Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sites Wary of Adopting P3P

Posted by timothy on from the p2p-was-hard-enough dept.

technogamy writes: "CNN is reporting on the industry's take on P3P, the W3C's Platform for Privacy Preferences.According to the article, the W3C is expected by April to formally adopt P3P -- of course, as many of you are aware, Microsoft's IE6 already includes an implementation of the client side of P3P. 'Because Microsoft's browser checks for P3P, sites risk getting flagged if they don't adopt it.' P3Pizing (or 'pethripizing') a complex site can evolve into a Herculean task...! (See also EPIC's critique of P3P.)"

12 of 154 comments (clear)

  1. I worked on this.. by Sc00ter · · Score: 3, Interesting
    At my old job (before getting laid off) at an internet advertising company this was top priority. P3P is actually really cool, and it wasn't all THAT hard to get it implemented. It probably would have been faster for us if we didn't have a sucky developer.


    I wonder if doing it with a module for Apache would be a good idea.. mod_p3p, then it reads your privacy stuff from a config file. That sure would save a lot of time for a lot of people.

    --
    Free Mac Mini
  2. I can't be the only one... by oGMo · · Score: 3, Funny

    Am I the only one who saw the headline and wondered whether P3P was some new file distribution fad? ;-) I can see it now. P3P: Share music with two friends at once!

    OK, sue me, it's been a long day...

    --

    Don't think of it as a flame---it's more like an argument that does 3d6 fire damage

  3. Why bother for private sites? by Bonker · · Score: 4, Interesting

    I have to say that this is a way of trying to shut out non-commercial sites from the web. For example, my site is a privately run anime fansite with nothing for sale and no adds. Despite this, it gets flagged for not having a compliant privacy policy.

    Now, I suppose that I could make a privacy policy for my site, but why should I have to bother when I'm obviously not in any kind of business, let alone selling personal information?

    The web should be for *everyone*, not just businesses with large advertising budgets. Shutting out sites who don't have privacy policies posted is FUD tactics against little guys, plain and simple.

    --
    The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
  4. What about Slashdot? by los+furtive · · Score: 4, Interesting

    I'm sure it's members would like to know what they have to say about it. How far up the priority list is this one CmdrTaco? And what does Katz have to say about it?

    --

    I'm a writer, a poet, a genius, I know it. I don't buy software, I grow it.

  5. Mixed thoughts.. by steppin_razor_LA · · Score: 4, Insightful

    I haven't read the full specifications -- so take anything I write with a grain of salt. I've spent years building web applications, authored a popular anti-spam package, and have done some work building an advertising filtering & privacy enhancement proxy server-based package.

    It seems to me that a better approach would be something like this (call it Personal Information Widget):

    User puts all of their personal information into some form of a "wallet" (yes - I know there are technologies similar to this) -- the information resides on their computer not in a passport on a third party server.

    When a user goes to a site and wishes to sign up for registration, to purchase something, etc -- there should be a mechanism where that site is able to formulate a list of the fields that it wants + requires for registration. The site will send this (i.e. XML) to the Personal Information Widget.

    The PIW will pop a window on the user's screen showing them what information the site wants + requires. The other can then choose to "deny" "allow all" "allow required" or "custom".

    If they deny -- end of transaction.
    Allow all -- give the site everything it wants
    Allow required - give the site only required fields
    Custom - chose to give the site information different than in your profile.

    This sort of approach would solve one of the major problems of building registration-based sites -- the pain in the ass factor of getting people to type in their information for the Xth time -- without doing anything sneaky about privacy.

    In an ideal world, I would be able to choose to allow cookies that are required for a web application to funciton, but deny cookies used to track my viewing habits (especially across multiple sites). I don't think that a "protocol" can really solve this problem though.

    Once a site uses cookies, they inherently have the ability to track you -- whether or not that is there intent -- this protocol doesn't really protect your privacy.

    I'm not really opposed to cookies -- as a web developer, it is painful for me to imagine coding without them! That said, I don't like the idea of someone tracking my usage habits across multiple sites and then potentially correlating that back w/ registration information to me.

    I tend to disallow third party cookies. I know that this breaks a number of 1x1 pixel tracking tools -- but this same sort of technology could be ran off the web servers of the clients or if it was really necessary to outsource it -- you could use DNS (i.e. tracking.yourcompany.com points to webtrendslive.com ) to limit the tracking cookies to a single domain.

    You can disallow third party cookies and protect your privacy that way w/o this extra layer of technology added.

    I am a priori (guess I'm being closed minded) opposed to anything that facilitates that automatic transfer of information. I just can't wait to see someone find an exploit....

    --
    Evolution: love it or leave it
  6. l337 sp34k by metalhed77 · · Score: 5, Funny

    can we be l337 and call this new P3P technology 'Pep'

    --
    Photos.
  7. Am I the only one who has a problem with this? by wowbagger · · Score: 3, Interesting
    OK, let me see if I correctly understand P3P.

    1. I give my browser all sorts of information about me, some of which I don't want distributed widely
    2. I then trust the remote web site to correctly identify what they are asking for, and that they will use the data in the way the P3P data says it will be used.


    So, if I trust the web site to correctly implement their privacy policy, why don't I trust them with my data?

