Slashdot Mirror
IE6 to Implement W3C Privacy Standard
Arthur Phillip Dent writes: "News.com is running a story about IE6 being the first browser to implement the Platform for Privacy Preferences (P3P) standard. Bad news for Doubleclick et. al., that is unless it's just /.ers using the features! This will get real interesting if lusers' using it with sites that do not post P3P policies (and thereby blocking sites from setting cookies, for example) creates any kind of unrest/discussion about the exchange of marketing data for content and functionality." One thing no one writing about IE6 seems to note: Microsoft has carefully arranged their MSN cookie setting technique to avoid being blocked by their own browser - they bounce people through msn.com to log in to any Microsoft property, so it's always a "first-party" cookie being sent/placed.
Really? I see it every day, just the other way around:
Generally in the format of something like:
"Netscape 6/mozilla is not supported. Please go [here] to download the latest version of IE"
Or from shockwave (if you go to their site on a non-windows, non-ie browser... the only way to view anything on it is to fake the user agent string to a windows/ie code in konq).
"It appears that your operating system is not supported by shockwave.com. We support the following operating systems: Windows 95, Windows 98, Windows 2000, Windows NT 4.0 (or later), and Mac OS 8.1 (or later)."
I have to give kudoes to http://k10k.net/ because they had a "we don't support netscape 6 DCOM just yet, sucks to be you" type message up a while back, but they have apparently re-designed their site.
The Register's opinion (note that they have DoubleCLick ads on their pages can be read in these two articles:
WinXP IE6 spells death for Doubleclick - and a boost for MSN? and
IE6 will not monster our cookies, says Doubleclick
I want the ability to filter cookies based on the domain they came from. /. cookies - Yes. Doubleclick - No.
I want the ability to filter images based on the domain and/or size (no more 1x1 web bugs).
I want the ability to filter JavaScript based on the domain.
I want the ability to set up my browser so that sites cannot open new browser windows.
Most of all, I want these features built into the borwser. I should not have to download a third party application to control fundamental parts of my web browsing activities.
I normally use iCab on the Mac http://wwwicab.de/but for the past few weeks have had to use IE 5.0/Windows. iCab normally offers all of these filters (and more), and I find the features sorely lacking in IE.
- (c) 2018 Hank Zimmerman
You see, you don't like Microsoft because they tweak with standards.
However, I am not you. I like some of the stuff Microsoft has done with IE. Microsoft has done some selective implementation of CSS2, for instance, that I find commendable, even. Not buckling as Mozilla did to the W3C's demand that CSS2 compliance means allowing for the page to screw with the widgets appearance (besides color,) for one.
You see? I have a different opinion about browsers. It's informed, but it's different than yours. The problem is, everyone has different opinions. One group isn't in the right, the other in the wrong. Republicans aren't more right than Democrats, they're just more different.
Just like everyone wants everone else's browser to do different things. It's not because you're right and they're wrong. You just have different opinions. If everyone starts banning everyone elses' browser in order to try to force change, the WWW will become an unbrowsable mess. And that would suck.
So, present your ideas in a public forum. Convert all your friends to your browser of choice. Just don't ruin the web for everyone else. That's just being a jerk.
Been real boring day so I've come up with these ways to rearrange the letters in "Microsoft Internet Explorer" to spell:
it's for experimenter control
extort, enforce, imprint loser
extreme profits control rein
cern extortion reptile forms
export control terrifies men
cool printer, extreme font sir
Your welcome.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
What was I thinking?
Have I learned nothing in my years of Slashdotting?
At least I managed to close the two windows with which I was about to start raging fires.
I should know enough by now not to even look.
sigh.
we will still get blocked from our cookies, because the default setting doesn't allow 3rd party cookies
we don't do anything "bad" with the cookies we collect
Why don't you just stop using cookies then? Really, what nessicary functionality can't you implement on the server side for advertising that you need to use cookies for? You should be able to do all of the standard things. (Keep statistics, don't show people the same ad over and over. Track consumer preferences for targeted ads... The works.) Not only that, but when you store data in a cookie, your data is at the user's mercy. the cookie file can get cleared at any given time. If it's on your server, you have control over it.
If you're clever, you can even keep track of the data on the server when the user's dynamic IP address changes by keeping other information like the user agent string and what "block" of dynamic IPs the address is assigned from. If the user views more then one page from a particular site, you can seed the links with more information collected through javascript that will get sent to you when the user follows a link. Make a little (1x1) flash program that sends you some data. Really all of this cookie nonsense is just that. Nonsense. You can be so much more evil without cookies because the user can't tell you're doing it once they've left the page.
