
Re: Disavowing Legal Liability

From: Lorrie Cranor <lorrie@research.att.com>
Date: Thu, 20 Sep 2001 10:21:12 -0400
Message-ID: <00e801c141df$8049d7c0$9816cf87@barbaloot>
To: "Ben Wright" <Ben_Wright@compuserve.com>, <www-p3p-policy@w3.org>
The P3P specification makes it quite clear
that compact policies cannot be used in cases where
mandatory extensions have been added to P3P. An extension
that essentially nullifies a P3P statement is clearly mandatory.
In addition, several months ago we added to section 4.2 the
sentence "If an unrecognized token appears in a compact policy,
the compact policy has the same semantics as if that token was
not present."

----- Original Message -----
From: "Ben Wright" <Ben_Wright@compuserve.com>
To: <www-p3p-policy@w3.org>
Sent: Wednesday, September 19, 2001 10:39 AM
Subject: Re: Disavowing Legal Liability


> Regarding legal liability under P3P, I have posted a web site to air my views at
> http://www.disavowp3p.com
>
> I fear that the P3P protocol is too dangerous and incomplete for any corporation or
> institution to use in a legally meaningful way.  My web site offers ideas on how
> web administrators can use "dummy" P3P tokens to trigger the intended function of
> cookies under IE 6, while disavowing any legal or moral significance to the tokens.
>
> Comments welcome.
>
> --Ben
>
> Benjamin Wright
> Attorney and Founding Author,
>    The  Law of Electronic Commerce
> Dallas, Texas
> tel 214-403-6642
> ben_wright@compuserve.com
> http://www.disavowp3p.com
>
> -------------Forwarded Message-----------------
>
> >From: INTERNET:www-p3p-policy@w3.org, INTERNET:www-p3p-policy@w3.org
> >To: [unknown], INTERNET:www-p3p-policy@w3.org
> > "Ben Wright", Ben_Wright
> >
> >Date: 8/30/01 10:20 AM
> >
> >RE: Re: Disavowing Legal Liability
> >
> >
> >By default IE6 does not block all cookies that do not have compact
> >policies. Only third party cookies are blocked. See
> >http://support.microsoft.com/support/kb/articles/Q283/1/85.ASP
> >for more information.
> >
> >Regards,
> >
> >Lorrie Cranor
> >
> >
> >----- Original Message -----
> >From: "Ben Wright" <Ben_Wright@compuserve.com>
> >To: <www-p3p-policy@w3.org>
> >Sent: Thursday, August 30, 2001 10:56 AM
> >Subject: Re: Disavowing Legal Liability
> >
> >
> > > My thanks to Lorrie Cranor for the comment below to the effect that the
> > > defining of a new token would be a mandatory extension, and that the
> > > Specification forbids full policies with mandatory extensions to be
> > > expressed as compact policies.
> > >
> > > Please help me understand.  It appears that the P3P rules (as implemented by
> > > Internet Explorer 6) are a trap for web administrators.
> > >
> > > A mandatory extension, as I understand it, is a way to define a new term.
> > > If an honest web administrator feels she needs to use a mandatory extension
> > > in order to express an honest and accurate privacy policy, then under the
> > > rules she is forbidden from representing that policy in compact form.  And
> > > if she cannot make a compact policy, then IE 6 will block her cookies.
> > >
> > > Is my understanding correct?  If it is, then the administrator is trapped, is
> > > she not?  If she wants to save her cookies, it seems she is forced to
> > > publish an inaccurate privacy policy.
> >
> > Is there any way for her to get out of the trap?
> >
> > Thank you
> >
> > --Ben Wright
> > http://ourworld.compuserve.com/homepages/Ben_Wright
> >
> > >Message-ID: <010501c12c35$3a6263e0$3a06cf87@research.att.com>
> > >From: "Lorrie Cranor" <lorrie@research.att.com>
> > > >To: "Ben Wright" <Ben_Wright@compuserve.com>, "P3P Policy" <www-p3p-policy@w3.org>
> > >Date: Thu, 23 Aug 2001 20:39:25 -0400
> > >Subject: Re: Disavowing Legal Liability
> > >
> > >Section 4.5 of the specification says that full policies that
> > >include mandatory extensions must not be represented
> > >as compact policies. The DSA token you describe sounds
> > >like it would be a mandatory extension. Thus what you
> > >describe is a violation of the P3P specification.
> > >
> > >Regards,
> > >
> > >Lorrie Cranor
> > >P3P Specification Working Group Chair
> > >
> > >
> > >----- Original Message -----
> > >From: "Ben Wright" <Ben_Wright@compuserve.com>
> > >To: "P3P Policy" <www-p3p-policy@w3.org>
> > >Sent: Thursday, August 23, 2001 3:45 PM
> > >Subject: Disavowing Legal Liability
> > >
> > >
> > > P3P Policy List:
> > >
> > > I am a lawyer studying Internet Explorer 6's implementation of P3P.
> > >
> > > > Web administrators will be reacting to IE 6's P3P implementation as the
> > > > browser is rolled out to the market.  I am concerned that administrators
> > > > will expose themselves to unwarranted legal liability through the
> > > > statements they try to make in compact P3P policies.  I'm looking for a way
> > > > to disclaim liability in compact policies.
> > > >
> > > > I'm thinking about suggesting that web administrators add the token "DSA"
> > > > at the end of their compact policies.  DSA is not defined in the P3P
> > > > specification, but it would be defined in full P3P policies and elsewhere
> > > > as meaning that the web administrator disavows any legal liability
> > > > associated with the compact policy.
> > > >
> > > > I see in the update for P3P specification section 4.2 that "If an
> > > > unrecognized token appears in a compact policy, the compact policy has the
> > > > same semantics as if that token was not present."
> > > > http://www.w3.org/P3P/updates.html
> > > >
> > > > My question:  Suppose a user agent like IE 6 sees, with respect to a
> > > > certain cookie, a compact policy that ends with the token "DSA". For
> > > > purposes of the user agent's decision on how to handle the cookie, will the
> > > > agent simply ignore the DSA token and treat the cookie as it otherwise
> > > > would in the absence of the token?  It seems to me that the answer should
> > > > be yes, but I'm not technically savvy enough to know for sure.
> > > >
> > > > Is anyone aware of someone doing something like this?
> > > >
> > > > I would be happy to hear other thoughts anyone wishes to share about this
> > > > idea.
> > >
> > > --Ben Wright
> > > ben_wright@compuserve.com
> > > tel 214-403-6642
> > > http://ourworld.compuserve.com/homepages/Ben_Wright
> >
> >
>
>
Received on Thursday, 20 September 2001 10:29:00 GMT
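
The section 4.2 rule quoted in this thread ("If an unrecognized token appears in a compact policy, the compact policy has the same semantics as if that token was not present") can be seen in a small compact-policy parser. This is an added example, not code from the thread, the P3P specification or any browser; the function names and sample headers are constructed, the token vocabulary is transcribed from the P3P 1.0 compact-policy syntax, and it does not model how IE 6 decides what to do with a cookie.

```python
import re

# Compact-policy vocabulary (P3P 1.0, section 4.2), transcribed for this example.
# Tokens that never carry a suffix:
FIXED = set("""NOI ALL CAO IDC OTI NON DSP COR MON LAW NID CUR OUR
NOR STP LEG BUS IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL
HEA PRE LOC GOV OTC TST""".split())
# Purpose/recipient tokens that may carry a one-letter consent suffix (a, i or o):
SUFFIXABLE = set(
    "ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP DEL SAM UNR PUB OTR".split())

def is_recognized(token):
    """True if the token belongs to the compact-policy vocabulary above."""
    if token in FIXED or token in SUFFIXABLE:
        return True
    return len(token) == 4 and token[:3] in SUFFIXABLE and token[3] in "aio"

def parse_p3p_header(value):
    """Split the CP="..." part of a P3P header value into
    (recognized, unrecognized) token lists, preserving order."""
    match = re.search(r'\bCP\s*=\s*"([^"]*)"', value)
    tokens = match.group(1).split() if match else []
    recognized = [t for t in tokens if is_recognized(t)]
    unrecognized = [t for t in tokens if not is_recognized(t)]
    return recognized, unrecognized

def same_semantics(header_a, header_b):
    """Apply the section 4.2 rule: compare only the recognized tokens."""
    return set(parse_p3p_header(header_a)[0]) == set(parse_p3p_header(header_b)[0])

# Constructed sample header values; "DSA" is the undefined token from the thread.
WITH_DSA = 'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR DSA"'
WITHOUT_DSA = 'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"'

if __name__ == "__main__":
    recognized, unrecognized = parse_p3p_header(WITH_DSA)
    print("recognized:  ", recognized)
    print("unrecognized:", unrecognized)   # worth logging when auditing site policies
    print("same semantics without DSA:", same_semantics(WITH_DSA, WITHOUT_DSA))
```

A parser that reports the unrecognized list instead of silently dropping it lets an auditor see which sites send tokens outside the vocabulary.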
