W3C home > Mailing lists > Public > public-p3p-spec@w3.org > February 2004

linked

From: Lorrie Cranor <lorrie@cs.cmu.edu>
Date: Sun, 15 Feb 2004 17:51:41 -0500
Message-Id: <851455F5-6009-11D8-935B-000A95DA3F5A@cs.cmu.edu>
To: 'public-p3p-spec' <public-p3p-spec@w3.org>

we discussed bugzilla 172 
http://www.w3.org/Bugs/Public/show_bug.cgi?id=172 on last week's call 
and I proposed a possible way of differentiating linked and linkable. 
The following is my proposal for text for the spec to document this. 
Please send your comments and let me know if this idea even makes any 
sense.

Lorrie


I propose that we remove the last 3 paragraphs of 1.3.2 that pertain
to "linked" data and change the title of that section to
"Non-identifiable" Data. Then add a new section 1.3.4 as follows:


1.3.4 Linked and Linkable Data

<p>Cookies often store a unique number or database key that links to a
database record, rather than storing the complete database record. Web
sites that use P3P must disclose not only the types of data stored
directly in a cookie, but also all data linked to a cookie. A large
amount of data may be "linkable" to a cookie without actually being
"linked" to that cookie. </p>

<p>A piece of data X is said to be <i>linkable</i> to a cookie Y if a
key stored in cookie Y can be used to retrieve X either directly or
indirectly. A direct retrieval might happen, for example, if the key
is associated with a database record in which X is stored. An indirect
retrieval might happen, for example, if the key is associated with a
database record that contains a piece of data that may be used, in
turn, as a key to retrieve a record in a second database, and X is
stored in the second database. Furthermore, if cookie Y is stored in a
server log file, the log file may facilitate further linking. For
example, imagine a web site that sets two cookies, Y and Z. Cookies Y
and Z may get replayed in the same HTTP request and subsequently
recorded side-by-side in the server log file. Thus all data associated
with cookie Y are also linkable to cookie Z. Indeed, unless
precautions are taken to minimize server log files and severely restrict
the use of identifiable data, almost all data an entity stores about
an individual are likely to be linkable to any cookies they have set
on that individual's computer.</p>

<p>A piece of data X is said to be <i>linked</i> to a cookie Y if at
least one of the following activities may take place as a result of
cookie Y being replayed:</p>

<ul>

<li>X is retrieved from a database.</li>

<li>Information collected about the user during the current session --
including data entered into forms, IP address, clickstream data,
client events, or other data associated with the user's visit to the
web site -- is added to a record in which X is stored.</li>

</ul>

<p>
If either of these activities happen immediately upon cookie replay or
at some future time (perhaps as a result of retrospective analysis of
server logs), then the piece of data X is considered linked to cookie Y.
</p>

<p>Entities should consider their data collection and storage
architectures carefully to determine what data may be linkable to
their cookies and what data will actually be linked to each cookie. If
data is linkable but does not actually get linked to a particular
cookie, it does not have to be disclosed in a P3P statement concerning
that cookie. However, should the entity associated with that P3P
policy ever link the data for any reason other than to comply with law
enforcement demands, they would be in violation of their stated
policy. </p>
Received on Sunday, 15 February 2004 17:51:23 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 17 March 2004 17:46:30 EST