
Re: IE6, p3p, cookies

From: Rigo Wenning <rigo@w3.org>
Date: Fri, 16 Jan 2004 19:32:49 +0100
To: Curtis Lacy <cel1@ix.netcom.com>
Cc: www-p3p-dev@w3.org
Message-ID: <20040116183249.GG1764@accueil.w3.org>

What you're doing here is violating the specification and it is also
legally dangerous. You do declare the following in your full policy, so
I assume you're doing that:

> header('CP="NON DSP COR CUR ADMa DEVa OUR IND PHY ONL UNI FIN DEM"');

1/ You give no access to identified information
2/ There is a dispute resolution
3/ You correct errors if they appear
4/ You use info to complete the current request
5/ You use info collected for admin purposes
6/ You use info collected for Research and Development purposes
7/ You keep data indefinitely
8/ You collect information that allows an individual to be contacted or
located in the physical world -- such as telephone number or address.
(This is normally blocked in IE medium)
9/ You collect unique IDs
10/ You collect financial information 
11/ You collect demographic data


Now, to make IE happy, you say
1/ You don't collect identified information
2/ You use info collected for admin purposes
3/ You use info collected for Research and Development purposes
4/ You use info to create or build a record of a particular
individual or computer that is tied to a pseudonymous identifier with
opt-in

5/ you collect the following info-categories:
a/computer information
b/navigation and click-stream data
c/ demographic information

6/ Recipients are
a/ yourself
b/ some other (unspecified) people (opt-out)

7/ You keep information
a/ for the stated purpose
b/ indefinitely
(here one can see that the compact format sometimes produces semantically
interesting results *sigh*)


Those are not the same, so you're deliberately misleading people. This
might be dangerous in a US context, but also under European
legislation.

Anyway, there is a way out:
If you're doing your headers with PHP anyway, use the compact policy
including PHY only on pages that actually collect physical
information or where information is added to this physical information.

The same goes for financial information.

Now the cookie should go through for the other pages, where you omit
stating PHY and FIN

But you should really think a bit more deeply about organizing pages and
services in a privacy-friendly way.

Best, 
-- 
Rigo Wenning            W3C/ERCIM
Policy Analyst          Privacy Activity Lead
mail:rigo@w3.org        2004, Routes des Lucioles
http://www.w3.org/      F-06902 Sophia Antipolis



On Wed, Jan 14, 2004 at 04:35:55PM -0800, Curtis Lacy wrote:
> There is a workaround for the IE6.0 P3P/cookie problem stated in my
> earlier note.  [I had a policy built by the IBM P3P editor, put the
> reference file in the well-known location, had it checked by the
> validator, which said the policy was satisfactory for all levels of
> IE6.0 privacy, cookies wouldn't set.  Tried sending the compact policy
> as an HTTP header with the page which set the cookies; still no luck.]
> 
> The workaround is to send a 'bogus' compact policy which will satisfy
> IE 6.0, i.e.,  in PHP you can do
> 
> header('P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"'); 
> 
> This is not a satisfactory solution, since it may or may not bear any
> relation to your actual policy.  As it happens, our policy is to use
> info we collect strictly for tending to business on our website, and
> it goes no further.
> 
> Here's the compact policy generated by the editor, which said the
> policy was good for all privacy levels:
> 
> header('CP="NON DSP COR CUR ADMa DEVa OUR IND PHY ONL UNI FIN DEM"');
> 
> If anyone understands why IE 6.0 doesn't like this one, I'd be glad to
> learn about it.
> 
> Curtis Lacy
> cel1@ix.netcom.com
Received on Friday, 16 January 2004 13:35:42 GMT
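
One way to put Rigo's per-page suggestion into practice, as an added example
that is not code from this thread (neither Rigo's nor Curtis's): the token
list is the editor-generated compact policy Curtis posted, the choice to treat
PHY and FIN as the only per-page tokens follows Rigo's advice and is this
example's assumption, and the page types named in the usage comments are
hypothetical. The cp_diff() helper is also added here to make the mismatch
Rigo lists visible token by token.

```php
<?php
// Added example (not from the thread). Per-page P3P compact policies:
// declare PHY and FIN only on pages that actually collect that data, and
// compare two CP values token by token to see where they differ.

// The editor-generated compact policy Curtis posted, split into tokens.
const CP_FULL = ['NON', 'DSP', 'COR', 'CUR', 'ADMa', 'DEVa', 'OUR', 'IND',
                 'PHY', 'ONL', 'UNI', 'FIN', 'DEM'];

// Tokens emitted only on pages that collect the corresponding data
// (Rigo's suggestion for PHY and FIN). Assumption of this example.
const CP_PER_PAGE = ['PHY', 'FIN'];

/**
 * Build the CP="..." value for one page.
 * @param string[] $collects subset of CP_PER_PAGE that this page collects
 */
function build_compact_policy(array $collects): string
{
    $unknown = array_diff($collects, CP_PER_PAGE);
    if ($unknown !== []) {
        // Reject unknown names so a typo cannot silently drop a declaration.
        throw new InvalidArgumentException(
            'not a per-page token: ' . implode(', ', $unknown));
    }
    // Keep every token of the full policy except the per-page ones this
    // page does not collect; token order is otherwise unchanged.
    $tokens = array_filter(
        CP_FULL,
        fn(string $t) => !in_array($t, CP_PER_PAGE, true)
                         || in_array($t, $collects, true)
    );
    return 'CP="' . implode(' ', $tokens) . '"';
}

/**
 * Send the header for the current page. header() sends the string
 * verbatim, so the field name "P3P:" has to be part of it.
 */
function send_p3p_header(array $collects): void
{
    header('P3P: ' . build_compact_policy($collects));
}

/**
 * Token-level difference between two CP values, e.g. the editor-generated
 * policy and a hand-written one. Returns the tokens found only in $a and
 * only in $b; a declared policy and the one actually sent should give
 * two empty lists.
 */
function cp_diff(string $a, string $b): array
{
    $parse = function (string $cp): array {
        if (!preg_match('/CP="([^"]*)"/', $cp, $m)) {
            throw new InvalidArgumentException('no CP="..." in: ' . $cp);
        }
        return preg_split('/\s+/', trim($m[1]), -1, PREG_SPLIT_NO_EMPTY);
    };
    $ta = $parse($a);
    $tb = $parse($b);
    return [
        'only_in_a' => array_values(array_diff($ta, $tb)),
        'only_in_b' => array_values(array_diff($tb, $ta)),
    ];
}

// Usage (hypothetical page types):
//   a catalogue page that stores no address or payment data:
//     send_p3p_header([]);
//   the checkout page, which collects both:
//     send_p3p_header(['PHY', 'FIN']);
//
// Comparing the editor's policy with the 'bogus' one from the thread
// lists the tokens that differ, i.e. the mismatch Rigo describes:
//   print_r(cp_diff(
//       'CP="NON DSP COR CUR ADMa DEVa OUR IND PHY ONL UNI FIN DEM"',
//       'CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"'
//   ));
```

The header has to be sent before any output, so send_p3p_header() belongs at
the top of the script, before the cookie is set; cp_diff() is meant for a
one-off check that the compact policy a page sends is a subset of what the
full policy at the well-known location declares, rather than something to run
on every request.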
