W3C home > Mailing lists > Public > public-p3p-spec@w3.org > March 2004

Re: linked

From: Lorrie Cranor <lorrie@cs.cmu.edu>
Date: Mon, 8 Mar 2004 22:18:22 -0500
Message-Id: <6B8606FF-7178-11D8-A3D6-000A95DA3F5A@cs.cmu.edu>
To: 'public-p3p-spec' <public-p3p-spec@w3.org>

Here is a complete proposal based on discussion on the mailing list and 
last call. Please send any more comments. Let's try to get this wrapped 
up this week if possible.

Lorrie

---

I propose that we remove the last 3 paragraphs of 1.3.2 that pertain
to "linked" data and change the title of that section to
"Non-identifiable" Data. Then add a new section 1.3.4 as follows:


1.3.4 Linked and Linkable Data

<p>Cookies often store a unique number or database key that links to a
database record, rather than storing the complete database record. Web
sites that use P3P must disclose not only the types of data stored
directly in a cookie, but also all data linked to a cookie. A large
amount of data may be "linkable" to a cookie without actually being
"linked" to that cookie. </p>

<p>A piece of data X is said to be <i>linkable</i> to a cookie Y if a
key stored in cookie Y can be used to retrieve X either directly or
indirectly. A direct retrieval might happen, for example, if the key
is associated with a database record in which X is stored. An indirect
retrieval might happen, for example, if the key is associated with a
database record that contains a piece of data that may be used, in
turn, as a key to retrieve a record in a second database, and X is
stored in the second database. Furthermore, if cookie Y is stored in a
server log file, the log file may facilitate further linking. For
example, when cookie Y is replayed, it may be accompanied by a referer
field that includes additional identifiable information or even
another key. Alternatively, imagine a web site that sets two cookies,
Y and Z. Cookies Y and Z may get replayed in the same HTTP request and
subsequently recorded side-by-side in the server log file. Thus all
data associated with cookie Y are also linkable to cookie Z. Indeed,
unless precautions are taken to minimize server log files and severely
restrict the use of identifiable data, almost all data an entity
stores about an individual are likely to be linkable to any cookies
they have set on that individual's computer.</p>

<p>A piece of data X is said to be <i>linked</i> to a cookie Y if at
least one of the following activities may take place as a result of
cookie Y being replayed, immediately upon cookie replay or at some
future time (perhaps as a result of retrospective analysis or
processing of server logs):</p>

<ul>
<li>A cookie containing X is set or reset.</li>

<li>X is retrieved from a persistent data store or archival media.</li>

<li>Information identifiable with the user -- including but not
limited to data entered into forms, IP address, clickstream data, and
client events -- is retrieved from a record, data structure, or file 
(other
than a log file) in which X is stored. </li>
</ul>

<p>Entities should consider their data collection and storage
architectures carefully to determine what data may be linkable to
their cookies and what data will actually be linked to each cookie. If
data is linkable but does not actually get linked to a particular
cookie, it does not have to be disclosed in a P3P statement concerning
that cookie. However, should the entity associated with that P3P
policy ever link the data for any reason other than to comply with law
enforcement demands, they would be in violation of their stated
policy. </p>
Received on Monday, 8 March 2004 22:17:37 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 17 March 2004 17:46:30 EST