
RE: P3P NOT fail

From: Giles Hogben <Giles.Hogben@enisa.europa.eu>
Date: Fri, 24 Feb 2012 12:14:38 +0000
To: Rigo Wenning <rigo@w3.org>, "public-privacy@w3.org" <public-privacy@w3.org>
Message-ID: <FC21791E875115429659FBC0994345730FAFD462@Hermes.net1.enisa.europa.eu>

Indeed, I have also been thinking that P3P could be revived/adapted to help web site owners fulfil the new European cookie rules which are already in force in some member states (as well as DNT). The compact policy is not impractical with an editor - few people write XML by hand either...

-----Original Message-----
From: Rigo Wenning [mailto:rigo@w3.org] 
Sent: 24 February 2012 12:42
To: public-privacy@w3.org
Cc: Richard Barnes
Subject: Re: P3P NOT fail

Hi Richard, 

and here is Lorrie's answer: 


really worth reading. And I agree with her answer to the claim that the P3P 
compact format is "impractical": "It's not obvious to me there's any 
fundamental reason why a proper P3P compact policy wouldn't work in that 

In the work on DNT I constantly see the desperate need for simple notification 
of the user coming up. And people there constantly re-invent P3P with other 
angle brackets. So claiming P3P is outdated is IMHO a self-serving 
declaration. P3P is not widespread anymore and we may re-invent it in some 
other ways. Because whoever asks for "Transparency:  Consumers have a right to 
easily understandable information about privacy and security practices." will 
have to look at P3P as it provides exactly that.
(see http://www.whitehouse.gov/the-press-office/2012/02/23/we-can-t-wait-obama-administration-unveils-blueprint-privacy-bill-rights for that last 

But I also think it's clear that we won't take up P3P as is. How to re-invent 
P3P? Dave Raggett had made a nice suggestion:

This merits further discussion IMHO



On Tuesday 21 February 2012 08:43:20 Richard Barnes wrote:
> Internet Explorer is configured by default to reject cookies unless a
> certain P3P policy is present.  Google, Facebook, et al. say "This is
> not a P3P policy".  According to Lorrie Cranor, this practice is used
> by around 1/3 of websites, including msn.com and live.com.
> "
> "Microsoft uses a 'self-declaration' protocol (known as 'P3P') dating
> from 2002 under which Microsoft asks websites to represent their
> privacy practices in machine-readable form," Google Senior VP of
> Communications and Policy Rachel Whetstone says in a statement
> e-mailed to Ars. "It is well known—including by Microsoft—that it is
> impractical to comply with Microsoft’s request while providing modern
> web functionality."
> "
> <http://arstechnica.com/tech-policy/news/2012/02/google-tricks-internet-explorer-into-accepting-tracking-cookies-microsoft-claims.ars>

Received on Friday, 24 February 2012 12:15:08 UTC
