Is W3C's P3P Good Privacy? 118
nileshch asks: "A very important development in recent times with regards to website users' privacy has happened with the W3C introducing the Platform for Privacy Preferences(P3P). P3P allows websites to create and maintain XML-based privacy policies for the entire website or sub sections of the site. These machine readable policies document what information is collected from users and how it is going to be used. Today, a few browsers like Mozilla/Netscape & Internet Explorer are committed to giving support for P3P (Mozilla here, IE here) . Although that support seems only skin-deep. I also find very few big sites adopting P3P seriously. Isn't it like the classic chicken-and-egg situation? Websites wait for full P3P support on browsers, browsers go slow on development because there isn't much feature demand happening on this front. Do you have P3P policies for your website? If not, what stops you from creating one? We all create hoopla over tiny privacy issues, user profiling and doubleclick.net . Then why isn't there much enthusiasm for P3P support in browsers?"
Why? (Score:5, Insightful)
Why? It's simple. Users don't care. Geeks do, but geeks don't make up a large percentage of the general population. The general population of Web users aren't nearly as paranoid.
Re:Why? (Score:3, Insightful)
A lot of people don't understand the tracking that goes on. They still see the internet as everyone being anonymous, just because they don't understand the technology.
Re:Why? (Score:5, Insightful)
I suppose I see the Internet as being inherently non-anonymous (a sufficiently interested party could be tapping my cable modem, either by court order or surreptitiously) because I do understand the technology, so the fact that it's not anonymous isn't an issue I feel it's really fruitful to worry about. I'd far rather get worked up about things I have a nonzero probability of actually changing, or at least that do me harm. Mind you, my definition of "harm" includes things like sending me spam, but I see little evidence that web site information sharing will ever be responsible for more than a fraction of a percent of the mountains of spam that already hit my filters.
In the instances when I really do want to resist observation by a third party, e.g. working from home which means I'm dealing with my company's trade secrets, I take care to encrypt everything I send. Even then, though, a sufficiently interested corporate spy or government agent could break into my house and install keyboard-monitoring software without my knowledge, or could be watching my monitor using a spy cam from the neighbor's roof. At some point you either have to go completely off the deep end with privacy paranoia or conclude that as an individual there's a point beyond which it's impossible to keep secrets from the world. From there it's a matter of figuring out where you think it's reasonable for that point to be, and it's on that score that well-informed people can disagree.
Sun's Scott McNealy summed it up pretty well, I think ("You have zero privacy anyway. Get over it.") Obviously I'm in the minority here on Slashdot, but I think he's pretty much right.
Re:Why? (Score:3, Interesting)
Let them sell off my information. Let them spam me, let these sites *gasp* make money to survive. There is no such thing as a free lunch. I've told the users which I support that same statement over and over again when they download all those seemingly free programs like hotbar and bonzai buddy. And yet I can't get it through my thick skull that even though I pay to access the internet, my responsiblity doesn't stop there. If I am to continue to use these sites, should they not get paid?
Remeber, information is free, but you have to pay the tarriffs and transportation costs.
Re:Why? (Score:1)
I use cookies on my sites to help the users' experience. There's no other way to do it. If they don't want to accept cookies, that's fine. But they're losing out. It doesn't effect me as a web site owner either way.
Re:Why? (Score:1)
I don't know what you're trying to do but about the only problem with a user not accepting cookies is that they have to "login" to the site on each visit. You can track a user on a site by query-string/form.
I'm only pointing this out as many sites don't work without cookies and I feel this is a poor state of affairs, mostly 'cos its due to lazy site building that depends on the session management features of the web server.
I'd urge any slightly clue'd-up web developer who cares, to try build sites that operate without cookies. The reason is that, okay, it is slightly more hassle to build the first one, but once you've got the hang of building stateless applications, you get the benefit of vastly improved scalability! This is a good thing.
So thats nice.
