Slashdot Mirror
Is W3C's P3P Good Privacy?
nileshch asks: "A very important development in recent times with regards to website users' privacy has happened with the W3C introducing the Platform for Privacy Preferences(P3P). P3P allows websites to create and maintain XML-based privacy policies for the entire website or sub sections of the site. These machine readable policies document what information is collected from users and how it is going to be used. Today, a few browsers like Mozilla/Netscape & Internet Explorer are committed to giving support for P3P (Mozilla here, IE here) . Although that support seems only skin-deep. I also find very few big sites adopting P3P seriously. Isn't it like the classic chicken-and-egg situation? Websites wait for full P3P support on browsers, browsers go slow on development because there isn't much feature demand happening on this front. Do you have P3P policies for your website? If not, what stops you from creating one? We all create hoopla over tiny privacy issues, user profiling and doubleclick.net . Then why isn't there much enthusiasm for P3P support in browsers?"
this way people will never know I'm downloading porn!
What would Brian Boitano do?
pop-up blocking
tabbed browsing
privacy
black and white porn
all in your favourite text editor.
Thats enough privacy for me.
We all create hoopla over tiny privacy issues, user profiling and doubleclick.net . Then why isn't there much enthusiasm for P3P support in browsers?"
Why? It's simple. Users don't care. Geeks do, but geeks don't make up a large percentage of the general population. The general population of Web users aren't nearly as paranoid.
Who are they to tell us how to run the web? You'd think that they were a big group of people who pretty much invented the web by the way they act.
You think that I'm crazy, you should see this guy!
Well, my issue with P3P was that my shopping cart, that is cookie based, stoped working on some IE6 browsers. It ends up that IE6 will not accept cookies from any server that does not use P3P compact headers when set at certain (read most) security levels. Nice to do, but it would be nice if anyone spoke of it in major forums before it happened. It took days to figure out what was wrong, and more time to figure out that it did not support (or require might be a better term) any form of P3P to operate. It just wanted compact headers. What I really want is some docs to figure out how to generate those headers. I actually had to spend some money to get some firm to generate those for me. I am not happy with this. Any free software to do this? Any good white paper on the subject?
-GReg
There are some papers about P3P HERE.
I think that if it puts spammers, pr0n peddlers and other crooks on the ropes, I'm all for it.
...can someone summarize what this means to me? I'm not doing e-commerce or banner ads. Should I add something to my sites indicating that I don't track people? My home page uses cookies to track preferences and stuff; how does this affect that?
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
HAHAHAHAHA
We're watching you!
we wouldn't use our freaking credit cards, right? I suspect just a few people are making a lot of noise.
They say: "We say we won't do bad things. Trust us becasue we say so. If we lie, you can sue us later."
Compare with the European way: The gov't says that corporations mustn't do bad things. If they do, they can be sued.
P3P is basically about American sites saying something that is supposedly trustworthy, because otherwise they'd be lying. However, no one has why P3P should be better for The People than having FTC and the EU enforcing rules that prevented sites from violating privacy in any case.
Have you tried orinoco.o?
t ml
See http://www.sot.com/en/linux/server/hcl/network.sh
STFW rather than ask questions here, this isn't the right forum.
Not really on topic at all, but I was always wondering, what's the big deal with cookies!? All they can do is store information THAT YOU GIVE THEM (or that they arbitrarily assign to you)! In fact, you don't even need cookies to do that. You can just do it with Perl or PHP. Yeah, sure, there are some flaws with cookies in IE, but there are flaws with everything in IE! Hell, Slashdot uses them! The media has somehow given them a bad name. Most sites require cookies, and they work quite well, actually. Would you really want to enter your user name and password for every like you click? No, I don't think so. I'll never understand...
...comes with good ethics.... good ethics comes with good motives... good motives comes with epathy and understanding. All branches are limbs of the same tree - problems within a society are the dysfunction of that society. Change the society and things like this would not need to be discussed; they'd be a forgone conclusion.
I'm quite happy with P2P, though I might upgrade when P3.11P comes out.
As far as I can tell, even Slashdot, the bastion of privacy (paranoi) isn't using it either. Tough to advocate something that you don't do yourself, huh?
