Pretty Poor Privacy

EPIC has just released a harsh criticism of the Pretty Poor Privacy specification from W3C. Although automatic data transfer is not in the P3P spec itself any longer (taken out after polls showed people didn't like it), implementations of P3P will still include automatic data transfer mechanisms - the idea behind P3P is that viewers will be required to reveal their addresses and other personal information to every commercial site they access or be denied entrance, and that this data transfer will be effectively hidden from users so it will be "out of sight, out of mind". (For a more in-depth article about P3P and Internet privacy generally, see this paper, written in response to Lessig's support of P3P in his recent book.)

Seems to be a good tool for internet blackmail

[Madman]

Actually, it's Platform for Privacy Preferences Project.

What is wrong with companies not knowing who is accessing their site? Public sites should be open to all whether they want to be identified or not. Now companies will be able to deny access to anonymous users on a whim.
This is similar to the arguement a few years ago thet led to the "no purchase necessary" law. This case is similar in that it involves private companies blocking the people from public domain offerings. A web page should be considered a public offering.
A company cannot discriminate against you just because they don't know who you are. The phone company doesn't demand your ID when you put a quarter in a payphone, because it's a public service. Same thing again.

Re:Seems to be a good tool for internet blackmail

[Biff+Cool]

What is wrong with companies not knowing who is accessing their site? Public sites should be open to all whether they want to be identified or not. Now companies will be able to deny access to anonymous users on a whim.
Isn't that why god created logins and registration required. All P3P does is obfuscate that they are collecting information.

Conscience is the inner voice which warns us that someone may be looking.

Re:Seems to be a good tool for internet blackmail

[Biff+Cool]

What is wrong with companies not knowing who is accessing thier site?
Sorry I misread what you were saying.

Conscience is the inner voice which warns us that someone may be looking.

Re:Seems to be a good tool for internet blackmail

[Madman]

A login is different. I have no problem registering with a company I have checked out and approve of. Now a company can force me to register with them just to see if the page is what I'm looking for or not. There is a big difference

Re:Seems to be a good tool for internet blackmail

[Biff+Cool]

A login is different
Sort of... I think that's more of a semantic debate. Does Slashdot have a login or registration?
Either way I agree with you, I thought you were argueing for P3P at first.

Conscience is the inner voice which warns us that someone may be looking.

Re:Seems to be a good tool for internet blackmail

[Biff+Cool]

I'm still confused as to what the difference would be (reg requires more than just username/password maybe), but either way P3P is much worse in my opinion. I'll give fatbrain my real name and address, but I don't feel like giving it out to the nytimes just to read their paper. As is, registration (I'm assuming you mean it like above) is pretty easy to get around just lie. However when I've got forms popping up, or just autofilling and submitting it becomes much more of a pain in the ass.

This all seems to me like the NSA got ahold of Microsoft Wallet

Conscience is the inner voice which warns us that someone may be looking.

Re:Seems to be a good tool for internet blackmail

[delmoi]

What is wrong with companies not knowing who is accessing their site? Public sites should be open to all whether they want to be identified or not. Now companies will be able to deny access to anonymous users on a whim.

Why? If I don't want you to see my site, why should I be forced to show it to you?

Re:Seems to be a good tool for internet blackmail

[Rakarra]

You can get on slashdot without registering, but you must register and login in order to contribute.

Even this isn't true. You can post without registering by posting as an AC. But for you (or anyone else) to conveniently track your posts requires a login.

Re:Seems to be a good tool for internet blackmail

[Madman]

It's more than semantic: I'm not a lawyer, bit I think there are legal percedences that can be applied here. The main difference to me is being asked to register and being forced to register. You can get on slashdot without registering, but you must register and login in order to contribute. I have to problem with it at all. You have to have some contol. Imagine if you couldn't watch TV without the station knowing who you are, where you lived and how much you make. This is very similar to that situation, and if technology keeps going the way it is now, it just might happen too.

Re:Seems to be a good tool for internet blackmail

[vecna_99]

Does Slashdot have a login or registration?

slashdot has a registration. users are not required to log in before they can view the site; however, they have the option to activate their accounts for increased functionality.

it's a semantic debate, but it's a very simple one.

-steve

It could be good

[Dungeon+Dweller]

It could be, but it isn't. Changes in implementation will be necessary for anybody who wants to have a shred of privacy if this thing becomes incorporated. It may have started as a good idea that got mutated into a way to gather data without telling the user that you are gathering it, but it sounds more like something that was thought of as a way to gather data, that can be disguised as something good (and it's not a very good costume at that).

Re:What I don't get

[B-B]

Do not know if you will get this or not, sorry my resp is soooo late.

I do not know some of the issues in HOW this info gets out of your pc, and onto the net...but doesn't that info have to be on your PC for it to get out?

I never keep that info on my boxen. If/when I order foo online, I immediately go offline, trash all preferences (I am on a Mac) save my bookmarks, trash all history/cookies, etc and re login.

I agree, they have no right to mine for this data. It disgusts me. But my point stands...

I am not saying this is right....only that it is expected behavior in the new corpNet.

Tom

Re:Ha! Extorted Information is Crap

[bullschmitz]

You are absoulutely correct. Trying to extort information from people gives you a load of bunk. But there if there is a value exchange you are more likely to divulge that information (you recieve value by giving said information). If you are looking for a movie showing in your neighborhood on a site you frequent, how nice that they remember your zip code.

Personalization can only exist if you divulge information. And personalization is worth it. In the land of not-aol, not-yahoo, not-msn, there is just too much information, too many sites. If you dont want an editorial perspective or "programming", you need a mechanism to navigate the anarchy. Slashdot does this wonderfully for me. It filters out all the noise, by collecting ratings (which in some strange paranoid way, can show the interests of individuals and allow them to hunt you down and kill you, since you always bump up articles against MS).

The P3P was created to enforce a value exchange between individuals and sites, to allow for safe personalization. It was created so that there is a mechanism of informed consent before divulging information, so that one clearly knows why they are being asked for their coveted data, and how it will be used.

Without initiatives like the P3P we are left with extortion. And then government intervention. As internet professionals, we either try to create ways to protect our privacy online, or allow the government to attempt to do it for us. And with all the noise of "save the children", I guarantee the government will be more stern that most would like.

We are slowly moving forward on the privacy front (still years behind europe). Remember a few years back, there was no such thing as a privacy policy. Then everyone wrote a bunch of unread legaleze and called it a day. Now people are advocating human readable (short and in plain english) privacy policies, which informed consent principle of the P3P is premised on.

Propose something better, instead of just trashing. And keep in mind that the population is filled with real people not power geeks. There is always the tradeoff between convenience and security/privacy. And most people will go for convenience. This is a first good step for convenient and private. Let's here some alternatives.

Re:This Is Great!

[Nathaniel]

"So whats from keeping them from lying a little?"

It doesn't matter if they lie about what they will do with the information. If they require it, we don't use their site.

Suppose I set my machine up to let any site know that I'm 30 years old, live in the US, and use Linux exclusively.

Now if any site requires my SSN or address, my browser logs the name of the site, the time, and the fields they requested to a file, adds that site to a list of hostnames for which A Href's shouldn't be considered to be links, and redirects my request to a page that the browser generates displaying the actions it's taken, the reasons for the action, and a list of alternative sites with simular information.

What's wrong with that?

Re:BFD, another @hotmail address I'll give out.

[MadAhab]

Personally I use spammy@real.com, and ALWAYS opt to receive special announcements. The fun part about sending it to their own domain is that they will probably send it, refuse it, AND get the bounced message. It's a hat trick!

Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.

Re:The W3C...

[Tower]

Nobody is *forcing* you to do anything... you don't have to visit sites that use it, you don't have to use it yourself, and if you do, you don't have to provide it with valid data...

Of course, sites that sell things don't have to provide you with any goods if you don't give them that information. If Tom's Hardware (for example) asked for this info, I'd just say no, and if they didn't let me in the hell with that. If a store asks me for info, and I'm actually going to buy something (need to give a real CC#, address anyway), what the hell.

A good implementation would allow you to select which pieces of information you would send to which (types) of sites. If they asked for more, you could selectively give pieces to them, or dey them that information if you found it too private. Again, nobody has forced you do anything...

P3P Is Great Stuff

[c]

Think about it. Well done cookies are opaque, which means you have no control over the contents. With a P3P enabled proxy server, we've got total control over what identifying information gets kept by a web server.

Unless a P3P server is requiring certificates for everything and actually verifying them as the user connects to each page (read: expensive), there's an opportunity to feed pretty much any information you want to the server.

I predict that Mr. Gates is going to be visiting some pretty racy web sites when P3P gets off the ground.

Also, with a well-done proxy, you can basically use the P3P protocol to implement your own form of nyms (you can't hide your IP address, but that's it). A junkbuster patch for this should be trivial.

I think that P3P can dramatically _increase_ the amount of privacy we have (compared to cookies), while at the same time making all that demographic information sites are collecting completely useless. If enough users routinely feed new random information to a site every time they connect, it could also get pretty expensive to store all that. I imagine they might catch on to that when the number of unique records exceeds the global population, but that'll be a while down the road.

c.

Re:perhaps WORSE than ANI?

