Re: Compact versus full P3P policy? from Lorrie Cranor on 2002-01-31 (www-p3p-policy@w3.org from January 2002)

From: Lorrie Cranor <lorrie@research.att.com>
Date: Wed, 30 Jan 2002 19:04:50 -0500
To: "Clifford Lyon" <Clifford.Lyon@cnet.com>, <www-p3p-policy@w3.org>
Message-ID: <001801c1a9ea$e9722d60$3e06cf87@research.att.com>

What Ben Wright proposes is a clear violation of the P3P
specification and many have suggested that this so-called
solution would likely be viewed by the FTC as a deceptive
practice. This is because his solution involves creating
a P3P "compact policy" that will get through IE6's
cookie blocking filters, but includes an extra token
(ignored by IE6) that basically means "just kidding."
The P3P spec is clear that unknown tokens do not change
the meaning of the P3P compact policy. Therefore,
a web site is still making a statement about its privacy
practices if it issues a P3P compact policy, even if
it includes Ben's extra token or crosses its fingers
behind its back. Members of the P3P working group have
discussed this with Ben, and he obviously disagrees with us
as he is continuing to advertise his solution and his web site
where you can buy his 30 page monograph for $49.95.

Lorrie Cranor
P3P Specification Working Group Chair


----- Original Message -----
From: "Clifford Lyon" <Clifford.Lyon@cnet.com>
To: <www-p3p-policy@w3.org>
Sent: Wednesday, January 30, 2002 6:26 PM
Subject: RE: Compact versus full P3P policy?


> Any comments from the w3 on the information at the pointer below?
>
> -----Original Message-----
> From: Ben Wright [mailto:Ben_Wright@compuserve.com]
> Sent: Wednesday, January 30, 2002 5:57 PM
> To: INTERNET:www-p3p-policy@w3.org
> Subject: Compact versus full P3P policy?
>
>
> Message text written by INTERNET:www-p3p-policy@w3.org
> >What is the general view on whether it's better to code your privacy
> statement into a compact P3P policy or a full P3P policy?<
>
> I don't know what the general view is.  However, I believe the P3P
language
> is dangerous for corporations and government agencies to use.  Those
> organizations may want to disavow any liability or legal responsibility
for
> P3P stuff.  They may find it safer to state all privacy matters in full,
> plain English so as to avoid misunderstandings in court.  See
> http://www.disavowp3p.com
>
> --Ben
>
> Benjamin Wright
> Dallas, Texas
> tel 214-403-6642
> ben_wright@compuserve.com
>

Received on Wednesday, 30 January 2002 19:06:00 UTC