It is a solution looking for a problem
... Governments are instituted among Men, deriving their just Powers from the Consent of the Governed...
At my company, we have a corporate website and individual portals for our clients, all of which implement P3P. It's essentially mandatory, once your customers start using IE6. I would prefer to have the customers abandon M$ entirely, but most can be expected to follow the path of least resistance, which means IE6 more often than not.
Many (15%?) people set their "cookie security" to "high". This makes cookies fail on all non-P3P websites, causing all kinds of application misbehaviors. So we either have an inconvenient/hard-to-follow set of instructions about enabling cookies, or we set up P3P on the server side. In our case, we never share or cross-market our client data with anyone, so P3P is administratively simple as well.
On the other hand, I don't see what stops the sleazier companies from simply lying about privacy via P3P. After all, these are some of the same people who sell everything you do to Doubleclick and quietly switch your privcacy preferences to "yes, spam me" (hint: 4-letter auction site; starts with "E"). What's another lie when there is direct marketing revenue at stake?
The sly part is Microsoft implementing P3P without telling anyone. Session management across the web getting slayed, and developers left slack jawed in frustration as to why.
I'm for self-regulation. P3P is self-regulation. I think it's a good idea...but only when everyone knows about it!
i'm not overly familiar with p3p (p2p i understand ;) ), but my ex-girlfriend has a website devoted to viewpoints on p3p (http://www.p3p-viewpoints.org/). from what i understand, the major issue with p3p is that it is overly complex. some user studies have shown that users don't effectively understand what p3p means or how it affects them. more info at the website...
smd4985
My company's website needs cookies enabled. So a week ago when we ran a survey all of a sudden all of our IE 6 users were not working at all. We had no idea of why these users could not get through other than that they had IE 6 and their cookies were not enabled. We searched the web for any signs of this and yet still nothing. It wasn't until one of our employees looked at the IE site and saw the section about P3P that we figure out what was wrong. Essentially all our cookies were being rejected by IE 6.0 because we did not have a P3P policy.
The next day we created a policy and haven't had a problem with IE 6 cookies since. Sad but true. Any site that relies on cookies are going to need a P3P policy.
> Then why isn't there much enthusiasm for P3P
> support in browsers?"
When I care about a site's privacy policy (and sometimes I do) I read it myself. I'm not about to trust my browser to tell me it's ok. When I don't care, I don't care. What good is P3P to me?
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
When all users really need is a "Privacy" link on the home-page?!?!?!
That's worked okay for years. The P3P spec seems quite complicated for what it acheives...
Part of the reason why the adoption of P3P has been so slow is that it may actually make privacy problems worse.
The problem is that users (and perl programmers) tend to be lazy. And lazy users check the little "this is the default setting so stop showing me dialog boxes" checkboxes in order to make things easier for them. The problem with this is that with P3P, a website can "claim" to not sell/rent your email address, but because the user set their default options to accept that, their address is automatically sent to the website and they don't have the opportunity to consider the implications and evaluate it themselves.
Also, P3P is a total PITA to write and the one editor that I know of (free from ibm) seems to be long since dead (and downright confusing too). It can also open companies up to legal trouble since a discrepency between a P3P file and the actual practices of the website could be grounds for a lawsuit (IANAL).
I implemented P3P support for our web site at a previous company I worked for.
P3P isn't that hard to figure out... Anyone who actually reads the W3C docs, and Microsoft's docs on how IE implements P3P, can easily support P3P. And it wasn't a "surprise", Microsoft had been telling the world that IE6 would support P3P from about a year before IE6 came out.
It took about 1 day to set up and implement P3P on our web sites (some IIS, some Apache/PHP).
How useful is it? It depends on web sites honestly reporting their information in the P3P info. I'm sure most big legit companies accuratly report their privacy policy in the P3P info.
But what's to stop some unscrupulous Web site from lying? It's not like it's against the law to lie in your P3P info... Nobody is going to punish you for doing it. So, does it really make the web safer?
I can only agree, p3p is only useful for the paranoids that don't know what they are doing.
P3P is useless as the untrustworthy sites will simply lie about what they do with the info, so it buys us nothing.