Re:Why? (Score:2)
And actually, the reason that I decided to go with cookies instead of the querystring/form method is because Netscape 4.7 had a very tough time with querystrings. There was a length limit, and it munged up lots of special characters, so extra formatting was required on every single page, and if your querystring got to be a certain length, it simply didn't work.
Re:Why? (Score:1)
Elegant it ain't. I think the querystring should really just be used for resource identification and *something else* used to maintain transient state information, but we're stuck with what we got!
introduce the potential for many, many more bugs in a web app.
How so?
Obviously you do have to organise you app such that you know that you've validated every bit of UA supplied information, but then thats a given in anycase. I guess if you've had agro from NS4.x then that'd be enough to put anyone off!
All that said, re-thinking about my points on "vastly improved" scalability, I was talking out of my arse, since using the querystring forces you to dynamically generate each page! I'll try to remember to think before I post in future!!
Re:Why? (Score:1)
Like, if you're writing, say, a basic shopping cart, then the items ordered need to be in the querystring every single page, even if the customer is say, reading the privacy policy. Also, it's all gone if the user, say, types in a different web page on your site manually.
The other way of using it is for holding a GUID from a DB, but then, you're looking at a lot more DB hits.
With sessions, as long as your webserver cleans 'em up, and you have enough memory in the webserver, it's a pretty good performance option, plus, you don't have to deal with the headache of rebuilding the querystring every page.... Or shit, I just thought of that... if you're doing a form submit, then you have to dynamically make a hidden field for everything in the querystring and submit the form normally. Ugh. Nasty.
Not really (Score:2)
Really, why should I have to store gigs of data so that people can chose what background color or what kind of porn they want to see when they visit my site?
Re:Why? (Score:2)
Someone profiting by violating privacy, dosent care about privacy. Yep thats pretty much the problem with things right now
Re:Why? (Score:2)
And it's not that I don't care about privacy. I close the bathroom door same as anyone else. I just don't have an expectation of perfect privacy in certain contexts, and Web surfing is one of them.
"Information wants to be free" is a double-edged sword -- every one of us is an information source as well as a consumer.
David Brin's "The Transparent Society" [amazon.com] has a good treatment of the issues, and I agree with most of what he has to say. Unless we put a stop to the development of information technology, the trend will be toward easier and more frequent gathering and wide dispersal of information, be it music, your surfing habits, the campaign donors of your favorite congressman, or next week's weather forecast. With the arguable exception of cryptography, just about every segment of the computer industry is devoted to increasing information flow. I believe that's a trend that ultimately results in far more good than harm. Which isn't to say there's no harm, but I don't think it's ever been possible to pick and choose the side effects of technological advancement.
Where the slippery slope goes (Score:2)
The slippery slope will lead to profiling agencies, much like credit reporting agencies, who sell your profile to employers, landlords, lawyers, law enforcement, and anyone else who wants to make a decision about you.
they just don't care. I'm a geek who understands the tracking that goes on (I've written Web tracking software in the past) and for the most part, I don't care.
This is one reason the Electronic Privacy Information Center argues that P3P is not a privacy enhancing technology [epic.org]. Websites will eventually demand that you reveal everything, or they won't let you access the site. If people don't care, they will comply. The end result will be like cookies (only with your name, age, address, and other personal data attached). Handing your full identity over to every site you visit will simply become the de facto standard.
Re:Where the slippery slope goes (Score:2)
It will lead to that?
I agree it might lead to that, though even then I'd remain skeptical of the negative impact; the implicit assumption is that any of those people will give a damn what I'm doing on the web. Some might, but then some landlords and employers already care about things they have no business caring about, so this is hardly a new threat. There are already laws on the books saying they can't refuse to hire me or rent me a room based on irrelevant information.
More fundamentally, though, are you saying we should forbid people from exchanging information that could have harmful uses? To me that's the slippery slope; that way lies draconian DRM technology and the laws to back it up ("you might pirate our movies") not to mention simple censorship.
