Slashdot Mirror

← Back to Stories (view on slashdot.org)

Is W3C's P3P Good Privacy?

Posted by Cliff on from the sharing-those-first-impressions dept.

nileshch asks: "A very important development in recent times with regards to website users' privacy has happened with the W3C introducing the Platform for Privacy Preferences(P3P). P3P allows websites to create and maintain XML-based privacy policies for the entire website or sub sections of the site. These machine readable policies document what information is collected from users and how it is going to be used. Today, a few browsers like Mozilla/Netscape & Internet Explorer are committed to giving support for P3P (Mozilla here, IE here) . Although that support seems only skin-deep. I also find very few big sites adopting P3P seriously. Isn't it like the classic chicken-and-egg situation? Websites wait for full P3P support on browsers, browsers go slow on development because there isn't much feature demand happening on this front. Do you have P3P policies for your website? If not, what stops you from creating one? We all create hoopla over tiny privacy issues, user profiling and doubleclick.net . Then why isn't there much enthusiasm for P3P support in browsers?"

17 of 118 comments (clear)

  1. Why? by NineNine · · Score: 5, Insightful

    We all create hoopla over tiny privacy issues, user profiling and doubleclick.net . Then why isn't there much enthusiasm for P3P support in browsers?"

    Why? It's simple. Users don't care. Geeks do, but geeks don't make up a large percentage of the general population. The general population of Web users aren't nearly as paranoid.

    1. Re:Why? by Angry+White+Guy · · Score: 3, Insightful

      You mean nearly as informed.
      A lot of people don't understand the tracking that goes on. They still see the internet as everyone being anonymous, just because they don't understand the technology.

      --
      You think that I'm crazy, you should see this guy!
    2. Re:Why? by md17 · · Score: 4, Insightful

      Users may not care, but businesses care when people can not use their web site, because someone has their browser privacy setting high and they are not accepting cookies without P3P. The first time I implemented P3P it increased online ordering by about 5%. Most end users don't realize that a shopping cart doesn't work correctly because their browser is denying cookies. They simply get frustrated and go to another site. But when businesses realize that P3P is an easy fix, there is really no question about whether or not to use P3P.

      <rant>
      It really bugs me when people start bagging on P3P and saying how crappy it is. Why don't you do something about it? Right now P3P is the best privacy standard out there. Until someone comes up with something better, lets use it!
      </rant>

    3. Re:Why? by koreth · · Score: 5, Insightful
      No, they just don't care. I'm a geek who understands the tracking that goes on (I've written Web tracking software in the past) and for the most part, I don't care. If Joe's Bait & Tackle Shop can make an extra buck with the knowledge that I visit the Psychology Today website, more power to 'em. I see that as a slippery slope leading nowhere. I don't see it as worth my energy to object to data collection just for the sake of objecting to data collection, if no harm can come to me as a result.

      I suppose I see the Internet as being inherently non-anonymous (a sufficiently interested party could be tapping my cable modem, either by court order or surreptitiously) because I do understand the technology, so the fact that it's not anonymous isn't an issue I feel it's really fruitful to worry about. I'd far rather get worked up about things I have a nonzero probability of actually changing, or at least that do me harm. Mind you, my definition of "harm" includes things like sending me spam, but I see little evidence that web site information sharing will ever be responsible for more than a fraction of a percent of the mountains of spam that already hit my filters.

      In the instances when I really do want to resist observation by a third party, e.g. working from home which means I'm dealing with my company's trade secrets, I take care to encrypt everything I send. Even then, though, a sufficiently interested corporate spy or government agent could break into my house and install keyboard-monitoring software without my knowledge, or could be watching my monitor using a spy cam from the neighbor's roof. At some point you either have to go completely off the deep end with privacy paranoia or conclude that as an individual there's a point beyond which it's impossible to keep secrets from the world. From there it's a matter of figuring out where you think it's reasonable for that point to be, and it's on that score that well-informed people can disagree.

      Sun's Scott McNealy summed it up pretty well, I think ("You have zero privacy anyway. Get over it.") Obviously I'm in the minority here on Slashdot, but I think he's pretty much right.

    4. Re:Why? by Angry+White+Guy · · Score: 3, Interesting

      That is a very depressive outlook on the internet. Why, because it's true. I guess that our ideals of what the internet could be often blinds us to what the internet is. I don't subscribe to any sites, and do nothing for them aside from suck up their bandwidth. And then I am shocked when they dissappear from cyberspace.

      Let them sell off my information. Let them spam me, let these sites *gasp* make money to survive. There is no such thing as a free lunch. I've told the users which I support that same statement over and over again when they download all those seemingly free programs like hotbar and bonzai buddy. And yet I can't get it through my thick skull that even though I pay to access the internet, my responsiblity doesn't stop there. If I am to continue to use these sites, should they not get paid?

      Remeber, information is free, but you have to pay the tarriffs and transportation costs.

      --
      You think that I'm crazy, you should see this guy!
  2. Who do the W3C think they are? by Angry+White+Guy · · Score: 4, Funny

    Who are they to tell us how to run the web? You'd think that they were a big group of people who pretty much invented the web by the way they act.

    --
    You think that I'm crazy, you should see this guy!
  3. P3P by dolo666 · · Score: 3, Informative

    There are some papers about P3P HERE.

    I think that if it puts spammers, pr0n peddlers and other crooks on the ropes, I'm all for it.

  4. Re:P3P is required by Angry+White+Guy · · Score: 5, Informative

    From the p3ptools website...

    3. You should also have a compact policy associated with the cookie itself. This is done by sending the compact policy string of text along with the HTTP header when setting the cookie. The format of this text will vary depending on which web server software package you are using on your site. See Deployment Guide Section 3.1 "Using HTTP Headers" and Deployment Guide Appendix A for a discussion of various implementations.