IE+P3P+Hotmail is an annoying combo, because if you send people a link in mail to a hotmail account M$ think they need trap people in a frameset, neatly displaying "we ownz y00" and keeping people from bookmarking the site they are visting, however the most annoying effect is that it is impossible to get a cookie set in the framed site (so logging in just doesn't work on most sites), without a compact P3P header.
Luckyly you can just add some garbage P3P header:
P3P: CP="CAO ADM OUR IND PHY ONL PUR NAV DEM STA"
and IE will allow the framed site to work normally, it did take a lot of angry users to find that particular IE+hotmail-misfeature.
In closing: death to IE and hotmail, may they both be taken behind the barn and shot through the head ASAP!
-- To dream a dream is grand, but to live it is divine. -- Leto ][
The Electronic Privacy Information Center has published a report on Why P3P is not a PET (Privacy Enhancing Technology) (PDF file). It's worth a read as it challenges a lot of the justifications and goals of P3P.
Also for folks using Windows IE (the majority) ATT&T offers up their free eternally-beta AT&T Privacy Bird which gives folks visual and auditory feedback (both controlled/turned off in Prefs) on site's P3P settings. Quite informative actually, I discovered just how awful Yahoo's policies are when I used their headline aggregator (just who are they selling my newsreading habits to?) [rhetorical question]
The P3P folks have put together a great website at P3P Public Overview which is chock-full of useful information. On the other hand here is an interesting critique and here another, suprisingly both by lawyers. Security guru Richard Smith also has an important (though hopefully now fixed?) page on supercookies and how MS IE 6's touted protections can be got around.
Mozilla of course supports P3P and it's useful to understand just how MS IE 6 suppports and applies P3P and cookies.
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
OK, I run a personal site powered by PHP. I try to keep my site as HTML-compliant as I possibly can, so far everything is fine until I added a Flash header to my site.
.postal.street, .postal.city bla bla). If I'm a full-fledged business, that info might not be so sensitive... heck, I would want everyone to know the physical location of my business.
Somehow there is a severe lack of info on how to make Flash codes HTML compliant. I figured maybe I should use the <OBJECT> tag to somehow smuggle the Flash code from an external file.
OK, end of unrelated rant, now for the P3P thingy. I figured this will be important for my site in the future because I'm considering engaging in e-commerce (very small scale), so what the heck.
The thing is, the examples of P3P XML files I looked at from various sources always contain sensitive elements like business.contact-info.postal.address (using loosely, I know that it's supposed to be
But what if it's a home-based business? I surely don't want customers knowing my home address and dropping in whenever they like, a main reason why I chose to do online business in the first place. So in order to safeguard the privacy of my customers, I now seem to be compromising my own.
If there is a proper workaround for this issue (without any legal problems), can some intelligent and experienced individual point it out to me? Are all those business.contact-info.* tags required in the first place? It seems that every compliant site have them.
Thanks in advance.
Welley Corporation - SLM Scammers
P3P doesn't offer any real security anyway...
It's an overall stupid idea bound to make security even worse if it gains popularity.
As lawyers are likely required to review the privact policy, I believe that the spec is impossible to implement, specifically:
- the spec refers to 'compact' policy. I have not seen an example of a contract or agreement that would meet 'compact' by any stretch of the imagination.
- the spec refers to non-ambiguity.I have not seen an example of a contract or agreement that is not purposely ambiguous.
- statements are positive. What, no 'except', 'subject to', 'contrary to above' ??
- finally, xml is well formed.
So does Anonymous Coward have good karma?
Data miners use the GUIDs in these cookies to see
how often a given user comes back to the site. If
everybody set their cookies to expire it would drive
them up a wall.
Either that or we should all standardize on one MSN
cookie so we all have the same GUID.
All generalizations are false, including this one. Mark Twain
I think P3P is a step in the right direction. With tools like this one from IBM every site owner can create his P3P policy very easily. Those policies will help categorize sites and provide a nice filtering possibility.
Of course one problem remains: since it's entirely up to the site owner, he/she can enter EVERYTHING. There is no way to know whether a particular site stays true to the poolicy it has created. Your data isn't safe just because the one stealing (and selling) it says it is. On the other hand, there is probably no way of verifying stuff like this, so P3P is the best shot we got.