If people are free to exchange information at will -- which is something I believe in -- there are consequences that cut both ways, and to me, at least, it's next to impossible to retain the good consequences while eliminating the bad ones.
But we do agree, at least, that P3P isn't all it's cracked up to be. I think for a lot of site maintainers it's no more than "that thing I had to go read up on to get IE6 users to stop complaining that my site was forgetting their login names between visits."
Re:Why? (Score:2, Insightful)
You should see how superstitious the people I know are when it comes to computers. I can't count the number of times someone has donned a panic-stricken look on their face when I told them something was wrong with their computer, the network or servers. They don't understand that it's my job to FIX the problem. Instead they panic, thinking the sky is falling.
You have to be soooo careful when you talk about computer problems with some people.
Re:Why? (Score:4, Insightful)
<rant>
It really bugs me when people start bagging on P3P and saying how crappy it is. Why don't you do something about it? Right now P3P is the best privacy standard out there. Until someone comes up with something better, lets use it!
</rant>
Re:Why? (Score:1)
Re:Why Cookies? (Score:2)
This can also apply to home users, or businesses, or anywhere else a NAT is set up. Uh-oh.
Throw some cookies in there and now suddenly each users request becomes uniquely identifiable, and although not entirely secure, it certainly is much more difficult than "accedentally."
Re:Why Cookies? (Score:3, Informative)
Re:Why Cookies? (Score:2)
Implemented simply with a GET request which has some kind of ID number in it. Essentially, though, Cookies are just a more sort of hidden way to do this.
Whenever I see one of those absurdly long URLs with all kinds of session info in it, I wonder why the developers couldn't just use a little JavaScript and an <INPUT TYPE=HIDDEN VALUE="whatever">. When you click on a link, instead of using the HREF, use an onClick="go('thisLink.html')", where the go() function will set the appropriate hidden form values and use a form.submit(). The server will parse all nessesary info, including session info, from the POST request, and redirect or dynamically generate as nessesary. Of course, if the user takes action on an <INPUT TYPE=SUBMIT>, this becomes quite trivial.
Of course, that's a lot of trouble for the same functionality you get from cookies, and in some situations (depending on implementation) could be a little too trusting of the end user as well... I never understood why people where bothered by cookies in the first place.
Re:Why Cookies? (Score:2)
You can also use SSL key (Score:2)
Re:Why? (Score:1)
P3P: CP="IE You suck ass and so do your users!"
or something similarly content-free, then you are not really using P3P, you are only working around a misfeature in IE.
Personally I find it annoying that IE has started to demand a P3P header just to work normally.
Who do the W3C think they are? (Score:4, Funny)
P3P is required (Score:1, Interesting)
-GReg
Re:P3P is required (Score:5, Informative)
3. You should also have a compact policy associated with the cookie itself. This is done by sending the compact policy string of text along with the HTTP header when setting the cookie. The format of this text will vary depending on which web server software package you are using on your site. See Deployment Guide Section 3.1 "Using HTTP Headers" and Deployment Guide Appendix A for a discussion of various implementations.
The appendix is HERE [p3ptoolbox.org].
And now you understand (Score:2)
Re:P3P is required (Score:1)
A nice one is IBM's P3P Policy Editor [ibm.com].
Re:P3P is required (Score:1, Informative)
P3P (Score:3, Informative)
I think that if it puts spammers, pr0n peddlers and other crooks on the ropes, I'm all for it.
If this really mattered to most of us (Score:2, Interesting)
Re:If this really mattered to most of us (Score:1)
Huh? I use my credit card (online and otherwise), AND I also happen to care whether or not corporations are illegally (illegal in my country anyway) selling my personal information to third parties. I don't understand what you're trying to say. That using your credit card is somehow proof that you don't mind your personal information also being sold? I don't see how the two correlate.
