
Cookie linking v2

From: Giles Hogben <giles.hogben@jrc.it>
Date: Wed, 15 Oct 2003 15:13:24 +0200
To: <public-p3p-spec@w3.org>
Message-ID: <010d01c3931e$1d4be180$362abf8b@cs.jrc.it>

Here is an updated version based on some comments I received.

Linked data and cookies (action item)

Cookies can contain a maximum of 4 KB of data and must be transmitted across
the network twice before they can be used. For this reason, cookies tend to
store only a number (or unique key) which links to a value in a database.
Data about a user is stored in a database and that record is given a number
(a unique key). Only this number is stored in the cookie on the user's
computer. When the user revisits the site which set the cookie, that site
can immediately have access to a potentially unlimited amount of information
about the user simply by looking up the number in the database in which the
number is a key. Linkability may be direct or indirect. For example, a key
stored in one cookie may not link directly to a user's name. Suppose a site
sets two cookies. One cookie might link to a record of the user's street
name and number and the other to the user's home town. By using the referrer
IP, these two cookies can be linked together to give a unique address and,
through another database, the user's name.

With enough effort, data mining techniques may be applied to link even
seemingly highly anonymised data with a cookie value. P3P applies the
principle of proportionality to such linkability. The specification of the
data and purposes covered by a cookie should be thought of in terms of the
analysis which might reasonably be carried out on such a cookie to achieve
the stated purpose. For example, if a cookie is set to track criminals'
personal data, then it is reasonable that a considerable effort might be put
into database analysis. The cookie should therefore be said to apply to
personally identifiable data even if the data is actually hashed in the
database. If, on the other hand, the cookie is set in order to track a
session and data is stored in the database but anonymised by hashing, then
there is no need to state that the data is identifiable. This type of
anonymisation is in theory not secure because hashes have a 1-1
correspondence with IP addresses, for example, so by hashing all possible IP
addresses you can trace the original IP address. However, extending the
definition of linkability to this extent is neither practical nor
reasonable.

Third-party cookies are cookies which are set by a domain other than that of
the page being viewed. This is done through embedded images and can even occur
in emails and applications which use web services, such as music players.
While normally the information stored in one domain's cookie cannot be
accessed by another domain, third-party cookies bypass this mechanism by
placing the same third-party image in different domains' pages. This allows
tracking of users across different domains. The intention to carry out such
tracking activities through linking cookie keys across different domains
should also be declared.
Received on Wednesday, 15 October 2003 09:14:37 EDT
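The two linkage mechanisms described in the message above, as an added Python example that is not part of Giles Hogben's post or of the P3P specification: a cookie holds only a short key into a server-side table; two such keys that each reveal part of an address are joined through the client IP that presented both; and an unkeyed hash of an IP address is reversed simply by hashing every candidate address. The access log, the two tables, the cookie names (`street_id`, `town_id`) and the `10.23.0.0/16` range are all constructed for the example. The keyed-hash variant at the end goes beyond the message, which does not discuss HMAC; it is included to show what actually stops the enumeration.

```python
"""Added example (not from the original message): cookie keys, indirect
linkage through the client IP, and why sha256(ip) is not anonymisation."""
import hashlib
import hmac
import ipaddress
from collections import defaultdict

# Constructed sample tables.  Each cookie carries only the short key; the
# personal data lives server-side, keyed by that value.
STREET_DB = {"k8f2": "12 High Street", "q71z": "5 Via Roma"}
TOWN_DB = {"m3x9": "Ispra", "p0c4": "Varese"}

# Constructed access-log lines: "<client_ip> <cookie_name>=<cookie_value>"
ACCESS_LOG = """\
10.23.7.41 street_id=k8f2
10.23.7.41 town_id=m3x9
10.23.9.12 street_id=q71z
10.23.9.12 town_id=p0c4
10.23.9.99 town_id=p0c4
"""


def parse_log(text):
    """Yield (client_ip, cookie_name, cookie_value) from the constructed log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, cookie = line.split(None, 1)
        name, value = cookie.split("=", 1)
        yield ip, name, value


def link_cookies_by_ip(text):
    """Indirect linkage: two cookies that each reveal only part of an address
    are joined through the client IP that presented both of them.  Returns
    {client_ip: "street, town"} for every IP that showed both cookies."""
    seen = defaultdict(dict)
    for ip, name, value in parse_log(text):
        seen[ip][name] = value
    linked = {}
    for ip, cookies in seen.items():
        street = STREET_DB.get(cookies.get("street_id"))
        town = TOWN_DB.get(cookies.get("town_id"))
        if street and town:
            linked[ip] = f"{street}, {town}"
    return linked


def hash_ip(ip):
    """The unkeyed 'anonymisation' the message describes: sha256 of the IP."""
    return hashlib.sha256(ip.encode()).hexdigest()


def recover_ip(digest, network):
    """Reverse an unkeyed hash by hashing every address in the candidate
    range.  IPv4 has only 2**32 addresses, so the whole space is feasible;
    a /16 (65,536 addresses) is used here so the example runs in well
    under a second."""
    for addr in ipaddress.ip_network(network):
        if hash_ip(str(addr)) == digest:
            return str(addr)
    return None


def keyed_hash_ip(ip, secret):
    """Keyed alternative (an addition, not from the message): HMAC with a
    secret held outside the database.  Without the secret, recover_ip()'s
    enumeration produces no match."""
    return hmac.new(secret, ip.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    print(link_cookies_by_ip(ACCESS_LOG))
    digest = hash_ip("10.23.7.41")
    print("unkeyed hash recovered:", recover_ip(digest, "10.23.0.0/16"))
    keyed = keyed_hash_ip("10.23.7.41", b"server-side-secret")
    print("keyed hash recovered:", recover_ip(keyed, "10.23.0.0/16"))
```

Only `10.23.7.41` and `10.23.9.12` present both cookies, so only those two IPs resolve to a full address; `10.23.9.99` shows a town cookie alone and stays unlinked. The enumeration in `recover_ip` is the "hashing all possible IP addresses" the message mentions, restricted to one /16 so it finishes quickly; against the keyed digest the same loop returns `None` because the attacker cannot compute candidate HMACs without the secret.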

This archive was generated by hypermail pre-2.1.9 : Wednesday, 17 March 2004 17:46:28 EST