Recent Blog Articles on P3P

Dear all, 

Starting with a Wall Street Journal article [1] from Walter Mossberg, 
there have been some remarkable recent blog entries.

Mossberg started off complaining about tracking cookies. He said those 
cookies would fit his spyware definition and wanted a real prompt for 
tracking cookies (going straight). Implementing P3P on the server means 
exactly that: going straight. Note that a lot of sites today have P3P 
Policies.

Eric Peterson blogged[2] in a response that prompting the user for 
cookies would generate a very painful browsing experience. I think he 
is right. As a professional paranoid, I have instructed my browser to 
prompt on cookies. Some sites offer you the same cookie every time 
you get to the next page. This means an average of 2-6 clicks per page. 

Now, being fatalistic does not seem to be a solution. The criticism from 
Peterson was taken up by Joe Wilcox in the Microsoft Monitor Weblog 
[3]. He describes the P3P capabilities of Internet Explorer and has 
some trouble explaining P3P. I think P3P is not "P3P support means 
when that prompt comes, say for microsoft.com, the user has the option 
of accepting or rejecting the cookie and applying the response to all 
future cookie requests."

The trouble with cookies is that "22993519736004617" has no meaning for 
the user. This is opaque and generates fears, often far beyond the real 
danger of a given cookie. P3P[4] tries to tackle that by adding metadata 
to the cookie explaining what it collects and does and how this 
personal information is retained/distributed etc.

P3P means that metadata about the cookie has been exchanged, so the user 
and his agent (browser) know what this cookie is about. So the "Spy" 
part is already cleared. P3P in fact helps to distinguish between good 
and bad cookies and increases user trust by telling them what the 
cookie is supposed to do. In a nice implementation, the browser would 
then offer the possibility to block/erase/fake acceptance for such 
future cookies based on a user reaction, a kind of constant learning. 
With P3P, such a tool could even ask if the user wants to block cookies 
of that _category_. 

IE had a good first start with the cookie-blocker based on the P3P 
compact format. But IE remains at 15% of P3P's capabilities. Privacy 
Bird[4] shows some of the notification wisdom achievable. But the 
software vendors still owe us a tool that takes full advantage of P3P 
to take away the necessity of articles like the one from Walter 
Mossberg.

So an interesting question to Microsoft and Firefox would be, how much 
of P3P they intend to implement. Going straight here means implementing 
an existing Standard ;)

1. http://online.wsj.com/article_email/0,,SB112129842537185221-IBjfINilaV4opynaICHa6mFm4,00.html
2. http://weblogs.jupiterresearch.com/analysts/peterson/archives/009281.html
3. http://www.microsoftmonitor.com/archives/009285.html
4. http://www.w3.org/TR/P3P/
  http://www.w3.org/P3P/

Best, 
-- 
Rigo Wenning            W3C/ERCIM
Staff Counsel           Privacy Activity Lead
mail:rigo@w3.org        2004, Routes des Lucioles
http://www.w3.org/      F-06902 Sophia Antipolis

Received on Friday, 19 August 2005 16:31:30 UTC
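
The category-based cookie handling this message describes, as an added example that is not part of the original e-mail: a user agent parses the compact policy from a `P3P` response header and decides per cookie. Token names follow the P3P 1.0 compact policy vocabulary; the preference object, function names and sample header values are constructed for illustration.

```javascript
// Added example. Token names: P3P 1.0 compact policy vocabulary.
// The prefs object and the decision names are hypothetical.
const CATEGORIES = 'PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC'.split(' ');
const PURPOSES = 'CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP'.split(' ');
const RECIPIENTS = 'OUR DEL SAM UNR PUB OTR'.split(' ');

// Parse the value of a "P3P:" response header, e.g.
//   policyref="/w3c/p3p.xml", CP="NOI DSP COR NAV"
function parseCompactPolicy(headerValue) {
  const m = /\bCP\s*=\s*"([^"]*)"/i.exec(headerValue || '');
  if (!m) return null; // no compact policy was sent
  const cp = { categories: [], purposes: [], recipients: [], other: [] };
  for (const tok of m[1].split(/\s+/).filter(Boolean)) {
    const base = tok.slice(0, 3).toUpperCase();
    // Purposes and recipients may carry a consent suffix:
    // a = always, i = opt-in, o = opt-out (no suffix means "always").
    const consent = (tok[3] || 'a').toLowerCase();
    const sized = tok.length <= 4 && 'aio'.includes(consent);
    if (tok.length === 3 && CATEGORIES.includes(base)) cp.categories.push(base);
    else if (sized && PURPOSES.includes(base)) cp.purposes.push({ base, consent });
    else if (sized && RECIPIENTS.includes(base)) cp.recipients.push({ base, consent });
    else cp.other.push(tok); // access, disputes, remedies, retention, unknown tokens
  }
  return cp;
}

// Decide what to do with a cookie from the policy sent alongside it.
function decideCookie(headerValue, prefs) {
  const cp = parseCompactPolicy(headerValue);
  if (!cp) return { action: 'prompt', reasons: ['no compact policy: cookie is opaque'] };
  const reasons = [];
  for (const c of cp.categories)
    if (prefs.blockCategories.includes(c)) reasons.push('category ' + c);
  for (const list of [cp.purposes, cp.recipients])
    for (const { base, consent } of list)
      // An opt-in use only happens after the user agrees, so it does not block.
      if (prefs.blockUses.includes(base) && consent !== 'i') reasons.push('use ' + base + consent);
  return { action: reasons.length ? 'block' : 'accept', reasons };
}

// Constructed user preferences and header values.
const PREFS = { blockCategories: ['FIN', 'HEA', 'UNI'], blockUses: ['TEL', 'UNR', 'PUB'] };
const SITE_A = 'policyref="/w3c/p3p.xml", CP="NOI DSP COR CUR ADM OUR NAV COM"';
const SITE_B = 'CP="NOI DSP TAIa PSDo OUR UNRo UNI PUR"';
console.log(decideCookie(SITE_A, PREFS), decideCookie(SITE_B, PREFS), decideCookie('', PREFS));
```
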