W3C home > Mailing lists > Public > public-p3p-spec@w3.org > October 2003

Compact Policies and information loss

From: Jeffrey A Edelen <jeffrey.a.edelen@aexp.com>
Date: Tue, 14 Oct 2003 18:46:08 -0700
To: public-p3p-spec@w3.org
Message-ID: <OFB7A5C69E.D84A5960-ON07256DBF.0082591A-07256DC0.0008C21B@ipc.us.aexp.com>


I'd like to describe in a bit more detail an issue raised during the 1 Oct 2003
spec call.  The discussion was captured in the minutes as follows:

      4/ Giles: cookie is like a database identifier
         Jeff: whether use is intended or not, one has to declare.
        GH: doesn't have to be unique ID. It has the purpose to select
        a bunch of records in a database.
         Jeff: cases are sites with single sign-on etc and scope is not
        always clear. Has to be clarified what happens with the
        information, e.g. purpose.
        Jeff: also when converting to compact policy, it looses
        semantics and sounds more that the actual collection is.

      Action: Giles: Write some paragraphs about linked data and

      Action: Jeff: Write some paragraphs describing the issue.

My observation was that is a common practice for sites to use a single sign-on
cookie that can be linked to all of the personally identifiable information
maintained about the user.  As I understand the spec, the associated cookie
policy must cover any data that is linked via the cookie.  For some
organizations, such a policy will likely contain many statements, to account
for the diversity of purposes, data categories, and recipients associated with
the various types of personally identifiable information being maintained.

As called out in section 4.5 of the spec, when transforming a full policy to a
compact policy, policy information may be lost.

   "The transformation of a P3P policy to a P3P compact policy may result in a
   loss of descriptive policy information -- the compact policy may not contain
   all of the policy information specified in the full P3P policy. The
   information from the full policy that is discarded when building a compact
   policy includes expiry, data group/data-schema elements, entity elements,
   consequences elements, and disputes elements are reduced."

In addition to the losses pointed out above, the information that organizes
purposes, categories, and recipients into meaningful statements is lost, as
well.  A full policy might disclose that online contact information may be
shared with other-recipients unless the user opts-out but that financial
information is only used internally.  Once transformed into a compact policy,
however, the tie between the data category and who the information is shared
with is lost.  Perhaps my financial information will be shared unless I
opt-out.  I don't suspect that I'm the first person to point this out, and
perhaps this isn't an issue, given the intended usage of compact policies.  If
a user agent is only going to employ relatively simple rules around cookie
handling (e.g., "any PII sharing without explicit consent is forbidden"), then
I suppose this level of granularity is sufficient.

Jeff Edelen

American Express made the following
 annotations on 10/14/2003 06:35:43 PM

     "This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use, or distribution of the information included in this message and any attachments is prohibited.  If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments.  Thank you."


Received on Tuesday, 14 October 2003 21:36:39 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:02:18 UTC