sunday March 17, 2002 @12:24AM (#3175832) Homepage Journal
    To actually implement P3P, you only need mod_headers when using apache. There is no magic here, it's only a damn header + two XML files, at its most basic.
    At its most basic P3P is just a header being looked at by an http user agent which has a P3P agent built in. I believe to date it's only I.E. 6.0. Though Mozilla, Opera, Galeon, and Konqueror are sure to follow.
    Many aspects of P3P are positive, but there are parts of the specification which have yet to be properly determined and implemented, in a real-world environment.
    The main parts affected would be any "Third-party", though any "First-party" running a site and issuing cookies of any unacceptable fashion, mainly things which are PII related and cannot be opted out of, will be flagged. In short, be sure you have an opt-out mechanism for your shoppers if you're an e-commerce site.

    Also, any "Third-party" acting as an "Agent" on behalf of any "First-party" which is issuing cookies or collecting data, regardless of whether PII is involved. The spec for being a "Third-party Agent" has yet to actually be implemented by anyone, though I know some people who will try this soon. Up to this point, the view of "Third-party Agent" is quite desirable to anyone on the 'net who operates in such a manner. It nearly absolves them of "having" to deal with any consumer related issues regarding their data collection because you can point people back to the "First-party's" P3P policy, rather than having to maintain your own.

    The obvious problem here though, is scalability and maintainability. It's tantamount to remote key-management. You must then manage your "First-party" clients' P3P Policies and keep in contact/communication with them to ensure that any changes are propagated to you. Should a policy change, yet you continue to serve an *out of date* P3P Compact Policy in the web server's headers for that client, you very well could be blamed for screwing up the data they hired you to collect for them in a very bad way.
    Aside from that, P3P is a very positive thing for consumers and business persons in that it opens a channel of communication which did not exist so much in the foreground, as P3P enables, before. Hope this is useful to anyone trying to understand some of what P3P really is.
  • Re:Simple solutions (Score:2, Informative)

    by steve_l ( 109732 ) on Sunday March 17, 2002 @01:07AM (#3175905) Homepage
    There is already someone with a new token called 'everything else here is untrue' or words to that effect, so you can have all the statements about how well you adhere to privacy rules, which the browser believes, followed by this disclaimer, which IE ignores.

    Result: it thinks you respect privacy, you get to do what you want *and* your P3P privacy statement is actually honest.

    what the US needs is the EU data protection act.
  • by Monkeyman334 ( 205694 ) on Sunday March 17, 2002 @02:43AM (#3176074)
    You still have to trust the site to be honest in its privacy policy, but with P3P you can't obscure it, make it in legalese, or have it be misinterpreted. P3P makes it so all *trusted* companies, C|Net, CNN, MSNBC, give you a standardized, automated, and consistent way of getting someone a privacy policy. Just because it is a trusted company does not mean they aren't selling your information. It might say in the privacy policy "Yes, we sell your personal information." But when was the last time you read the privacy policy for a site? P3P makes it automated so anyone and everyone can check the policy for every site they visit. (My site has the XML piece in there already, btw, still don't have the cookie part, probably never will)
  • by Johnny00 ( 213878 ) on Sunday March 17, 2002 @07:09AM (#3176395) Homepage
    ... if you've already got a privacy policy for your site.

    "P3Pizing (or 'pethripizing') a complex site can evolve into a Herculean task...!"

    How is this so difficult?

    I converted my company's privacy policy (quite detailed) to the needed p3p files using the tool IBM has available [ibm.com] in under 2 hours with no prior experience.

    The concept isn't that hard to understand, am I missing something that would make this so hard or time consuming to do?
  • by rtos ( 179649 ) on Sunday March 17, 2002 @11:57AM (#3176821) Homepage
    What is the OECD Privacy Policy Generator [oecd.org]? It's a freely available tool to help you put together a working privacy policy for your website. Here is the site description:
    "It provides guidance on conducting an internal review of existing personal data practices and on developing a privacy policy statement. It gives links to private sector organisations with expertise in developing a privacy policy. It offers links to governmental agencies, non-governmental organisations and private bodies that give information on applicable regulations.

    The Generator makes use of a questionnaire to learn about your personal data practices. A Help Section provides explanatory notes and practical guidance. Warning flags appear where appropriate. Your answers are then fed into a pre-formatted draft policy statement. You must assess this statement: is it an accurate reflection of your personal data practices and policy?"

    I'm not sure if it fits with the P3P standard, but I thought some site admins might find it to be useful.

    PS. OECD = Organization for Economic Co-Operation and Development [oecd.org]. According to their site they are "an international organisation helping governments tackle the economic, social and governance challenges of a globalised economy."
