P3P Misses The Boat

Privacy standard has the right idea, but the wrong execution

November 20, 2007

2 Min Read
Network Computing logo

9:15 AM -- While I was at the OWASP/WASC AppSec 2007 conference in San Jose, Calif., this week, I had the opportunity to give a talk to my peers about the past, present, and future of browser security. Among other things, I suggested that browser technology should allow Websites to protect themselves from users who are subversively tricked into doing bad things in their browser, usually through cross-site scripting.

One of the attendees asked how my ideas differed from Platform for Privacy Preferences (P3P), the proposed standard for protecting user privacy on the Net. It was a good question.

Before I answered the question, I asked how many in the audience had read the O'Reilly book on P3P. Only the person who had asked the question (and myself) had actually read that book. Before you go run out and buy it, save yourself the trouble -- reading it was a huge waste of time. If you're one of the many who hasn't read it, P3P was designed as a method for people to understand the privacy policy of the companies they deal with.

The problems with P3P are many. It is a technical solution that requires integration with the browser, and most browsers either don't do anything with this information or they surface the information in obscure text boxes.

To see how P3P works, use Internet Explorer 7.0 to visit Yahoo's homepage. Click on "Page," then on "Web Page Privacy Policy" to see the privacy policy for Yahoo. It's an interesting idea, but it can be faked, there's no easy way to tell that the page supports P3P, and most consumers don't know how to find and use that information.

What I'm advocating are changes that are invisible to users -- and that require no interaction to protect them -- rather than information-only changes. P3P's purpose is good, but in practice it's almost completely worthless, except to the few people who know it exists. The problem can be solved much more easily by having an easy-to-find privacy policy in the footer of the page.

We should focus less on giving consumers choices -- which they already have -- and more on giving them the protection they expect.

– RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F*the.net. Special to Dark Reading

SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox
Sign-Up

You May Also Like

More Insights
Webinars
More Webinars
Reports
More Reports

Editor's Choice

Nextgen network management
Network Management
Nextgen Network Management: What’s Next and Are We Ready?Nextgen Network Management: What’s Next and Are We Ready?
byMary E. Shacklett, President, Transworld Data
May 27, 2024
4 Min Read
SASE Explained: Definition, Benefits, and Best Practice
SASE Networking
SASE Explained: Definition, Benefits, and Best PracticeSASE Explained: Definition, Benefits, and Best Practice
bySalvatore Salamone, Managing Editor, Network Computing
May 1, 2023
22 Min Read
NaaS 2024: A Look at the Future of Network Services
Network Infrastructure
NaaS 2024: A Look at the Future of Network ServicesNaaS 2024: A Look at the Future of Network Services
byPascal Menezes, MEF
Mar 22, 2024
5 Min Read
Webinars
More Webinars
White Papers
More White Papers
Reports
More Reports
Live Events
More Live Events
May 2, 2024
While there are plentiful options in cyber resiliency and business continuity tools and platforms, there isn’t one that can knock out everything from sudden cloud outages to prolonged ransomware attacks in a single punch. What can you do to keep the company on its feet no matter what is thrown at it? Find out in this new virtual event.
Reserve Your Seat