No, he just said 5% had an invalid header; no claims were made about how many had valid headers. And unless he's actually audited any of the websites to see if what they're claiming in their P3P policies corresponds with how they actually use their cookies, then how many sites have well-formed headers is beside the point.
It's really unbelievable how this paper keeps getting cited as proof Microsoft is doing this too. Page 7 was cited on the other thread; you can read my response here: http://news.ycombinator.com/item?id=3615267
Re: Live doing it too. No, that is not what the paper says. From page 8:
"Only one of these websites, microsoft.com, displayed a full P3P policy."
"Websites under the msn.com domain exhibited a CP that includes the invalid CUSo token. Two other Microsoft owned sites, microsoft.com and windows.com use the same CP. These websites display the TRUSTe EU Safe Harbor Privacy seal. We believe that these websites are likely attempting to comply with P3P; however, they are not using P3P properly."
"The live.com CP does not include any ACCESS tokens. This CP suggests collection of PII, but does not provide any information about whether users can access their personal information."
Microsoft does not always fully comply with the letter of the law, but based on everything that I have read in that paper, they sure seem to be trying to comply with the spirit. It's ridiculous to claim that sending a deliberately misleading P3P header is the same as sending a P3P header that suggests PII is used but does not provide the access policy. One is designed to exploit a weakness in P3P and avoid blatantly lying to browsers in order to track users. The other indicates that PII is used, but does not fully specify how this is used. It seems fairly clear that one company is at least trying to support P3P, even if they are unable to completely reflect their privacy policy with these tokens. To claim these situations are analogous is fairly dishonest IMO.
(NOTE: Page numbers are based on the PDF document for quick access. Subtract 1 for the number printed on the bottom of the page.)
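As an added example (not code from the paper, from Microsoft, or from any site discussed in this thread), here is a small Python checker for the P3P compact-policy (CP) header that reports the two things the quoted findings describe: tokens the P3P 1.0 compact-policy vocabulary does not define (such as CUSo) and a policy that carries no ACCESS token. It also flags a CP whose "tokens" are free text with nothing recognisable in it. The token tables are transcribed from memory of P3P 1.0 section 4 and should be checked against the specification before being relied on; the sample headers are constructed for the example, not captured from any of the sites named above; and the checker validates syntax only, it does not model how IE evaluates a policy.

```python
"""Syntax checker for P3P 1.0 compact policy (CP) headers.

Added example; not the paper's code or any site's real header.
Token vocabulary transcribed from memory of P3P 1.0 section 4 (assumption:
verify against the spec). Matching is case-sensitive, as the spec prints
the tokens in upper case.
"""
import re

# Tokens that never take a suffix.
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
DISPUTES = {"DSP"}
REMEDIES = {"COR", "MON", "LAW"}
NONIDENT = {"NID"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORIES = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT",
              "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
TEST = {"TST"}
# Purpose and recipient tokens may carry an a(lways)/i(opt-in)/o(opt-out)
# suffix, except CUR (current purpose) and OUR (ourselves), which take none.
PURPOSE_NOSUFFIX = {"CUR"}
PURPOSE_SUFFIX = {"ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
                  "CON", "HIS", "TEL", "OTP"}
RECIPIENT_NOSUFFIX = {"OUR"}
RECIPIENT_SUFFIX = {"DEL", "SAM", "UNR", "PUB", "OTR"}

NO_SUFFIX = (ACCESS | DISPUTES | REMEDIES | NONIDENT | RETENTION | CATEGORIES
             | TEST | PURPOSE_NOSUFFIX | RECIPIENT_NOSUFFIX)
WITH_SUFFIX = PURPOSE_SUFFIX | RECIPIENT_SUFFIX

TOKEN_RE = re.compile(r"^([A-Z]{3})([aio])?$")
CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_cp(header_value):
    """Extract the whitespace-separated tokens from CP="..." in a P3P header
    value (the text after 'P3P:'); returns None when no CP attribute exists."""
    m = CP_RE.search(header_value)
    if m is None:
        return None
    return m.group(1).split()


def classify_token(tok):
    """'valid' if tok is a P3P 1.0 compact token with a permitted suffix,
    otherwise 'invalid' (unknown base, e.g. CUS, or a suffix on CUR/OUR)."""
    m = TOKEN_RE.match(tok)
    if m is None:
        return "invalid"
    base, suffix = m.group(1), m.group(2)
    if base in NO_SUFFIX:
        return "valid" if suffix is None else "invalid"
    if base in WITH_SUFFIX:
        return "valid"          # suffix is optional for these
    return "invalid"


def validate_cp(header_value):
    """Summarise a P3P header value: unknown tokens, whether any ACCESS
    token is present, and whether nothing in CP is recognisable at all."""
    tokens = parse_cp(header_value)
    if tokens is None:
        return {"error": "no CP attribute"}
    invalid = [t for t in tokens if classify_token(t) == "invalid"]
    valid = [t for t in tokens if classify_token(t) == "valid"]
    return {
        "tokens": tokens,
        "invalid": invalid,
        "recognised": len(valid),
        "has_access": any(t in ACCESS for t in valid),
        "free_text": len(valid) == 0,
    }


# Constructed sample header values (not captured from any real site).
SAMPLES = {
    "well-formed": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR ADMa DEVa OUR IND"',
    "unknown token": 'CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo CUSo"',
    "no ACCESS token": 'CP="CUR ADMo OUR IND PHY ONL"',
    "free text": 'CP="This is not a P3P policy!"',
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        r = validate_cp(value)
        print(f"{name:16} invalid={r['invalid']} has_access={r['has_access']} "
              f"free_text={r['free_text']}")
```

Note that a CP made of ordinary words comes back with zero recognised tokens rather than a parse error: the header is syntactically present, it just declares nothing, which is exactly why a checker has to distinguish "no recognisable tokens" from "well-formed but incomplete" (such as a policy with purposes and recipients but no ACCESS token).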
It's not really that unbelievable: Microsoft is berating Google for sending invalid P3P headers and this paper describes that Microsoft is sending invalid P3P headers.
Microsoft does not always fully comply with the letter of the law...
In this case what constitutes the letter of the law isn't really clear. As far as I can tell this is the latest specification for the P3P header:
This Internet-Draft will expire on August 6, 2002.
So it's at least arguable that there isn't a standard for the P3P header, and whatever anyone wants to put in it is just whatever they put in it, nothing is invalid and everyone is fine.
Only IE supports it anyway, and it's not like it prevents websites from doing things they've said in their P3P headers that they're not going to do. And since the header is required to make IE accept 3rd party cookies (which are needed for lots of quite normal stuff on the web), you need to send it one of these headers.
Because if you don't allow people to bypass the privacy controls a significant chunk of the web stops working. For instance there's at least one well known WiFi hotspot service in the UK for which the block 3rd party cookies option in Firefox breaks the logon process.
Firefox dropped support for P3P in Firefox 3 because "p3p isn't an effective way to establish trust with a site. it's a one-way system; anyone can say they're the good guy." See item b: https://bugzilla.mozilla.org/show_bug.cgi?id=417800#c11
I've had ICS on my Nexus S for a few months now and I've not seen issues like that. I'm just using the standard Google image (AFAIK, my brother did the upgrade for me - Android 4.0.3, kernel 3.0.8-gb55e9ac). I do see a lot of battery drain when I'm using the GPS, and I don't play games, but no crashes.