[FalseConsciousness]

Actually the use of ANI/ALI devices is restricted in many countries outside of the USA. That means that when you calling 911 (or the local variant) the operator can have the use of automatic lookup devices that provide a screen pop of your (the caller's) directory listing, home address, etc., but when you are calling to order 100 Timeless Country Classics, it would be technically illegal for them to have the same devices. But in the USA, anyone with the bucks can set up a phone room will lookup devices. I think this is guaranteed in the constitution somewhere, after all it's not ANI devices that invade privacy, it's people who invade privacy. If you outlaw them, only outlaws will have them. A well-maintained telemarketing industry is necessary for the survival of the republic.

But it's not

[hawk]

Left to itself, it's that anonymous. However, from the IP they get a certain amount of geography. With big enough databases, they can cross-correllate and come up with matches part of the time to your credit record, etc., by figuring you your interests. Not that, say, doubleclick, would try to do this . .

Well, why worry?

[Frodo]

So instead of putting in "John Random, email johnrandom@free-webmail-of-the-day.com" on every registration form, you just make your browser do it automatically. Clever people would even make client that would invent random names on-the-fly for every ecommerce site (and then you get promotional spams from emcommerce sites titled 'Dear Sir Kissmy Backend'). What's too much problem in it?

Umm. Pardon me, but...

[tietokone-olmi]

Couldn't you just forge your data that the browser sends? I'd think that if enough people send a "Like most other 'net users, I prefer to remain anonymous while surfing"-type P3P data, they'd give up soon enough.

Re:perhaps WORSE than ANI?

[rgmoore]

Expect a lot of bogus info.

The problem with this is that there are both legitimate and illegitimate reasons to want that info. Sure it's great that you can automatically give people a bogus address and watch them waste their money junkmailing non-existent addresses. Unfortunately, the on-line retailers are going to be asking for the same information, so that book you just bought from Amazon.com is going to be sent to the same bogus address.

I suppose that there are practical solutions to this problem, but it still is a problem. You could, for instance, have two browsers and only fire up the one with genuine info when you actually wanted to buy something. Or, for that matter, a really smart browser could have the option of deliberately feeding bogus info to sites that you don't like the privacy policies of, rather than simply not letting you access them at all. Actually, that last one seems like a great idea for a free software project ...

This Is Great!

[Seumas]

I mean, think about it. Instead of going through the trouble to research places you do business with online, to find out what their privacy practices and stances are, you can just go to the site and if it rejects you because you didn't automatically provide personal information that they have no right to, then you can just go elsewhere. They do all the 'footwork' for you in identifying themselves as businesses you may not wish to do business with!
---
seumas.com

Re:This Is Great!

[Steeltoe]

Except that their policies are not enforced by any central body, not governments, not laws or anything. So whats from keeping them from lying a little? It's not like they haven't done that in the past.

- Steeltoe

Re:Well?

[don_carnage]

Do you have any privacy when you walk into a store in the mall. Does it really matter?

Yes and yes. When you walk into a mall, you're not required to give you name, address, phone number, sex, top 5 most frequently visited websites and race.
--

Re:The W3C...

[exploder]

This is like the WTO telling the U.S. its environmental laws have to go in the name of good trade.

'Scuse me? Seems like you've got that one bass-ackwards. Check out the ongoing debate between the US and the EU over genetically modified foods, or Coca-Cola's actions at the upcoming Olympic Games in Sydney.

Re:Let's put the actual links in, please

[MindStalker]

While searching for the actual actice I came across another one very simular with the same title.
http://www.kcoyle.net/p3p.html

Lessig likes it? Then I don't.

[Zone5]

Hell, whether or not if fulfills its goal, the mere fact that Lessig supports it is enough for me to walk the other way.

Too bad...

[exploder]

...you only get to sell it once. Then the marketers sell it to each other.

Re:Too bad...

[Paul+Neubauer]

Wait, wait, isn't that illegal copying?

Seeling our data again, and keeping it, is hardly 'fair use' now is it?

Hey, it has to work or both ways, or not at all.
No 'legal diodes'... though there are a few things that need rectification. :)

Re:Too bad...

[delmoi]

If you ask me, personal data that you submit to sites should be covered under copyright, they sell it without your license, you could sue. And no stupid license "agreements" to rob you of your rights ether.

Re:Too bad...

[angelo]

Isn't that "There are two kinds of people: People who categorize people into groups, and people who don't"?

privacy?!

[purefizz]

face it... you never had any privacy anyways. Drug stores, magazines, and eveybody else knows what you by either by your credit card number, ssi, name, etc. You check out of Luckys using their little key ring tag, they might as well scan that tag off your forehead. Keep it simple, have one tag for eveything. ;)

cad-fu: kicking CAD back into shape

Not Quite...

[Philem]

...the way it works. P3P is designed to allow consumers to see what information the site is asking for, to what use they will put it, and how said site deals with information it receives. I think you may be slightly confused if you believe it will "automatically transfer" information. Quite the opposite, rather.

Could it be the..

[Mr.+Last+Post]

..last post?

Re:"Most"?

[tommyc]

In this country, "most" people are female.
And most of them do not have wives or "girlfriends" of the type alleged.

Re:BFD, another @hotmail address I'll give out.

[Roast+Beef]

Using counterfeit bills is illegal (against the law) because it is an offense against the government. Criminal law covers that. On the other hand, if you lie to a private citizen on a contract, they can take you to court and charge you under civil law. I intended it the way I said it.

Re:What I don't get

[B-B]

Hello, Jack/Jerry.

I do many things not the norm, but f#cking in public is not one of them. Guess my kinks run in a differnet direction. Reading Playboy in public should be allowed, just so you do not shove it in anyone else's face. Again, I wouldn't (out of common courtesy).

Lots of people pay with cash, and and the clerk a smart shopper card. Also, many people use credit cards. Yes, you can stay out of the digital shopping system. ut you end up in analog (tapes) anyway. NOT anonymous.

Home is private, your PC, private, your yard, private. Sidewalk, public, internet, public, roads, public.

Yes there is overlap and grey area between your PC and the net. Yes, the info on your PC gets transmitted (often against your desire) and without your knowledge. I am not saying it is right I was trying to state that you (for better or worse) have less privacy in the meat world that we (currently) have in the net. So, your orig point that because we have privacy in the meat world, therefore, we claim it in the net as a right is faulty.

We do not have privacy in the meatworld, therefore, we can expect to lose more and more privacy in the net.

And, I will let you know anything you want about me. I have nothing to hide. I read pron. I flirt with chix even though I am engaged. I drink. I did drugs. yada yada yada. who fucking cares.

Tom

Misidentify yourself

[dalroth5]

Naah, do whut I do: tell 'em all that you're real name is dal roth5 (they can't check names), that you live at 730 Third Avenue, New York, NY 10017-3206, phone 212-490-9000 (real address of a LARGE company where nobody lives), that you're over 90, female, a retired housewife and have a household income of less than $10,000 p.a. Not only does it gum up their works (tee hee) but it also drops you clean orf their marketing desirability meter.

Your title is incorrect..

[Rombuu]

P3P is Personal Privacy Platform.

Happy to help.

Re:Your title is incorrect..

[fedos]

P3P is Platform for Personal Privacy Project.

michael was making commentary on the protocol.

Happy to help.

Re:Your title is incorrect..

[ODiV]

Ah, but it would also be helpful to know what they're talking about as the real name isn't mentionned at all in the little paragraph up there.

Re:Your title is incorrect..

[Happy+Monkey]

P3P is Platform for Personal Privacy Project.

Actually, it's "P3P Prevents Privacy".

hth.
___

Show them why this sucks

[earwaxboy]

Why doesn't someone who has the resources and ability simply gather all of the personal information for someone like the CEO of Doubleclick? It can't be that difficult to get his home phone, address and social security number. Simply post them somewhere anonymously and everyone enjoy.

Internet Privacy

[BgJonson79]

It's up to those of us who are directly involved with the 'Net to insure that privacy will also be an issue, until the 'Net is completely anonymous (which it NEVER will be).

Re:Internet Privacy

[British]

it requires* a static ip? Doesn't that defeat the purpose?

Re:Internet Privacy

[mikpos]

No, it doesn't require a static IP address. To be a node (and there don't have to be *that* many nodes), it's preferably to have a static IP address.

If you read the Freenet protocol, though, you'll see that it doesn't matter much. The whole idea is that if I request a document from a node, the nodehas no idea whether it is actually I who is requesting it or whether I'm just passing on the request from someone else. Kind of like the people who phone into self-help shows with a "friend" who has a problem.

In practice, I think the measures taken to preserve anonymity (and there are quite a few) on Freenet work very well. They, of course, will work better once more people start using it, though.

Re:Internet Privacy

[baglunch]

Gotta have a static IP for freenet, which rules me out.

Automatic Data Transfer

[LaNMaN2000]

Just automatically reveal false data to all sites that you visit. If a group of people get together and all identify themselves as Jesus Christ or Linus Torvalds, then the data will be as worthless as if it were never collected. Your "identity" will not even function as a unique identifier as everybody in the group is identifying themselves as the same individual.

Re:Automatic Data Transfer

[Bieeardo]

Or Harry Buttle, perhaps?

Re:Automatic Data Transfer

[gilroy]

Blockquoth the poster:

If a group of people get together and all identify themselves as Jesus Christ or Linus Torvalds...

I vote for Harry Tuttle, or perhaps Yossarian.

Re:Automatic Data Transfer

[FlyingDragon]

That works really well until you try to order something or do anything else which requires your real identity.

