W3C home > Mailing lists > Public > public-p3p-spec@w3.org > October 2003

Cookie Linking

From: Giles Hogben <giles.hogben@jrc.it>
Date: Wed, 15 Oct 2003 14:34:52 +0200
To: <public-p3p-spec@w3.org>
Message-ID: <010201c39318$bb3cad80$362abf8b@cs.jrc.it>

Linked data and cookies (action item)

Cookies can contain a maximum of 4kb of data and must be transmitted across
the network twice before they can be used. For this reason, cookies tend to
store only a number which links to a value in a database. Data about a user
is stored in a database and that record is given a number (a unique key).
Only this number is stored in the cookie on the user's computer. When the
user revisits the site which set the cookie, that site can immediately have
access to a potentially unlimited amount of information about the user
simply by looking up the number in the database in which the number is a
key. Linkability may be direct or indirect. For example a key stored in a
cookie may not link to a record giving the user's name, but the record may
contain the user's IP address, which, can potentially be linked to another
database to discover the user's name. 

With enough effort, data mining techniques may be applied to link even
seemingly highly anonymised data with a cookie value. P3P applies the
principle of proportionality to such linkability.  The specification of the
data and purposes covered by cookie should be thought of in terms of the
analysis which might reasonably be carried out on such a cookie to achieve
the stated purpose. For example if a cookie is set to track criminals'
personal data then it is reasonable that a considerable effort might be put
into database analysis. The cookie should therefore be said applying to
personally identifiable data even if the data is actually hashed in the
database. If on the other hand, the cookie is set in order to track a
session and data is stored in the database but anonymised by hashing, then
there is no need to state that the data is identifiable. This type of
anonymization is in theory not secure because hashes have a 1-1
correspondence with ip addresses for example so by hashing all possible ip
addresses, you can trace the original ip address. However extending the
definition of linkability to this extent is neither practical nor
reasonable.
Received on Wednesday, 15 October 2003 08:37:49 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 17 March 2004 17:46:28 EST