
Re: Disavowing Legal Liability

From: Andreas Färber <andreas.faerber@web.de>
Date: Thu, 30 Aug 2001 20:04:09 +0200
To: <www-p3p-policy@w3.org>
Message-ID: <OPEAKPHJMKEOHNJONGDGOELICDAA.andreas.faerber@web.de>

> I am a lawyer studying Internet Explorer 6's implementation of P3P.
> Web administrators will be reacting to IE 6's P3P implementation as the
> browser is rolled out to the market.  I am concerned that administrators
> will expose themselves to unwarranted legal liability through the
> statements they try to make in compact P3P policies.  I'm looking for a
> to disclaim liability in compact policies.

> If an honest web administrator feels she needs to use a mandatory extension
> in order to express an honest and accurate privacy policy, then under the
> rules she is forbidden from representing that policy in compact form.  And
> if she cannot make a compact policy, then IE 6 will block her cookies.
> Is my understanding correct?  If it is, then the administrator is trapped, is
> she not?  If she wants to save her cookies, it seems she is forced to
> publish an inaccurate privacy policy.
> Is there any way for her to get out of the trap?

Excuse me, but from my understanding (from over here in the European Union)
the whole purpose of P3P is to make webmasters make an honest statement
about their (ab)use of Cookies and personal information and to raise
awareness on the side of users that sadly not all websites are treating
their visitors' personal data in a trustworthy way. The point is to give
users more control over their personal information, for example by
automatically blocking cookies in IE6 that do not conform to some
user-specified criteria (e.g. APPEL) - which is a step in the right
direction and will hopefully be applied to the _whole_ P3P spec by following
implementations of Microsoft and other Internet browsers.
Instead of even raising the *idea* of making false statements about the use
of cookies (which interferes with the "honest and accurate" privacy policies
already deployed) you should simply make your client think about what
information her cookies carry and what information she requests on her
website. If she accurately states what she does on her website, then I don't
see any difference between making the P3P statement and really doing it on
the website in the form of setting the Cookies. After all, she's liable for the
website, too.
If her cookies are against the users' preferences, why not simply change the
cookies instead of making untrue statements about their contents in order to
make users accept them against their will?! Why does she use cookies if she
does not want to be liable for them?

Most of my sites don't use Cookies. Only one of them does, it lets visitors
tailor the appearance of the Portal to their needs - if they like. I don't
see any legal problem using P3P policies because I only state what I do and
do not do for which I am already liable if I do not use P3P policies - I
cannot write a disclaimer that disclaims legal liability for not handling
personal data in a trustworthy way according to our laws.


Andreas Färber

P.S. Even if a DSA token were included in the P3P recommendation, do you
think Microsoft would implement it in IE6 before it is released? I don't
think so. And if I'm right, a DSA token would not solve your client's
so-called "trap".
Received on Thursday, 30 August 2001 14:04:43 UTC
