
Sites Wary of Adopting P3P 154

technogamy writes: "CNN is reporting on the industry's take on P3P, the W3C's Platform for Privacy Preferences. According to the article, the W3C is expected by April to formally adopt P3P -- of course, as many of you are aware, Microsoft's IE6 already includes an implementation of the client side of P3P. 'Because Microsoft's browser checks for P3P, sites risk getting flagged if they don't adopt it.' P3Pizing (or 'pethripizing') a complex site can evolve into a Herculean task...! (See also EPIC's critique of P3P.)"
  • by ZaneMcAuley ( 266747 ) on Saturday March 16, 2002 @09:14PM (#3175312) Homepage Journal
    It would be nice to have this customisable to a list of websites, on one website you could have TEXT ONLY, on others the IMAGES ON etc...
  • by KeatonMill ( 566621 ) on Saturday March 16, 2002 @09:21PM (#3175335)
    The thing that I wonder about is HOW people ensure that these privacy claims are followed through with. I trust that, for most sites, the want to protect privacy and the drive to do so is there, but despite eTrust and despite (eventually) P3P, I'm still getting lots and lots of junk mail even though I recently changed e-mail addresses. These standardized privacy ratings are great, since they provide a common scale from which to view the results, don't get me wrong here. But I just think that there should be a better way of, if not ENFORCING privacy, at least downgrading sites' ratings if they don't keep true to their word. (It's also possible it's the ads on the site collecting the data, not the site itself.)

    I guess what the whole internet needs is a /. type moderation system.

  • Mixed thoughts.. (Score:4, Insightful)

    by steppin_razor_LA ( 236684 ) on Saturday March 16, 2002 @09:30PM (#3175368) Journal
    I haven't read the full specifications -- so take anything I write with a grain of salt. I've spent years building web applications, authored a popular anti-spam package, and have done some work building an advertising filtering & privacy enhancement proxy server-based package.

    It seems to me that a better approach would be something like this (call it Personal Information Widget):

    User puts all of their personal information into some form of a "wallet" (yes - I know there are technologies similar to this) -- the information resides on their computer not in a passport on a third party server.

    When a user goes to a site and wishes to sign up for registration, to purchase something, etc -- there should be a mechanism where that site is able to formulate a list of the fields that it wants + requires for registration. The site will send this (i.e. XML) to the Personal Information Widget.

    The PIW will pop a window on the user's screen showing them what information the site wants + requires. The other can then choose to "deny" "allow all" "allow required" or "custom".

    If they deny -- end of transaction.
    Allow all -- give the site everything it wants
    Allow required - give the site only required fields
    Custom - choose to give the site information different than in your profile.

    This sort of approach would solve one of the major problems of building registration-based sites -- the pain in the ass factor of getting people to type in their information for the Xth time -- without doing anything sneaky about privacy.

    In an ideal world, I would be able to choose to allow cookies that are required for a web application to function, but deny cookies used to track my viewing habits (especially across multiple sites). I don't think that a "protocol" can really solve this problem though.

    Once a site uses cookies, they inherently have the ability to track you -- whether or not that is their intent -- this protocol doesn't really protect your privacy.

    I'm not really opposed to cookies -- as a web developer, it is painful for me to imagine coding without them! That said, I don't like the idea of someone tracking my usage habits across multiple sites and then potentially correlating that back w/ registration information to me.

    I tend to disallow third party cookies. I know that this breaks a number of 1x1 pixel tracking tools -- but this same sort of technology could be run off the web servers of the clients or if it was really necessary to outsource it -- you could use DNS (i.e. tracking.yourcompany.com points to webtrendslive.com ) to limit the tracking cookies to a single domain.

    You can disallow third party cookies and protect your privacy that way w/o this extra layer of technology added.

    I am a priori (guess I'm being closed minded) opposed to anything that facilitates that automatic transfer of information. I just can't wait to see someone find an exploit....
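The "Personal Information Widget" exchange proposed in the comment above, sketched as an added example that is not part of the original comment or of any P3P implementation. The XML element and attribute names, the wallet contents and the function names are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed request; the element and attribute names are assumptions.
SAMPLE_REQUEST = """<fieldRequest site="shop.example">
  <field name="email" required="true"/>
  <field name="shipping_address" required="true"/>
  <field name="phone" required="false"/>
  <field name="birthdate" required="false"/>
</fieldRequest>"""

# Constructed wallet, stored on the user's machine only.
WALLET = {"email": "user@example.org", "shipping_address": "1 Example St",
          "phone": "555-0100", "ssn": "000-00-0000"}


def parse_request(xml_text):
    """Split the site's request into (required, optional) field names."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are refused")
    required, optional = [], []
    for field in ET.fromstring(xml_text).findall("field"):
        name = field.get("name")
        if not name:
            raise ValueError("field without a name")
        (required if field.get("required") == "true" else optional).append(name)
    return required, optional


def respond(xml_text, wallet, choice, custom=None):
    """Return (fields_to_send, missing_required); fields_to_send is None on deny."""
    required, optional = parse_request(xml_text)
    if choice == "deny":
        return None, []
    if choice == "allow_all":
        source, names = wallet, required + optional
    elif choice == "allow_required":
        source, names = wallet, required
    elif choice == "custom":
        # Per-site values typed by the user replace the profile for this reply.
        source, names = dict(custom or {}), required + optional
    else:
        raise ValueError("unknown choice: fail closed")
    # Only fields the site asked for are ever released, whatever the wallet holds.
    send = {n: source[n] for n in names if n in source}
    return send, [n for n in required if n not in send]
```

The second return value lists required fields the reply does not cover, so the widget can tell the user the site will likely reject the registration before anything is sent.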

  • A question... (Score:1, Insightful)

    by Anonymous Coward on Saturday March 16, 2002 @09:40PM (#3175411)
    I don't know anything about P3P, and reading the website for the standard didn't help me answer this question.

    So I'll ask Slashdot people:

    What's to keep a site from lying or misrepresenting its usage policies?

    And if the answer is nothing, then what the hell use is P3P? It seems that it doesn't affect me at all: I'll still refuse to send cookies to certain sites, not keep cookies stored, and encrypt things.
  • by Skapare ( 16644 ) on Saturday March 16, 2002 @11:34PM (#3175729) Homepage

    You don't need my home address, unless I am asking you to send something to my home address. You have no valid need or purpose for that information.

    The real problem here is not the complexity of protocols to match privacy policies with privacy preferences, but instead is the fact that so many businesses are just too fucking nosy! Now I know that those people in suits in the fancy shmancy corporate offices do tend to be idiots most of the time, but this spying on people has got to be stopped. What is wrong with those people that makes them so fucking sick that they need to be spying on everyone so much?

    I find it interesting to note that quite a number of the dot-coms that went into business to spy on people were the ones that failed. But that's only a marginal level of significance. Many others, like doubleclick (which I block at my proxy server), still exist, and need to be taken out by any legal means (I'm doing my part by cutting out their level of hits, even when that means slashdot won't get the ad revenues).

  • by cpeterso ( 19082 ) on Sunday March 17, 2002 @02:17AM (#3176028) Homepage
    I DEFY any 1337 haxor to get that by ownxoring my machine - I have to scan it.

    Well, the scanner causes software to send a network message. This message could possibly be sniffed, replayed, decrypted, or forged. Or the web site could SAVE your scanned proof of credit card to implement a feature such as Amazon's One-Click. Oops, their database was hacked.

    Of course, you could send the scanner message over an encrypted channel, but that is no different than just using SSL to type in your credit card number.
  • by aepervius ( 535155 ) on Sunday March 17, 2002 @08:08AM (#3176473)
    http://www.cnn.com/2002/TECH/internet/03/16/privacy.labels.ap/index.html If you read the middle of the article, eBay is putting into its privacy policy that, quote: "Online auctioneer eBay, which has yet to commit, is revising its privacy policy to say its written form takes precedent even if P3P or other statements say otherwise." Whatever P3P says, the privacy policy still has the last word. So in summary: P3P is *USELESS*.
