Full CNN Article [cnn.com]
Larry Ponemon of the Privacy Council, an advisory organization for large companies, says P3P strips away the ability to have statements purposely containing loopholes or inconsistencies. "They don't see the value, need for this," he said. "A lot of organizations feel they are being forced."
(edited by: tedster at 6:05 am (utc) on Mar. 17, 2002)
People are not interested yet. In my experience.
"Does it really work for the average user, or is it too complicated?" said Sharon Anolik, chief privacy officer at Ask Jeeves Inc. "We want to make sure it's a right solution."
Not only is it too complex for the average user, they don't have a clue that it exists! What exactly are the forces behind the creation of a "solution" that users won't grok and websites are so wary about?
Where was the "buzz?" I work in music marketing and we work very hard to create interest long before an artist releases any new material.
It is all just basic marketing, which entails getting all the good points of a product out there so when it hits the shelves... people want it, instead of saying, "huh?"
Pity...
These are just some ideas I'm playing with:
1. The industry needs to head off privacy advocates at the pass -- we don't want to see a spread of that cookie legislation mess they've got in Europe.
2. By putting an obfuscated privacy policy upfront, but making it too techy for the average user, the path may actually be clear for LESS privacy in reality and more personal data collection (how's that for a paranoid thought?)
If your clients do any business in Europe, then the answer is a clear YES.
Most European countries (all of the EC and then some) have legislation in place that makes it mandatory for a business site to clearly and unambiguously state its privacy policy. The purpose of P3P is to ensure exactly this. If you use P3P on your site, then no authority or competitor can blame you for violating this kind of legislation, as you are using a globally accepted official W3C standard.
And for the grokability of P3P, this is not really an issue. After all, P3P requires that the same policy be also stated on the site in clear English (or whatever the language of the site) in human readable form. P3P is only a more formal representation of the information that you should have on your site anyway. It has the additional advantage of being language-independent. If a visitor from Japan visits your site and has trouble understanding your English-language legalese, then he can check with P3P, and his browser will present him the same information in unambiguous terms in Japanese. This is very hard to beat if you want to gain trust with international users.
Of course, if a site is exclusively targeted at visitors from the US, then privacy is not really a concern. The general public there simply doesn't seem to understand the concept. Heck, they don't even care that every bozo can look up their credit and health care history on the net. You'd be surprised at the results if you tried that in Europe...
I've seen very few emails asking, "Do I have to?" and many emails asking, "How do I?" Interest in the technology is increasing and given that it is relatively new to most people I think a 33% implementation rate is rather good.
Some companies have questioned whether the brief privacy declarations will be so simple that they would be open to charges of deceptive practices.
That is a misconception that can be cleared up by simply asking someone with IE6 to visit a site that is P3P compliant and asking them to click "View" and then click Privacy Report.
P3P was never intended to enforce privacy policies. It's about accessibility and standardization. The majority of privacy advocates that are concerned with enforcing privacy policies should look to legislators and litigators, not technology for a way to enforce privacy policies. Many of the people that seem to be concerned with everyone else's privacy send unencrypted email to my inbox so I have to wonder how concerned they really are with privacy to begin with.
The majority of privacy advocates that are ranting against the implementation are measuring P3P against a yardstick that it wasn't designed to be tested against. A screwdriver doesn't drive nails effectively, but that doesn't make it any less effective at turning screws...
DG
P3P is essentially a set of questions about what information sites collect and how they use it. The sites' answers get translated into machine-readable code. Software then matches sites' practices with users' privacy preferences. It can warn users when a site collects or shares more data than they want.
Assuming ample budget resources and sophisticated web developers, it's probably feasible for that level of web sites. But for the majority of sites that are more grass-roots in scope and functionality, limited in budget allocations and developed by a different cadre of webmasters it would be an impossibility.
