Well, actually, since this web stuff is sort of my profession, I thought I should play around with P3P as a learning exercise.
P3P is a privacy protocol being developed by W3. Since it’s under the auspices of W3, it is likely to be the standard. If it becomes a widely adopted standard, I’m going to need to know. And I already know a few major corporations are adopting it.
Of course, I wonder how many users will want to see these nag warnings all the time? I can’t imagine too many users now have their browsers set to warn them when a site is setting a cookie.
On the other hand, that won’t be the only way users can take advantage of P3P.
To get started with P3P, I went to the W3 site for the issue. Read the top of the specification, skimmed the rest and surfed around the rest of the site. Yeah, so far I haven’t dug into all of the documentation.
I was more eager to actually try creating a P3P policy, so I downloaded one of the P3P editors — in this case, the one from IBM.
IBM’s editor does make creating a policy pretty easy. It allows you to identify and define the policy topics applicable to your site, and then it generates an HTML file and an XML file for publication. And who would want to manually create such an XML file? That part is cool.
But the IBM package made no allowance for this complete disconnect from user data and the cookies. There was no way to write a policy that was both truthful and could avoid this warning:
Unsatisfactory policy: this compact policy is considered unsatisfactory according to the rules defined by Internet Explorer 6. The behavior of Internet Explorer 6 regarding cookies set under this compact policy is as follows:
In detail, the warning says:
A policy which is considered unsatisfactory by Internet Explorer 6 contains certain categories of data which are used or shared in a particular manner. This policy is placed in the unsatisfactory category, because the following categories of data are associated with this policy’s cookies:
- Physical contact information is collected.
- Online contact information is collected.
In addition, the data is used in the following manner, marking the policy as unsatisfactory:
- The data is used for other purposes.
- The data is given to other organizations with different privacy practices.
- The data is made public.
Note that allowing an opt-out will make this policy acceptable under the Low and Medium settings, and under Medium High for first-party cookie usage. At the High setting, and at the Medium High setting for third-party cookies, all of these data uses must be opt-in for the policy to be considered satisfactory.
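To make the warning's rule concrete, here is a small evaluator I am adding as an illustration; it is not code from the original post, from IBM's editor, or from Internet Explorer. It models only the rule the quoted warning spells out (physical or online contact information collected, combined with "other purposes", "other recipients" or "public" uses, rescued by an opt-out at Low/Medium and first-party Medium High, and only by an opt-in at High and third-party Medium High). IE6's real rule set is larger than that, so treat the verdicts as a reading of the warning, not a reimplementation of the browser. The three-letter tokens (PHY, ONL, OTP, OTR, PUB) and the a/i/o suffixes are the P3P 1.0 compact-policy vocabulary; the `first_party` flag, the setting names and the sample CP strings are my own constructions.

```python
"""Evaluate a P3P compact policy (the CP="..." header value) against the
IE6 'unsatisfactory policy' rule as described in the quoted warning.
Added example: models only the rule stated in that warning, not all of IE6."""

import re

# P3P 1.0 compact-policy tokens the warning refers to.
SENSITIVE_CATEGORIES = {"PHY", "ONL"}   # physical / online contact information
FLAGGED_USES = {"OTP", "OTR", "PUB"}    # other purposes / other recipients / made public

# Privacy-slider names are an assumption for this example, not IE6 identifiers.
SETTINGS = ("low", "medium", "medium-high", "high")

# A token is three capital letters, optionally followed by a = always,
# i = opt-in or o = opt-out (purpose and recipient tokens only).
TOKEN_RE = re.compile(r"^([A-Z]{3})([aio])?$")


def parse_compact_policy(cp):
    """Turn 'NOI DSP PHY ONL OTPo' into {'NOI': None, ..., 'OTP': 'o'}."""
    tokens = {}
    for raw in cp.strip().strip('"').split():
        m = TOKEN_RE.match(raw)
        if not m:
            raise ValueError(f"malformed compact-policy token: {raw!r}")
        tokens[m.group(1)] = m.group(2)
    return tokens


def evaluate(cp, setting, first_party=True):
    """Return (verdict, reasons) for one privacy setting.

    verdict is 'satisfactory' or 'unsatisfactory'; reasons lists the uses
    that triggered the unsatisfactory rating.
    """
    if setting not in SETTINGS:
        raise ValueError(f"unknown setting: {setting!r}")
    tokens = parse_compact_policy(cp)

    # No physical/online contact information collected -> the rule does not apply.
    if not (SENSITIVE_CATEGORIES & tokens.keys()):
        return "satisfactory", []

    # High, and Medium High for third-party cookies, demand opt-in;
    # the other cases are satisfied by opt-out as well.
    strict = setting == "high" or (setting == "medium-high" and not first_party)
    acceptable = {"i"} if strict else {"i", "o"}

    reasons = []
    for use in sorted(FLAGGED_USES & tokens.keys()):
        attr = tokens[use]
        if attr not in acceptable:
            reasons.append(
                f"{use}{attr or ''}: needs {'opt-in' if strict else 'opt-out or opt-in'}"
            )
    return ("unsatisfactory", reasons) if reasons else ("satisfactory", [])


def verdicts_by_setting(cp, first_party=True):
    """Map every setting to its verdict, the way the editor's warning summarizes it."""
    return {s: evaluate(cp, s, first_party)[0] for s in SETTINGS}


if __name__ == "__main__":
    # Constructed sample policies: the same data uses with no opt-out,
    # with opt-out, and with opt-in.
    for cp in ("NOI DSP COR PHY ONL OTPa OTRa PUBa",
               "NOI DSP COR PHY ONL OTPo OTRo PUBo",
               "NOI DSP COR PHY ONL OTPi OTRi PUBi"):
        print(cp)
        print("  first-party:", verdicts_by_setting(cp, True))
        print("  third-party:", verdicts_by_setting(cp, False))
```

Running it shows the shape of the problem described above: with every use marked "always" the policy fails everywhere, adding opt-out rescues it except at High and third-party Medium High, and only opt-in clears every setting.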
Here is my human-readable policy, and here is my XML policy.
UPDATE: I just remembered, on the comments I allow users to set cookies to remember who they are, so the form is automatically populated with their info when they comment on the next visit. Yuk, now I’ll have to review my policy and see if it changes anything. I think the P3P editor might just have gagged on this bit of info.