"A key problem that occurs with the use of P3P is that there is a lack of enforcement." You can "promess" one thing through P3P, but do something different with the data you gather.
The only time I used P3P was to get around some restrictions with Internet Explorer.
You sure that policy is right? I don't understand the spec, nor how to read the P3P policy, but looking at http://www.w3.org/TR/P3P/ seems to indicate these might be problematic:
NOI = Web site does not collect identified data.
OUR = Recipient of the information is your company (only)
STP = The retained information will only ever be used for the currently stated purposes.
This is what I use for the same purpose (and I am sure it works), though I am not sure which item or min combo of items is required. Once I beat back the IE demons, I called it a day.
CP="CAO DSP COR CURa ADMa DEVa TAIo PSAo PSDo IVAo IVDo OUR BUS IND UNI COM NAV INT"
That's exactly my point. Everyone just Googles and puts random stuff in there until it works.
One day someone will get sued over it, because that policy is telling the browser what you say you will do with that data.
Imagine if financial reporting software worked like this: "Oh, we just tried outputting different values in the balance sheets until our stock went up".
> Imagine if financial reporting software worked like this: "Oh, we just tried outputting different values in the balance sheets until our stock went up".
You're making me wonder if they don't do some kind of A/B testing already....
Have you been reading the news the past 15 years? That's precisely what derivatives are used for. Derivatives, and bought-and-paid-for auditors who also provide "consulting services."
It would seem to me that P3P could legally be just as enforceable as a written privacy policy.
It would only take one lawsuit to prove it.
(And yes, I bet a lot of sites would break if they made their P3P policy actually match what they do with the information they collect. I think most developers just cut & paste the P3P values they find via a web search without thinking about it.)
"The organization that established P3P, the World Wide Web Consortium, suspended its work on this standard several years ago because most modern web browsers do not fully support P3P. As a result, the P3P standard is now out of date and does not reflect technologies that are currently in use on the web"
I think P3P was just an attempt to f' over Google and other ad networks by breaking adsense, etc. It seems Internet Explorer always comes out with some new "feature" every version to try and break adsense. The only time I've ever been able to fully and consistently crash IE8 was embedding Adsense in a web widget.