Re:If this really mattered to most of us (Score:1)
Re:If this really mattered to most of us (Score:1)
Do they sell your info? Most do. They know what, where and when you buy
No, thats paranoid. MOST of the places I've used my CC with, have NOT sold my personal information to anyone. And if they have, they sure haven't given me any reason to suspect that they have - I have only ever received ONE piece of junk (snail) mail that I did not know (for sure, but I have a strong suspicion, and it has nothing to do with my CC) how the company got my info. My main email address I have so far also managed to keep clean of junk (e)mail, just by being careful who I give it to, and creating 'special' email accounts for some places. For example, I use a special email address for Amazon, which has never received anything other than the occasional Amazon newletter.
I mainly use my credit card for (a) ordering books (mostly from Amazon, but also from one South African online bookstore), (b) Paying my website host, and (c) a few miscellaneous retail/food purchases, i.e. restaurants, or occasionally buying clothes.
Whats SPECTRE?
Maybe in the US "Most sell your info", because the law is more corporation-friendly there, but in South Africa it is illegal for a company to sell your personal information without your EXPLICIT, SIGNED (clicking "I agree" does NOT count) and KNOWLEDGABLE consent. That is, they must be able to prove that you reasonably *knew* you were signing over to them the rights to sell your personal info to others. A few places do take chances, because it is usually difficult to find out *who* sold your personal info, but by and large most places are fairly well-behaved around here in this regard. My bank which issued my CC has a strong privacy policy (even though I can say nothing else good about them).
So no, I'm not "just paranoid" about "evil organizations".
Well, yes! (Score:1)
P3P is useless as the untrustworthy sites will simply lie about what they do with the info, so it buys us nothing.
IE+P3P+Hotmail is an annoying combo, because if you send people a link in mail to a hotmail account M$ think they need trap people in a frameset, neatly displaying "we ownz y00" and keeping people from bookmarking the site they are visting, however the most annoying effect is that it is impossible to get a cookie set in the framed site (so logging in just doesn't work on most sites), without a compact P3P header.
Luckyly you can just add some garbage P3P header:
P3P: CP="CAO ADM OUR IND PHY ONL PUR NAV DEM STA"
and IE will allow the framed site to work normally, it did take a lot of angry users to find that particular IE+hotmail-misfeature.
In closing: death to IE and hotmail, may they both be taken behind the barn and shot through the head ASAP!
The deal with cookies (Score:4, Insightful)
Re:The deal with cookies (Score:1)
Site A has an ad banner from Banner company X, which serves a cookie.
Site B also has an ad banner, and company X now knows when you were on site A, and site B.
Say both are dealing with tools, then company X will be in a perfect position to start profiling you. You have never given them this info consentually, but still they have information on you.
Re:The deal with cookies (Score:1)
Re:The deal with cookies (Score:2)
Apache logs aren't viable because companies would have to sift through and parse their huge apache logs in tandem. If they use different log formats or different web servers (some people do use IIS you know, this becomes even harder.
Two flawed ideas doesn't equal an infinite amount of ways.
Re:The deal with cookies (Score:1)
Re:The deal with cookies (Score:1)
While in some cases, an IP address might be sufficient to tie one person from one site to another, it can neither be trusted to be persistent nor unique. Users may be re-assigned a new dynamically-allocated IP address from one hour to the next, and multiple users may share a single HTTP proxy (or NAT system). How many AOL users share a common set of HTTP proxies?
Re:The deal with cookies (Score:2, Insightful)
Then deny cookies from third parties. Even IE can do that.
You can even use IE's P3P support to check their privacy policy and allow them to set cookies if you agree to it.
Cookies are fine. Cookies are the only sensible method of tracking state across the web, be that simple user logins to web applications. The alternative is just as easily leaked URL-encoded session information, and you can't reject that automatically.
good privacy... (Score:2, Insightful)
New version? (Score:1, Funny)
Well, Slashdot's not using it... (Score:2, Insightful)
Re:Well, Slashdot's not using it... (Score:1)
Slashdot doesn't use well standardised XHTML/CSS, either. Nor does Slash, the code back-end, use many good programming principles that any Slashdot editor and most users would advocate - or at least so I've been told. Nor do a great many Slashdotters use an open-source OS (remember that poll about operating systems a while ago, some people still have the more shocking parts of the results in their sig)
Ergo, saying "Slashdot is not using it" is not saying much at all...
