Is W3C's P3P Good Privacy?
nileshch asks: "A very important development in recent times with regards to website users' privacy has happened with the W3C introducing the Platform for Privacy Preferences (P3P). P3P allows websites to create and maintain XML-based privacy policies for the entire website or sub sections of the site. These machine readable policies document what information is collected from users and how it is going to be used. Today, a few browsers like Mozilla/Netscape & Internet Explorer are committed to giving support for P3P (Mozilla here, IE here). Although that support seems only skin-deep. I also find very few big sites adopting P3P seriously. Isn't it like the classic chicken-and-egg situation? Websites wait for full P3P support on browsers, browsers go slow on development because there isn't much feature demand happening on this front. Do you have P3P policies for your website? If not, what stops you from creating one? We all create hoopla over tiny privacy issues, user profiling and doubleclick.net. Then why isn't there much enthusiasm for P3P support in browsers?"
There are some papers about P3P HERE.
I think that if it puts spammers, pr0n peddlers and other crooks on the ropes, I'm all for it.
From the p3ptools website...
3. You should also have a compact policy associated with the cookie itself. This is done by sending the compact policy string of text along with the HTTP header when setting the cookie. The format of this text will vary depending on which web server software package you are using on your site. See Deployment Guide Section 3.1 "Using HTTP Headers" and Deployment Guide Appendix A for a discussion of various implementations.
The appendix is HERE.
You think that I'm crazy, you should see this guy!
My company's website needs cookies enabled. So a week ago when we ran a survey, all of a sudden all of our IE 6 users were not working at all. We had no idea why these users could not get through, other than that they had IE 6 and their cookies were not enabled. We searched the web for any signs of this and still found nothing. It wasn't until one of our employees looked at the IE site and saw the section about P3P that we figured out what was wrong. Essentially all our cookies were being rejected by IE 6.0 because we did not have a P3P policy.
The next day we created a policy and haven't had a problem with IE 6 cookies since. Sad but true. Any site that relies on cookies is going to need a P3P policy.
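The compact-policy step quoted from p3ptools earlier in the thread, and the IE 6 cookie rejection described in the post just above, as an added Python example (not code from the page, from p3ptools or from any poster): it emits a Set-Cookie header together with a matching P3P CP header, checks the CP tokens against the P3P 1.0 compact-policy token list, and audits a response for cookies that are set with no compact policy at all. The cookie name and value, the sample CP string and the sample response headers are constructed for the example.

```python
"""Emit a P3P compact policy beside a cookie, and audit responses for cookies without one."""
import re
from http import cookies

# P3P 1.0 compact-policy tokens (W3C P3P 1.0 Recommendation, section 4).
_BASE_TOKENS = {
    "NOI", "ALL", "CAO", "IDC", "NON", "OTI",            # access
    "DSP", "COR", "MON", "LAW",                          # disputes, remedies
    "NID",                                               # non-identifiable
    "NOR", "STP", "LEG", "BUS", "IND",                   # retention
    "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV",     # categories
    "INT", "DEM", "CNT", "STA", "POL", "HEA", "PRE",
    "LOC", "GOV", "OTC",
    "TST",                                               # test policy
}
# Purpose and recipient tokens may carry an opt-in/opt-out/always suffix (a, i, o).
_SUFFIXABLE = {
    "CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
    "CON", "HIS", "TEL", "OTP",                          # purposes
    "OUR", "DEL", "SAM", "UNR", "PUB", "OTR",            # recipients
}


def validate_cp(cp):
    """Return the tokens in a compact policy that are not valid P3P 1.0 tokens."""
    bad = []
    for tok in cp.split():
        if tok in _BASE_TOKENS:
            continue
        if tok[:3] in _SUFFIXABLE and tok[3:] in ("", "a", "i", "o"):
            continue
        bad.append(tok)
    return bad


def cookie_headers(name, value, cp, max_age=None):
    """Build (header, value) pairs that set a cookie and send its compact policy with it."""
    bad = validate_cp(cp)
    if bad:
        raise ValueError(f"invalid compact policy tokens: {bad}")
    jar = cookies.SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True
    if max_age is not None:
        jar[name]["max-age"] = max_age
    return [
        ("P3P", f'CP="{cp}"'),
        ("Set-Cookie", jar[name].OutputString()),
    ]


def cookies_without_cp(headers):
    """Names of cookies set in a response that carries no P3P compact policy."""
    cp = None
    for key, val in headers:
        if key.lower() == "p3p":
            match = re.search(r'CP\s*=\s*"([^"]*)"', val)
            if match:
                cp = match.group(1).strip()
    if cp:
        return []
    return [val.split("=", 1)[0].strip()
            for key, val in headers if key.lower() == "set-cookie"]


# Constructed sample: a response that sets a cookie with no P3P header at all,
# the situation the post above describes.
SAMPLE_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "survey=started; Path=/"),
]

if __name__ == "__main__":
    print("unlabelled cookies in sample:", cookies_without_cp(SAMPLE_RESPONSE))
    for header, value in cookie_headers("sid", "abc123",
                                        "NOI DSP COR NID CURa OUR NOR", max_age=3600):
        print(f"{header}: {value}")
```

Only Internet Explorer's cookie filter ever read the compact policy, so the audit function is useful for reproducing the IE 6 behaviour described above rather than for any later browser. The token check catches typos in the CP string before a policy goes live, but it does not tell you whether IE will judge a valid policy "unsatisfactory"; that depends on which tokens are combined.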
Also for folks using Windows IE (the majority), AT&T offers up their free eternally-beta AT&T Privacy Bird which gives folks visual and auditory feedback (both controlled/turned off in Prefs) on sites' P3P settings. Quite informative actually, I discovered just how awful Yahoo's policies are when I used their headline aggregator (just who are they selling my newsreading habits to?) [rhetorical question]
The P3P folks have put together a great website at P3P Public Overview which is chock-full of useful information. On the other hand here is an interesting critique and here another, surprisingly both by lawyers. Security guru Richard Smith also has an important (though hopefully now fixed?) page on supercookies and how MS IE 6's touted protections can be got around.
Mozilla of course supports P3P and it's useful to understand just how MS IE 6 supports and applies P3P and cookies.
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.
There's a good free P3P editor (in Java) available on the IBM alphaworks site ( http://www.alphaworks.ibm.com/tech/p3peditor ) which I used to generate the policy for our site. It was very easy to use - the hardest part was reviewing the generated output with the suits in Customer Service =;)
The alternative to using cookies is not tracking by IP address, but passing some session variable around every request. Yes, it's a pain (unless you use a framework that will handle it for you). Yes, it doesn't always work. I don't know of ANY web developer that would even consider tracking someone based on IP address, for the reasons you stated.
Ernst & Young have a regular P3P Dashboard Report[PDF] that summarizes adoption of P3P by large Web sites.
Privacy is a difficult issue; P3P has been derided because it doesn't do enough (actively negotiate or protect your privacy), because it does too much (intrusion into the browser, difficult to implement) and generally because it's too complex.
As a result, it's a compromise that no one is 100% happy about, but it does give us something to work with. Standards that try to do everything for everyone almost always fail.
The W3C is, next week, holding a workshop to look at the future of P3P; I haven't had a chance to read the position papers yet, but the fact that they're holding a workshop shows that they know there's more work to do.
Quote: browsers like Mozilla/Netscape & Internet Explorer are committed to giving support for P3P
Mozilla, committed to P3P?
I refer you to this bugzilla thread:
http://bugzilla.mozilla.org/show_bug.cgi?id=128639
which has been going since March. Several people supported P3P, but the people in charge weren't having any of it.