W3C home > Mailing lists > Public > www-p3p-public-comments@w3.org > November 2001

Re: Can P3P work in the real world?

From: David Wall <dwall@Yozons.com>
Date: Mon, 12 Nov 2001 14:35:16 -0800
Message-ID: <02c201c16bca$4e4512c0$5a2b7ad8@expertrade.com>
To: "Lorrie Cranor" <lorrie@research.att.com>, <www-p3p-public-comments@w3.org>

Thanks for your response.  It's not that I don't like P3P, but I just wonder
if a smaller, simpler first step might have been better.

> > 1) It's too complex, allowing policies to vary page by page.
> This is an option -- but most web sites seem to be
> declaring one policy for the whole site. Sites do not have
> to take advantage of this complexity.

I wonder if this has more to do with the complexity than anything else.
After all, most privacy policies were written to cover the entire site
because it would be way to confusing to visitors to have policies that vary
page by page.  In our world, our policy actually does vary page by page, but
we chose to say our policy covers the entire site because it's easier to
understand.  (For example, we don't track users at all while on our public
site, but we do as soon as they go to the registration/signup page.)

> > 2) It requires changes to all existing web sites/pages.
> Deploying P3P requires each web site to add one or
> two files to the site. It does not require changes to every
> page, nor the installation of any new web site software.

Well, sort of.  Compact policies are returned in HTTP headers, so each page
either needs to send that header, or the web server needs to be tweaked to
always send them out.  If the web server does it, generally that means the
same compact policy must be sent for all pages in the web site.

> > 3) Generating an accurate policy.xml file is quite complex compared to
> describing the situation in the human readable privacy policy.
> If you use a P3P policy generator tool the problem should
> not be that complex. Furthermore, we hope it will become
> easier as better documentation becomes available over
> the next few months.

The complexity is not with the XML or the tool, but understanding what all
of the attributes really mean so that we are correctly converting our
standard privacy policy into the attributes defined in P3P.  There are lots
of categories and options that make it more complex to know what's going on.

> > 4) Who enforces that the policy.xml or compact policy are accurate for a
> site?  What's the fallback if the site says they do X to allow a user
> such as IE 6 to believe they don't track you, etc., but then do Y instead?
> This is the same problem we have enforcing human-readable
> privacy policies. How do you know that they are accurate?
> Depending on what country or jurisdiction a web site is in,
> there is probably a government agency that would investigate
> accusations of false claims in privacy policies. We expect that
> such agencies would also be interested in false claims in
> P3P policies.

Agreed, but why create a solution that has the same pitfalls?  At least
people could read the regular policy, but they generally can't read the P3P,
so if I spoof the P3P -- and especially the compact policies in the HTTP
headers -- the user would be tricked without even knowing it.  And privacy
policies are easy to print if you are concerned, but the others less so.

> > 6) It's rather hard for a user agent to make sense of such policies.
> Actually, since user agents are computer programs, they can
> be developed to do all sorts of interesting things with P3P policies,
> including functioning exactly as you describe in your next point.

Agreed, though the user-agent needs to let a person know what they are
trying to accomplish in order to parse it out.  And it's one thing to say
"don't share with a third party" is what I want, but if I enter a credit
card, then a third party is guaranteed since you want to validate the card.
But this is dramatically different from sharing information to a third party
marketing company which creates spam and is often what people want to avoid.

> > Is this standard just something to make people feel good, but the
> implementation will be so complex that it's ignored by the masses?
> No. We realize it will take some time for implementers to
> figure out what the best ways are to present these complicated
> concepts to users in a useful way, but we do believe that over
> time P3P will become something truely useful. If your company
> focusses on the privacy of the individual, then I think you
> should be able to appreciate this. There are a lot of different
> opinons about what are the important privacy issues, and
> these vary from country to country as well as from person to person.
> We developed P3P to be very flexible, but we expect that user
> agent tools will be developed that will simplify this complexity
> for users.

I guess time will tell.  I'd have preferred a simpler model up front so that
most sites could easily setup their policies using a limited set of
information that are perhaps the most critical for web users.  Complexity
could grow over time as people came up to speed.  If I have a hard time
understanding what the various options mean in a privacy policy and in the
compact policy, for sure a typical end-user won't have a clue, and many web
site administrators won't know either.  We just trust that the info pumped
out by tools like IBM's P3P tool are correct and reflect what we really do.

> You may find
> /ie6privacyfeature.asp
> useful for better understanding IE6. You may also be interested
> in joining the www-p3p-policy mailing list
> to discuss your questions with other folks working on
> implementing P3P
> http://lists.w3.org/Archives/Public/www-p3p-policy/

Thanks. The links were useful, though even reading how IE6 works continues
to confuse me.  Our current compact policies show up as:


I'll continue to struggle with this, to ensure that these things really
represent our cookie policies.  In general, we don't require any cookie
other than a session cookie to track the user while logged on, yet we're
blocked by IE6 in HIGH mode, but are fine in MEDIUM-HIGH.  I'm not entirely
sure why.  Obviously, we customize the user's view when logged in so that
they see their data (what would the privacy be if we showed them other
people's data? <wink>), and because they are customers, they have provided
us credit card information, so we have contact and financial info that they
are free to update.  But if they were not our customer and were just a
recipient of a document from our customer, they don't need to provide us any
of that information, yet they are on the same site.  So the use of a cookie
depends -- even if the cookie just as a session id in it.  The cookie does
have financial info related to it -- though not stored in the cookie! -- for
customers, but not for others, and sending out different compact policies
for that means I have to change every page to emit the right CP depending on
the customer's mode of use.  Yikes!

Best of luck, and thanks for your reply....

Received on Monday, 12 November 2001 17:35:17 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:43:00 UTC