Useless idea (Score:3, Insightful)
It is a solution looking for a problem
We have it, but... (Score:2)
Many (15%?) people set their "cookie security" to "high". This makes cookies fail on all non-P3P websites, causing all kinds of application misbehaviors. So we either have an inconvenient/hard-to-follow set of instructions about enabling cookies, or we set up P3P on the server side. In our case, we never share or cross-market our client data with anyone, so P3P is administratively simple as well.
On the other hand, I don't see what stops the sleazier companies from simply lying about privacy via P3P. After all, these are some of the same people who sell everything you do to Doubleclick and quietly switch your privcacy preferences to "yes, spam me" (hint: 4-letter auction site; starts with "E"). What's another lie when there is direct marketing revenue at stake?
Re:We have it, but... (Score:2, Insightful)
On the other hand, I don't see what stops the sleazier companies from simply lying about privacy via P3P
This seems to me to be THE major flaw in this idea. The sort of companies who want to gather your personal information and sell it to third parties without your consent are, in most cases, PRECISELY those companies who are are not going to tell they are doing it. If they were at all ethical (*), they wouldn't gather and sell your info to begin with.
(*) Apart from unethical, in many countries other than the US, it is also outright illegal to do so.
Re:We have it, but... (Score:1)
I would view it no differently from a company posting a readable privacy policy on their site saying they don't sell your information. If they sell it, that should be against the law.
At a minimum, one might assert that the privacy policy is part of a contract I'm agreeing to by providing them with my personal information. If I provide that to them because they lied in their privacy policy, I might have grounds to sue.
I'd be interested in a real lawyer's take on this..
Re:We have it, but... (Score:1)
Re:We have it, but... (Score:2)
Considering how little IE does to suppress popups and other crap, it's odd that M$ suddenly decided to declare war on 3rd party cookies.
It never occurred to me that there could be a non-marketing application for 3rd party cookies, so I don't mind having IE ditch them.
Meaningless drivel (Score:1)
I'm for self-regulation. P3P is self-regulation. I think it's a good idea...but only when everyone knows about it!
Re:Meaningless drivel (Score:2)
Too Complex? (Score:3, Insightful)
Re:Too Complex? (Score:1)
If every Joe Website has to spend a half-hour either reading through the formidible XML specification, or filling out 16 pages of a web application to generate a P3P policy, nobody is going to do it. The "compact" policy is a step in the right direction, but still either requires a significant amount of up-front investment reading and learning P3P or the same 16-page online P3P generator process.
It's annoying, especially when your site doesn't really deal much with user data. Why should I spend so much of this time just to document the fact that yes, I collect HTTP server logs, and yes, I run them through a log analysis system?
For the users, it's the same. For those that bother to look at their browser settings, in IE it's just "low", "medium" or "high". If the setting looks OK, that's what they pick. But then things break for them and they don't know why, and that trivial privacy setting turns out to be a little more restrictive than they really care about, so they set it lower or turn it off.
The vast majority of people just don't care, and those that do care find that few web sites volunteer their privacy information with P3P anyway, except those that make a business out of tracking people with cookies. They almost certainly have P3P policies already, but who knows if they're truthful or accurate?
We had to... (Score:2, Informative)
The next day we created a policy and haven't had a problem with IE 6 cookies since. Sad but true. Any site that relies on cookies are going to need a P3P policy.
write a script... (Score:2)
Like, why keep taking it and taking it and taking it and taking it? Don't insult them, just show them a different thing that's "better" for them. Most people just slap don't know, the "internet"is "windows and explorer" because it came with their new conpooter and "microsoft" somehow "owns" the internet. We have to do everything we can to get this brainwashing reversed..
