Is W3C's P3P Good Privacy?

nileshch asks: "A very important development in recent times with regards to website users' privacy has happened with the W3C introducing the Platform for Privacy Preferences(P3P). P3P allows websites to create and maintain XML-based privacy policies for the entire website or sub sections of the site. These machine readable policies document what information is collected from users and how it is going to be used. Today, a few browsers like Mozilla/Netscape & Internet Explorer are committed to giving support for P3P (Mozilla here, IE here) . Although that support seems only skin-deep. I also find very few big sites adopting P3P seriously. Isn't it like the classic chicken-and-egg situation? Websites wait for full P3P support on browsers, browsers go slow on development because there isn't much feature demand happening on this front. Do you have P3P policies for your website? If not, what stops you from creating one? We all create hoopla over tiny privacy issues, user profiling and doubleclick.net . Then why isn't there much enthusiasm for P3P support in browsers?"

Why?

[NineNine]

We all create hoopla over tiny privacy issues, user profiling and doubleclick.net . Then why isn't there much enthusiasm for P3P support in browsers?"

Why? It's simple. Users don't care. Geeks do, but geeks don't make up a large percentage of the general population. The general population of Web users aren't nearly as paranoid.

Re:Why?

[koreth]

No, they just don't care. I'm a geek who understands the tracking that goes on (I've written Web tracking software in the past) and for the most part, I don't care. If Joe's Bait & Tackle Shop can make an extra buck with the knowledge that I visit the Psychology Today website, more power to 'em. I see that as a slippery slope leading nowhere. I don't see it as worth my energy to object to data collection just for the sake of objecting to data collection, if no harm can come to me as a result.

I suppose I see the Internet as being inherently non-anonymous (a sufficiently interested party could be tapping my cable modem, either by court order or surreptitiously) because I do understand the technology, so the fact that it's not anonymous isn't an issue I feel it's really fruitful to worry about. I'd far rather get worked up about things I have a nonzero probability of actually changing, or at least that do me harm. Mind you, my definition of "harm" includes things like sending me spam, but I see little evidence that web site information sharing will ever be responsible for more than a fraction of a percent of the mountains of spam that already hit my filters.

In the instances when I really do want to resist observation by a third party, e.g. working from home which means I'm dealing with my company's trade secrets, I take care to encrypt everything I send. Even then, though, a sufficiently interested corporate spy or government agent could break into my house and install keyboard-monitoring software without my knowledge, or could be watching my monitor using a spy cam from the neighbor's roof. At some point you either have to go completely off the deep end with privacy paranoia or conclude that as an individual there's a point beyond which it's impossible to keep secrets from the world. From there it's a matter of figuring out where you think it's reasonable for that point to be, and it's on that score that well-informed people can disagree.

Sun's Scott McNealy summed it up pretty well, I think ("You have zero privacy anyway. Get over it.") Obviously I'm in the minority here on Slashdot, but I think he's pretty much right.

Re:P3P is required

[Angry+White+Guy]

From the p3ptools website...

3. You should also have a compact policy associated with the cookie itself. This is done by sending the compact policy string of text along with the HTTP header when setting the cookie. The format of this text will vary depending on which web server software package you are using on your site. See Deployment Guide Section 3.1 "Using HTTP Headers" and Deployment Guide Appendix A for a discussion of various implementations.

The appendix is HERE.

Re:P3P is flawed

[Jon+Peterson]

That pretty much sums it up. It's a complete pain to implement. Getting your management to sit down and write (and sign off on) a decent privacy policy is hard enough, but to then translate that into some arcane XML format both difficult and pointless.

"So, remind me why our extremely clear and readable privacy policy that explains the nuances of medical ethics and the Internet has to be re-hashed into someone elses over-complex set of quasi-technical categories?"

"It's so that users can simply select from a small number of generic pre-set privacy levels, and let their browser manufacturer tell them whether we take good care of their data!"

It's a dumb idea. It's a miss-appliance of technology.

Some Resources

[maggard]

Gotta recommend IBM's great little free Java-based P3P Policy Editor as a fast & straighforward way to create compact polcies.

Also for folks using Windows IE (the majority) ATT&T offers up their free eternally-beta AT&T Privacy Bird which gives folks visual and auditory feedback (both controlled/turned off in Prefs) on site's P3P settings. Quite informative actually, I discovered just how awful Yahoo's policies are when I used their headline aggregator (just who are they selling my newsreading habits to?) [rhetorical question]

The P3P folks have put together a great website at P3P Public Overview which is chock-full of useful information. On the other hand here is an interesting critique and here another, suprisingly both by lawyers. Security guru Richard Smith also has an important (though hopefully now fixed?) page on supercookies and how MS IE 6's touted protections can be got around.

Mozilla of course supports P3P and it's useful to understand just how MS IE 6 suppports and applies P3P and cookies.