Yes, (some) geeks care about little things like civil rights. Just because so few people care about these things, does it mean they are irrelevant?
Sure, 99% of the population probably believes that the government is their friend; that it will never repress them in any way; that it will respect their rights as a human being. And most of the time they'd be right.
But what if some person or group manages to subvert government into a tool for repression? At that point you'd wish you had not given them the tools for repressing you, that you had protested when you had the chance.
Sorry for going offtopic here; it is just that I abhor it whenever people are talked down just because they care about something fundamental to human existence.
In the words of one country, "life, liberty, and the pursuit of happiness". In the words of another, "liberte, egalite, et fraternite" (sorry for the missing accents).
"Do you have P3P policies for your website? If not, what stops you from creating one?"
Return on investment.
Creating a P3P policy would take alot of my time - I would have to research and learn the format and possiblities of the language, then write the policy, reconcile it with various departments within the company, then finally integrate into the site, and potentially have to deal with questions from confused visitors.
Implementing P3P on my site would cost me no money, but a great deal of time.
TIME IS MONEY
...if, for example, a user orders something on your site through a NAT firewall, say from a university dorm or something. Now supopose another student on the NAT happens to go to your website at the same time. If you are tracking by IP, these two appear to be the same user (due to the singular IP of the Internet gateway both of them share), so, essentially, you have just given full access to your customer's account to an unauthorized party, which of course, is a Very Bad Thing.
This can also apply to home users, or businesses, or anywhere else a NAT is set up. Uh-oh.
Throw some cookies in there and now suddenly each users request becomes uniquely identifiable, and although not entirely secure, it certainly is much more difficult than "accedentally."
CAn'T CompreHend SARcaSm?
... why so few people have implemented this. Our website actually has one of these thingys -- we just put it up, in fact, because its absence was causing trouble with some IE releases. Wading through the P3P docs to come up with a meaningful XML privacy description document is a non-trivial undertaking. The funny thing is that, IIRC, having this little shred of XML puts us ahead of a bunch of other commercial sites that don't do it.
Dog is my co-pilot.
This might be off topic, but shouldn't all web traffic travel through https? Howecome we allow so much information to travel around unencrypted? What is the barrier to adopting a secure protocol for all web traffic?
NO ONE actually believes anything these sites say. They will sell their grandmothers organs for a dime, and we know that if they are violating their policies left and right, nothing will happen. Even if the company says no, as soon as they switch hands or go under that potential capital will be utilized one way or another. The key is successfull obsfuscation on the client side. You can't avoid footprints, so leave HUGE one in clown shoes all over the place, in different ID's.
errr....umm...*whooosh* *whoosh* Is this thing on ?
It causes random websites to stop working for people using IE6. Then I tell those people, "try Mozilla."
:)
And somehow, more than all my raving about the good things about Mozilla, more than trying to explain in a hundred different ways why tabbed browsing and popup killing and everything is so good, this is one of the things that causes those stragglers to switch to a real browser. And then they discover all the other features and stick with it.
Implementing P3P the way they did is one of the best things M$ has ever done.
Yeah, that's a great idea. You should write an article: How to Be a Complete Web Leech and Screw Over Every Site You Visit For Free!
I mean really, isn't it *terrible* that web sites might know how often you come back to the site? You know what that leads to, right...? First it's that, and from that, they can figure out your height, weight, favorite food, and even dick size! You'd better protect that privacy at all costs!
deliberate over whether to call it P3P and not P4 (or P^4)
The alternative to using cookies is not tracking by IP address, but passing some session variable around every request. Yes, it's a pain (unless you use a framework that will handle it for you). Yes, it doesn't always work. I don't know of ANY web developer that would even consider tracking someone based on IP address, for the reasons you stated.
..write a script to gently but firmly ask politiely that your visitors arriving using IE would have a better and more secure "total internet surfing experience" if they "upgraded their browsers" to "a better one" then provide some links to them.
Like, why keep taking it and taking it and taking it and taking it? Don't insult them, just show them a different thing that's "better" for them. Most people just slap don't know, the "internet"is "windows and explorer" because it came with their new conpooter and "microsoft" somehow "owns" the internet. We have to do everything we can to get this brainwashing reversed..