    If I don't trust them with my data, why do I trust them to correctly implement a privacy policy?

    In fact, this is one of the few real uses for a Cue-Cat I can think of- have your credit card numbers et. al. printed out on a barcode chart next to your computer. You see the pretty shiny thing you want on the web site, they want your credit card number, you scan the paper. I DEFY any 1337 haxor to get that by ownxoring my machine - I have to scan it.
    --
    www.eFax.com are spammers
    1. Re:Am I the only one who has a problem with this? by Monkeyman334 · · Score: 3, Informative

      You still have to trust the site to be honest in its privacy policy, but with P3P you can't obscure it, make it in legaleese, or have it be misinterpreted. P3P makes it so all *trusted* companies, C|Net, CNN, MSNBC, give you a standardized, automated, and consistent way of getting someone a privacy policy. Just because it is a trusted company does not mean they aren't selling your information. It might say in the privacy policy "Yes, we sell your personal information." But when was the last time you read the privacy policy for a site? P3P makes it automated so anyone and everyone can check the policy for every site they visit. (My site has the XML piece in there already, btw, still don't have the cookie part, probably never will)

  8. Join P3PSI by yerricde · · Score: 3, Informative

    When will Slashdot become P3P complaint?

    You might want to start a P3P Slashdot Initiative. Tell those in charge that you won't subscribe until Slashdot implements P3P, a W3C Proposed Recommendation. You can even call it P3PSI (pronounced PEP-see).

    --
    Will I retire or break 10K?
  9. Re:The problem with P3P is... by Fweeky · · Score: 4, Informative

    "in P3P you can only set a different policy for (sub-)folders (differrent URI's)"

    Uhm, no, you can specify policies for URI's, methods (GET/POST/PUT/DELETE etc) and cookies (including name, value, domain and even content).

    For example:

    <POLICY-REF about="/P3P/UserPolicy.xml">
    <COOKIE-INCLUDE name="loggedin" value="*" domain="*" path="*"/>
    </POLICY-REF>

    If you really can't describe your case:

    1. Generate the headers dynamically based on whether they're logged in or not.
    2. Generate the P3P dynamically based on whether they're logged in or not.
    3. Just describe the case for logged in users, since your anonymous logging is likely just a subset of that anyway

    And, of course, talk to the peeps on the P3P ml and see if you can get it fixed in version 2.

  10. I've implemented this, and use it day-to-day. by SuperBug · · Score: 4, Informative

    To actually implement P3P, you only need mod_headers when using apache. There is no magic here, it's only a damn header + two XML files, at it's most basic.
    At it's most basic P3P just a header being looked at by a http user agent which has a P3P agent built in. I believe to date it's only I.E. 6.0. Though Mozilla, Opera, Galeon, and Konquerer are sure to follow.
    Many aspects of P3P are positive, but there are parts of the specification which have yet to be properly determined and implemented, in a real-world environment.
    The main parts affected would be any "Third-party" though any "First-party" running a site and issuing cookies of any unacceptable fashion, mainly things which are PII related and cannot be opted out of, will be flagged.
    . In short, be sure you have an opt-out mechanism for your shoppers if you're an e-commerce site.

    Also, any "Third-party" acting as an "Agent" on behalf of any "First-party" which is issuing cookies or collecting data, regardless if PII is involved. The spec for being a "Third-party Agent" has yet to actually be implemented by anyone, though I know some people who will try this soon. Up to this point, the view of "Third-party Agent" is quite desireable to anyone on the 'net who operates in such a manner. It nearly absolves them of "having" to deal with any consumer related issues regarding their data collection because you can point people back to the "First-party's" P3P policy, rather than having to maintain your own.

    The obvious problem here though, is scalability and maintainability. It's tantamount to remote key-managment. You must then manage your "First-party" client's P3P Policies and keep in contact/communication with them to ensure that any changes are propagated to you, should it change, yet you continue to serve an *out of date* P3P Compact Policy in the web server's headers for that client, you very well could be blamed for screwing the data they hired you to collect for them in a very bad way.
    Aside from that, P3P is a very positive thing for consumers and business persons in such a way that it opens a channel of communication which did not exist so much in the foreground, as P3P enables, before. Hope this is useful to anyone trying to understand some of what P3P really is.

    --
    --SuperBug
  11. OECD Privacy Policy Generator by rtos · · Score: 3, Informative
    What is the OECD Privacy Policy Generator? It's a freely available tool to help you put together a working privacy policy for your website. Here is the site description:
    "It provides guidance on conducting an internal review of existing personal data practices and on developing a privacy policy statement. It gives links to private sector organisations with expertise in developing a privacy policy. It offers links to governmental agencies, non-governmental organisations and private bodies that give information on applicable regulations.

    The Generator makes use of a questionnaire to learn about your personal data practices. A Help Section provides explanatory notes and practical guidance. Warning flags appear where appropriate. Your answers are then fed into a pre-formatted draft policy statement. You must assess this statement: is it an accurate reflection of your personal data practices and policy?"

    I'm not sure if it fits with the P3P standard, but I thought some site admins might find it to be useful.

    PS. OECD = Organization for Economic Co-Operation and Development. According to their site they are "an international organisation helping governments tackle the economic, social and governance challenges of a globalised economy."

    --
    -- null