Re: Monograph opposing P3P

What Ben Wright proposes is a clear violation of the P3P
specification and many have suggested that this so-called
solution would likely be viewed by the FTC as a deceptive
practice. This is because his solution involves creating
a P3P "compact policy" that will get through IE6's
cookie blocking filters, but includes an extra token
(ignored by IE6) that basically means "just kidding."
The P3P spec is clear that unknown tokens do not change
the meaning of the P3P compact policy. Therefore,
a web site is still making a statement about its privacy
practices if it issues a P3P compact policy, even if
it includes Ben's extra token or crosses its fingers
behind its back. Members of the P3P working group have
discussed this with Ben, and he obviously disagrees with us
as he is continuing to advertise his solution and his web site
where you can buy his 30-page monograph for $49.95.

Lorrie Cranor
P3P Specification Working Group Chair



----- Original Message -----
From: <hal@finney.org>
To: <www-p3p-public-comments@w3.org>
Sent: Thursday, December 20, 2001 2:25 PM
Subject: Monograph opposing P3P


> Benjamin Wright, an attorney specializing in e-commerce issues, submitted
> a message to RISKS Digest 21.82, ftp://ftp.sri.com/risks/risks-21.82,
> reading in part:
>
> > Privacy filters in Microsoft's new Internet Explorer 6 pose for Web
> > administrators an unexpected legal predicament.
> >
> > The filters force administrators to post new privacy policies for their Web
> > sites, coded in a technical language called P3P.  The filters punish
> > administrators who fail to publish properly coded P3P privacy policies by
> > blocking or impeding their cookies.
> >
> > The P3P coding language raises, for any corporation, government agency or
> > other institution that uses it, a lawsuit danger.  A privacy policy written
> > in it exposes the organization to liability, with little or no escape.
> >
> > A privacy policy, even one written in computer codes, can be legally
> > enforceable like a contract.  In lawsuits filed in 1999, plaintiffs forced
> > US Bancorp to pay $7.5 million for misstatements in a privacy policy posted
> > on its Web site.
>
> He directs readers to his web site, http://www.disavowp3p.com, which
> advises site administrators to include a dummy P3P code which disavows all
> privacy protections promised by other codes.  The site includes a link to
> a page where you can buy his $49.95 monograph on the topic.
>
> Is this a legitimate concern, or is he just trying to make money by
> scaring people?  What would be the impact on P3P if disavowal codes come
> into common use?  Thanks for your attention -
>
> Hal Finney
> hal@finney.org
>
>

Received on Thursday, 20 December 2001 14:33:31 UTC
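
Added example, not part of the original thread or of any P3P tooling: a small audit check for the point made in the reply above, that an unrecognized token leaves the statement made by a compact policy unchanged. The token table is an assumption (the P3P 1.0 compact vocabulary as listed here, not taken from the thread), and the header values and the token XXPLACEHOLDER are constructed.

```python
import re

# Assumption: P3P 1.0 compact-policy tokens grouped by the element they encode.
KNOWN = {
    "ACCESS": "NOI ALL CAO IDC OTI NON",
    "DISPUTES": "DSP",
    "REMEDIES": "COR MON LAW",
    "NON-IDENTIFIABLE": "NID",
    "PURPOSE": "CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP",
    "RECIPIENT": "OUR DEL SAM UNR PUB OTR",
    "RETENTION": "NOR STP LEG BUS IND",
    "CATEGORIES": "PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA "
                  "POL HEA PRE LOC GOV OTC",
    "TEST": "TST",
}
TOKEN_ELEMENT = {t: el for el, toks in KNOWN.items() for t in toks.split()}
# Purpose/recipient tokens (except CUR and OUR) may carry a consent suffix:
# a = always, i = opt-in, o = opt-out.
NO_SUFFIX = {"CUR", "OUR"}


def parse_p3p_header(value):
    """Split a P3P header value into (effective statement, unknown tokens)."""
    match = re.search(r'CP\s*=\s*"([^"]*)"', value)
    if not match:
        return {}, []
    effective, unknown = {}, []
    for tok in match.group(1).split():
        base = tok[:3]
        element = TOKEN_ELEMENT.get(base)
        suffixed = (len(tok) == 4 and tok[3] in "aio"
                    and element in ("PURPOSE", "RECIPIENT")
                    and base not in NO_SUFFIX)
        if element and (len(tok) == 3 or suffixed):
            effective.setdefault(element, []).append(tok)
        else:
            unknown.append(tok)  # reported for audit, carries no meaning
    return effective, unknown


def same_statement(header_a, header_b):
    """True when two headers make the same statement once unknowns are dropped."""
    return parse_p3p_header(header_a)[0] == parse_p3p_header(header_b)[0]


# Constructed sample headers; XXPLACEHOLDER stands in for any unrecognized token.
CLEAN = 'CP="NOI DSP COR NID CUR OUR NOR"'
WITH_EXTRA = 'CP="NOI DSP COR NID CUR OUR NOR XXPLACEHOLDER"'

if __name__ == "__main__":
    print(parse_p3p_header(WITH_EXTRA))
    print("same statement:", same_statement(CLEAN, WITH_EXTRA))
```

A site audit can flag any header whose unknown-token list is non-empty while still recording the effective statement the site is making.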