Sites Wary of Adopting P3P

technogamy writes: "CNN is reporting on the industry's take on P3P, the W3C's Platform for Privacy Preferences.According to the article, the W3C is expected by April to formally adopt P3P -- of course, as many of you are aware, Microsoft's IE6 already includes an implementation of the client side of P3P. 'Because Microsoft's browser checks for P3P, sites risk getting flagged if they don't adopt it.' P3Pizing (or 'pethripizing') a complex site can evolve into a Herculean task...! (See also EPIC's critique of P3P.)"

I worked on this..

[Sc00ter]

At my old job (before getting laid off) at an internet advertising company this was top priority. P3P is actually really cool, and it wasn't all THAT hard to get it implemented. It probably would have been faster for us if we didn't have a sucky developer.

I wonder if doing it with a module for Apache would be a good idea.. mod_p3p, then it reads your privacy stuff from a config file. That sure would save a lot of time for a lot of people.

Why bother for private sites?

[Bonker]

I have to say that this is a way of trying to shut out non-commercial sites from the web. For example, my site [furinkan.net] is a privately run anime fansite with nothing for sale and no adds. Despite this, it gets flagged for not having a compliant privacy policy.

Now, I suppose that I could make a privacy policy for my site, but why should I have to bother when I'm obviously not in any kind of business, let alone selling personal information?

The web should be for *everyone*, not just businesses with large advertising budgets. Shutting out sites who don't have privacy policies posted is FUD tactics against little guys, plain and simple.

What about Slashdot?

[los furtive]

I'm sure it's members would like to know what they have to say about it. How far up the priority list is this one CmdrTaco? And what does Katz have to say about it?

Simple solutions

[david.johns]

One of the criticisms of this is that it doesn't have any enforcement behind it.

There's nothing to stop the industry, or me, or all of us who run websites, from just saying, "Sure, we respect virtually everything about your privacy!" and then selling the hell out of your information.

So, for those of us for whom it would be a pain - we have two easy choices. We can a) ignore people who bother to use it 'cuz it sucks or b) adopt the most private P3P policies possible, and then don't worry about them.

The real problem this will have on the developer end is having the P3P options mean something. If there's no reason (legislation, for instance) for big business to respect their own P3P policies, why should I pretend that mine have anything to do with reality?

Am I the only one who has a problem with this?

[wowbagger]

OK, let me see if I correctly understand P3P.

1. I give my browser all sorts of information about me, some of which I don't want distributed widely
2. I then trust the remote web site to correctly identify what they are asking for, and that they will use the data in the way the P3P data says it will be used.

So, if I trust the web site to correctly implement their privacy policy, why don't I trust them with my data?

If I don't trust them with my data, why do I trust them to correctly implement a privacy policy?

In fact, this is one of the few real uses for a Cue-Cat I can think of- have your credit card numbers et. al. printed out on a barcode chart next to your computer. You see the pretty shiny thing you want on the web site, they want your credit card number, you scan the paper. I DEFY any 1337 haxor to get that by ownxoring my machine - I have to scan it.

The only cookie solution

[jmd!]

The only reliable cookie solution is already here. No changes are required server-side, and you just need a competent browser like Mozilla client side.

First, disable third-party cookies. Then, weekly, or whenever you're bored, go in to cookie manager, check 'do not reaccept deleted cookies', and delete all the cookies for the sites where you do not need them (login info, valuable preferences, etc). Eventually, you'll end up with a block list that rejects all the bogus cookies of the sites you visit, and you never had to bother with dialogs per cookie, or sites not working because of cookie prefs.