Re:Automatic Data Transfer

[C.Lee]

>That works really well until you try to order something or do anything
>else which requires your real identity.

Like what? I have *NO* intention of ever purchasing anything or paying any bills whatsoever via the internet.

Re:Automatic Data Transfer

[pod]

That's all fine and dandy for window shopping. As soon as you try to order anything that fake data will be used to charge and for shipping info. The only recourse would be to phone in (possibly long distance) and place your order. Of course it will take sites a long time to fully convert to P3P, with Netscape 2 and IE 3 still in wide use and lots of legacy stuff to look after. But I'm sure if your browser is P3P capable you will be required to provide information on yourself.

Re:Automatic Data Transfer

[MURDOCK1]

I, as I'm sure that many of you, have several free e-mail accounts in several locations. These accounts are used when I don't wish to provide my actual personal information. I feel that this is a great way to protect my privacy, and the very notion that a commity should dictate the common sense of protecting my information is a invasion of my privacy. The key to success in an alter ego is consistency, use the same information all the time.

Re:Jeez, pretty poor privacy?

[tietokone-olmi]

This would let people collect a certificate that states "this site (will|will not) (sell|share) you information. Information is kept for (foo) months." If visitorse have a problem in the future that they think is a result of visiting this site, or accuse the site of violating their stated terms, they have evidence by which to prove it.

And when $BIG_EVIL_COMPANY notices that you won't give your info away easily, they'll give you a page saying "you'll have to set the $FOOBAR in your $MENU to $PLEASE_REAM_ME in order to gain access to the $OFFERINGS".

Next!

Re:666

[browser_war_pow]

Even worse, you may have to get a crusoe embedded in your hand like those techno savy preachers like van impe tell us the antichrist will use.

Let's put the actual links in, please

[Decklin+Foster]

The actual report is at http://www.epic.org/reports/pret typoorprivacy.html.

Re:That's how it is supposed to work...

[Black+Parrot]

> Okay, decline to send that info. But you don't get in! If enough of us "honkin' huge" sites do this, most people will just set their P3P prefs to be something like "let it all hang out."

At some point, consumer advocacy is on the consumers' own shoulders. We already have sites that won't let you in without a cookie. I just go elsewhere. It's not like there aren't millions of other sites to visit. Consumers need to learn to say "no" to sites with bad privacy policies, excessive ads, etc.

--

So where is it?

[FascDot+Killed+My+Pr]

The link points to the W3C itself. Where is the "harsh criticism".

BTW, you are doing your readers (and therefore yourselves) a great disservice by confusing them with this "Pretty Poor Privacy" pseudo-joke. I'd never heard of it until just now and I was totally baffled why I should be surprised that a spec that was called "poor privacy" would have privacy problems.
--

Re:So where is it?

[mcrandello]

"Pretty Poor Privacy" was the name of the paper that they forgot to link to.

(It's been like this everywhere I go today...NetSol "forgot" to double check before switching the administrative contact and DNS info for my ISP. Gotta love when that happens.)

Who is responsible?

[Watts]

While this is filed under the "from the what'd-you-expect-from-AOL-and-Microsoft dept.", I'm sort of doubting that AOL and Microsoft are purely to blame for this. Ironically, "the Center for Democracy and Technology" is credited in the press release. But what I'm wondering is this:
Are upcoming specifications that the W3C are going to release public?
Is there a period for public review of upcoming technologies? I would think problems like this, and the flaws pointed out in the article, would have to be addressed. It really sounds from the press release that unless you're a corporation in on the development, your input doesn't count. Should the W3C's drafts have to undergo public review? Or do they already, and I'm missing a step...

Re:Who is responsible?

[Bieeardo]

On the off chance that anyone's interested, here is the link to the Center for Democracy and Technology.

Re:Who is responsible?

[KjetilK]

Everything W3C comes up with undergo public review. Just have a look at the W3C P3P homepage, there's a list there where you can send your comments.

Not enough for Windoze

[chrome+koran]

You have to make sure your name, etc. don't appear anywhere in any registry entry. The only easy way to do this is to build your drive from scratch and give false info every step of the way, any time an app asks for registration info. Otherwise, if you have ever put the data in to register software, etc. it's in there and spy software can get it and send it home. Ever notice how when you install an app in Windoze 98 and it asks you to register, it already has many of the fields pre-filled?

Giving one site false info does not make you anonymous...you must maintain a no exceptions policy of disinformation at all times! :-)

Re:Not enough for Windoze

[delmoi]

Or you could just search the registry and remove the stuff (or change it) yourself...

Re:Not enough for Windoze

[titus-g]

which all falls down when you have to use your real details, whether it is to make sure the purchase arrives at your door, not Mr Cypherpunks, or to prove your legal ownership/rentalship of something, and god forbid that the site involved might publish your details online

One solution is to maintain 2 (or more) identities and just hope no one ever makes it from A to B, tricky though, I'd imagine that there are some people who know who I am just from my nick here, and info on various sites from way back when that could be used to trace me...

I'd agree in general though, maybe it is time for a new nick and a bit more care in maintaining it.

Re:Not enough for Windoze

Very good point, Jesus. You and Jesus up there are right on.

-sincerely
Jesus. :-)

Re:What I don't get

[B-B]

Right. Nother bad analogy.

First: I do not f#ck, sh*t, piss, eat online. Since none of these "poor privacy" services force you to, it does not amount to the equivalency of watching someone do these things in the meat world.

Second: If you shop in the meat world, you do not ahve ANY privacy. Between Credit cards, smart shopper cards and cameras, you have less privacy offline than online.

Third: Some things are Public activities. Others are Private activities. The Internet is a Public space. The rules governing the public sphere apply here. Rights to pirvacy only apply to the Private sphere (ie the home...if you own it).

Watch out for where your analogies lead.

Tom

Not that bad?

[delmoi]

I don't see what's so bad about this, although I don't know the specifics of p3p, I know a lot of commercial sites require you to give them info before you get access (Nytimes, Ebay, etc). Instead of filling out long forms, you'd just have to click "Yes" or "No"

These people own their content, they have no obligation to give it to you in exchange for nothing. If you don't want it, don't give them your info. (There should be some restrictions, though, such as that they can't sell the info, or something like that). A good P3P implementation would allow you to choose witch info to send, or edit an instance of your info for that site. I don't think users would really want to have this happen without their knowledge, though.

Its not like you have any privacy anyway. Most of this info could be gotten by tracking down your IP address anyway, if they really wanted. Besides, you can just fill out the info with bogus data anyway :P

Re:BFD, another @hotmail address I'll give out.

[Roast+Beef]

who have been led to believe (for many years) that in order to receive good things we must first reveal all sorts of information, and trust that it won't be abused.

I'm well aware of potential consequences (I read privacy policies), and I still fill them out. Here's why: they are providing content to you, and although they may even say that it is provided free of charge, it is not free. In return, they are asking for your information. The personal information is a form of payment, and it is often worth money to them. If you give false information, that is the same as buying something with counterfeit bills.

Re:Well?

[albamuth]

I think all it really amounts to is what kind of banners you tend to see. Does everyone see that Maxim banner as much as I do? What did I do to deserve that banner follow me around like a puppy? Argh!

When my 6'7" friend stayed in Hong Kong for a while, tailors would chase him down the street demanding they be allowed to make a suit for him.

Okay, I'm not sure what that has to do with the subject, but I'm sure it's related somehow....?

Re:666

[Black+Parrot]

> Even worse, you may have to get a crusoe embedded in your hand like those techno savy preachers like van impe tell us the antichrist will use.

Wow. That Antichrist guy is really hip to technical trends.

Wonder how he feels about monopolies.

--

Re:Ha! Extorted Information is Crap

[Black+Parrot]

> I looked at the database once and found what I expected, hundreds of William Jefferson Clinton, thousands of Bill Gates and quite a few Saddam Husseins, Jesus Christs and Vladimir Lenins.

So. Which group claimed the largest average penis size?

--

Re:Does anyone posting on this know ANYTHING about

[Tackhead]

> HOPEFULLY you'll be able to say, check next to each item you're willing to allow.

Or, when faced with a huge list of "age/sex/favecolor/modelofcar/SSN/creditcardnumber " choices, the end user will click on "Send All" to save time.

Stupid user? Yes -- but how many folks turned cookies back on (and then used another technology to block them) after clicking on "NO" 500 times per page?

This technology is designed to facilitate data collection. You can bet your ass that the user interface will be designed to make any negotiation other than "send all data" extremely cumbersome.

> You are _optionally_ *INFORMED* of each piece of information the site wants from you, and what they're going to do with it.

And without enforceability, that's about as valuable as a TrustE seal of approval. Wow, the marketing guys told me via P3P that they wouldn't resell my data! They'd never lie, would they?

Bottom line: Privacy is a right, not a preference.

Re:That's how it is supposed to work...

[rangek]

At some point, consumer advocacy is on the consumers' own shoulders.

I totally agree. That is kind of the subtext of what I was saying. The thing is that a lot of people see technology, especially computers, which often do things "automagically" (with the emphasis on the magic part for most people, according to AC Clarke) as allowing them not to think, or doing things for them. So a lot of people are going to look at P3P and say, "hey my computer can ensure my privacy now," or something, rather than "Wow this gives me the ability to control my privacy decisions."

