- From: Lorrie Cranor <lorrie@research.att.com>
- Date: Mon, 12 Nov 2001 09:30:27 -0500
- To: "David Wall" <dwall@Yozons.com>, <www-p3p-public-comments@w3.org>
Dear David, Thank you for your comments about P3P. We are sorry that you have had difficulties implementing P3P on your web site. We are in the process of developing better documentation, which we think will make the P3P implementation process much easier. In addition, a number of software tools are under development which make this process much easier. http://www.w3.org/P3P/implementations has the latest information on implementations. The IBM P3P Policy Editor is a good tool for generating P3P policies. The P3P Compact Policy Translator can help you understand what your compact policy really says. Let me also try to address some of your comments and questions. > 1) It's too complex, allowing policies to vary page by page. This is an option -- but most web sites seem to be declaring one policy for the whole site. Sites do not have to take advantage of this complexity. > 2) It requires changes to all existing web sites/pages. Deploying P3P requires each web site to add one or two files to the site. It does not require changes to every page, nor the installation of any new web site software. > 3) Generating an accurate policy.xml file is quite complex compared to describing the situation in the human readable privacy policy. If you use a P3P policy generator tool the problem should not be that complex. Furthermore, we hope it will become easier as better documentation becomes available over the next few months. > 4) Who enforces that the policy.xml or compact policy are accurate for a site? What's the fallback if the site says they do X to allow a user agent such as IE 6 to believe they don't track you, etc., but then do Y instead? This is the same problem we have enforcing human-readable privacy policies. How do you know that they are accurate? Depending on what country or jurisdiction a web site is in, there is probably a government agency that would investigate accusations of false claims in privacy policies. We expect that such agencies would also be interested in false claims in P3P policies. > 5) It's rather hard for a web site to be compliant, generating accurate policies, keeping them up-to-date, etc. The same thing holds true for huaman-readable privacy policies. Sites should be very careful any time they change their practices in ways that impact their privacy policies. > 6) It's rather hard for a user agent to make sense of such policies. Actually, since user agents are computer programs, they can be developed to do all sorts of interesting things with P3P policies, including functioning exactly as you describe in your next point. > 7) It's rather hard for an end user to make sense of such policies. > > It seems that a simpler standard would have been more powerful, including the ability for the user agent to determine: > > a) Allow/disallow persistent cookies. > > b) Allow/disallow session cookies. > > c) Allow/disallow third-party cookies. > > d) Warn if a site shares my information with third parties for marketing purposes. > > e) Warn if a site doesn't have a customer service mechanism to correct incorrect data about me. > > f) Warn if a site doesn't allow me access to view and update the data they keep about me. > > g) Provide a link to their posted privacy policy page. > > Personally, these questions are much easier for me to handle as a web site operate and as a web surfer, and I have the basic control I need. In practice, privacy policies change over time, and unless users keep a copy of each policy as they visit and the time they visited it, it would be hard to claim that a web site violated their privacy policy if the most current policy would not be in violation. And what remedies does the average Joe have if the web site does violate the policy, and how would that Joe even know it? These are all things that a user agent could do. It is now up to software implementers to decide whether a user agent with this sort of functionality is worth building. Right now we're seeing fairly simple user agents that essential put an overlay on top of the complicated choices so that end users see something much simpler. > Is this standard just something to make people feel good, but the implementation will be so complex that it's ignored by the masses? No. We realize it will take some time for implementers to figure out what the best ways are to present these complicated concepts to users in a useful way, but we do believe that over time P3P will become something truely useful. If your company focusses on the privacy of the individual, then I think you should be able to appreciate this. There are a lot of different opinons about what are the important privacy issues, and these vary from country to country as well as from person to person. We developed P3P to be very flexible, but we expect that user agent tools will be developed that will simplify this complexity for users. > Our company focuses on the privacy of the individual. We use cookies to track the login/use of our web app while logged on. We encrypt all client data. We don't share with third parties and don't do any advertising. Yet I've found getting a P3P privacy policy in place rather complex (I'm not entirely sure it's accurate in comparison to the human readable one which is), less sure about the compact policy since I don't really even know what it says (because of the cryptic codes!), and yet IE 6 still won't work with my site when using HIGH level security -- though it will at medium-high. Oh well... You may find http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpriv/html /ie6privacyfeature.asp useful for better understanding IE6. You may also be interested in joining the www-p3p-policy mailing list to discuss your questions with other folks working on implementing P3P http://lists.w3.org/Archives/Public/www-p3p-policy/ Regards, Lorrie Cranor P3P Specification Working Group Chair > David > --------------------------------------------- > David A. E. Wall > Chief Software Architect > Yozons, Inc. > 724 17th Avenue > Kirkland, WA 98033 USA > Tel 425.822.4465 dwall@yozons.com > Fax 425.827.9415 www.yozons.com
Received on Monday, 12 November 2001 09:32:35 UTC