Pretty Poor Privacy
EPIC has just released a harsh criticism of the Pretty Poor Privacy specification from W3C. Although automatic data transfer is not in the P3P spec itself any longer (taken out after polls showed people didn't like it), implementations of P3P will still include automatic data transfer mechanisms - the idea behind P3P is that viewers will be required to reveal their addresses and other personal information to every commercial site they access or be denied entrance, and that this data transfer will be effectively hidden from users so it will be "out of sight, out of mind". (For a more in-depth article about P3P and Internet privacy generally, see this paper, written in response to Lessig's support of P3P in his recent book.)
Seems to be a good tool for internet blackmail (Score:2)
What is wrong with companies not knowing who is accessing their site? Public sites should be open to all whether they want to be identified or not. Now companies will be able to deny access to anonymous users on a whim.
This is similar to the argument a few years ago that led to the "no purchase necessary" law. This case is similar in that it involves private companies blocking the people from public domain offerings. A web page should be considered a public offering.
A company cannot discriminate against you just because they don't know who you are. The phone company doesn't demand your ID when you put a quarter in a payphone, because it's a public service. Same thing again.
It could be good (Score:2)
Re:What I don't get (Score:1)
I do not know some of the issues in HOW this info gets out of your pc, and onto the net...but doesn't that info have to be on your PC for it to get out?
I never keep that info on my boxen. If/when I order foo online, I immediately go offline, trash all preferences (I am on a Mac) save my bookmarks, trash all history/cookies, etc and re login.
I agree, they have no right to mine for this data. It disgusts me. But my point stands...
I am not saying this is right....only that it is expected behavior in the new corpNet.
Tom
Re:Ha! Extorted Information is Crap (Score:1)
Personalization can only exist if you divulge information. And personalization is worth it. In the land of not-aol, not-yahoo, not-msn, there is just too much information, too many sites. If you don't want an editorial perspective or "programming", you need a mechanism to navigate the anarchy. Slashdot does this wonderfully for me. It filters out all the noise, by collecting ratings (which in some strange paranoid way, can show the interests of individuals and allow them to hunt you down and kill you, since you always bump up articles against MS).
The P3P was created to enforce a value exchange between individuals and sites, to allow for safe personalization. It was created so that there is a mechanism of informed consent before divulging information, so that one clearly knows why they are being asked for their coveted data, and how it will be used.
Without initiatives like the P3P we are left with extortion. And then government intervention. As internet professionals, we either try to create ways to protect our privacy online, or allow the government to attempt to do it for us. And with all the noise of "save the children", I guarantee the government will be more stern than most would like.
We are slowly moving forward on the privacy front (still years behind Europe). Remember a few years back, there was no such thing as a privacy policy. Then everyone wrote a bunch of unread legalese and called it a day. Now people are advocating human readable (short and in plain English) privacy policies, which the informed consent principle of the P3P is premised on.
Propose something better, instead of just trashing. And keep in mind that the population is filled with real people not power geeks. There is always the tradeoff between convenience and security/privacy. And most people will go for convenience. This is a first good step for convenient and private. Let's hear some alternatives.
Re:This Is Great! (Score:2)
It doesn't matter if they lie about what they will do with the information. If they require it, we don't use their site.
Suppose I set my machine up to let any site know that I'm 30 years old, live in the US, and use Linux exclusively.
Now if any site requires my SSN or address, my browser logs the name of the site, the time, and the fields they requested to a file, adds that site to a list of hostnames for which A Href's shouldn't be considered to be links, and redirects my request to a page that the browser generates displaying the actions it's taken, the reasons for the action, and a list of alternative sites with similar information.
What's wrong with that?
Re:BFD, another @hotmail address I'll give out. (Score:1)
Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.
Re:The W3C... (Score:1)
Of course, sites that sell things don't have to provide you with any goods if you don't give them that information. If Tom's Hardware (for example) asked for this info, I'd just say no, and if they didn't let me in the hell with that. If a store asks me for info, and I'm actually going to buy something (need to give a real CC#, address anyway), what the hell.
A good implementation would allow you to select which pieces of information you would send to which (types) of sites. If they asked for more, you could selectively give pieces to them, or deny them that information if you found it too private. Again, nobody has forced you to do anything...
P3P Is Great Stuff (Score:2)
Unless a P3P server is requiring certificates for everything and actually verifying them as the user connects to each page (read: expensive), there's an opportunity to feed pretty much any information you want to the server.
I predict that Mr. Gates is going to be visiting some pretty racy web sites when P3P gets off the ground.
Also, with a well-done proxy, you can basically use the P3P protocol to implement your own form of nyms (you can't hide your IP address, but that's it). A junkbuster patch for this should be trivial.
I think that P3P can dramatically _increase_ the amount of privacy we have (compared to cookies), while at the same time making all that demographic information sites are collecting completely useless. If enough users routinely feed new random information to a site every time they connect, it could also get pretty expensive to store all that. I imagine they might catch on to that when the number of unique records exceeds the global population, but that'll be a while down the road.
c.
Re:perhaps WORSE than ANI? (Score:1)
But it's not (Score:2)
Well, why worry? (Score:1)
Umm. Pardon me, but... (Score:1)
Couldn't you just forge your data that the browser sends? I'd think that if enough people send a "Like most other 'net users, I prefer to remain anonymous while surfing"-type P3P data, they'd give up soon enough.
Re:perhaps WORSE than ANI? (Score:3)
The problem with this is that there are both legitimate and illegitimate reasons to want that info. Sure it's great that you can automatically give people a bogus address and watch them waste their money junkmailing non-existent addresses. Unfortunately, the on-line retailers are going to be asking for the same information, so that book you just bought from Amazon.com is going to be sent to the same bogus address.
I suppose that there are practical solutions to this problem, but it still is a problem. You could, for instance, have two browsers and only fire up the one with genuine info when you actually wanted to buy something. Or, for that matter, a really smart browser could have the option of deliberately feeding bogus info to sites that you don't like the privacy policies of, rather than simply not letting you access them at all. Actually, that last one seems like a great idea for a free software project ...
This Is Great! (Score:3)
---
seumas.com
Re:Well? (Score:1)
Yes and yes. When you walk into a mall, you're not required to give your name, address, phone number, sex, top 5 most frequently visited websites and race.
--
Re:The W3C... (Score:3)
'Scuse me? Seems like you've got that one bass-ackwards. Check out the ongoing debate between the US and the EU over genetically modified foods, or Coca-Cola's actions [cokespotlight.org] at the upcoming Olympic Games in Sydney.
Re:Let's put the actual links in, please (Score:2)
http://www.kcoyle.net/p3p.html [kcoyle.net]
Re:Seems to be a good tool for internet blackmail (Score:1)
What is wrong with companies not knowing who is accessing their site? Public sites should be open to all whether they want to be identified or not. Now companies will be able to deny access to anonymous users on a whim.
Isn't that why god created logins and registration required. All P3P does is obfuscate that they are collecting information.
Conscience is the inner voice which warns us that someone may be looking.
Lessig likes it? Then I don't. (Score:1)
Too bad... (Score:1)
privacy?! (Score:1)
cad-fu: kicking CAD back into shape [cadfu.com]
Not Quite... (Score:1)
Could it be the.. (Score:1)
Re:"Most"? (Score:1)
And most of them do not have wives or "girlfriends" of the type alleged.
Re:BFD, another @hotmail address I'll give out. (Score:1)
Re:What I don't get (Score:1)
I do many things not the norm, but f#cking in public is not one of them. Guess my kinks run in a different direction. Reading Playboy in public should be allowed, just so you do not shove it in anyone else's face. Again, I wouldn't (out of common courtesy).
Lots of people pay with cash, and hand the clerk a smart shopper card. Also, many people use credit cards. Yes, you can stay out of the digital shopping system. But you end up in analog (tapes) anyway. NOT anonymous.
Home is private, your PC, private, your yard, private. Sidewalk, public, internet, public, roads, public.
Yes there is overlap and grey area between your PC and the net. Yes, the info on your PC gets transmitted (often against your desire) and without your knowledge. I am not saying it is right. I was trying to state that you (for better or worse) have less privacy in the meat world than we (currently) have in the net. So, your orig point that because we have privacy in the meat world, therefore, we claim it in the net as a right is faulty.
We do not have privacy in the meatworld, therefore, we can expect to lose more and more privacy in the net.
And, I will let you know anything you want about me. I have nothing to hide. I read pron. I flirt with chix even though I am engaged. I drink. I did drugs. yada yada yada. who fucking cares.
Tom
Misidentify yourself (Score:1)
Your title is incorrect.. (Score:1)
Happy to help.
Show them why this sucks (Score:1)
Internet Privacy (Score:2)
Automatic Data Transfer (Score:2)
Re:Jeez, pretty poor privacy? (Score:1)
And when $BIG_EVIL_COMPANY notices that you won't give your info away easily, they'll give you a page saying "you'll have to set the $FOOBAR in your $MENU to $PLEASE_REAM_ME in order to gain access to the $OFFERINGS".
Next!
Re:666 (Score:1)
Let's put the actual links in, please (Score:5)
Re:Automatic Data Transfer (Score:1)
Re:That's how it is supposed to work... (Score:2)
At some point, consumer advocacy is on the consumers' own shoulders. We already have sites that won't let you in without a cookie. I just go elsewhere. It's not like there aren't millions of other sites to visit. Consumers need to learn to say "no" to sites with bad privacy policies, excessive ads, etc.
--
So where is it? (Score:2)
BTW, you are doing your readers (and therefore yourselves) a great disservice by confusing them with this "Pretty Poor Privacy" pseudo-joke. I'd never heard of it until just now and I was totally baffled why I should be surprised that a spec that was called "poor privacy" would have privacy problems.
--
Re:Seems to be a good tool for internet blackmail (Score:1)
What is wrong with companies not knowing who is accessing their site?
Sorry I misread what you were saying.
Conscience is the inner voice which warns us that someone may be looking.
Who is responsible? (Score:2)
Are upcoming specifications that the W3C are going to release public?
Is there a period for public review of upcoming technologies? I would think problems like this, and the flaws pointed out in the article, would have to be addressed. It really sounds from the press release that unless you're a corporation in on the development, your input doesn't count. Should the W3C's drafts have to undergo public review? Or do they already, and I'm missing a step...
Not enough for Windoze (Score:3)
Giving one site false info does not make you anonymous...you must maintain a no exceptions policy of disinformation at all times! :-)
Re:What I don't get (Score:1)
First: I do not f#ck, sh*t, piss, eat online. Since none of these "poor privacy" services force you to, it does not amount to the equivalency of watching someone do these things in the meat world.
Second: If you shop in the meat world, you do not have ANY privacy. Between Credit cards, smart shopper cards and cameras, you have less privacy offline than online.
Third: Some things are Public activities. Others are Private activities. The Internet is a Public space. The rules governing the public sphere apply here. Rights to privacy only apply to the Private sphere (ie the home...if you own it).
Watch out for where your analogies lead.
Tom
Re:Seems to be a good tool for internet blackmail (Score:1)
Not that bad? (Score:1)
These people own their content, they have no obligation to give it to you in exchange for nothing. If you don't want it, don't give them your info. (There should be some restrictions, though, such as that they can't sell the info, or something like that). A good P3P implementation would allow you to choose which info to send, or edit an instance of your info for that site. I don't think users would really want to have this happen without their knowledge, though.
It's not like you have any privacy anyway. Most of this info could be gotten by tracking down your IP address anyway, if they really wanted. Besides, you can just fill out the info with bogus data anyway.
Re:BFD, another @hotmail address I'll give out. (Score:1)
I'm well aware of potential consequences (I read privacy policies), and I still fill them out. Here's why: they are providing content to you, and although they may even say that it is provided free of charge, it is not free. In return, they are asking for your information. The personal information is a form of payment, and it is often worth money to them. If you give false information, that is the same as buying something with counterfeit bills.
Re:Well? (Score:1)
When my 6'7" friend stayed in Hong Kong for a while, tailors would chase him down the street demanding they be allowed to make a suit for him.
Okay, I'm not sure what that has to do with the subject, but I'm sure it's related somehow....?
Re:666 (Score:1)
Wow. That Antichrist guy is really hip to technical trends.
Wonder how he feels about monopolies.
--
Re:Ha! Extorted Information is Crap (Score:1)
So. Which group claimed the largest average penis size?
--
Re:Does anyone posting on this know ANYTHING about (Score:2)
Or, when faced with a huge list of "age/sex/favecolor/modelofcar/SSN/creditcardnumber" choices, the end user will click on "Send All" to save time.
Stupid user? Yes -- but how many folks turned cookies back on (and then used another technology to block them) after clicking on "NO" 500 times per page?
This technology is designed to facilitate data collection. You can bet your ass that the user interface will be designed to make any negotiation other than "send all data" extremely cumbersome.
> You are _optionally_ *INFORMED* of each piece of information the site wants from you, and what they're going to do with it.
And without enforceability, that's about as valuable as a TrustE seal of approval. Wow, the marketing guys told me via P3P that they wouldn't resell my data! They'd never lie, would they?
Bottom line: Privacy is a right, not a preference.
Re:Who is responsible? (Score:1)
Re:That's how it is supposed to work... (Score:1)
At some point, consumer advocacy is on the consumers' own shoulders.
I totally agree. That is kind of the subtext of what I was saying. The thing is that a lot of people see technology, especially computers, which often do things "automagically" (with the emphasis on the magic part for most people, according to AC Clarke) as allowing them not to think, or doing things for them. So a lot of people are going to look at P3P and say, "hey my computer can ensure my privacy now," or something, rather than "Wow this gives me the ability to control my privacy decisions."
I guess what I am saying is that this is not a "plug and play" thing as far as effort goes. P3P could be a valuable tool for consumer advocacy, but only if people see it as that, not the technological magic that some people might get tricked (or duped) into thinking it is.
Consider The Source (Score:1)
those who have profits at stake take the time and trouble to serve on the committee. Is it any wonder that these groups come up with "solutions" that serve their needs rather than yours?
Given that "opt out" seems to be tolerated rather than punished in the US, we can expect no better. Europe seems to have a much better grasp on the subject of privacy as an absolute, rather than a relative thing.
Once one allows even a tiny amount of relativism into the mix, one can expect to have no privacy at all.
Re:What I don't get (Score:1)
If you just walk into a store and "window shop", do they automatically get your name, address, phone-number, credit card number, social security number, etc?
Then why the hell do you think that sites online have the right to do this? If I want to look at something out in the real world I am not required to give anyone any personal piece of information they want. With this, you could easily be a victim of identity theft (some moron in middle America builds a site to grab my info and uses it to purchase a thousand dollars worth of stuff, am I responsible?). This is the question with something like P3P.
What "BigBrain" thought of this idea? (Score:1)
I've never been one to cry out "down with the man", but this is starting to turn my stomach...
You Do sell your information (Score:4)
Every single instance of a club that saves you a nominal amount of money does so in order for them to better market their products to YOU. You save some money so you will spend much more later.
Ever use a Credit Card? Yep, they track purchases, too.
Buy with a check and they use a check scanner? Same thing.
Free email service? you have to provide your info.
Free Registration on any site? Yep, same thing... You are getting "valuable" content just for giving up your information. It may not be cash, but you are selling it anyway.
Re:Too bad... (Score:1)
Selling our data again, and keeping it, is hardly 'fair use' now is it?
Hey, it has to work both ways, or not at all.
No 'legal diodes'... though there are a few things that need rectification.
Re:Seems to be a good tool for internet blackmail (Score:1)
A login is different
Sort of... I think that's more of a semantic debate. Does Slashdot have a login or registration?
Either way I agree with you, I thought you were arguing for P3P at first.
Conscience is the inner voice which warns us that someone may be looking.
Re:Not enough for Windoze (Score:1)
Re:Well? (Score:2)
So now Rob knows that there is a guy whose nick is cannes, who (supposedly) buys porno every once in a while, and has a fake email address of fuzz_face_05@hotmail.com. He also knows at least one valid email address tied to that nick. But that's about it. The hotmail account (probably real) has very little to no attachment to some real person.
Rob doesn't know where you live. He doesn't know what your specific tastes in porn are, or what other products you buy. He doesn't know your phone number, your credit card, or your bank account numbers. He has no idea what your income is, whether you are married, have kids, and if so, how many. But if P3P is implemented, he could find out all of that with little difficulty.
The danger of that is that then Rob can do some very mean things. If Rob was a prospective employer, he could not hire you because he has issues with pron. As a bank, he could deny you a loan, or give you a worse interest rate. He could even pretend to be you, getting credit cards in your name, or use your name as a cover for criminal acts, since this information is the way you validate your identity to the rest of the world.
Each individual bit of information is worthless. All of it together has a lot more worth, and is a lot more dangerous to give away.
Re:Ha! Extorted Information is Crap (Score:1)
Re:What I don't get (Score:1)
Generate random personal data at intervals (Score:1)
Knowledge is a weapon... (Score:1)
i have n amount of email accounts, and my yahoo address is just one of them. i do check it, but i prefer that the general public not have access to my main account. Not even businesses.
information IS quite powerful. perhaps i could wallop someone with it...
I've heard this before... (Score:2)
Yes, there are other Bad Things in the world. And we should fix them, too. What we should not do is sit around in online discussions trying to score the most points for hipper-than-thou cynicality by ignoring the evil that men do. Dammit.
Freedom to Deny and Freedom to Lie (Score:1)
It's just a matter of personal preference. (Score:1)
This debate can't be solved by arguing opinions and speculation. I don't think it can really be resolved. All that is left is for this system to be implemented and let everyone decide what is best for themselves.
Re:Does anyone posting on this know ANYTHING about (Score:1)
Offtopic I know, but it annoys the hell out of me when I use it.
Re:What I don't get (Score:1)
Re:P3P vs. PGP (Score:1)
But you may be right that the acronym is actually supposed to include the word "Project", in which case I withdraw my comment.
--
Beware: rant ahead (Score:2)
the idea behind P3P is that viewers will be required to reveal their addresses and other personal information to every commercial site they access or be denied entrance,...
Exactly where in the specification does it state this as the goal of the protocol? Oh, I see, you made it up. Does Michael actually understand the difference between the intention of something, and the possibility of abuse of something? Apparently not.
And by the way, do you think that a site actually has no right to demand personal information before it's accessed? Uh -- yes they do. They can do any damn thing they want. You have a choice -- either provide the information, or don't visit the site. It's called freedom -- on both sides.
Oh I see -- you know what's best for everyone else. You will decide they should not have a convenient capability to pass their personal information automatically. People are too stupid to make that decision for themselves, so they need protection from Michael.
And the "pretty poor privacy" thing is unprofessional. At least give the proper name of the specification, and if you want to make your little joke, then make it. But putting it in the article's title is just disrespectful and immature.
I wish Slashdot would get someone that has a little more class and maturity to do these sort of articles.
--
I agree (Score:1)
perhaps WORSE than ANI? (Score:1)
This sounds a wee bit worse. I dunno about you, but I sure as hell don't fill in any real info (whenever possible) to any service, website, or software package.
What's not to stop some bogus company from starting a website, implementing this protocol, and gathering up thousands, if not millions of addresses to send junk mail and spam to?
Okay, I'll fill out my address
Reggie Stration
4321 Blastoff Drive
Legoland, USA
90210
Expect a lot of bogus info.
No Enforcement (Score:1)
Is it too much to ask for the principles of Transparency (I get to see any information that is collected about me) and Fairness (my permission is required for any other use of my information) to be implemented here in the US? Most likely. The big commercial interests would rather have all our information served to them on a silver platter so we can be more easily and accurately targeted for consumption. We would probably be outraged if we knew just how much the marketers know about us. Then we might not buy their products! Can't have that can we?
Re:No Enforcement (Score:1)
Why should you have control over this information after you give it up? I thought information wanted to be free, etc.. etc...
I'm glad this was moderated down (Score:1)
George Orwell... (Score:1)
Re:Beware: rant ahead (Score:1)
Re:Not enough for Windoze (Score:1)
One solution is to maintain 2 (or more) identities and just hope no one ever makes it from A to B, tricky though, I'd imagine that there are some people who know who I am just from my nick here, and info on various sites from way back when that could be used to trace me...
I'd agree in general though, maybe it is time for a new nick and a bit more care in maintaining it.
Re:Automatic Data Transfer (Score:3)
Re:What I don't get (Score:1)
Re:Beware: rant ahead (Score:1)
This shouldn't surprise you, this is the typical liberal viewpoint... they are the enlightened, everyone else is a sheep, unless you disagree with their point of view, in which case you are "intolerant" or an astroturfer or such.
For people who are so concerned about freedom, people who oppose P3P are pretty damn set on making sure that no one has the freedom to use P3P.
Re:Seems to be a good tool for internet blackmail (Score:1)
I'm still confused as to what the difference would be (reg requires more than just username/password maybe), but either way P3P is much worse in my opinion. I'll give fatbrain my real name and address, but I don't feel like giving it out to the nytimes just to read their paper. As is, registration (I'm assuming you mean it like above) is pretty easy to get around: just lie. However when I've got forms popping up, or just autofilling and submitting it becomes much more of a pain in the ass.
This all seems to me like the NSA got ahold of Microsoft Wallet
Conscience is the inner voice which warns us that someone may be looking.
Re:So where is it? (Score:1)
(It's been like this everywhere I go today...NetSol "forgot" to double check before switching the administrative contact and DNS info for my ISP. Gotta love when that happens.)
The straight deal on P3P (Score:2)
People are trying to make P3P out to be more than it actually is or tries to be. All it is is some XML code people can use to automate (very useful) privacy negotiations. Say you don't want to do business with sites that hand out your e-mail address to marketers. Bingo! P3P will make sure you're warned before clicking 'Submit'. Say you don't have a problem with a site that gives out your zip code for aggregate, non personally identifiable data. Bingo! P3P will make sure you can do business with those sites. P3P itself does not facilitate data transfer, automatic or manual, in any way shape or form.
A side effect of standardizing privacy policies is that they are machine readable and therefore can be scanned automatically by a user agent.
The only problem with P3P is that it doesn't provide a way to make sure companies are actually following their policies, but nowhere does any spec even say they are trying to do that, so why lambaste them for it?
And lastly, P3P is a WORK IN PROGRESS. It is by no means finalized.
P3P's official website is here [w3.org].
And no, I don't work for the W3C, but I've been researching P3P for awhile now and feel this story post was unfairly presented.
-ryry
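The check described in this comment and in the earlier "Re:This Is Great!" reply (a browser that reacts when a site asks for an address), as an added example that is not part of the thread or of any P3P implementation: a user agent reads a site's machine-readable policy and compares it with the user's preferences before anything is submitted. Element names follow the W3C P3P 1.0 vocabulary with the XML namespace omitted; both policies, the preference format and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed policy for a hypothetical shop (not taken from any real site).
SHOP_POLICY = """<POLICY name="shop">
  <STATEMENT>
    <PURPOSE><current/></PURPOSE>
    <RECIPIENT><ours/><delivery/></RECIPIENT>
    <DATA-GROUP><DATA ref="#user.name"/><DATA ref="#user.home-info.postal"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><pseudo-analysis/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <DATA-GROUP><DATA ref="#user.home-info.postal.postalcode"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><contact/><telemarketing/></PURPOSE>
    <RECIPIENT><unrelated/></RECIPIENT>
    <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
  </STATEMENT>
</POLICY>"""

# Constructed policy that asks for a whole branch of the data tree at once.
BROAD_POLICY = """<POLICY name="portal">
  <STATEMENT>
    <PURPOSE><telemarketing/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <DATA-GROUP><DATA ref="#user.home-info"/></DATA-GROUP>
  </STATEMENT>
</POLICY>"""

# Hypothetical user preferences: per data element, the purposes and recipients
# the user accepts, and what the agent does when a policy goes beyond them.
PREFS = [
    {"data": "user.home-info.postal", "purposes": {"current"},
     "recipients": {"ours", "delivery"}, "action": "block"},
    {"data": "user.home-info.postal.postalcode",
     "purposes": {"current", "pseudo-analysis"},
     "recipients": {"ours", "delivery"}, "action": "warn"},
    {"data": "user.home-info.online.email", "purposes": {"current"},
     "recipients": {"ours"}, "action": "warn"},
]

SEVERITY = {"allow": 0, "warn": 1, "block": 2}


def parse_policy(xml_text):
    """Return one dict per STATEMENT: declared purposes, recipients, data refs."""
    statements = []
    for st in ET.fromstring(xml_text).iter("STATEMENT"):
        statements.append({
            "purposes": {el.tag for p in st.findall("PURPOSE") for el in p},
            "recipients": {el.tag for r in st.findall("RECIPIENT") for el in r},
            "data": [d.get("ref", "").lstrip("#") for d in st.iter("DATA")],
        })
    return statements


def is_within(ref, scope):
    """True when ref is scope itself or an element below it in the dotted tree."""
    return ref == scope or ref.startswith(scope + ".")


def rules_for(ref, prefs):
    """Preference rules that apply to one requested data ref."""
    covering = [r for r in prefs if is_within(ref, r["data"])]
    # Only the most specific covering rule applies (postalcode beats postal).
    chosen = [max(covering, key=lambda r: len(r["data"]))] if covering else []
    # A broad request (user.home-info) contains every protected element below it.
    chosen += [r for r in prefs if r["data"] != ref and is_within(r["data"], ref)]
    return chosen


def evaluate(xml_text, prefs=PREFS):
    """Return (decision, findings); decision is 'allow', 'warn' or 'block'."""
    decision, findings = "allow", []
    for index, st in enumerate(parse_policy(xml_text)):
        for ref in st["data"]:
            for rule in rules_for(ref, prefs):
                extra_purposes = st["purposes"] - rule["purposes"]
                extra_recipients = st["recipients"] - rule["recipients"]
                if not (extra_purposes or extra_recipients):
                    continue
                findings.append({
                    "statement": index, "requested": ref,
                    "protected": rule["data"],
                    "purposes": sorted(extra_purposes),
                    "recipients": sorted(extra_recipients),
                    "action": rule["action"],
                })
                if SEVERITY[rule["action"]] > SEVERITY[decision]:
                    decision = rule["action"]
    return decision, findings


if __name__ == "__main__":
    for name, policy in (("shop", SHOP_POLICY), ("portal", BROAD_POLICY)):
        decision, findings = evaluate(policy)
        print(name, "->", decision)
        for finding in findings:
            print("   ", finding)
```

A statement that declares no purposes or recipients produces no finding here, so an agent built this way would also need to reject incomplete statements rather than treat them as harmless.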
Re:Does anyone posting on this know ANYTHING about (Score:3)
This is not really a privacy tool, but an anti-privacy tool. Please read the article at EPIC. I did read the entire piece, and could not agree more.
For this to even nominally become a tool which enhances privacy rather than degrades it, a lot of trust is required.
* You have to trust each web site you visit to really acquire only the information you want to let out and further trust that you will be notified that your personal information is being transferred or logged when it happens. P3P makes it much easier for web sites to acquire all kinds of information without your knowledge and to transmit that information by installing helpers in web browsers and even operating systems to do that.
* You have to trust the browser to be honest about doing the same. Get real. AOL-Netscape and Microsoft already have numerous built-in trojans which are difficult for users to remove or even know about. Working in conjunction with Active X, VB Script, Java Script, cookies and trojan horses hidden in the Windows registry, the browser can completely expose your local computer to a web site. It already does in some cases. This is truly 1984 - a nightmare. If an individual did what these companies do, he would be sentenced to years of imprisonment and forbidden to ever use the internet again when released. This is computer crime on such a large scale as to make the actions of every script kiddie and cracker inconsequential. If the lie is big enough, and is repeated with conviction, many people will believe it. A well known technique.
* As stated in the article, users will be overwhelmed with having to make choices about privacy levels at each web site and will tend to set the global setting to the lowest possible privacy level for all sites to avoid irritating popups. And, even if they set their desired level of privacy to the highest possible level, there is no guarantee that the browser and the web site will respect that setting, or that the web site will not be able to change these settings without the user's knowledge. As described above, helper applications embedded into a browser or an OS, or run by an ISP without a user's knowledge, will greatly facilitate the ease of silent transfers.
* Microsoft and other application service providers will increasingly be able to alter, without the user's knowledge, information which is on a remote computer if their software is used. For example, in "updating software" all your settings can be changed to the default (the lowest possible privacy setting of course). Remember, you do not own the software which operates your computer if you use Windows, Mac and some other proprietary systems. You only have a license to use that software. Increasingly such licenses will be time-limited and subject to cancellation on mere suspicion of internet "piracy" and so forth or even for having another OS also installed on the same machine, which can be interpreted as a breach of the license contract (installing "non-standard" software which might interfere with proper functioning of licensed, proprietary products).
Finally, consider the source of support for this new "standard". Corporations like MS, AOL and Real have been prosecuted or sued time and time again for violations of privacy and will continue abusing their customers unless the penalties become prohibitive or unless customers boycott them.
Even if it is remotely possible for this P3P protocol and "standard" to enhance privacy, your post which implies that those of us who do have concerns are completely off base rings false. Such concerns are well justified by past "untrustworthy" behavior by the major corporations behind this standard for abuse. And yes, I do trust the people at EPIC and Junkbusters a lot more than I trust Bill Gates and Steve Chase.
No, it's not bass-ackwards (Score:2)
The WTO is being used by corporations of multiple nations to gut environmental laws of multiple nations. It isn't just US corporations vs Europe.
The WTO has already demanded that the US repeal a law mandating that tuna be caught in a way that doesn't kill dolphins, under threat of sanctions -- and the US complied. Result: more dead dolphins.
Now, there are some possible good uses for the WTO rules: why haven't people sued the RIAA yet? Surely the region codes in DVDs are a trade violation!
They got to the government (Score:3)
ZDNet story [zdnet.com]
Re:666 (Score:2)
Hmm. I run commercial sites.. and we aren't planning on 'requiring' this kind of information.. I wonder who they've been talking to..
What Junkbusters had to say: p3p equiv. in music (Score:2)
http://www.junkbusters.com/ht/en/standards.html#supply [junkbusters.com]
To see the absurdity of the current state of American privacy and P3P's part in it, imagine switching the interest concerned from privacy to copyright, a very similar right concerning the restriction of dataflows. Suppose that in response to the music industry's alarm about unauthorized distribution of songs over the Internet, a consumer group proposed a technology called the "Platform for Piracy Promises". Each consumer would configure his own "piracy policy" in his browser, stating the circumstances under which he promises to copy, modify, transmit or broadcast certain different kinds of recordings, such as poetry, country music, and heavy metal containing profane lyrics. A rich language will be developed to express information about the various uses, owners and types of content. When the consumer visits the site of a recording company to download MP3 tracks, his browser would automatically "negotiate" with the company's server to determine whether the consumer's piracy policy "matches" recording company's "preferences" for use of its property.
If the music industry is suing like mad to fight piracy, perhaps the "identity industry" (i.e. consumers) might want to do the same to fight privacy invasion!
sulli
What I don't get (Score:2)
Bad link (Score:2)
By the way, it's not actually a criticism of the system itself (its implementation), but of whether or not it fulfills its goal (which they think it doesn't).
Jeez, pretty poor privacy? (Score:2)
The P3P standard is being developed to let users decide how much of the data their computer will give up about them.
It has nothing to do with PGP, even though it begins and ends with P. btw, so does PHP and PCP. I don't think anyone is confusing those with PGP either. It is not an encryption technology, but a policy technology.
It would send out a PICS-like code to a user, and it would match to user preferences to check for violations of personal security rules.
This would let people collect a certificate that states "this site (will|will not) (sell|share) your information. Information is kept for (foo) months." If visitors have a problem in the future that they think is a result of visiting this site, or accuse the site of violating their stated terms, they have evidence by which to prove it.
There really aren't many implementations available yet, aside from some of your usual startup-of-one-purpose companies.
This is a consumer protection measure intended to keep governments (particularly the pesky US) from passing yet more laws that don't work.
This was reported on NPR [npr.org] yesterday. Some folks from Junkbusters commented on it saying it was a good idea to take back personal information, but more needs to be done to ensure enforcement, or the whole system would fail.
I needn't remind anyone that using junkbuster with cookie protection is usually enough for most privacy addicts.
Re:What I don't get (Score:2)
Right. Nother bad analogy.
First: I do not f#ck, sh*t, piss, eat online. Since none of these "poor privacy" services force you to, it does not amount to the equivalency of watching someone do these things in the meat world.
So you don't engage in anything considered against the norm? What if an adult wishes to look at adult material, (ie p0rn)? Do you sit around in public places reading playboy and penthouse? Some people might get creeped out by that, but it is a public place so it should be allowed?
Second: If you shop in the meat world, you do not have ANY privacy. Between Credit cards, smart shopper cards and cameras, you have less privacy offline than online.
Cash, all cash. I buy a bag of chips and give them a $5 bill, they give me change I walk out. They don't know my name, address, or anything about me. They know I am a white male in my early 20s, that could fit anyone.
Third: Some things are Public activities. Others are Private activities. The Internet is a Public space. The rules governing the public sphere apply here. Rights to privacy only apply to the Private sphere (ie the home...if you own it).
See the point above. Also, if you are in your own home, it is considered private, but if you use the internet out of your home, it is considered public? If I am watching tv at home, is that considered "private space", why should the Internet or a computer be any different?
I did play the CB high school Quake3 death match, but I wouldn't want to tell my boss about it. I downloaded it and played it at home "private space", but somehow in your weird world, this information should be available to anyone that wants it?
Watch out for where your analogies lead.
Uh, you mean to my original point?
Tom
Hi Tom. What is your Social Security Number? My name is Jack^H^H^H^H Jerry btw, nice to meet you.
Does anyone posting on this know ANYTHING about it (Score:5)
Okay, with P3P, you are supposed to be able to:
1) Define different things about yourself, such as your age, sex, address, favourite colour, waist size, whatever.
2) Set rules for how each of those pieces of information is shared, or even IF they're shared (though there's not much point in defining them if you're never gonna share 'em. So don't define them if you don't want to!)
3) Okay, so you've got your Internet app configured with the information and the rules on how and when and to whom you'll share.
Scenario:
You go to an online retailer (e-tailer, ugh.). This place sells clothes, woohoo! When you hit the site, your internet app does a check - it checks how you set up your P3P settings in that app - do you get notified of where your P3P rules clash, does it autonegotiate sending _some_ of your info based on what the site says it will do with it, or will it pop up a thing that lets you 'dicker' with the site about what you will and won't share? Okay, so if the site says it'll use the info it's requesting for non-personally identifiable marketing purposes (age, sex, favourite colour, nothing that can identify YOU), then hopefully you've set your P3P rules to allow that to happen automagically. The site then has all those nice customized features to match your age, sex, and favourite colour. Nice.
Okay, say what the site wanted wasn't allowed by your P3P rules. Okay, if the internet app has been coded nicely (that's an assumption), then it might pop up something saying, "Site X wants such and such information, but promises it won't be shared with anyone under any circumstances." It's then up to you to say yea or nay, HOPEFULLY to each individual item of information. HOPEFULLY you'll be able to say, check next to each item you're willing to allow. Then the internet app goes back to the site with the additional items you're willing to share. If the site says okie dokie, then you're fine. Or else some features of the site may be disabled. Or perhaps the price of the item is higher (lower price for people willing to share more info? A better way to 'pay' people for sharing information.). Or maybe you don't get access at all, but that brings us to the friggin' POINT of P3P:
You are _optionally_ *INFORMED* of each piece of information the site wants from you, and what they're going to do with it. You don't get that information at many sites now, and you certainly don't negotiate anything. Either you share it, or you don't. This will _NOT_ give out information you don't want given out. Anyone who thinks that knows nothing about P3P. This is about giving INFORMED CONTROL over your information. You don't have to give out anything you don't want to, or you can selectively give out INDIVIDUAL things (there's no "all or nothing" aspect here!!!), to sites, based on what they say they'll do with the info.
P3P _IS_ a good thing. It's GREAT for privacy. It's good for children and other living things. It also stays crunchy in milk, and has a good beat that I can dance to. I give it a 42, Dick.
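The per-item matching described in the comment above, sketched as an added example that is not part of the original post or of the P3P specification. The class and function names, the purpose strings and the sample data are hypothetical, and this is a simplified model rather than P3P's own policy syntax.

```python
from dataclasses import dataclass

ALLOW, PROMPT, WITHHOLD = "allow", "prompt", "withhold"

@dataclass(frozen=True)
class Request:              # one line of a site's declared policy (hypothetical shape)
    item: str
    purpose: str
    third_party: bool = False

@dataclass(frozen=True)
class Rule:                 # the user's rule for one profile item (hypothetical shape)
    auto_purposes: frozenset
    allow_third_party: bool = False

def decide(profile, rules, requests):
    """Map each requested item to ALLOW, PROMPT or WITHHOLD (default deny)."""
    out = {}
    for req in requests:
        rule = rules.get(req.item)
        if req.item not in profile or rule is None:
            out[req.item] = WITHHOLD          # never defined: nothing to send
        elif req.third_party and not rule.allow_third_party:
            out[req.item] = PROMPT            # clash: ask, never send silently
        elif req.purpose in rule.auto_purposes:
            out[req.item] = ALLOW             # rule covers this stated purpose
        else:
            out[req.item] = PROMPT            # purpose not pre-approved: ask
    return out

def release(profile, decisions, answers=None):
    """Values actually sent: ALLOW items plus PROMPT items the user ticked."""
    answers = answers or {}
    return {i: profile[i] for i, d in decisions.items()
            if d == ALLOW or (d == PROMPT and answers.get(i) is True)}

# Constructed sample data, not taken from any real site or user agent.
PROFILE = {"age": 27, "favourite_colour": "green", "address": "1 Example St"}
RULES = {
    "age": Rule(frozenset({"anonymous-marketing"})),
    "favourite_colour": Rule(frozenset({"anonymous-marketing"})),
    "address": Rule(frozenset({"order-delivery"})),
}
SITE_POLICY = [
    Request("age", "anonymous-marketing"),
    Request("favourite_colour", "anonymous-marketing"),
    Request("address", "direct-mail", third_party=True),
    Request("waist_size", "anonymous-marketing"),
]

if __name__ == "__main__":
    d = decide(PROFILE, RULES, SITE_POLICY)
    print(d)
    print(release(PROFILE, d))                      # no prompt answered
    print(release(PROFILE, d, {"address": True}))   # user ticked address
```

An unanswered prompt releases nothing, and an item the user never defined cannot be released even if a prompt answer names it.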
Pseudonyms -- true anonymity on the net. (Score:3)
99% of the websites I visit and do business with know me by an IP address and maybe the name Remus Shepherd. The other 1% are those that require real information and whom I've decided to give that information to. But most advertisers and databases out there know me as Remus, with no connection to my real name. They can't get a credit history on Remus Shepherd. Mailing address? None known. Bombard Remus Shepherd with 'targeted' ads all you like -- they're easy for my mailfilter to trash, while the few trusted sites that know my real name are allowed through.
The net may evolve into a communication medium where people have screen names and True Names (thanks again, Vernor Vinge). I think it's a simple and effective response to commercial invasion of privacy.
Dear marketers, (Score:2)
Love, Don
Link (Score:2)
It's just a data-gathering tool. (Score:3)
The main function of this "privacy protocol" is to streamline the gathering of personal information, and to make it as "painless" as possible for the user.
Our privacy is supposed to be "enhanced" by a protocol which standardizes all these aspects of personal information, and facilitates their transfer, possibly without the user initiating or even noticing the transfer, to any web site that happens to implement the protocol. The name for this protocol sounds like it comes straight out of 1984.
Ha! Extorted Information is Crap (Score:5)
The point being, if you try to compel people to give you information, that information becomes useless. The more you attempt to compel them, the more useless it gets. Sort of like a Heisenberg's principle for info.
Some of these folks who want to set up huge databases from user info will find that the extra money generated won't pay for the boxes and bandwidth the infrastructure will require.
666 (Score:4)
viewers will be required to reveal their addresses and other personal information to every commercial site they access or be denied entrance
Next I'll have to have my IPV6 address tattooed on my forehead to do business in the brick and mortar world.
P3P vs. PGP (Score:5)
The World Wide Web Consortium is abbreviated W3C, and this makes sense. P3P would make sense if there were another P, but there isn't.
IANAL, but is this grounds for a lawsuit by whoever owns the PGP trademark?