Personally, I had never heard of it. Since I wrote the webserver I am running (replaced Apache), I am pretty sure that I don't currently support it. Might take a look at it though....
However, Opera aleady allows me to block the popups....
And, what marketer is going to use P3P when they read this:
"Imagine that, in an effort to reduce the mail she receives, Cindy has told her browser that she wants to be warned whenever a site says that it will use her information to send her marketing promotions."
It only helps if those you want to block decide to use it.
http://www.google.com/profiles/malachid
I mean why should I trust a site just because the site sends me some text saying - "trust me, because I promise to do A, B,C"
That's ridiculous. If any entity wants to gain my trust it has got to EARN it. Empty promises = waste of bandwidth.
Ernst & Young have a regular P3P Dashboard Report[PDF] that summarizes adoption of P3P by large Web sites.
Privacy is a difficult issue; P3P has been derided because it doesn't do enough (actively negotiate or protect your privacy), because it does too much (intrusion into the browser, difficult to implement) and generally because it's too complex.
As a result, it's a compromise that noone is 100% happy about, but it does give us something to work with. Standards that try to do everything for everyone almost always fail.
The W3C is, next week, holding a workshop to look at the future of P3P; I haven't had a chance to read the position papers yet, but the fact that they're holding a workshop shows that they know there's more work to do.
Hmm, yes I didn't think about that. Good call.
Implemented simply with a GET request which has some kind of ID number in it. Essentially, though, Cookies are just a more sort of hidden way to do this.
Whenever I see one of those absurdly long URLs with all kinds of session info in it, I wonder why the developers couldn't just use a little JavaScript and an <INPUT TYPE=HIDDEN VALUE="whatever">. When you click on a link, instead of using the HREF, use an onClick="go('thisLink.html')", where the go() function will set the appropriate hidden form values and use a form.submit(). The server will parse all nessesary info, including session info, from the POST request, and redirect or dynamically generate as nessesary. Of course, if the user takes action on an <INPUT TYPE=SUBMIT>, this becomes quite trivial.
Of course, that's a lot of trouble for the same functionality you get from cookies, and in some situations (depending on implementation) could be a little too trusting of the end user as well... I never understood why people where bothered by cookies in the first place.
CAn'T CompreHend SARcaSm?
Just because there is a P3P privacy policy doesn't mean the policy itself is being truthful or accurate. There is no real accountability or certification of P3P policies, so companies can put any sort of generic boilerplate BS in their P3P policies and as long as there IS one, the browser will accept cookies, etc...
It can say "oh yeah, we're not selling your information to 3rd parties or anything" when in fact they are. If you trust what it says, then you allow the site to set cookies. You shouldn't be trusting the word of the site itself. It should be a 3rd party certification.
That's not really protecting privacy, IMHO.
If P3P policies could be used as evidence in court cases for misrepresentation, then it might force companies to provide more accurate P3P policies, but I haven't heard of any lawsuits coming from inaccurate P3P policies. You'd have to KNOW their policy was misleading in order to take them to court anyway, which is hard to do.
The same people that shut off cookies also shut off javascript - often shutting off javascript INSTEAD of cookies. The only real option is to put everything in the URL, which is damn ugly. Also, imo, increases the chance that someone will try to play around with the session ID in the URL, simply because it's there.
creation science book
There is no external auditing of P3P that I can see.
I set this up on one website I built, but why? I was able to say whatever I wanted. If my browser acted on this sort of information I would be forced to disable it, since it is not, and cannot be trusted without an external verification.
The story and comments here are incorrect.
Mozilla doesn NOT, in fact, support P3P. It did at one point. Support was removed, because, as I understand it, P3P is "dumb".
Netscape reincludes it in there releases, but it hasn't been in Mozilla proper for some time now.
The slippery slope will lead to profiling agencies, much like credit reporting agencies, who sell your profile to employers, landlords, lawyers, law enforcement, and anyone else who wants to make a decision about you.
they just don't care. I'm a geek who understands the tracking that goes on (I've written Web tracking software in the past) and for the most part, I don't care.