I guess what I am saying is that this is not a "plug and play" thing as far as effort goes. P3P could be a valuable tool for consumer advocacy, but only if people see it as that, not the technological magic that some people might get tricked (or duped) into thinking it is.

Consider The Source

[~packetfire~]

When a standards body is formed, few except
those who have profits at stake take the time
and trouble to serve on the commitee.

Is it any wonder that these groups come up
with "solutions" that serve their needs rather
than yours?

Given that "opt out" seems to be tolerated
rather than punished in the US, we can expect
no better. Europe seems to have a much better
grasp on the subject of privacy as an absolute,
rather than a relative thing.

Once one allows even a tiny amount of relativism
into the mix, one can expect to have no privacy
at all.

Re:What I don't get

[talesout]

While you have some valid points I will ask this one question:

If you just walk into a store a "window shop", do they automatically get your name, address, phone-number, credit card number, social security number, etc?

Then why the hell do you think that sites online have the right to do this. If I want to look at something out in the real world I am not required to give anyone any personal piece of information they want. With this, you could easily be a victim of identity theft (some moron in middle America builds a site to grab my info and uses it to purchase a thousand dollars worth of stuff, am I responsible?). This is the question with something like P3P.

What "BigBrain" thought of this idea?

[_Mustang]

Is what I'd like to know. Forcing me to provide personal information just for the sake of my being given "the privilege" to access some commercial website? Excuse me??!! Last I checked, I was the consumer and the one in need of protection from exploitation. I notice that no where does it seem possible for me to get ahold of the personal info of the CEO of any of these companies, so where do they get off expecting me to - no wait, TRYING TO FORCE ME to provide my personals. It's getting ridiculous.
I've never been one to cry out "down with the man", but this is starting to turn my stomach...

Re:What "BigBrain" thought of this idea?

[max99ted]

...no only that but the fact that this will invariably be abused by large corporations in one form or another. Think AOL gives a shit about the privacy of its members? I can dream of many ways in which this automatic transfer of personal data can be mined for profit and/or malicious use. That's the real stickler here - once again we are forced to trust M$ and the like to use this wisely and without prejudice.

You Do sell your information

[EnderWiggnz]

ever go to the supermarket and use your "shoppers club" card?

Every single instance of a club that saves you a nominal amount of money does so in order for them to better market their products to YOU. You save some money so you will spend much more later.

ever use a Credit Card? Yep, they track purchasesd, too.

Buy with a check and they use a check scanner? same thing.

Free email service? you have to provide your info.

Free Registration on any site? Yep, same thing... You are getting "valuable" content just for giving up your information. It may not be cash, but you are selling it anyway.

Re:You Do sell your information

[YoungHack]

Well, if you don't mind an auto-generated name
(i.e. auto#####) you can have an email account
at hushmail
without giving up any personal information.

Re:You Do sell your information

[startled]

Do I? Let's see.

1) No, I don't use those damned club cards.

2) There are many laws about the tracking of purchases with credit cards (at least in the U.S., I am not familiar with these laws in other countries), and the selling of that information. Some credit cards have further privacy policies.
3) Nope, no scanned checks.
4) Free e-mail-- that one's laughable. Who puts in their real info?
5) Free registration-- see #4

I agree that there are many insidious ways that people attempt to collect our data. A lot of these are fairly widespread-- i.e., club cards. But there are also enough people out there concerned about privacy providing the information you need to prevent this sort of thing, if you choose to do so. Corporations have always been ruthless. It's always been laissez faire-- now it's just in new and different ways.

Re:You Do sell your information

[C.Lee]

>ever go to the supermarket and use your "shoppers club" card?
>Every single instance of a club that saves you a nominal amount of
>money does so in order for them to better market their products to
>YOU. You save some money so you will spend much more later.

Whoever said that "shopper's club card" was in my real name? Joke's on them. They're busily tracking the purchases of someone who doesn't exist. All the personal history on that card is bogus.

Re:Well?

[Sangui5]

But I do have privacy when I walk into a store in the mall, simply because nobody at the mall knows who I am. But if the P3P protpcal is implemented, tying some random IP number to my name, address, phone number, SSN, and credit card data can all happen automatically. Privacy isn't so much about doing stuff anonymously, but the inability of others to tie information about you together.

So now Rob knows that there is a guy whose nick is cannes, who (supposedly) buys porno every once in a while, and has a fake email address of fuzz_face_05@hotmail.com. He also knows at least one valid email address tied to that nick. But that's about it. The hotmail account (probably real) has very little to no attachment to some real person.

Rob doesn't know where you live. He doesn't know what your specific tastes in porn are, or what other products you buy. He doesn't know your phone number, your credit card, or your bank account numbers. He has no idea what your income is, whether you are married, have kids, and if so, how many. But if P3P is implemented, he could find out all of that with little difficulty.

The danger of that is that then Rob can do some very mean things. If Rob was a perspective employer, he could not hire you because he has issues with pron. As a bank, he could deny you a loan, or give you a worse interest rate. He could even pretend to be you, getting credit cards in your name, or use your name as a cover for criminal acts, since this information is the way you validate your identity to the rest of the world.

Each individual bit of information is worthless. All of it together has a lot more worth, and is a lot more dangerous to give away.

Re:Ha! Extorted Information is Crap

[Bieeardo]

That would be the Rasputins. Takes a big man to satisfy the Queen of Russia, don'cha know?

Re:What I don't get

[talesout]

You are totally missing the point. You won't be "asked" to take off your shoes. Someone will in effect walk up to you, knock you down, rip your shoes off and stand you back up. You will not have any choice in giving this information out. This is not any different than someone walking up to you when you walk in a store, taking your wallet, making a copy of every piece of paper in it and giving it back. They don't have to ask, it's there for them to take. This is a privacy issue that is just as real in the real world (if someone said they were going to do this) as it is in the online world. Pay attention.

Generate random personal data at intervals

[Dave+Burbank]

If you wish to opt out all you need is an application scheduled to rewite your locally stored personal data at set intervals or on a particular event. Just because you are asked ( and potentialy required) to submit data or have your browser negotiate info release does not mean you have to supply anyonw with accurate information.

Knowledge is a weapon...

[crazy+nick]

Im sure every one already knows this, but knowledge is a very dangerous weapon. If some illigetimate site gets my email address, they just might (most definately) hand it over to obnoxious spam/p0rn sites.

i have n amount of email accounts, and my yahoo address is just one of them. i do check it, but i prefer that the general public not have access to my main account. Not even businesses.

information IS quite powerful. perhaps i could wallop someone with it...

I've heard this before...

[Angst+Badger]

If I were God, I would subtly alter the laws of physics so that spontaneous human combustion would result every time someone excused an injustice by saying:

1. People have always been screwed this way, or...
2. Someone is screwing you in a similar way right now.

Suggesting that we should put up with further invasions of privacy because other invasions already exist is like saying that we ought not to mind being mugged because people have always been mugged, or that there's no point in outlawing muggings because there's always shoplifting.

Yes, there are other Bad Things in the world. And we should fix them, too. What we should not do is sit around in online discussions trying to score the most points for hipper-than-thou cynicality by ignoring the evil that men do. Dammit.

Freedom to Deny and Freedom to Lie

[Klync]

To me, it seems clear that, if a protocol provides for "transparent" transfer of personal data, then thousands or more users will end up giving out info that they wouldn't have, if they had known the data was being given. This is simple -- imagine a business person who suddenly finds out that their personal cell phone number is on their business card, which they've given to hundreds of people who were only meant to have the office number. So, that, for me, is the crux of the problem. Go ahead and argue whether P3P is really a security concern; I'm assuming that it is. Given that this is a security concern, I have two points about what freedoms we can exercise to avoid harm, if P3P is accepted as a standard. 1. A good number of people who've posted comments have said "No problem, I'll just provide false info!" That may be legal now, but it's unlikely to be legal in five years. Suggesting that you're going to write a program to autogenerate false ID's (is cool, but) might be considered "conspiracy to commit fraud" or something like that. 2. People have also defended P3P on the basis that users have the "freedom to choose what sites to visit" and "content providers have the right to demand info for access." Well, this is about as true as the assumption that price is purely the outcome of an infinite number of market players influencing supply and demand (i.e. sounds nice in theory, but 99% of the time, it's just not true). Another example: here in Canada, we have, in our blessed "free market", the ability to "choose" among 6 banks. They all have pretty much the same policy: "If you aren't investing tens of thousands in mutual funds and RRSP's, bend over and give me your wallet." Oh, but I have a choice, right? If I think it's unfair that all 6 banks will charge me when I ask for my money back (when I deposited it, I gave it to them to invest while I wasn't using it), then I can choose not to have a bank account. Which means choosing to not be able to pay my hydro bill (they only accept cheques or direct debit), which means choosing not to have heating in my house. Now, I know this might sound like I'm getting off topic, but the point is, that this freedom to choose, or freedom to be denied access to a site, is a myth. It might hold in some cases, but not in others. What happens when UUNet (which owns the backbone to most of Canada's internet) decides to demand full P3P disclosure as a condition of using their service? I just find a "competing" internet backbone, right? Or move to Jekyll Island, right?

Re:Freedom to Deny and Freedom to Lie

[C.Lee]

>is accepted as a standard. 1. A good number of people who've posted
>comments have said "No problem, I'll just provide false info!" That
>may be legal now, but it's unlikely to be legal in five years.

