W3C home > Mailing lists > Public > public-p3p-spec@w3.org > February 2004

RE: linked

From: Giles Hogben <giles.hogben@jrc.it>
Date: Mon, 16 Feb 2004 10:59:09 +0100
To: "'Lorrie Cranor'" <lorrie@cs.cmu.edu>, "'public-p3p-spec'" <public-p3p-spec@w3.org>
Message-ID: <000001c3f473$85bd7bf0$362abf8b@cs.jrc.it>

Some comments:
1. I don't think the requirement that it be stored as a particular database
record is valid. I think that linkability should be described independently
of the technical architecture used. This is why I tried to describe it in
terms of the intentions and proportionality.
2. You do not mention the use of referers to link cookies together.
3. I think the examples given are simpler than those I gave.

>**I propose that we remove the last 3 paragraphs of 1.3.2 that 
>**pertain to "linked" data and change the title of that 
>**section to "Non-identifiable" Data. Then add a new section 
>**1.3.4 as follows:
>**1.3.4 Linked and Linkable Data
>**<p>Cookies often store a unique number or database key that 
>**links to a database record, rather than storing the complete 
>**database record. Web sites that use P3P must disclose not 
>**only the types of data stored directly in a cookie, but also 
>**all data linked to a cookie. A large amount of data may be 
>**"linkable" to a cookie without actually being "linked" to 
>**that cookie. </p>
>**<p>A piece of data X is said to be <i>linkable</i> to a 
>**cookie Y if a key stored in cookie Y can be used to retrieve 
>**X either directly or indirectly. A direct retrieval might 
>**happen, for example, if the key is associated with a 
>**database record in which X is stored. An indirect retrieval 
>**might happen, for example, if the key is associated with a 
>**database record that contains a piece of data that may be 
>**used, in turn, as a key to retrieve a record in a second 
>**database, and X is stored in the second database. 
>**Furthermore, if cookie Y is stored in a server log file, the 
>**log file may facilitate further linking. For example, 
>**imagine a web site that sets two cookies, Y and Z. Cookies Y 
>**and Z may get replayed in the same HTTP request and 
>**subsequently recorded side-by-side in the server log file. 
>**Thus all data associated with cookie Y are also linkable to 
>**cookie Z. Indeed, unless precautions are taken to minimize 
>**server log files and severely restrict the use of 
>**identifiable data, almost all data an entity stores about an 
>**individual are likely to be linkable to any cookies they 
>**have set on that individual's computer.</p>
>**<p>A piece of data X is said to be <i>linked</i> to a cookie 
>**Y if at least one of the following activities may take place 
>**as a result of cookie Y being replayed:</p>
>**<li>X is retrieved from a database.</li>
>**<li>Information collected about the user during the current 
>**session -- including data entered into forms, IP address, 
>**clickstream data, client events, or other data associated 
>**with the user's visit to the web site -- is added to a 
>**record in which X is stored.</li>
>**If either of these activities happen immediately upon cookie 
>**replay or at some future time (perhaps as a result of 
>**retrospective analysis of server logs), then the piece of 
>**data X is considered linked to cookie Y. </p>
>**<p>Entities should consider their data collection and 
>**storage architectures carefully to determine what data may 
>**be linkable to their cookies and what data will actually be 
>**linked to each cookie. If data is linkable but does not 
>**actually get linked to a particular cookie, it does not have 
>**to be disclosed in a P3P statement concerning that cookie. 
>**However, should the entity associated with that P3P policy 
>**ever link the data for any reason other than to comply with 
>**law enforcement demands, they would be in violation of their 
>**stated policy. </p>
Received on Monday, 16 February 2004 04:59:27 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:02:18 UTC