W3C home > Mailing lists > Public > public-p3p-spec@w3.org > May 2003

RE: potential requirement/guidelines on acceptable Purpose / Cate g ory combinations

From: Humphrey, Jack <JHumphrey@coremetrics.com>
Date: Tue, 20 May 2003 07:35:18 -0500
Message-ID: <85063BBE668FD411944400D0B744267A025184AF@ausmail.core.coremetrics.com>
To: "'public-p3p-spec@w3.org '" <public-p3p-spec@w3.org>

I think I understand now. I always think about the cookie policy declaring
what data is being collected for what purposes (maybe because that's how
user agents tend to express it), but it also has to declare what other data
will be used for those purposes.

Let's say that my user agent allows me to express that:
1. I don't want to accept or send cookies containing sensitive personal
information.
2. I don't want to accept or send any cookies whose purpose is to enable
someone to contact me by phone or email for marketing purposes.

In the example I gave, if a site sets a cookie containing a loyalty number
(UNI) and declares that it is for indiv. analysis (IVA), then as I
understand it now it should also declare purchase (PUR) since that's what
the the loyalty # will be used to look up for the analysis. The fact that
the company could also look up my phone number and email address is not
relevant since that's not the purpose of this cookie, right? Okay, that
makes sense, and the user agent implementation might allow that cookie if it
didn't map UNI and PUR to "sensitive personal information."

But I don't think the user agent could allow you to express #1 but not #2
(say you don't mind telemarketing and online contact). Then if the loyalty #
was being collected for telemarketing, the policy would have to include PHY
in addition to UNI and TEL, and the user agent couldn't allow the cookie,
even though it doesn't violate the expressed preferences, because it
couldn't distinguish that the cookie doesn't contain a phone number. That
troubles me, but it's something of an orthogonal issue to the points you
raise.

Jack

-----Original Message-----
From: Rigo Wenning
To: public-p3p-spec@w3.org
Sent: 5/20/2003 5:06 AM
Subject: Re: potential requirement/guidelines on acceptable Purpose / Cate
g ory combinations


On Mon, May 19, 2003 at 02:25:42PM -0400, Dobbs, Brooks wrote:
> What this all boils down to is, if the data collector declares a
purpose
> that requires identity, then they obviously HAVE the identity.  If you
claim
> that you are going to telemarket to me, you have my phone number.  I
think
> that it is now generally understood that the actual phone number won't
be
> stored as the clear text value within the cookie but rather referenced
> through a UNI value of the cookie.  To the data subject it doesn't
matter if
> you reference using phone #, loyalty #, credit card # or a SSN so long
as
> the intent or the data construct is to use the value to reference
other data
> (though clearly for some these you may need to go past simply UNI even
for
> the reference string itself).

http://www.w3.org/TR/P3P/#cookies

I think we specified that already by saying in 2.3.2.7 The
COOKIE-INCLUDE and COOKIE-EXCLUDE elements:

A cookie policy MUST cover any data (within the scope of P3P) that is
stored in that cookie or linked via that cookie. It MUST also reference
all purposes associated with data stored in that cookie or enabled by
that cookie. In addition, any data/purpose stored or linked via a cookie
MUST also be put in the cookie policy. In addition, if that linked data
is collected by HTTP, then the policy that covers that GET/POST/whatever
request must cover that data collection.

Best, 

Rigo
Received on Tuesday, 20 May 2003 08:35:26 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 17 March 2004 17:46:24 EST