W3C home > Mailing lists > Public > www-p3p-policy@w3.org > March 2002

Re: P3P Specification Ambiguity: Cookies

From: Chris Jensen <cjensen@corp.classmates.com>
Date: Wed, 06 Mar 2002 10:24:02 -0800
Message-ID: <3C865EC2.8070407@corp.classmates.com>
To: Lorrie Cranor <lorrie@research.att.com>
CC: www-p3p-policy@w3.org

First suggestion.  Think this through a little more and
be very careful how you phrase things.  Incorporate a
slightly better explanation into your draft spec.  You
need to really be clear in telling people why the spec
requires what it requires, or they won't adopt P3P.

2nd; You need to make sure that you're not confusing the
potential for a practice with the actual practice.  If
I use a cookie as a state preservation mechanism and I
do not, in practice, link that to user data in order to
track individual user behavior, then I should not be
required to disclose that the cookie could potentially
be used for that purpose.  If we disclose all potential
uses for a cookie, web clients will be making decisions
that are based on potential uses and not actual uses,
and pretty much every site that uses cookies as a state
preservation mechanism will take issue with that.

3rd; You need to write something into the spec that will
regulate how P3P is intended to be used in clients like
IE 6.  It seems obvious that they are using it too early
and in a way that doesn't jibe well with the intent of
the specification.  They are making basic assumptions
about whether cookies are 'satisfactory' or not which
could be detrimental to web sites that use cookies, and
they are using your specification draft recommendation
as justification for their actions.

4th; If you don't have a team of lawyers working on your
specification, you need to get some.  P3P touches deeply
on legal matters, and poses a liability danger to anyone
who adopts it in practice.  The more work you do to really
clarify the language used and the rationale behind parts
of the specification now, the less work companies will
have to do in order to adopt P3P.  I'm looking at P3P now
and thinking it would take a team of lawyers working with
a team of software engineers for months to draft a really
compliant P3P policy for a large existing web site that
will not create an immediate legal liability.  That is an
incredible barrier to adoption in time, money, and the
potential for litigation based on varying interpretations
of P3P and the policies that are created using it.

I'm assuming that your goal is to get companies to
voluntarily adopt P3P and you aren't going to rely on
companies that produce web clients to force companies
that offer web services to adopt P3P.  That would be
very bad for the industry.

What are you doing to address these issues?

What are the milestones for your specification?  How
far along do you think you are?

How closely are you working with Microsoft regarding
issues with Internet Explorer's use of P3P?

-Chris



Lorrie Cranor wrote:
> The intent behind the 2.3.2.7 text about data linked via
> a cookie is to make sure that sites disclose the data
> practices enabled by a cookie. If the spec limited 
> disclosures to just the data stored in a cookie, most
> cookies would be labelled simply as storing a unique
> identifier. This doesn't tell the user very much. The
> important information is what this identifier gets linked
> to, and the resulting actions that may be taken. 
> For example, I may not mind if a site uses cookies
> to monitor my browsing behavior and serve me
> customized content or ads. But if the cookies that
> are used to link to gether information about my
> web browsing in turn get linked to a database with
> my personally identifiable information, I might object,
> because I don't want my browsing behavior linked
> to my name. What data is contained in the cookie
> vs. in the linked databases, and whether or not
> any of it is encrypted does not matter from the
> perspective of trying to figure out what the cookie
> is actually enabling.
> 
> Does this help make things clearer?
> 
> Lorrie
> 
> 
Received on Wednesday, 6 March 2002 13:24:06 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 17 January 2012 12:13:10 GMT