Re: Do you know a resource that compares P3P to DNT?

Hi Eyal (and all),

A great question. When DNT is nailed down, that would make a very nice paper. For the moment, let me just hit a few highlights:

	- DNT is not finished, but it has a few parts that should remain stable.
		- Sending DNT:1 from a user agent (Firefox, IE, Safari, soon Opera & Chrome) is a user request for privacy. It is, first and foremost, a communications signal about user intent. This is the big difference between DNT and anything else, and the hardest one for users and others to get. DNT does not block cookies, delete cookies, or prevent advertising. 
		- Any service that responds to a DNT signal (either by replying with another HTTP header, or a response in a well-known location) is attesting that they follow at least the minimum privacy protections set out in the W3C specification. These could look something like third parties do no data collection or use, except as to support fraud prevention and billing for ads. [Real life will be more complicated; I'm trying to give the direction simply.] In some cases, companies may stop setting cookies, delete their cookies, or show different types of ads (contextual not behavioral, for example.) See http://blog.mozilla.com/privacy/2011/09/08/mozilla-publishes-developer-guide-on-dnt-releases-dnt-adoption-numbers/ for the developer guide, which details how some of the early (pre-standard) DNT implementations work in practice today.
		- DNT requires users to trust companies. As we've seen, that can go wrong. On the other hand, companies can no longer say "oh, we thought we were helping when we restored HTTP cookies by duplicating them in LSOs and restoring them." -- users are going on record that they affirmatively want privacy, rather than the benefits of personalization. The FTC has announced they will enforce DNT, so there are teeth there in the US.
		- Right this minute, DNT is all or nothing for all sites. That's changing, so users can say "DNT for everyone else, but I trust W3C, it's ok for them."

	- P3P is a machine-readable representation of a company's privacy policy, encoded in XML. When a company creates a P3P policy, they attest that they follow the practices they publish. It is highly expressive, and does a good job of capturing the sorts of statements companies typically make in their privacy policies. It is also extensible if companies want to assert things that were not envisioned in the original P3P schema. P3P policies and human-readable privacy policies should contain the same content. See http://www.w3.org/TR/P3P11/ for the P3P specification.
		- Back in the day of dial-up modems and the "browser wars," when dinosaurs roamed the earth, Microsoft was concerned that parsing a page of XML would slow page loads down. Enter Compact Policies (CPs.) CPs are a subset of full P3P policies and pertain just to the company's cookie practices. Companies set half a dozen three- or four-letter tokens that encode their cookie policies.
		- Internet Explorer lets users block entirely or limit the lifespan of cookies based on companies' CPs. If users don't care for a site's practices, they can automagically reject cookies. With preferences in Internet Explorer, users can set what they do and do not want to accept for CP policies.
		- P3P CPs do not require users' trust. However, they also are not a statement of user intent. Right now we see companies skirting CPs by creating nonsense policies (for a while Facebook sent the token "HONK" which most assuredly has nothing to do with valid CP tokens) which are not blocked. My early guess is that it will be easier for companies to do bad things under DNT, but far harder on them once they get caught at it.

If you're asking out of personal curiosity, I hope this is adequate. If for some other use, please let me know what you are looking for and I'll try to help. You might (or might not) also be interested in Tracking Protection Lists.

	Aleecia
	(co-chair of DNT spec; PhD advisor was Lorrie Faith Cranor who chaired the P3P spec; speaking only for myself and not Mozilla, Stanford, or W3C)


On Feb 28, 2012, at 4:36 AM, Eyal Sela (ISOC-IL) wrote:

> What are the main differences and so on?
> 
> Thanks,
> 
> Eyal.
> 
> 
> 

Received on Tuesday, 28 February 2012 17:06:29 UTC
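
An added example, not part of the original message: one way to audit a P3P response header for the nonsense compact policies described above, by checking each CP token against the compact-policy vocabulary of the P3P 1.0 specification. The function name, result fields and sample header values are assumptions constructed for illustration.

```python
import re

# Compact-policy tokens as listed in the P3P 1.0 specification, by element.
_PLAIN = {
    "ACCESS": "NOI ALL CAO IDC OTI NON",
    "DISPUTES": "DSP",
    "REMEDIES": "COR MON LAW",
    "NON-IDENTIFIABLE": "NID",
    "PURPOSE": "CUR",
    "RECIPIENT": "OUR",
    "RETENTION": "NOR STP LEG BUS IND",
    "CATEGORIES": "PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE "
                  "LOC GOV OTC",
    "TEST": "TST",
}
# These tokens may carry a one-letter suffix: a (always), i (opt-in), o (opt-out).
_SUFFIXED = {
    "PURPOSE": "ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP",
    "RECIPIENT": "DEL SAM UNR PUB OTR",
}
TOKENS = {t: elem for elem, ts in _PLAIN.items() for t in ts.split()}
for _elem, _ts in _SUFFIXED.items():
    for _t in _ts.split():
        for _s in ("", "a", "i", "o"):
            TOKENS[_t + _s] = _elem

_CP_RE = re.compile(r'\bCP\s*=\s*"([^"]*)"', re.IGNORECASE)

def audit_p3p_header(value):
    """Sort the CP tokens of one P3P response-header value into known/unknown."""
    m = _CP_RE.search(value)
    if m is None:
        return {"has_cp": False, "known": {}, "unknown": [], "valid": False}
    known, unknown = {}, []
    for tok in m.group(1).split():
        if tok in TOKENS:
            known.setdefault(TOKENS[tok], []).append(tok)
        else:
            unknown.append(tok)
    # Valid only if at least one token is present and none is outside the vocabulary.
    return {"has_cp": True, "known": known, "unknown": unknown,
            "valid": bool(known) and not unknown}

# Constructed sample header values (not captured traffic).
SAMPLES = [
    'CP="NOI DSP COR ADMa OUR BUS NAV", policyref="/w3c/p3p.xml"',
    'CP="HONK"',
    'policyref="/w3c/p3p.xml"',
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", audit_p3p_header(s))
```

A site crawler or proxy log review can run this over observed P3P headers and report any value whose `unknown` list is non-empty.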