W3C home > Mailing lists > Public > public-privacy@w3.org > January to March 2012

Re: Do you know a resource that compares P3P to DNT?

From: Eyal Sela (ISOC-IL) <eyal@isoc.org.il>
Date: Wed, 29 Feb 2012 11:13:35 +0200
Message-ID: <CAMb6=s3+0uEy7=q7UOyykPHtDp2exTxe19fsnChnca=YWNd0bQ@mail.gmail.com>
To: "Aleecia M. McDonald" <aleecia@aleecia.com>
Cc: public-privacy@w3.org
Thanks a lot!
I asked because I had been asked that questions a few times, and also
because I'm writing about DNT on the Israeli W3C website.

Best regards,

אייל סלע | מנהל פרויקטים, הועדה הטכנולוגית ומשרד ה-W3C הישראלי | איגוד
האינטרנט הישראלי | www.isoc.org.il | www.w3c.org.il

Eyal Sela | Project Manager, Technology Committee & the Israeli W3C office
| Israel Internet Association (ISOC-IL) |  www.isoc.org.il | www.w3c.org.il

*עדכונים שוטפים על כל פעילויות האיגוד: באתר הפעילויות <http://j.mp/zKPrrF> או
ב-RSS <http://j.mp/wsxWwa>

On Tue, Feb 28, 2012 at 19:05, Aleecia M. McDonald <aleecia@aleecia.com>wrote:

> Hi Eyal (and all),
> A great question. When DNT is nailed down, that would make a very nice
> paper. For the moment, let me just hit a few highlights:
>  - DNT is not finished, but it has a few parts that should remain stable.
> - Sending DNT:1 from a user agent (Firefox, IE, Safari, soon Opera &
> Chrome) is a user request for privacy. It is, first and foremost, a
> communications signal about user intent. This is the big difference between
> DNT and anything else, and the hardest one for users and others to get. DNT
> does not block cookies, delete cookies, or prevent advertising.
>  - Any service that responds to a DNT signal (either by replying with
> another HTTP header, or a response in a well-known location) is attesting
> that they follow at least the minimum privacy protections set out in the
> W3C specification. These could look something like third parties do no data
> collection or use, except as to support fraud prevention and billing for
> ads. [Real life will be more complicated; I'm trying to give the direction
> simply.] In some cases, companies may stop setting cookies, delete their
> cookies, or show different types of ads (contextual not behavioral, for
> example.) See
> http://blog.mozilla.com/privacy/2011/09/08/mozilla-publishes-developer-guide-on-dnt-releases-dnt-adoption-numbers/ for
> the developer guide, which details how some of the early (pre-standard) DNT
> implementations work in practice today.
>  - DNT requires users to trust companies. As we've seen, that can go
> wrong. On the other hand, companies can no longer say "oh, we thought we
> were helping when we restored HTTP cookies by duplicating them in LSOs and
> restoring them." -- users are going on record that they affirmatively want
> privacy, rather than the benefits of personalization. The FTC has announced
> they will enforce DNT, so there are teeth there in the US.
>  - Right this minute, DNT is all or nothing for all sites. That's
> changing, so users can say "DNT for everyone else, but I trust W3C, it's ok
> for them."
> - P3P is a machine-readable representation of a company's privacy policy,
> encoded in XML. When a company creates a P3P policy, they attest that they
> follow the practices they publish. It is highly expressive, and does a good
> job of capturing the sorts of statements companies typically make in their
> privacy policies. It is also extensible if companies want to assert things
> that were not envisioned in the original P3P schema. P3P policies and human
> readable privacy policies should contain the same content. See
> http://www.w3.org/TR/P3P11/ for the P3P specification.
>  - Back in the day of dial up modems and the "browser wars," when
> dinosaurs roamed the earth, Microsoft was concerned that parsing a page of
> XML would slow page loads down. Enter Compact Policies (CPs.) CPs are a
> subset of full P3P policies and pertain just to the company's cookie
> practices. Companies set half a dozen three- or four-letter tokens that
> encode their cookie policies.
>  - Internet Explorer lets users block entirely or limit the lifespan of
> cookies based on companies CPs. If users don't care for a site's practices,
> they can automagically reject cookies. With preferences in Internet
> Explorer, users can set what they do and do not want to accept for CP
> policies.
>  - P3P CPs do not require users' trust. However, they also are not a
> statement of user intent. Right now we see companies skirting CPs by
> creating nonsense policies (for a while Facebook sent the token "HONK"
> which most assuredly has nothing to do with valid CP tokens) which are not
> blocked. My early guess is that it will be easier for companies to do bad
> things under DNT, but far harder on them once they get caught at it.
> If you're asking out of personal curiosity, I hope this is adequate. If
> for some other use, please let me know what you are looking for and I'll
> try to help. You might (or might not) also be interested in Tracking
> Protection Lists.
> Aleecia
> (co-chair of DNT spec; PhD advisor was Lorrie Faith Cranor who chaired the
> P3P spec; speaking only for myself and not Mozilla, Stanford, or W3C)
> On Feb 28, 2012, at 4:36 AM, Eyal Sela (ISOC-IL) wrote:
> What are the main differences and so on?
> Thanks,
> Eyal.
Received on Wednesday, 29 February 2012 09:14:41 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:23:53 UTC