    The appendix is HERE.

    --
    You think that I'm crazy, you should see this guy!
  5. The deal with cookies by stevejsmith · · Score: 4, Insightful

    Not really on topic at all, but I was always wondering, what's the big deal with cookies!? All they can do is store information THAT YOU GIVE THEM (or that they arbitrarily assign to you)! In fact, you don't even need cookies to do that. You can just do it with Perl or PHP. Yeah, sure, there are some flaws with cookies in IE, but there are flaws with everything in IE! Hell, Slashdot uses them! The media has somehow given them a bad name. Most sites require cookies, and they work quite well, actually. Would you really want to enter your user name and password for every like you click? No, I don't think so. I'll never understand...

  6. Useless idea by woogieoogieboogie · · Score: 3, Insightful
    The flaw in P3P is that it assumes people have preferences in these matters. Most people simply do not care. For those who do care, it is even more flawed because nobody has the will power to avoid their favorite websites because of disagreements over the sites privacy policies. How many Slashdotters would quit using Slashdot if Slashdot needed to sell some customer information to stay afloat?

    It is a solution looking for a problem

    --
    ... Governments are instituted among Men, deriving their just Powers from the Consent of the Governed...
  7. Too Complex? by smd4985 · · Score: 3, Insightful

    i'm not overly familiar with p3p (p2p i understand ;) ), but my ex-girlfriend has a website devoted to viewpoints on p3p (http://www.p3p-viewpoints.org/). from what i understand, the major issue with p3p is that it is overly complex. some user studies have shown that users don't effectively understand what p3p means or how it affects them. more info at the website...

    --
    smd4985
  8. P3P is flawed by zachlipton · · Score: 4, Insightful

    Part of the reason why the adoption of P3P has been so slow is that it may actually make privacy problems worse.

    The problem is that users (and perl programmers) tend to be lazy. And lazy users check the little "this is the default setting so stop showing me dialog boxes" checkboxes in order to make things easier for them. The problem with this is that with P3P, a website can "claim" to not sell/rent your email address, but because the user set their default options to accept that, their address is automatically sent to the website and they don't have the opportunity to consider the implications and evaluate it themselves.

    Also, P3P is a total PITA to write and the one editor that I know of (free from ibm) seems to be long since dead (and downright confusing too). It can also open companies up to legal trouble since a discrepency between a P3P file and the actual practices of the website could be grounds for a lawsuit (IANAL).

    1. Re:P3P is flawed by Jon+Peterson · · Score: 5, Insightful

      That pretty much sums it up. It's a complete pain to implement. Getting your management to sit down and write (and sign off on) a decent privacy policy is hard enough, but to then translate that into some arcane XML format both difficult and pointless.

      "So, remind me why our extremely clear and readable privacy policy that explains the nuances of medical ethics and the Internet has to be re-hashed into someone elses over-complex set of quasi-technical categories?"

      "It's so that users can simply select from a small number of generic pre-set privacy levels, and let their browser manufacturer tell them whether we take good care of their data!"

      It's a dumb idea. It's a miss-appliance of technology.

      --
      ----- .sig: file not found
  9. p3p is not a PET by ajkessel · · Score: 4, Interesting

    The Electronic Privacy Information Center has published a report on Why P3P is not a PET (Privacy Enhancing Technology) (PDF file). It's worth a read as it challenges a lot of the justifications and goals of P3P.

  10. Some Resources by maggard · · Score: 5, Informative
    Gotta recommend IBM's great little free Java-based P3P Policy Editor as a fast & straighforward way to create compact polcies.

    Also for folks using Windows IE (the majority) ATT&T offers up their free eternally-beta AT&T Privacy Bird which gives folks visual and auditory feedback (both controlled/turned off in Prefs) on site's P3P settings. Quite informative actually, I discovered just how awful Yahoo's policies are when I used their headline aggregator (just who are they selling my newsreading habits to?) [rhetorical question]

    The P3P folks have put together a great website at P3P Public Overview which is chock-full of useful information. On the other hand here is an interesting critique and here another, suprisingly both by lawyers. Security guru Richard Smith also has an important (though hopefully now fixed?) page on supercookies and how MS IE 6's touted protections can be got around.

    Mozilla of course supports P3P and it's useful to understand just how MS IE 6 suppports and applies P3P and cookies.

    --
    I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
  11. Re:Why Cookies? by zsmooth · · Score: 3, Informative

    The alternative to using cookies is not tracking by IP address, but passing some session variable around every request. Yes, it's a pain (unless you use a framework that will handle it for you). Yes, it doesn't always work. I don't know of ANY web developer that would even consider tracking someone based on IP address, for the reasons you stated.

  12. P3P means nothing by cybpunks3 · · Score: 3, Interesting

    Just because there is a P3P privacy policy doesn't mean the policy itself is being truthful or accurate. There is no real accountability or certification of P3P policies, so companies can put any sort of generic boilerplate BS in their P3P policies and as long as there IS one, the browser will accept cookies, etc...

    It can say "oh yeah, we're not selling your information to 3rd parties or anything" when in fact they are. If you trust what it says, then you allow the site to set cookies. You shouldn't be trusting the word of the site itself. It should be a 3rd party certification.

    That's not really protecting privacy, IMHO.

    If P3P policies could be used as evidence in court cases for misrepresentation, then it might force companies to provide more accurate P3P policies, but I haven't heard of any lawsuits coming from inaccurate P3P policies. You'd have to KNOW their policy was misleading in order to take them to court anyway, which is hard to do.