Re: Question about P3P policies and cookies

From: Lorrie Cranor <lorrie@cs.cmu.edu>
Date: Wed, 24 Aug 2005 22:20:23 -0400 (EDT)
To: Eric Peterson <eric.peterson@gmail.com>
cc: www-p3p-policy@w3.org
Message-ID: <Pine.LNX.4.33L.0508242213260.22216-100000@ux14.sp.cs.cmu.edu>

If the tracking vendor is acting as an agent to the web site and following
the definition of agent at http://www.w3.org/TR/P3P/#RECPNT: "An agent in
this instance is defined as a third party that processes data only on
behalf of the service provider for the completion of the stated purposes.
(e.g., the service provider and its printing bureau which prints address
labels and does nothing further with the information.)" then there is no
problem. Repurposing tracking data in aggregate form is ok as long as it
truly is aggregate form. See section 3.3.1:

"Service providers often aggregate data they collect. Sometimes this
aggregate data may be used for different purposes than the original data,
shared more widely than the original data, or retained longer than the
original data. For example many sites publish or disclose to their
advertisers statistics such as number of visitors to their Web site,
percentage of visitors who fit into various demographic groups, etc. When
aggregate statistics are used or shared such that it would not be possible
to derive data for individual people or households based on these
statistics, no disclosures about these statistics are necessary in a P3P
policy. However, services MUST disclose the fact that the original data is
collected and declare any use that is made of the data before it is

See for example Scenario 3 in section 2.5 of the spec.


Lorrie Faith Cranor <http://lorrie.cranor.org/>
* Associate Research Professor, Computer Science and Engineering & Public
  Carnegie Mellon University
* P3P Specification Working Group Chair <http://www.w3.org/p3p/>
* Book: Web Privacy with P3P <http://p3pbook.com/>

On Wed, 24 Aug 2005, Eric Peterson wrote:

> Rigo,
> I got your email a few weeks back but have not had a chance to respond
> as of yet.  I am wondering if you folks have any opinion/information
> about the situation where companies are entering into contractual
> arrangements with third-parties to manage subdomains on their behalf
> for the purpose of tracking using cookies.
> E.g., Apple pays Omniture to create a tracking domain called
> metrics.apple.com, having an IP address owned by Omniture, not Apple.
> Do you have any insight into how P3P should be constructed in
> situations like this?  Or, put another way, do you see inherent risk
> in companies doing this kind of thing?
> I ask because some of the tracking vendors then take aggregate data
> and repurpose that into widely viewable reports (e.g., Coremetrics
> LIVEmark, WebSideStory Statmarket, ...)  My suspicion is that this is
> in conflict with site's stated P3P policy.
> Any insight you have is greatly appreciated.  If you'd like to get on
> the phone that would be great.
> Thanks in advance,
> --
> Eric T. Peterson
> Author, Web Analytics Demystified and Web Site Measurement Hacks
> Senior Analyst, JupiterResearch
> www.webanalyticsdemystified.com
> Have you joined the Metrics Discussion Group?  Email
> webanalytics-subscribe@yahoogroups.com to join today!
Received on Thursday, 25 August 2005 02:21:08 UTC