
Re: Disavowing Legal Liability

From: Lorrie Cranor <lorrie@research.att.com>
Date: Thu, 30 Aug 2001 11:08:35 -0400
Message-ID: <002f01c13165$c1d00d20$9816cf87@barbaloot>
To: "Ben Wright" <Ben_Wright@compuserve.com>, <www-p3p-policy@w3.org>
By default IE6 does not block all cookies that do not have compact
policies. Only third party cookies are blocked. See
http://support.microsoft.com/support/kb/articles/Q283/1/85.ASP
for more information.

Regards,

Lorrie Cranor


----- Original Message -----
From: "Ben Wright" <Ben_Wright@compuserve.com>
To: <www-p3p-policy@w3.org>
Sent: Thursday, August 30, 2001 10:56 AM
Subject: Re: Disavowing Legal Liability


> My thanks to Lorrie Cranor for the comment below to the effect that the
> defining of a new token would be a mandatory extension, and that the
> Specification forbids full policies with mandatory extensions to be
> expressed as compact policies.
>
> Please help me understand.  It appears that the P3P rules (as implemented by
> Internet Explorer 6) are a trap for web administrators.
>
> A mandatory extension, as I understand it, is a way to define a new term.
> If an honest web administrator feels she needs to use a mandatory extension
> in order to express an honest and accurate privacy policy, then under the
> rules she is forbidden from representing that policy in compact form.  And
> if she cannot make a compact policy, then IE 6 will block her cookies.
>
> Is my understanding correct?  If it is, then the administrator is trapped, is
> she not?  If she wants to save her cookies, it seems she is forced to
> publish an inaccurate privacy policy.
>
> Is there any way for her to get out of the trap?
>
> Thank you
>
> --Ben Wright
> http://ourworld.compuserve.com/homepages/Ben_Wright
>
> >Message-ID: <010501c12c35$3a6263e0$3a06cf87@research.att.com>
> >From: "Lorrie Cranor" <lorrie@research.att.com>
> >To: "Ben Wright" <Ben_Wright@compuserve.com>, "P3P Policy" <www-p3p-policy@w3.org>
> >Date: Thu, 23 Aug 2001 20:39:25 -0400
> >Subject: Re: Disavowing Legal Liability
> >
> >Section 4.5 of the specification says that full policies that
> >include mandatory extensions must not be represented
> >as compact policies. The DSA token you describe sounds
> >like it would be a mandatory extension. Thus what you
> >describe is a violation of the P3P specification.
> >
> >Regards,
> >
> >Lorrie Cranor
> >P3P Specification Working Group Chair
> >
> >
> >----- Original Message -----
> >From: "Ben Wright" <Ben_Wright@compuserve.com>
> >To: "P3P Policy" <www-p3p-policy@w3.org>
> >Sent: Thursday, August 23, 2001 3:45 PM
> >Subject: Disavowing Legal Liability
> >
> >
> > P3P Policy List:
> >
> > I am a lawyer studying Internet Explorer 6's implementation of P3P.
> >
> > Web administrators will be reacting to IE 6's P3P implementation as the
> > browser is rolled out to the market.  I am concerned that administrators
> > will expose themselves to unwarranted legal liability through the
> > statements they try to make in compact P3P policies.  I'm looking for a way
> > to disclaim liability in compact policies.
> >
> > I'm thinking about suggesting that web administrators add the token "DSA"
> > at the end of their compact policies.  DSA is not defined in the P3P
> > specification, but it would be defined in full P3P policies and elsewhere
> > as meaning that the web administrator disavows any legal liability
> > associated with the compact policy.
> >
> > I see in the update for P3P specification section 4.2 that "If an
> > unrecognized token appears in a compact policy, the compact policy has the
> > same semantics as if that token was not present."
> > http://www.w3.org/P3P/updates.html
> >
> > My question:  Suppose a user agent like IE 6 sees, with respect to a
> > certain cookie, a compact policy that ends with the token "DSA". For
> > purposes of the user agent's decision on how to handle the cookie, will the
> > agent simply ignore the DSA token and treat the cookie as it otherwise
> > would in the absence of the token?  It seems to me that the answer should
> > be yes, but I'm not technically savvy enough to know for sure.
> >
> > Is anyone aware of someone doing something like this?
> >
> > I would be happy to hear other thoughts anyone wishes to share about this
> > idea.
> >
> > --Ben Wright
> > ben_wright@compuserve.com
> > tel 214-403-6642
> > http://ourworld.compuserve.com/homepages/Ben_Wright
>
>
Received on Thursday, 30 August 2001 11:14:49 GMT