What's In It For Me? (Score:2)
> support in browsers?"
When I care about a site's privacy policy (and sometimes I do) I read it myself. I'm not about to trust my browser to tell me it's ok. When I don't care, I don't care. What good is P3P to me?
P3P is flawed (Score:4, Insightful)
The problem is that users (and perl programmers) tend to be lazy. And lazy users check the little "this is the default setting so stop showing me dialog boxes" checkboxes in order to make things easier for them. The problem with this is that with P3P, a website can "claim" to not sell/rent your email address, but because the user set their default options to accept that, their address is automatically sent to the website and they don't have the opportunity to consider the implications and evaluate it themselves.
Also, P3P is a total PITA to write and the one editor that I know of (free from ibm) seems to be long since dead (and downright confusing too). It can also open companies up to legal trouble since a discrepency between a P3P file and the actual practices of the website could be grounds for a lawsuit (IANAL).
Re:P3P is flawed (Score:5, Insightful)
"So, remind me why our extremely clear and readable privacy policy that explains the nuances of medical ethics and the Internet has to be re-hashed into someone elses over-complex set of quasi-technical categories?"
"It's so that users can simply select from a small number of generic pre-set privacy levels, and let their browser manufacturer tell them whether we take good care of their data!"
It's a dumb idea. It's a miss-appliance of technology.
P3P not that hard (Score:1, Insightful)
P3P isn't that hard to figure out... Anyone who actually reads the W3C docs, and Microsoft's docs on how IE implements P3P, can easily support P3P. And it wasn't a "surprise", Microsoft had been telling the world that IE6 would support P3P from about a year before IE6 came out.
It took about 1 day to set up and implement P3P on our web sites (some IIS, some Apache/PHP).
How useful is it? It depends on web sites honestly reporting their information in the P3P info. I'm sure most big legit companies accuratly report their privacy policy in the P3P info.
But what's to stop some unscrupulous Web site from lying? It's not like it's against the law to lie in your P3P info... Nobody is going to punish you for doing it. So, does it really make the web safer?
p3p is not a PET (Score:4, Interesting)
Re:p3p is not a PET (Score:2)
In the report, the Vice President of Sales at iVillage complains that because of P3P; Internet Explorer incorrectly mislabeled the privacy policy of iVillage as inadequate. (Page 5, first paragraph in the PDF report [epic.org].)
Well, their privacy policy [ivillage.com] *is* inadequate. Their policy is too freeeeaaakking long. It's nine pages long and contains three thousand seven hundred words. I am not going to read that every time I discover a new web site.
Some Resources (Score:5, Informative)
Also for folks using Windows IE (the majority) ATT&T offers up their free eternally-beta AT&T Privacy Bird [privacybird.com] which gives folks visual and auditory feedback (both controlled/turned off in Prefs) on site's P3P settings. Quite informative actually, I discovered just how awful Yahoo's policies are when I used their headline aggregator (just who are they selling my newsreading habits to?) [rhetorical question]
The P3P folks have put together a great website at P3P Public Overview [w3.org] which is chock-full of useful information. On the other hand here is an interesting critique [anu.edu.au] and here another [gigalaw.com], suprisingly both by lawyers. Security guru Richard Smith also has an important (though hopefully now fixed?) page on supercookies [computerbytesman.com] and how MS IE 6's touted protections can be got around.
Mozilla [mozilla.org] of course supports P3P and it's useful to understand just how MS IE 6 suppports [microsoft.com] and applies [microsoft.com] P3P and cookies [microsoft.com].
Re:Some Resources (Score:1)
Need some insight from web pros... (Score:2)
Somehow there is a severe lack of info on how to make Flash codes HTML compliant. I figured maybe I should use the <OBJECT> tag to somehow smuggle the Flash code from an external file.
