Report on the Platform for Privacy Preferences Privacy from Companies6/22/2000; 2:48:06 PM I've been examining the Platform for Privacy Preferences stuff, though I haven't had time to read through the actual standard.While P3P is powerful, it is amazingly complicated (even by computer geek standards!), which has been noted by several others I've read. I looked at AT&T's policy file, and it's huge and full of... stuff. P3P has complexity-through-too-many-options written all over it. Not only will sites and browsers need to adapt to using it before it will be of any use, powerful tools will need to be freely available to assist in generating these complicated files. AT&T has a generator based on earlier drafts, but a simple examination of some of the code it output shows it's not half as complicated as the AT&T site's code, nor was that simple generator enough for me to truly specify this site's privacy policy. Critique of P3P, along with a decent (albiet biased) summary: Pretty Poor Privacy: An Assessment of P3P and Internet Privacy. Summary:

This report examines whether P3P is an effective solution to growing public concerns about online privacy. The report surveys earlier experience with "cookie" technology and notes similarities. The report finds that P3P fails to comply with baseline standards for privacy protection. It is a complex and confusing protocol that will make it more difficult for Internet users to protect their privacy. P3P also fails to address many of the privacy problems specifically associated with the Internet. The report further finds that earlier versions of P3P were withdrawn because the developers recognized that the proposed negotiation process was too burdensome for users and that the automatic transfer of personal information would be widely opposed. It is anticipated that this version of P3P will also be significantly overhauled once it is reviewed. The report concludes that there is little evidence to support the industry claim that P3P will improve user privacy citing the widely accepted Fair Information Practices.The report recommends the adoption of privacy standards built on Fair Information Practices and genuine Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. Simple, predictable rules for the collection and use of personal information will also support consumer trust and confidence. P3P, on the other hand, is likely to undermine public confidence in Internet privacy.

By far the most damning thing against P3P was said by the European Union (which has actual privacy policies) after evaluating P3P for use, which the paper relays:

A technical platform for privacy protection will not in itself be sufficient to protect privacy on the web. It must be applied within the context of a framework of enforceable data protection rules, which provide a minimum and non-negotiable level of privacy protection for all individuals. Use of P3P in the absence of such a framework risks shifting the onus primarily onto the individual user to protect himself, a development which would undermine the internationally established principle that it is the "data controller" who is responsible for complying with data protection principles.

Emphasis mine.Anyhow, iRights hypothetically is in compliance with this standard, just for fun, even though there's not a browser on the planet that can easily use P3P and I'd probably remove the P3P code if there was such a browser (as the code would only annoy users of that browser). If you look in the source of this page, you'll find a LINK to the code I linked to above, which is supposed to tell browsers where my P3P policy is. If I am correctly compliant, apparently I'm one of the first. This means that, if you were using a P3P compatible browser, and you tell the browser you do not want to give out any information to a site, you would either get a warning about this site or be blocked. The problem is, I don't collect any information about you, it's just that if you want to post a message in the discussion area, you have to sign up as a member. I don't use that info in any other way, I don't require that you give it to me. I'm not sure that P3P would let me correctly express "This site asks that you give it your real name if and only if you chose to participate on its message boards."I see no real reason to believe this will provide anything but a buzzword to crawl behind and a way to maintain the status quo. I'd like to see it improve privacy on the web, but I think it's destined to end up like the TRUSTe seal,