back to article Better privacy policies can make money, finds P3P study

Ecommerce businesses could charge more for their wares if they implemented an established privacy technology, an academic report (pdf) has found. The study showed that online shoppers are prepared to pay more at sites that guarantee their privacy. Researchers at Carnegie Mellon University in the US armed a number of shoppers …


This topic is closed for new posts.
  1. Pascal Monett Silver badge


    So now the privacy I have a constitutional right to is something I am going to have to pay for to actually have in effect - that is, until some government decides it wants my details anyway, at which point a low-level cop will just wave his badge and expect all my details to be handed over.

    Something about the world, a destination and a handbasket comes to mind.

  2. Chris Cheale

    Odds are...

    ...that you'd not have to pay for it, P3P is just an XML standard and can be (or is) built into the web browser as a native component...

    However... it's also 95% totally useless


    The system then alerts the user in plain English about conflicts between the site's privacy policies and the user's preferences. Alternatively, the site simply rejects the website's cookie, the piece of code which stores information about the user.


    The cookie simply stores information about the user (generally their session id) on the user's machine... using a transparent session ID (passed around in the URI) means all that tracking potential is still in place, it just can't be passed from one session to another (although using transparent SIDs does leave the sessions open to hijacking unless you code something in to attempt to prevent it). The company that runs the site still has access to all that data and can do what they like with it.

    Hell, chuck some GeoIP software on the server, cross reference that against ISP IP allocation ranges and UserAgent strings and you could probably, even with cookies disabled on the user's PC, match up their current session to any previous ones (if you logged that session data).

    You'd not even have to get that complicated ... if a user visits your site and rejects your session cookie, just tell them that they can't use your site. It's a totally crap way of doing it, but hardly uncommon. Many user's will simply follow your nice helpful instructions on how to disable that annoying P3P software in Internet Explorer (as an example).

    P3P is NOT a privacy protection tool, it's a _marketing_ tool, nothing more.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2022