OK, end of unrelated rant, now for the P3P thingy. I figured this will be important for my site in the future because I'm considering engaging in e-commerce (very small scale), so what the heck.
The thing is, the examples of P3P XML files I looked at from various sources always contain sensitive elements like business.contact-info.postal.address (using loosely, I know that it's supposed to be
But what if it's a home-based business? I surely don't want customers knowing my home address and dropping in whenever they like, a main reason why I chose to do online business in the first place. So in order to safeguard the privacy of my customers, I now seem to be compromising my own.
If there is a proper workaround for this issue (without any legal problems), can some intelligent and experienced individual point it out to me? Are all those business.contact-info.* tags required in the first place? It seems that every compliant site have them.
Thanks in advance.
Re:Need some insight from web pros... (Score:2)
Mailboxes etc. has a handy resource for a majority of small business questions. Check it out here. [mbe.com]
This isn't a plug ( I don't work for them), but your business is their business. Even if you don't use their services, their small business page has great information on it.
Re:Need some insight from web pros... (Score:2)
Re:Need some insight from web pros... (Score:1)
Hey you! Become an early adopter of new technology! That way I don't have to work so hard when I steal your ideas!
Re:Need some insight from web pros... (Score:1)
Remember, P3P is just a web recommendation. It's neither a standard nor law. There's nothing legal or illegal at this point about the contents of these policies (or lack thereof), except perhaps if you deliberately lie and say you aren't doing something that you really are doing.
An impossible task (Score:1)
- the spec refers to 'compact' policy. I have not seen an example of a contract or agreement that would meet 'compact' by any stretch of the imagination.
- the spec refers to non-ambiguity.I have not seen an example of a contract or agreement that is not purposely ambiguous.
- statements are positive. What, no 'except', 'subject to', 'contrary to above' ??
- finally, xml is well formed.
Re:An impossible task (Score:2)
> agreement that is not purposely ambiguous.
You've not seen many contracts, then. Most lawyers strive to eliminate ambiguity.
Any lawyer who puts ambiguity in a contract of adhesion (which these things are) is a fool. The courts will always interpret such ambiguities in the consumer's favor.
Set your cookies to expire at the end of the sess (Score:1)
how often a given user comes back to the site. If
everybody set their cookies to expire it would drive
them up a wall.
Either that or we should all standardize on one MSN
cookie so we all have the same GUID.
Re:Set your cookies to expire at the end of the se (Score:1)
I mean really, isn't it *terrible* that web sites might know how often you come back to the site? You know what that leads to, right...? First it's that, and from that, they can figure out your height, weight, favorite food, and even dick size! You'd better protect that privacy at all costs!
One problem remains (Score:2, Interesting)
Of course one problem remains: since it's entirely up to the site owner, he/she can enter EVERYTHING. There is no way to know whether a particular site stays true to the poolicy it has created. Your data isn't safe just because the one stealing (and selling) it says it is. On the other hand, there is probably no way of verifying stuff like this, so P3P is the best shot we got.
What stops me? (Score:2, Insightful)
Return on investment.
Creating a P3P policy would take alot of my time - I would have to research and learn the format and possiblities of the language, then write the policy, reconcile it with various departments within the company, then finally integrate into the site, and potentially have to deal with questions from confused visitors.
Implementing P3P on my site would cost me no money, but a great deal of time.
TIME IS MONEY
Why bother... (Score:2)
Why (not) implement? (Score:1)
However, Opera aleady allows me to block the popups....
And, what marketer is going to use P3P when they read this:
"Imagine that, in an effort to reduce the mail she receives, Cindy has told her browser that she wants to be warned whenever a site says that it will use her information to send her marketing promotions."
It only helps if those you want to block decide to use it.
p3p adoption and tradeoffs (Score:2, Informative)
Ernst & Young have a regular P3P Dashboard Report [ey.com][PDF] that summarizes adoption of P3P by large Web sites.