Umm, viewed both in Netscape 6.1PR1 (same as mozilla 0.9.1, not the same as Netscape 6.01) both look perfect to me, execpt the radio buttons are checked, and according to the source, only the first button should be checked, while the reference rendering both are unchecked. But anyways, I'll have to put a bug report out :) thanks
Anytime you have multiple websites owned by the same company, then you immediately have a condition where that information is assumed to be shared between sites. This is a backend issue unrelated to how browsers or privacy policies work.
I'm mildly amused that the poster seems to regard this as some kind of 'sneaky trick' by microsoft. As if it is 'wrong' to maintain a single login location, as if you 'should' create a separate login for every single website. I've been working on database driven websites for nearly 5 years now, and I can't recall a single technical reason why I'd want to make multiple points of entry to the same database. The only reasons that are valid are design issues... specifically, did we want to have the customer see that login page A is actually affiliated with website B. Microsoft, being such a public brand, has no need to hide the association.
The way I look at it, by having a single login location Microsoft is actually being open and honest. They COULD have multiple points of entry into the login database, one for each site, and thus hide the fact that they are pooling user information between domain names. With a single point of entry, they are revealing their practice of data sharing... something that would be obvious to anyone with technical understanding of database driven sites.
People get all up in arms about privacy with cookies, logins, and user information pages... completely forgetting that sites owned by the same company don't have to use ANY of that to create a profile of your activity on their multiple sites. People seem to have this idea that differing domain names create a magical 'wall' between sites, preventing anything from leaking from one domain to another. Anything they see as breaking that wall is somehow evil.
In all practicality, if Microsoft really wanted to, they could make all their sites as subdomains of microsoft.com... msn.microsoft.com, passport.microsoft.com, msnbc.microsoft.com, etc. Then, the actuality of data sharing would be more concrete for the less technically inclined.
Raven
And my soul from out that shadow that lies floating on the floor
"I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
The server must respond with:
Server: Microsoft-IIS
(or maybe that's IE6.1...)
Slashdot didn't give P3P such a warm reception the first time around.
It's 10 PM. Do you know if you're un-American?
No, the bad news is for IE users who think this will block DoubleClick.
The article states DoubleClick expects to be compliant with P3P before IE6 is released, which means IE6's defaults will allow DoubleClick cookies. Doncha think DoubleClick and Microsoft are gonna be talking about such business-model show-stoppers and finding ways to make each other happy? Users will still have to take individual opt-out actions to stop being tracked.
Even so, cookies are not the only way that people can be tracked. Any group of companies could just share apache logs and do some simple Perl analysis to correlate a huge number of visitors. Some factors like NAT and PPP reduce the effectiveness, but the majority of useful data can still be data-mined. Cookies are just the lazy way of doing the same thing, as well as providing stateful visits to the sites themselves.
[
One day mozilla will even cook your breakfast for you.
You know...basic browser stuff.
Got Rhinos?
If you want complete control over layout, don't use HTML - use TeX.
---
Book(n): Utensil used to pass time while waiting for the TV repairman
As far as I know, Internet Explorer performs better at Standards Conformance tests such as
- Todd Fahrner's Box Acid Test
- Inoshiro's browser test with a screenshot from IE 5 on the Mac courtesy of The Answer is 42
than most other browsers out there. Mozilla and Konquerer are up there as well but they aren't close especially with regards to the newer XML related standards.--
In a startling press release from Redmond, Microsoft has announced that it's corporate web site will incorporate the use of Slashcode.
However, the popular "geek" web site "Slashdot.com" was less than impressed.
In an article authored by Slashdot editor "michael", he writes "Microsoft has no business running Slashcode. We, um, don't like Slashcode anymore." When questioned about this sudden change in position, "michael" responded "If those bastards run it, it must really suck." "michael" then forked the sign of the devil, and foamed at the mouth.
Slashdot editor "Hemos", when asked for further comment, replied "Yawn".
So, it seems that, although Microsoft may make grand steps toward securing their browser software and optimizing their web presence, Slashdot nerds will never, ever, be satisfied.
--SC
You read fiction? I write it! Lemme know what you th
Microsoft has an article, Privacy in Internet Explorer 6 that should answer your questions.
Namely, even on the "High" security setting, IE6 will accept 3rd-party cookies that have an "acceptable" P3P policy ("acceptable" is defined). If you'd read that document, it looks like they're implementing this rather well. They've made intelligent exceptions (e.g. "Special Provision for Legacy Opt-Out Cookies"), and they're very clear about IE6's behavior.
Now, I don't particularly like P3P, nor do I like feeling that M$ is shoving it down my throat. Is it the best possible solution? Perhaps not, but what else is there?
An earlier linked article at EPIC complains about how difficult most users find changing their cookie preferences and how confusing privacy is. Their solution? A "tools" page with 62 bloody links on it, to proxies, cookie managers, filters, PGP, SSH, anonymizers - most Windows users would have a heart attack just trying to understand the acronyms. That's supposed to be easier?? This is precisely the problem Microsoft is trying to address.
