
Facebook to Microsoft: P3P is outdated, what else ya got? - Slimy
http://www.zdnet.com/blog/facebook/facebook-to-microsoft-p3p-is-outdated-what-else-ya-got/9332
======
rlpb
It seems crazy to me for my browser to trust what a site declares about its
practices anyway. I don't mind having a whitelist. Expecting sites to add
themselves to my whitelist is just crazy, because the sites I trust the least
are the sites that are most likely to lie.

I don't have a problem with what Google and Facebook are doing here. By
choosing to use them I implicitly accept their policies anyway. If I chose not
to use them, I'm sure their public nature means that every privacy blocker out
there can blacklist them for me.

Surely the real problem is that IE by default believes malicious sites that
claim to respect my privacy?

~~~
stanleydrew
The real problem is that the standard requires a browser vendor to behave in
this way. Microsoft is implementing the standard, but arguably shouldn't since
it appears to be outdated and flawed to begin with.

~~~
dmethvin
I think the reasoning of P3P was that a site would declare what it uses the
information for, and if it was found otherwise the liars would be dealt with
by conventional legal means. Theoretically that should work well for
legitimate companies with a lot to lose, and not so much for malicious sites
with nothing to lose that work outside the law anyway. But what do you know,
big sites like Google and Facebook have circumvented these P3P rules and will
probably not suffer at all, even though they are clearly violating the
standard to force their cookies through. But "we need to get our cookies
through" is no excuse for circumvention.

About 10 years ago I worked on a site that put together a P3P policy; it was a
nightmare. Like many other sites, we needed multiple P3P policies. Your
ecommerce site probably has different things it stores compared to your
marketing pages, for example, and you certainly don't want your marketing or
blog pages saying that you are storing name/address/credit-card and scaring
the crap out of people wondering how you are even getting that info off their
system.

You can still find the decade-old tools over at p3ptoolbox.org that help you
build a P3P policy; God forbid you try to build it by reading the spec. It
also seems ironic that p3ptoolbox.org doesn't have a P3P policy and hasn't
been updated since 2005.

------
PaulHoule
Wow, back in the early '00s I couldn't write a P3P policy that described what
I did with user data...

------
voidr
Google can't track you unless I put Google's code on my site to make money,
otherwise I wouldn't have my site and you would have nothing to read.

I have a fine idea: why not block a whole site if it offers a 3rd party
cookie? I mean, if the site offers evil tracking cookies, then the site must be
evil, right? Or maybe this whole thing is just part of Microsoft's smear
campaign.

------
yanw
How come Facebook wasn't included in Microsoft's PR-agency announced P3P
"revelation"?

~~~
CurtHagenlocher
I'm sure it has nothing to do with Microsoft's investment in Facebook.

Is this a rhetorical question?