Privacy is a difficult issue; P3P has been derided because it doesn't do enough (actively negotiate or protect your privacy), because it does too much (intrusion into the browser, difficult to implement) and generally because it's too complex.
As a result, it's a compromise that noone is 100% happy about, but it does give us something to work with. Standards that try to do everything for everyone almost always fail.
The W3C is, next week, holding a workshop [w3.org] to look at the future of P3P; I haven't had a chance to read the position papers yet, but the fact that they're holding a workshop shows that they know there's more work to do.
P3P means nothing (Score:3, Interesting)
It can say "oh yeah, we're not selling your information to 3rd parties or anything" when in fact they are. If you trust what it says, then you allow the site to set cookies. You shouldn't be trusting the word of the site itself. It should be a 3rd party certification.
That's not really protecting privacy, IMHO.
If P3P policies could be used as evidence in court cases for misrepresentation, then it might force companies to provide more accurate P3P policies, but I haven't heard of any lawsuits coming from inaccurate P3P policies. You'd have to KNOW their policy was misleading in order to take them to court anyway, which is hard to do.
No external auditing (Score:2)
There is no external auditing of P3P that I can see.
I set this up on one website I built, but why? I was able to say whatever I wanted. If my browser acted on this sort of information I would be forced to disable it, since it is not, and cannot be trusted without an external verification.
Mozilla and P3P (Score:2)
Mozilla doesn NOT, in fact, support P3P. It did at one point. Support was removed, because, as I understand it, P3P is "dumb".
Netscape reincludes it in there releases, but it hasn't been in Mozilla proper for some time now.
Game geek ponders ... (Score:1)
Am I the only one who read the headline and thought: "Well, I've never had a privacy problem playing Warcraft III 3Player skirmish!"
Oh, bloody hell. I'm just a game dweeb. Never mind.
Reason why P3P doesn't work... (Score:2)
P3P Seal of trust? Good and strong as the weakest link of chain. Just think Thawte or Verisign.
P3P embedded in Mozilla or IE browsers? Yeah, right. Gotta see the code in order to trust the browser.
How much trust and confidence does that inspire to "We, the Web Surfers?"
None, Nothing, Na-da!
Re:Reason why P3P doesn't work... (Score:1)
Or worse, TRUST-E.
Mozilla support (Score:2, Informative)
Mozilla, commited to P3P?
I refer you to this bugzilla thread:
http://bugzilla.mozilla.org/show_bug.cgi
which has been going since March. Several people supported P3P, but the people in charge weren't having any of it.
Tools for the lazy? (Score:2)
Are there any tools out there that let you edit a p3p XML file quickly and easily? I'm to lazy to look up the specs and edit an XML file in notepad right now (and I have other things to do).
Why I am not using P3P (Score:1)
As a "web application" development and hosting company (read: writing and hosting custom shopping carts mostly), I can make a P3P policy that covers our use of the information easily. However, what about the 30+ companies I host for? Do I need seperate policies for each of them? If I write a policy for them, and they don't like it, will they sue me? Even if the policy is true? Can I write one policy for the whole batch and hope that the "good" companies don't sue me for being included with the companies that sell all your information AND your newborn babies for cash?
Not only that, but the information-sharing parts aren't all that hot... all of them appear to assume that the policy creator/hoster is the "primary" user of information... in my case, I only use administrative access (backups, restores) to the information, its the individual companies who use the personal information.
I could use "other-recipient", but I have this bad feeling that browsers will balk at that. The definition of "ours" talks about other entities that we collect data for, but it just seems a little shady that way.
In the end, I suppose I'll wind up having each company create their own.
Yes! (Score:1)
All I want to know is... (Score:1)
PxP? (Score:2)
Re:What's the point? (Score:2)
Re:Please help with Linux driver (Score:1)
...and MS has the best tracking facilities (Score:1)
I think cookie-tracker schemes and companies like Doubleclick will be wiped by this, and MS will dominate the served advertisement market before too long.