And just how are you going to prove that the info provided was false if it looks like a legit customer name, a legit mailing address and so on and so forth? You've got *DEAD PEOPLE* voting in elections dude.......

It's just a matter of personal preference.

[crazy+nick]

While some people would like this so they don't have to fill out forms, still others would prefer to fill out the form so they know exactly what they are telling others. I, myself, enjoy my privlige of telling what i want and keeping the rest of it to myself.

This debate can't be solved by arguing opinions and speculation. I don't think it can really be resolved. All that is left is for this system to be implemented and let everyone decide what is best for themselves.

Re:Does anyone posting on this know ANYTHING about

[Wolfier]

Works much the same way like M$IE makes anything other than allowing all ActiveX control to run bothersome. Without ActiveX it is a PGB (pretty good browser) and everyone knows why they have to put that damn un-disable-able fucking box asking for a click whenever you turn ActiveX off.

Offtopic I know, but it annoys the hell out of me when I use it.

Re:What I don't get

[amigabill]

>Why do people think they are entitled to privacy online? Uhm, why do companies, governments, etc. all think that just because I visit their web page they are entitled to know my name, address, etc.? It's of no concern to them what other web sites I visit, IMNSHO. It's of no concern to them to know what I buy from other web sites. It's just none of anyone's business unless I decide it is. Where do you live? While you're away sometime I'll install hidden webcams everywhere in your house so these government organizations, companies, etc. can watch every damn thing you do, since you seem to think that privacy is a total non-issue.

Re:P3P vs. PGP

[Phroggy]

Actually, it says "Platform for Privacy Preferences (P3P) Project", implying that P3P stands for Platform for Privacy Preferences, and this is the P3P Project.

But you may be right that the acronym is actually supposed to include the word "Project", in which case I withdraw my comment.

--

Beware: rant ahead

[Reality+Master+101]

the idea behind P3P is that viewers will be required to reveal their addresses and other personal information to every commercial site they access or be denied entrance,...

Exactly where in the specification does it state this as the goal of the protocol? Oh, I see, you made it up. Does Michael actually understand the difference between the intention of something, and the possibility of abuse of something? Apparently not.

And by the way, do you think that a site actually has no right to demand personal information before it's accessed? Uh -- yes they do. They can do any damn thing they want. You have a choice -- either provide the information, or don't visit the site. It's called freedom -- on both sides.

Oh I see -- you know what's best for everyone else. You will decide they should not have a convienant capability to pass their personal information automatically. People are too stupid to make that decision for themselves, so they need protection from Michael.

And the "pretty poor privacy" thing is unprofessional. At least give the proper name of the specification, and if you want to make your little joke, then make it. But putting it in the article's title is just disrespectful and immature.

I wish Slashdot would get someone that has a little more class and maturity to do these sort of articles.

--

Re:Beware: rant ahead

[angelo]

You sound like someone who actually read the spec or listened to the report yesterday on NPR. Good. This program/initiative seeks to make sites take responsibility for their actions when selling names. Nobody likes a welcher. You can refuse to enter data on most sites, and still get something out of it. /. doesn't require you to login, but if you want a name, you have to give up the comodity of information (which has never been abused so far.) which they do not resell.

Re:Beware: rant ahead

[Rombuu]

Oh I see -- you know what's best for everyone else. You will decide they should not have a convienant capability to pass their personal information automatically. People are too stupid to make that decision for themselves, so they need protection from Michael

This shouldn't surprise you, this is the typical liberal viewpoint... they are the enlightened, everyone else is a sheep, unless you disagree with their point of view, in which case you are "intolerent" or an astroturfer or such.

For people who are so concerned about freedom, people who oppose P3P are pretty damn set on making sure that no one has the freedom to use P3P.

Re:Beware: rant ahead

[bnenning]

While I believe P3P has serious flaws, I mostly agree with your point. A few quotes in particular from the article struck me as very strange:

Central to the legal and ethical norms for privacy protection is the recognition that individuals should not be required to negotiate or choose among Fair Information Practices. Such negotiations would invariably disadvantage those who could not purchase sufficient privacy and would lead to a gradual decline in the level of protection available to the general public.

In other words, web users should not even have the option of providing personal information in exchange for increased access or financial benefit. This is like saying that all cars must have exactly the same safety features because otherwise (in EPIC's words) it would disadvantage those who could not purchase sufficient safety.

The FTC Chairman, in a report released in May 2000, made the point very well that the reason we need privacy laws today is that consumers are too often asked to give up their privacy for some benefit.

Translation: the FTC commissioner knows the value of your personal information better than you do, and for your own good should prevent you from offering this information in exchange for a benefit. If the exchange is made voluntarily, it is no more an invasion of privacy than paying money for a product or service is theft. Both involve two parties exchanging items of value.

There is a huge difference between saying that net users should have some degree of privacy by default (easily achievable by technical means) and the position of many privacy advocates that no transaction involving personal information should be permitted, even if both parties accept the conditions.

I agree

[swdunlop]

I kept wondering why this wasn't filed under 'It's funny, laugh!'

perhaps WORSE than ANI?

[British]

This reminds me of how 800 numbers can quickly trace your # since they are the ones picking up the tab. IIRC, it also is nice enough to display your address to whoever you are calling.

This sounds a wee bit worse. I dunno about you, but I sure as hell don't fill in any real info(whenever possible) to any service, website, or software package.

What's not to stop some bogus company from starting a website, implementing this protocol, and gathering up thousands, if not millions of address to send junk mail and spam to?

Okay, I'll fill out my address

Reggie Stration
4321 Blastoff Drive
Legoland, USA
90210

Expect a lot of bogus info.

No Enforcement

[exploder]

This is merely a protocol to talk about privacy. It does nothing whatsoever to enhance privacy in any way.

Is it too much to ask for the priciples of Transparency (I get to see any information that is collected about me) and Fairness (my permission is required for any other use of my information) to be implemented here in the US? Most likely. The big commercial interests would rather have all our information served to them on a silver platter so we can be more easily and accurately targetted for consumption. We would probably be outraged if we knew just how much the marketers know about us. Then we might not buy their products! Can't have that can we?

Re:No Enforcement

[Rombuu]

Fairness (my permission is required for any other use of my information) to be implemented here in the US? Most likely.

Why should you have control over this information after you give it up? I thought information wanted to be free, etc.. etc...

Re:No Enforcement

[exploder]

Fairness and Transparency are the foundations of privacy policy in the European Union. They're good ideas.

Personal information is given for a particular purpose. The notion of Fairness is an extension of the conviction that doctors, lawyers, accountants, and other professionals hold, that information received during the rendering of a service should be held confidential.

As far as Transparency goes, do you not find it creepy that you have no right to see what personal information about you a company is holding? No way to know if your medical records have been leaked, or your attorney-client privlege has been breached? This is plain wrong.

Re:No Enforcement

[Rombuu]

Fairness and Transparency are the foundations of privacy policy in the European Union. They're good ideas.

Are they good ideas just becuase they are used by the EU?

Personal information is given for a particular purpose. The notion of Fairness is an extension of the conviction that doctors, lawyers, accountants, and other professionals hold, that information received during the rendering of a service should be held confidential.

I have a hard time see why Radio Shack (for example) asking for and knowing my mailing address needs to remain confidential.

As far as Transparency goes, do you not find it creepy that you have no right to see what personal information about you a company is holding?

No. Again, why should I have any control about this information after I give it to someone else? If I give someone something material of mine, I don't have control over what they do with it after that. Why should data be any different?

I'm glad this was moderated down

[delmoi]

We can't have people thinking about other positions. Everything that slashdot editors "timothy" "emmet" and "michel" think is absolutely correct. Their knee-jerk reactions are perfectly valid. And would remain correct regardless of the amount of research, or even thinking, done. Censorware is always bad, in all cases. Privacy is a fundamental right in all facets of life. I'm glad such dangerous ideas were quieted.

Re:I'm glad this was moderated down

[YASD]

I don't think it was modded down for failing to follow what you perceive as a "party line". I think it was modded down because it's so brain-dead it has to be a troll.

------

Re:I'm glad this was moderated down

[Tower]

Nice troll 8^)

George Orwell...

[Paul+Neubauer]

...was the suggested name I've heard proposed for this sort of thing. So very apt.

Re:What I don't get

[Rombuu]

I own my house, so no, you may not put live cams in my house. On the other hand on the internet, you are sending packets over number of privately and publicly owned networks using a protocol that makes to guarantees about the inscruitability of these packets. Given these conditions, again, why do you think you have a right or even an expectation of privacy under these conditions???

The straight deal on P3P

[ryry]

Well first off, having the subject name as "Pretty Poor Privacy" is just unprofessional. The actual project's name (as many have pointed out) is "Platform for Privacy Preferences" (I'll admit it's a little unwieldy and doesn't roll off the tongue as nicely :-)

People are trying to make P3P out to be more than it actually is or tries to be. All it is is some XML code people can use to automate (very useful) privacy negotiations. Say you don't want to do business with sites that hand out your e-mail address to marketers. Bingo! P3P will make sure you're warned before clicking 'Submit'. Say you don't have a problem with a site that gives out your zip code for aggregate, non personally identifiable data. Bingo! P3P will make sure you can do business with those sites. P3P itself does not facilitate data transfer, automatic or manual, in any way shape or form.

