W3C home > Mailing lists > Public > www-p3p-public-comments@w3.org > November 2001

Can P3P work in the real world?

From: David Wall <dwall@Yozons.com>
Date: Sun, 11 Nov 2001 14:01:08 -0500 (EST)
Message-ID: <006f01c16ae3$1e9b4fe0$5a2b7ad8@expertrade.com>
To: <www-p3p-public-comments@w3.org>
P3P seems ripe for failure:

1) It's too complex, allowing policies to vary page by page.

2) It requires changes to all existing web sites/pages.

3) Generating an accurate policy.xml file is quite complex compared to describing the situation in the human readable privacy policy.

4) Who enforces that the policy.xml or compact policy are accurate for a site?  What's the fallback if the site says they do X to allow a user agent such as IE 6 to believe they don't track you, etc., but then do Y instead?

5) It's rather hard for a web site to be compliant, generating accurate policies, keeping them up-to-date, etc.

6) It's rather hard for a user agent to make sense of such policies.

7) It's rather hard for an end user to make sense of such policies.

It seems that a simpler standard would have been more powerful, including the ability for the user agent to determine:

a) Allow/disallow persistent cookies.

b) Allow/disallow session cookies.

c) Allow/disallow third-party cookies.

d) Warn if a site shares my information with third parties for marketing purposes.

e) Warn if a site doesn't have a customer service mechanism to correct incorrect data about me.

f) Warn if a site doesn't allow me access to view and update the data they keep about me.

g) Provide a link to their posted privacy policy page.

Personally, these questions are much easier for me to handle as a web site operate and as a web surfer, and I have the basic control I need.  In practice, privacy policies change over time, and unless users keep a copy of each policy as they visit and the time they visited it, it would be hard to claim that a web site violated their privacy policy if the most current policy would not be in violation.  And what remedies does the average Joe have if the web site does violate the policy, and how would that Joe even know it?

Is this standard just something to make people feel good, but the implementation will be so complex that it's ignored by the masses?  Our company focuses on the privacy of the individual.  We use cookies to track the login/use of our web app while logged on.  We encrypt all client data.  We don't share with third parties and don't do any advertising.  Yet I've found getting a P3P privacy policy in place rather complex (I'm not entirely sure it's accurate in comparison to the human readable one which is), less sure about the compact policy since I don't really even know what it says (because of the cryptic codes!), and yet IE 6 still won't work with my site when using HIGH level security -- though it will at medium-high.  Oh well...

David A. E. Wall
Chief Software Architect
Yozons, Inc.
724 17th Avenue
Kirkland, WA 98033 USA
Tel 425.822.4465    dwall@yozons.com
Fax 425.827.9415    www.yozons.com
Received on Monday, 12 November 2001 08:50:27 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:43:00 UTC