There's an army of "fair to middlin'" webmasters and do-it-yourselfers out there, and without question, to them the W3C's presentation of standards is incomprehensible geek-speak. If a lot were translated into language geared to the vast number of webmasters who are at a more limited level, imho it would accomplish a purpose it's now falling far short of.
Aunt Jane in Minnesota who wants to sell her beeswax on the internet will not be hiring a $10K web developer, she'll be downloading a free editor and with a little help from her friends will become an entrepreneuress with a web site. Sure, she'd be willing to put a good privacy policy on and anything else that'll make it a good web site. But she needs to be able to understand what that is in order to implement it.
If the purpose of W3C is to establish standards and encourage compliance, they'll have to make information about those standards a little more widely accessible.
"Do we have to?"
They won't if they don't know what it is to begin with. W3C has an accessibility problem.
I've had many people become P3P compliant following a few simple steps. There is no need for an expensive developer to make a site P3P compliant.
Those sites that serve up content in frames from more than one host or bridge many sites take more time, but usually have the developers capable of doing the job.
I've never been one for "dumbing down." That always gives rise to more problems.
Since I've seen more than one webmaster become compliant following a tutorial designed for the "average webmaster", your argument won't suffice. If Aunt Jane wants her site to be P3P compliant it can be. With no other expense than a small time investment.
DG
There's an army of "fair to middlin'" webmasters and do-it-yourselfers out there, and without question, to them the W3C's presentation of standards is incomprehensible geek-speak.
Probably true, but you can go to a wizard on microsoft.com and it asks you these questions in plain English (with drop down menu responses, I think). Anyone can do it, even Aunt Bea. The free editors can simply add this as a menu option.
And as far as I know, the only penalty for not having P3P is not being able to send cookies. I don't think the Aunt Beas of the world will be using cookies... ;)
Same story here, not difficult at all. Downloaded the IBM P3P editor and also needed the Sun Java machine (also free) since ME does not come with one. Created the XML document in about 15 minutes. I do agree however, that if one is not accustomed to reading "geek" then the W3C over-kill explanation can be a bit much.
Also very hip: W3C will give you a link when you email them that your site passes their P3P validator and is in compliance.
The editor didn't come with a file I needed and there wasn't much at the time documenting the need for the JRE.
The validator kicked out a few errors the first time and after fixing most of those the validator still kicked out a no link and no header error. There was nothing to indicate those errors were invalid so I wrote Kioche and that was when he explained that only one of three methods was required for validation.
I wasn't really happy with the W3C's info regarding the files needed, the validation errors and the terminology they used so I wrote a short tutorial and started using that link in my email to inquiries from people that wanted their sites to be P3P compliant.
IE6 does require a compact policy and there's been quite a bit of debate about that but relatively few problems with becoming compliant.
The exceptions are complex sites, sites with content or applications served in frames from more than one server and sites with one policy that are bridged to several sites.
The privacy advocates want to ask too much from the technology, as if somehow the policy can enforce itself. That was never the goal but that particular strawman is the banner for most of the opposition.
The gent from Classmates.com expressed a view that is troublesome and prevalent.
Michael Schutzler, chief executive of Classmates.com, worries that users will interpret any disclosure of cookies as evil -- even though they can be helpful in personalizing a user's experience.
So rather than educate the masses about cookies he proposes what? Keep them in the dark? The implied statement, "surfers are stupid", is prevalent, and wrong. In any event, withholding information to protect surfers from themselves (read: reduce my traffic and sales if surfers think the site is using evil cookies) is not the way to conduct business.
Some companies have questioned whether the brief privacy declarations will be so simple that they would be open to charges of deceptive practices.
Those businesses obviously haven't looked at a P3P implementation. The human readable policy is linked to from the View Privacy window. The human policy can be generated by the P3P editor, or written by the legal team or webmaster.
Many of those same privacy advocates that oppose P3P don't have a public PGP key on the server so I question if they are devoted to the issue, or their cause.
<advocacy>P3P</advocacy>
DG