A side effect of standardizing privacy policies is that they are machine readable and therefore can be scanned automatically by a user agent.

The only problem with P3P is that it doesn't provide a way to make sure companies are actually following their policies, but nowhere does any spec even say they are trying to do that, so why lambaste them for it?

And lastly, P3P is a WORK IN PROGRESS. It is by no means finalized.

P3P's official website is here.

And no, I don't work for the W3C, but I've been researching P3P for awhile now and feel this story post was unfairly presented.
-ryry

Re:The straight deal on P3P

[C.Lee]

>And no, I don't work for the W3C, but I've been researching P3P for
>awhile now and feel this story post was unfairly presented.

Of course you would, Astroturfer. No big surprise here.

Re:The straight deal on P3P

[Todd+Knarr]

One problem: P3P blocks access to the site as soon as the negotiation is complete if it doesn't fit my requirements. I don't want that. I simply want to not give that site the data I don't wish it to have. Why should I tell them I don't want to give out that data as soon as I enter the site, as opposed to only refusing to give it when they finally ask for it? My preferences are private information as well, after all.

Re:P3P vs. PGP

[Phroggy]

What about PCP, PHP, PSP, PAP, PPP etc?

I don't remember what PCP or PSP are, let alone the average consumer. Of those, only PCP and PPP rhyme. Finally, how many of those acronyms have anything to do with privacy?

--

Re:P3P vs. PGP

It originally was called "P3". The it turned out that "P3" was trademarked by someone, and the W3C got a "cease and desist" letter...so the name was hastily changed to "P3P". "P3P" was certainly NOT chosen to intentionally confuse people - we just needed something that was close to the old name but not trademarked.

Relax- and worry.

[lurker786]

There is nothing wrong with P3P per se. It *could* increase privacy. There are (at least) two problems, however (IMO). And at least one is a biggie.

One risk is that it becomes a de facto standard. And I don't mean using P3P, I mean requiring full disclosure for access to every site. If one or two sites require more information than I want to give for me to have access, no sweat, I don't go there. If it becomes an accepted standard to require obscene amounts of information for any sort of site-- that *is* a problem, I can't surf. I like to think it is extremely unlikely. I fear that may be wishful thinking.

Another scary point is implementation. There is just too much trust involved and too big a risk of errors. An implementation error (and there will be, you can bet on it) could give all your personal information to everybody without even telling you...

I just hope they invest enough time and effort to make it robust enough to minimize the risk.

-----------------------------------
This is a work of fiction. All the characters, events and opinions posted are fictional, and any resemblance to real people, incidents or opinions is purely coincidental

Re:Does anyone posting on this know ANYTHING about

Yes, I think quite a few people do know somthing about this, and you are very wrong.

This is not really a privacy tool, but an anti-privacy tool. Please read the article at EPIC. I did read the entire piece, and could not agree more.

For this to even nominally become a tool which enhances privacy rather than degrades it, a lot of trust is required.

*You have to trust each web site you visit to really acquire only the information you want to let out and further trust that you will be notified that your personal information is being transferred or logged when it happens. P3P makes it much easier for web sites to acquire all kinds of information without your knowledge and to transmit that information by installing helpers in web browsers and even operating systems to do that.

*You have to trust the browser to be honest about doing the same. Get real. AOL-Netscape and Microsoft already have numerous built-in trojans which are difficult for users to remove or even know about. Working in conjunction with Active X, VB Script, Java Script, cookies and trojan horses hidden in the Widows registry, the browser can completely expose your local computer to a web site. It already does in some cases. This is truly 1984 - a nightmare. If an individual did what these companies do, he would be sentenced to years of imprisonment and forbidden to ever use the internet again when released. This is computer crime on such a large scale as to make the actions of every script kiddie and cracker inconsequential. If the lie is big enough, and is repeated with conviction, many people will believe it. A well known technique.

*As stated in the article, users will be overwhelmed with having to make choices about privacy levels at each web site and will tend to set the global setting to the lowest possible privacy level for all sites to avoid irritating popups. And, even if they set their desired level of privacy to the higest possible level, there is no guarantee that the browser and the web site will respect that setting, or that web site will not be able to change these setting without the user's knowledge. As described above, helper applications imbedded into a browser or an OS, or run by an ISP without a user's knowledge, will greatly facilitate the ease of silent transfers.

*Microsoft and other application service providers will increasingly be able to alter, without the users knowledge, information which is on a remote computer if their software is used. For example, in "updating software" all your setting can be changed to the default (the lowest possible privacy setting of course). Rememember, you do not own the software which operates your computer if you use Windows, Mac and some other proprietary systems. You only have a license to use that software. Increasingly such licenses will be time-limited and subject to cancellation on mere suspicion of internet "piracy" and so forth or even for having another OS also installed on the same machine, which can be interpreted as a breach of the license contract (installing "non-standard" software which might interfere with proper functioning of licensed, proprietary products).

Finally, consider the source of support for this new "standard". Corporations like MS, AOL and Real have been prosecuted or sued time and time again for violations of privacy and will continue abusing their customers unless the penalties become prohibitive or unless customers boycott them.

Even if it is remotely possible for this P3P protocol and "standard" to enhance privacy, your post which implies that those of use who do have concerns are completely off base rings false. Such concerns are well justified by past "untrustworty" behavior by the major corporations behind this standard for abuse. And yes, I do trust the people at EPIC and Junkbusers a lot more than I trust Bill Gates and Steve Chase.

No, it's not bass-ackwards

[JoeBuck]

The WTO is being used by corporations of multiple nations to gut environmental laws of multiple nations. It isn't just US corporations vs Europe.

The WTO has already demanded that the US repeal a law mandating that tuna be caught in a way that doesn't kill dolphins, under threat of sanctions -- and the US complied. Result: more dead dolphins.

Now, there are some possible good uses for the WTO rules: why haven't people sued the RIAA yet? Surely the region codes in DVDs are a trade violation!

Privacy disappearing at the speed of technology

[quintessent]

Next I'll have to have my IPV6 address tatooed on my forehead to do business in the brick and mortar world. You won't need anything tattooed to your forehead, because every establishment with a budget and disregard for privacy will have a face recognition system. Of course they will all be networked, so your daily whereabouts, purchases, etc. will all be neatly logged in a database in some city you've never heard of. Today: savings cards, IP addresses, cookies, and milk. Tommorow: souls.

What's so bad?

[lukel]

What's so bad about this. If I don't like it, I'll turn it off and only visit sites that don't require it, or feed it false information.

The only good argument against it seems to be that some new users will be confused and not realise what they're doing. But 2 minutes explaining and 2 clicks and they can turn the thing off too if they want.

Re:What's so bad?

[Dannon]

I've tried explaining why I use PGP to my mother. I've tried explaining cookies to my father. I've tried to explain digital signatures to non-nerd friends. In some few, rare cases, they actually get the idea. All too often, though, the answers I hear are 'what's the big deal', or 'Yeah, I know they can get information about me, but there's nothing I can do about it', or even 'What does anyone care about my information for?'

And still, there's the growing majority of internet users who don't have a clue, don't want a clue, and wouldn't have anyone to give them a clue anyway. Sad, but these are the folks that businesses are going to take the most advantage of.

Re:Well?

[delmoi]

you are however, put on camera, and if you use credit cards, or checks, all your info is reveled.

You can pay in cash, and you could fill p3p with bogus data...

Re:Anonymity has caused no problems yet.

[Rombuu]

Anonymity and privacy are two different things.

Re:BFD, another @hotmail address I'll give out.

[mcrandello]

You would be amazed how many newbies are out there. As a general rule, maybe 1 of the 20 people I talk to each day at my ISP's support line are familiar with the concept of 'munging'. My mom was shocked to see me type in;

first name: nunya
last name: bidnes

on an online form. The thought that we shouldn't just answer these questions is totally new to some people, who have been led to believe (for many years) that in order to receive good things we must first reveal all sorts of information, and trust that it won't be abused.

They got to the government

[Jason+W]

The White House site is one of the first to implement P3P (press release)

ZDNet story

Idea!? An open sourced privacy-browser for linux

[dloolb]

I'm not much of a developer but with all these privacy concerns these days, seems to me that a group could code a browser that works around these privacy 'problems'. We've seen 3rd party software to do away with cookies (so you don't have to keep pressing 'No') maybe incorporate that into a browser that did it for you. Along with a workaround to this P3P nonsense, maybe go old school with plain GET requests to the server or just include your favorite politicians' name, DOB, address, email to send to the requesting website to 'voice' your concerns.

Re:What I don't get

[kaisyain]

Why do you think you are entitled to view their web page without agreeing to the conditions they place on it? If I walk into someone's house and they ask me to take off my shoes, where do I derive my moral authority to claim that my feet's right to privacy outweighs their ownership and host rights?

Re:Microsoft support P3P

[YASD]

Why do you say "we"? Do you use IE? If so, why?

------

Re:666

[mindstrm]

To every commercial site, eh? who decided that?

Hmm. I run commercial sites.. and we aren't planning on 'requiring' this kind of information.. I wonder who they've been talking to..