This is one reason the Electronic Privacy Information Center argues that P3P is not a privacy enhancing technology. Websites will eventually demand that you reveal everything, or they won't let you access the site. If people don't care, they will comply. The end result will be like cookies (only with your name, age, address, and other personal data attached). Handing your full identity over to every site you visit will simply become the de facto standard.
WC3.exe? 3PvP?
Am I the only one who read the headline and thought: "Well, I've never had a privacy problem playing Warcraft III 3Player skirmish!"
Oh, bloody hell. I'm just a game dweeb. Never mind.
The Pjammer Chronicles --
Submitting forms "breaks" the back-button in many browsers.
There is nothing to prevent the web site operator from lying between their teeth in setting a false P3P policy.
P3P Seal of trust? Good and strong as the weakest link of chain. Just think Thawte or Verisign.
P3P embedded in Mozilla or IE browsers? Yeah, right. Gotta see the code in order to trust the browser.
How much trust and confidence does that inspire to "We, the Web Surfers?"
None, Nothing, Na-da!
Quote: browsers like Mozilla/Netscape & Internet Explorer are committed to giving support for P3P
? id=128639
Mozilla, commited to P3P?
I refer you to this bugzilla thread:
http://bugzilla.mozilla.org/show_bug.cgi
which has been going since March. Several people supported P3P, but the people in charge weren't having any of it.
whenever u answer on the question like this one, it _was_ the right place to ask :)
The problem with P3P is that each user decides:
1. what level of info they are prepared to release (as a blanket decision applying to all sites that will be allowed the info), i.e. email address, snail address, phone number etc
2. what sort of use may be made of this info (effectively, what sites have permission to grab this info)
This info can then be grabbed by any site that claims the agreed 'safe' level, even though it's unnecessary for general browsing or even general site traffic analysis statistics.
Effectively, the user chooses to discard all anonymity, or not to 'trade' via the internet.
Through Hotmail and Passport, MS can largely guarantee that your identity is correct - certainly on XP systems. With IE6 forcing P3P on commercial sites, the MS databases will be in the best position to accurately profile web users.
I think cookie-tracker schemes and companies like Doubleclick will be wiped by this, and MS will dominate the served advertisement market before too long.
Hrm, I take it you can setup a p3p thing in the same way you setup a cookies.txt. Just drop the thing in the right URL?
Are there any tools out there that let you edit a p3p XML file quickly and easily? I'm to lazy to look up the specs and edit an XML file in notepad right now (and I have other things to do).
autopr0n is like, down and stuff.
Not only do they need to 'log on', but they need to keep logging on (like fark) or have their log on tied to an IP address. For huge sites this becomes a major headache, as it requires HUGE Databases of pointless information.
Really, why should I have to store gigs of data so that people can chose what background color or what kind of porn they want to see when they visit my site?
autopr0n is like, down and stuff.
Aside from the somewhat confusing specification (I have copied a working P3P xml file, and made changes and still can't get it to work "right" in IE) I can't figure out how to make the P3P standard cover our particular case.
As a "web application" development and hosting company (read: writing and hosting custom shopping carts mostly), I can make a P3P policy that covers our use of the information easily. However, what about the 30+ companies I host for? Do I need seperate policies for each of them? If I write a policy for them, and they don't like it, will they sue me? Even if the policy is true? Can I write one policy for the whole batch and hope that the "good" companies don't sue me for being included with the companies that sell all your information AND your newborn babies for cash?
Not only that, but the information-sharing parts aren't all that hot... all of them appear to assume that the policy creator/hoster is the "primary" user of information... in my case, I only use administrative access (backups, restores) to the information, its the individual companies who use the personal information.
I could use "other-recipient", but I have this bad feeling that browsers will balk at that. The definition of "ours" talks about other entities that we collect data for, but it just seems a little shady that way.
In the end, I suppose I'll wind up having each company create their own.
If I have been able to see further than others, it is because I bought a pair of binoculars.
Thanks for encouraging this practice.
I insisted that we do it for our site (a large financial services company). It's a very large piece of work if done properly, but we're getting there.
...is this really 50% better than P2P? Cuz I'll abort my limewire download right now.
myselfmusic
Oh, I though P3P was P2P, just cooler! :]
You can also use the SSL session key as a identifier. Of course, that requires the entire session to be encrypted, which is not practical in most situations.