I hate to be an IE apologist, but IE6 kicks the shit out of Mozilla at cookie-handling. This is classic Microsoft strategy: move into a market space that has no standards and leverage their monopoly to say, "From now on, you're doing it our way." I don't like their monopoly powers, but no one else was even doing a half-assed job at this. What's the leading contender to P3P? There isn't one. You can install the something from EPIC's page (as far beyond the reach of most Windows users as recompiling a kernel), but I bet none of these have even 2% market penetration.
The only reason Microsoft could adopt P3P and take over this privacy space so easily is that the rest of the 'net has done such a piss-poor job of it for the last 10 years.
question: is control controlled by its need to control?
answer: yes
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
Don't think Doubleclick is going to have much trouble, they helped write the P3P standard.
"To those who are overly cautious, everything is impossible. "
All they are doing is passing people through msn.com first before sending them to any other MS web site. If I had a big organization with 20 different sites, I would do the same thing. It makes sense - you track total usage of your web properties in one place.
Besides, if you don't want cookies, just turn off cookies. If you want to be warned each and every time someone tries to set a cookie on your machine you can do that to and refuse each cookie individually.
This is not that big of a deal. I personally welcome the added security features.
No, Thursday's out. How about never - is never good for you?
There was an interesting follow up the following day, see here, under the Title "IE6 will not monster our cookies, says Doubleclick"
The gist of the second story:
And there is this tidbitLovely, simply lovely.To get off on arguing about Double click misses the main point entirely. MS is there first with the most money in the next generation of privacy control, via IE6.
Time to play connect the dots.
Check out the Vinny the Vampire comic strip
"It is a greater offense to steal men's labor, than their clothes"
The IE 6.0 implementation of P3P, as stated by Microsoft here, is basically unenforceable and IE 6.0 relies on those who are implementing the P3P policies to be honest and forthcoming for what their real privacy policy is. Also, there are several ways around even needing to USE P3P.
The simplest is for someone like DoubleClick or AdForce, or Mediaplex (here on slashdot), to just redirect the cookie data being sent back to their servers, to their clients' sites and have the first party site re-set the cookie so now it is simply first party, but is still globally available.
Then by changing the code which performs cookie operations on the clients' sites, it will then be a first party cookie, and the first party will then generate the call for the banner ad, etc, but with data popluated by the first party instead of cookies set by the third party. Just a tip.
- SuberBug
--SuperBug
Microsoft is only ever going to implement standards which it thinks are in it's best interest. You can bet M$ bCentral.com (remember www.linkexchange.com?) will have their P3P policy in place in a hurry if it isn't alredy there...
/.ers, etc.) are unlikely to start trusting in the almighty Bill because of this move. What's the angle here?
To be honest though, the business advantage for Microsoft, of implementing this standard atthis point is still a bit sketchy in my mind...
What do they hope to gain? User trust? Most users blindly trust them anyway, and those who don't (ie:
--CTH
---
--Got Lists? | Top 95 Star Wars Line
Yep, this really sucks for third party ad serving companies (like mine). The shitty thing is, it doesn't matter if we implement p3p on our systems or not, we will still get blocked from our cookies, because the default setting doesn't allow 3rd party cookies. (and who in the world is going to relax that?) We (as a industry segment, not just individual companies) have complained to MS about this and their response has been pretty lame. It is really easy for them to redirect their people to their website, but that isn't feasable to everyone else.
I know what some will say, that finially these advertisers are getting what they deserve, and I don't totally disagree, but keep in mind, that (I don't know about other comanines, well, yes I do, but that is totaly someone else) we don't do anything "bad" with the cookies we collect. We don't sell personally identifiable data, etc. We have one of (I don't know of a better one) the best privacy policies in the industry. If everyone just decided that they didn't want 3rd party cookies, that would be one thing, but they haven't, because most people don't mind, as it doesn't hurt anyone. We don't deserve for our business to get impacted this much because of some arbitrary decision made by those people.
Oh, well, enough of this ranting.
room101 -- how much can you stand before they break you?
(they always break you eventually)
There was some talk of this earlier in the Mozilla development. The founding father of Mozilla rejected it, since they steer development, and blocking ads is not in thier best interest.
The founding father in this case is,
Netscape Corporation
That's good, but I wanted to point out that P3P, like almost everything coming out of the privacy space is just smoke and mirrors.
P3P will allow a company to *describe* it's privacy policies versus every element/form/ or page on their site. It's a start, and will be the glue to enable a privacy "UI"'s. What it won't do is provide any means of enforcement. That is, just becasue site "x" says we don't divulge your purchase habits doesn't mean you can trust them.