What Junkbusters had to say: p3p equiv. in music

[sulli]

Jason Caslett can be annoying, but he's right on this one. He had a great comment in response to the P3P proposal last fall:

http://www.junkbusters.com/h t/en/standards.html#supply

To see the absurdity of the current state of American privacy and P3P's part in it, imagine switching the interest concerned from privacy to copyright, a very similar right concerning the restriction of dataflows. Suppose that in response to the music industry's alarm about unauthorized distribution of songs over the Internet, a consumer group proposed a technology called the "Platform for Piracy Promises". Each consumer would configure his own "piracy policy" in his browser, stating the circumstances under which he promises to copy, modify, transmit or broadcast certain different kinds of recordings, such as poetry, country music, and heavy metal containing profane lyrics. A rich language will be developed to express information about the various uses, owners and types of content. When the consumer visits the site of a recording company to download MP3 tracks, his browser would automatically "negotiate" with the company's server to determine whether the consumer's piracy policy "matches" recording company's "preferences" for use of its property.

If the music industry is suing like mad to fight piracy, perhaps the "identity industry" (i.e. consumers) might want to do the same to fight privacy invasion!

sulli

What I don't get

[Rombuu]

Why do people think they are entitled to privacy online?

Re:What I don't get

[Deosyne]

Simply because I would like my privacy while I'm online? Why is it that I have to justify my desire not to have every fucking shred of my existance than can be broadcast to the world at large actually broadcast? I'm already forced to deal with people on a day to day basis in meatspace, wondering what the hell they think about me and what kind of impression that I'm leaving on them, so why can't I have a nice, cozy feeling when I'm sitting at home in front of my computer bebopping around different websites. Because i can't justify it with some load of bullshit that ties into the Constitution of the United States and the good of all mankind?!? Fuck you; I may not be entitled to privacy online, but as it doesn't seem to be taking away from the public good for me to have some privacy when I am online, then who the fuck are you, the online retailing community, Bill Gates, Jesse Jackson, the W3C or the fucking Easter Bunny to say whether I am entitled to privacy?

If I scare you that much that I need a really good reason just to get some bloody privacy, just say so and I'll post my name, address, phone number, SSN, dick size and number of hairs on my ass, because I sure don't need you cringing in the corner of your shrink's office with your thumb in your ass wailing, "But I'm afraid, make him stop! He wants to be left alone, so he must be dangerous! WAAAAA!" Idiot...

Deo

Re:What I don't get

[jbarnett]

Right. Nother bad analogy.

First: I do not f#ck, sh*t, piss, eat online. Since none of these "poor privacy" services force you to, it does not amount to the equivalency of watching someone do these things in the meat world.

So you don't ingauge in anything considered against the norm? What if a adult wishes to look at adult material, (ie p0rn)? Do you sit around in public places reading playboy and penthouse? Some people might get creepied out by that, but it is a public place so it should be allowed?

Second: If you shop in the meat world, you do not ahve ANY privacy. Between Credit cards, smart shopper cards and cameras, you have less privacy offline than online.

Cash, all cash. I buy a bag of chips and give them a $5 bill, they give me change I walk out. The don't know my name, address, or anything about me. They know I am a white male in my early 20s, that could fit anyone.

Third: Some things are Public activities. Others are Private activities. The Internet is a Public space. The rules governing the public sphere apply here. Rights to pirvacy only apply to the Private sphere (ie the home...if you own it).

See the point above. Also, if you are in your own home, it is considered private, but if you use the internet out of your home, it is considered public? If I am watching tv at home, is that considered "private space", why should the Internet or a computer be any differant?

I did play the CB high school Quake3 death match, but I wouldn't want to tell my boss about it. I downloaded it and played it at home "private space", but some how in your weird world, this information should be avaiable to anyone that wants it?

Watch out for where your analogies lead.

Uh, you mean to my orignal point? :)

Tom

Hi Tom. What is your Social Security Number? My name is Jack^H^H^H^H Jerry btw, nice to meet you.

Re:What I don't get

[ODiV]

for the same reason that they think they're entitled to privacy anywhere else.

Re:What I don't get

[Tower]

>ingauge
engage, BTW - ingague is not a word [/pedantic]

>The don't know my name, address, or anything about me. They know I am a white male in my early 20s, that could fit anyone.

They also have cameras taking your picture, possibly cameras on the parking area (could get your plate number), and anybody could follow you home, finding out where you live. Simple, easy, legal. Plus, everybody knows what kind of chips you buy ;-)

Not all that private, really... especially in those cities that have street cameras, too...

Re:What I don't get

[jbarnett]

Cause we like to look at p0rn online. Why do you want privacy in the real world? Can I put a 24/7 live cams all over your house? Do you mind if you have to use open and public restrooms, or would you want a little privacy when you where about to drop a steamy load of crap?

Next time you and your girlfreind have sex, can I watch? Oh you would want some privacy in the real world, for some reason you think you are entitled to it... what ever gave you that idea?

(half the above post is loaded with sacarism, the other half is pepsi, can you tell the differance? Take the pepsi challenge)

The URL for the harsh paper is...

[victim]

http://www.epic.org/reports/pretty poorprivacy.html

(Its currently missing in the article.)

Re:BFD, another @hotmail address I'll give out.

[Ekapshi]

>You never type in your real email address to any software (Windoze, browsers, flash, etc.) you install, right?

Everybody I know seems to enter "lamer@aol.com" as their email address when Real/Flash/etc asks them....that address must cost AOL hundreds of dollars in bandwidth a month :-)

Bad link

[Sig��l+11]

The link mentioned above for the harsh criticism is actually the official page. The criticisim is here.

By the way, it's not actually a criticism of the system itself (its implementation), but of whether or not it fufills its goal (which they think it doesn't).

Re:BFD, another @hotmail address I'll give out.

[C.Lee]

>I'm well aware of potential consequences (I read privacy policies),
>and I still fill them out.

Because you're an idoit, don't make the mistake of assumimg everyone else is...

Re:BFD, another @hotmail address I'll give out.

[sebmolo28]

er, no, buying something with counterfeit bills is illegal and you can go to prison. giving out false information to a private citizen is not. of course, if by 'the same as' you mean 'is different from', then i agree completely. s

Re:HAHAHA

[Caled]

What moderation?

:)

Jeez, pretty poor privacy?

[angelo]

The P3P standard is being developed to let users decide how much of the data their computer will give up about them.

It has nothing to do with PGP, even though it begins and ends with P. btw, so does PHP and PCP. I don't think anyone is confusing those with PGP either. It is not an encryption technology, but a policy technology.

It would send out a PICS-like code to a user, and it would match to user preferences to check for violations of personal security rules.

This would let people collect a certificate that states "this site (will|will not) (sell|share) you information. Information is kept for (foo) months." If visitorse have a problem in the future that they think is a result of visiting this site, or accuse the site of violating their stated terms, they have evidence by which to prove it.

There really aren't many implementations available yet, aside from some of you usual startup-of-one-purpose companies.

This is a consumer protection measure intended to keep governments (particularly the pesky US) from passing yet more laws that don't work.

This was reported on NPR yesterday. Some folks form junkbusters commented on it saying it was a good idea to take back personal information, but more needs to be done to ensure enforcement, or the whole system would fail.

I needn't remind anyone that using junkbuster with cookie protection is usually enough for most privacy addicts.

Re:Jeez, pretty poor privacy?

[angelo]

It has nothing to do with your settings. Yes, they could say that, but the standard has a way to simply override and accept.

This system does NOT NOT NOT send out your information for you! It is not a "wallet" program! It informs you of site policy, should you want to sign up. It does not sign you up indiscriminately. that is up to you.

Re:Jeez, pretty poor privacy?

[angelo]

from The spec:

P3P does not include mechanisms for transferring data or for securing personal data in transit or storage.

This was exactly what I was looking for.

Does anyone posting on this know ANYTHING about it

[Tumbleweed]

It sure doesn't look that way!

Okay, with P3P, you are supposed to be able to:

1) Define different things about yourself, such as your age, sex, address, favourite colour, waist size, whatever.

2) Set rules for how each of those piece of information are shared, or even IF they're shared (though there's not much point in defining them if you're never gonna share 'em. So don't define them if you don't want to!)

3) Okay, so you've got your Internet app configured with the information and the rules on how and when and to whom you'll share.

Scenario:

You go to an online retailer (e-tailer, ugh.). This place sells clothes, woohoo! When you hit the site, your internet app does a check - it checks how you set up your P3P settings in that app - do you get notified of where your P3P rules clash, does it autonegotiate sending _some_ of your info based on what the site says it will do with it, or will it pop up a thing that lets you 'dicker' with the site about what you will and won't share? Okay, so if the site says it'll use the info it's requesting for non-personally identifiable marketing purposes (age, sex, favourite colour, nothing that can identify YOU), then hopefully you've set your P3P rules to allow that to happen automagically. The site then has all those nice customized features to match your age, sex, and favourite colour. Nice.

Okay, say what the site wanted wasn't allowed by your P3P rules. Okay, if the internet app has been coded nicely (that's an assumption), then it might pop up something saying, "Site X wants such and such information, but promises it won't be shared with anyone under any circumstances." It's then up to you to say yea or nay, HOPEFULLY to each individual item of information. HOPEFULLY you'll be able to say, check next to each item you're willing to allow. Then the internet app goes back to the site with the additional items you're willing to share. If the site says okie dokie, then you're fine. Or else some features of the site may be disabled. Or perhaps the price of the item is higher (lower price for people willing to share more info? A better way to 'pay' people for sharing information.). Or maybe you don't get access at all, but that brings us to the friggin' POINT of P3P:

You are _optionally_ *INFORMED* of each piece of information the site wants from you, and what they're going to do with it. You don't get that information at many sites now, and you certainly don't negotiate anything. Either you share it, or you don't. This will _NOT_ give out information you don't want given out. Anyone who thinks that knows nothing about P3P. This is about giving INFORMED CONTROL over your information. You don't have to give out anything you don't want to, or you can selectively give out INDIVIDUAL things (there's no "all or nothing" aspect here!!!), to sites, based on what they say they'll do with the info.

