Google doesn't need your stinking privacy rules

First Apple and then Microsoft accused Google of doublespeak on user privacy. But Google is hardly alone


Google is in good, or bad, company, depending on your point of view. More than 20 of the 100 most popular websites -- including Facebook, IMDB, AOL, and Hulu -- also blow off P3P, per the Times. In fact, more than 11,000 sites bypass P3P by issuing a bogus "compact policy" (CP) code, notes Carnegie Mellon University's Lorrie Cranor. She should know; Cranor was involved in the creation of P3P.

In September 2010, CMU analyzed 33,000 websites' privacy practices:

We found thousands of sites using identical invalid CPs that had been recommended as workarounds for IE cookie blocking. Other sites had CPs with typos in their tokens, or other errors. 98% of invalid CPs resulted in cookies remaining unblocked by IE under its default cookie settings. It appears that large numbers of websites that use CPs are misrepresenting their privacy practices, thus misleading users and rendering privacy protection tools ineffective.

If P3P is so lame, Cranor asks, why don't companies like Google and Facebook stop pretending they're complying and instead ask the World Wide Web Consortium (W3C) to declare it dead and move on? Her answer:

I suspect nobody wants to do that because it might call into question the effectiveness of industry self-regulation on privacy. W3C is currently hard at work on a new privacy standard called Do Not Track (DNT), which the industry is currently rallying around. Once the spotlights are off and companies have to live with the standard they created and discover that it prevents them from doing what they want to do, will they declare it dead as well and feel justified in circumventing it too?

The problem: Nearly every privacy policy on the Web starts with the phrase "we value your privacy," but almost none of them actually mean it. Until they do, this kind of abuse, intentional or otherwise, is just going to continue. There need to be actual consequences when big companies violate users' trust, or soon there won't be any trust left to violate.

If the Internet giants can't or won't do it -- so far, they've failed miserably -- then our mutual Uncle needs to step in and do it for them.

I've asked it before and I'll ask it again: Do we need a national data privacy law?

This article, "Google doesn't need your stinking privacy rules," was originally published at Follow the crazy twists and turns of the tech industry with Robert X. Cringely's Notes from the Field blog, and subscribe to Cringely's Notes from the Underground newsletter.

Copyright © 2012 IDG Communications, Inc.
