W3C home > Mailing lists > Public > public-p3p-spec@w3.org > February 2004

RE: Art 10: Issue 3 - cookies

From: Giles Hogben <giles.hogben@jrc.it>
Date: Wed, 18 Feb 2004 10:22:07 +0100
To: "'Lorrie Cranor'" <lorrie@cs.cmu.edu>
Cc: "'public-p3p-spec'" <public-p3p-spec@w3.org>
Message-ID: <000001c3f600$ae1d1400$362abf8b@cs.jrc.it>


>**>>> Here are the latest suggested changes (the guidelines text has
>**>> changed
>**>>> quite
>**>>> a lot so please check):
>**>>>
>**>>> Text for 2.3.2.7.
>**>>> -----------------
>**>>> Add:
>**>>> User agents evaluating cookies SHOULD apply the results of a
>**>> preference> match on the cookie's policy before setting 
>**the cookie.
>**>>
>**>> How about
>**>>
>**>> User agents that evaluate cookie polices SHOULD perform this 
>**>> evaluation before setting a cookie.
>**>
>**> This does not convey the advice. that the cookie should 
>**not be saved 
>**> if it doesn't match the user's preferences.
>**
>**I'm not sure we want to say that. A user might specify, for example, 
>**that cookies that don't match their preferences should be 
>**converted to 
>**session cookies rather than deleted altogether. Also, I 
>**could imagine a 
>**user agent that gives users the option of storing rejected 
>**cookies in a 
>**separate place for later analysis or inspection. So I think 
>**we should 
>**make the point that cookies should be evaluated before set time. But 
>**I'm not sure we want to specify what should happen as a 
>**result of that 
>**evaluation. We could say:
>**
>**User agents that evaluate cookie policies SHOULD perform this 
>**evaluation before setting a cookie so that the cookie can be 
>**discarded 
>**without being set if that is what is dictated by the user's 
>**preferences.

I think that the crucial point is that whatever behavior is dictated by the
evaluation should be carried out setting the cookie.
So how about:

User agents that evaluate cookie policies SHOULD perform this evaluation
*and its resultant behavior* before setting a cookie so that the cookie can
be discarded without being set if that is what is dictated by the user's
preferences.


>**>>
>**>>>
>**>>> Text for guidelines
>**>>> -------------------
>**>>> Certain jurisdictions view the storage of cookies on a user's
>**>> hard
>**>>> drive as
>**>>> an act of data processing. In such jurisdictions (e.g. the EU), 
>**>>> policies should always be evaluated before a cookie is set and 
>**>>> cookies
>**>> should
>**>>> not be
>**>>> stored unless the cookie's policy is found to comply with the
>**> user's
>**>>> preferences.
>**>>
>**>> In my mail on Issue 1 I had suggested a section called "Timing of 
>**>> Notices to Users"... now I'm thinking the section should 
>**be "Timing 
>**>> of Policy Evaluation and Notice to Users" ... then we can include
>**>> this
>**>> paragraph at the end of that section.
>**>>
>**>>
>**>>
>**>>>
>**>>> -------------------------------------
>**>>> Giles Hogben
>**>>> European Commission Joint Research Centre
>**>>> Institute for the Protection and Security of the Citizen
>**>> Cybersecurity> New technologies for Combatting Fraud Unit
>**>>> TP 267
>**>>> Via Enrico Fermi 1
>**>>> Ispra
>**>>> 21020 VA
>**>>> Italy
>**>>>
>**>>> giles.hogben@jrc.it
>**>>> tel:+390332789187
>**>>> fax:+390332789576
>**>>>
>**>>>
>**>>
>**>>
>**>
>**
>**
Received on Wednesday, 18 February 2004 04:21:46 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 17 March 2004 17:46:30 EST