P3P _IS_ a good thing. It's GREAT for privacy. It's good for children and other living things. It also stays crunchy in milk, and has a good beat that I can dance to. I give it a 42, Dick.

don't diss IngSoc

[delmoi]

There were some good things in 1984. Um... I'm sure there were... Government sponsored porn, for example.

Pseudonyms -- true anonymity on the net.

[Remus+Shepherd]

The internet is as anonymous as you want to make it...because we still have the option of lying to those who ask us for information. Look at me. Did you think my real name was 'Remus Shepherd'? No -- it's a psuedonym, a lie.

99% of the websites I visit and do business with know me by an IP address and maybe the name Remus Shepherd. The other 1% are those that require real information and whom I've decided to give that information to. But most advertisers and databases out there know me as Remus, with no connection to my real name. They can't get a credit history on Remus Shepherd. Mailing address? None known. Bombard Remus Shepherd with 'targetted' ads all you like -- they're easy for my mailfilter to trash, while the few trusted sites that know my real name are allowed through.

The net may evolve into a communication medium where people have screen names and True Names (thanks again, Vernor Vinge). I think it's a simple and effective response to commercial invasion of privacy.

Re:Microsoft support P3P

[DrgnDancer]

Actually, no I don't. I was using "we" as in the human race in general... Surely we must all benefit from Microsoft's glorious innovation.
Or maybe I was being sarcastic

Re:P3P vs. PGP

[Tower]

PCP.... like LSD... (both hallucinogens)

Well?

[cannes]

Do you have any privacy when you walk into a store in the mall. Does it really matter? I'll confess like most others I buy skin books every once and a while.

Dear marketers,

[don_carnage]

If my personal data is really worth that much to you, then I'll be selling it for $10 a pop!

Love, Don
--

A good thing for slashdot?

[Cornflakes]

Hey, at least now the anonymous cowards on slashdot won't be able to hide as much. Taco could suffix coward with their name and address.

Sweeeeeeet. Hmmm, snail-mail flames?

Link

[jyuter]

Also check out this Wired article and a href="

It's just a data-gathering tool.

[exploder]

The main function of this "privacy protocol" is to streamline the gathering of personal information, and to make it as "painless" as possible for the user.

...it provides a way for users to exchange their data with web sites without having to key it in. P3P includes data elements for a large number of user data elements (name, address, phone number, gender, date of birth).

Our privacy is supposed to be "enhanced" by a protocol which standardizes all these aspects of personal information, and facilitates their transfer, possibly without the user initiating even noticing the transfer, to any web site that happens to implement the protocol. The name for this protocol sounds like it comes straight out of 1984.

No, no, no! Protocol != Privacy Loss

[Jeremy+Lee]

I will do this by means of character play: Corporate Server: Hi there! Welcome to GlobalCorp! Modified Mozilla Client: Yeah, hi. S: Please auto-download your details now. C: I don't want to. S: But you have to! C: I really don't want to. S: Then you can't have the page! Nyah. C: Oh, all right then. Bill CLinton. 1400 pensylvania avenue. Female. Guatamala. Sheep. S: Beep. Thank you. You may now read the page. C: [aside] Suckah. What P3P does is allow the machine to do all this for you! Transparently even! With no more of those stupid on-line forms. Mmmmm. Technology==Good. ~ Orinoco

Re:Ha! Extorted Information is Crap

[Steeltoe]

Why the hell did your company need information about who downloads your "free" app anyways?

I've always hated sites requiring you to give up who you are. It's against the basic principles of Internet, or how the Internet used to be that is. Why do we want to limit something so great?

- Steeltoe

Better idea

I'm very skeptical of a privacy protocol that depends on trusting servers to obey the rules they claim to obey. I'd much rather use something like freedom.net that puts control in my own hands, technologically. Sites won't know my IP, they'll get the set of cookies for the pseudonym I feel like giving them, and that's that. It doesn't matter what they claim they're privacy policy is.

I don't think its that braindead because...

[delmoi]

I've never heard the answer. If the question was braindead, whats the answer?

Re:Microsoft support P3P

[YASD]

Well, that's my point. So far at least (and let's all try real hard to keep it that way), no one has to use Microsoft's crap (except at work maybe, but that's just one more aspect of the pointy-hairedness of work in general). Anyone who goes to the trouble of getting a clue can switch to Netscape, Linux, BSD, StarOffice, whatever.

Considering all the opportunities computer users have for finding out about the alternatives, I'm not inclined to waste a lot of tears on the ones who continue to use junk.

------

Ha! Extorted Information is Crap

[johnos]

My company used to require information from users before they could download our free app. We dropped this requirement for two reasons, first, the users hated it, and second, the information we collected was crap. I looked at the database once and found what I expected, hundreds of William Jefferson Clinton, thousands of Bill Gates and quite a few Saddam Husseins, Jesus Christs and Vladimir Lenins.

The point being, if you try to compel people to give you information, that information becomes useless. The more you attempt to compel them, the more useless it gets. Sort of like a Hiesenberg's principle for info.

Some of these folks who want to set up huge databases from user info will find that the extra money generated won't pay for the boxes and bandwidth the infrastructure will require.

Qustion for those who know abt P3P

[catseye_95051]

Like some of the reply posters .

Is there any authentication scheme for thsi information or is it purely a way for a suer to answer qustiosn automaticly?

The fact of the matter is that ther are quite a few web applciations that would benefit from a cheap, easy, reliable way to identify users. the issue isn't si much "knowing who you are" as it is having a foolproof handle by which to track you. (Anyone who ever played UOL I'm sure can see the benefits of being able to, for instance, remove destructive players (cheaters) from the environment.)

I don't see any reason why a site should not identify itself as requiring a validatable unique ID.. and I don't see how this is any threat to anyone. If you don't want to give such an ID just don't use the site. (It's a whole lot like my Caller-ID box, actually. If you don't want me to know who you are, the answer is easy just don't call me.)

That's how it is supposed to work...

[rangek]

You don't have to give out anything you don't want to, or you can selectively give out INDIVIDUAL things (there's no "all or nothing" aspect here!!!),

You're right, that does sound like a good thing. But what if I am some honkin' huge "e-tailer" and I set the P3P rules on my site to be: I need your name, address, telephone number, email address, and SSN for you to access my pages?

Okay, decline to send that info. But you don't get in! If enough of us "honkin' huge" sites do this, most people will just set their P3P prefs to be something like "let it all hang out."

3P _IS_ a good thing. It's GREAT for privacy.

Or maybe not. It all depends on how it is implemented at the majority of popular sites...

Why only for Linux?

[WS6]

Hi, hope this isn't too unpopular to bring up, but a better way to screw with the anti-privacy people is if you can port such a thing to as many OSes as possible.

I'd like to see a browser for Win9x that would actually *tell* me what info it was sending out. I already run Zone Alarm to tell me when programs such as RealPlayer are trying to connect to the 'net without my asking, but I.E. and Netscape still love to announce my operating system, etc., to every webpage I visit. Not to be too paranoid, but I like to know when such info is being sent, you know? I mean, why is it necessary to give more info than necessary out? IP I get, but... oh well.

Oh, and I can't deny that I'd like it even better I could configure the info it sent, so the next one of those pages that repeats your info back to you would say something like:

Operating System: MS-DOS version 0.01a
Browser: Screwyou v. 1.1.5
... if only for the fun of wondering if anyone bothers to log these things.

666

[the_other_one]

viewers will be required to reveal their addresses and other personal information to every commercial site they access or be denied entrance

Next I'll have to have my IPV6 address tatooed on my forehead to do business in the brick and mortar world.

The W3C...

[Captain+Constitution]

... is violating my 11th Amendment rights.

The Judicial power of the United States shall not be construed to extend to any suit in law or equity, commenced or prosecuted against one of the United States by Citizens of another State, or by Citizens or Subjects of any Foreign State.

Forcing me to reveal my identity to commercial sites outside of U.S. soil is utter bullshit. This is like the WTO telling the U.S. its environmental laws have to go in the name of good trade. That's right, trample the constitution, make way for corporatism!

Microsoft support P3P

[DrgnDancer]

I read just today that Microsoft is plannig to implement P3P in the next version of I.E.. Link is here. I am so glad that they value our privacy enough to protect it with a discredited standard. Luckilly I am sure they will find some way to change it and make it even "better" than it already is... We are so lucky.

P3P vs. PGP

[Phroggy]

Has it occurred to anyone else that the name P3P was chosen just to confuse consumers who've heard the name PGP floating around before? It's supposed to be an abbreviation for three words that start with P. P3 or 3P would make sense, but P3P is redundant and can only have been chosen because it sounds familiar.

The World Wide Web Consortium is abbreviated W3C, and this makes sense. P3P would make sense if there were another P, but there isn't.

IANAL, but is this grounds for a lawsuit by whoever owns PGP trademark?

--