- From: Giles Hogben <giles.hogben@jrc.it>
- Date: Wed, 15 Oct 2003 15:13:24 +0200
- To: <public-p3p-spec@w3.org>
Here is an updated version based on some comments I received Linked data and cookies (action item) Cookies can contain a maximum of 4kb of data and must be transmitted across the network twice before they can be used. For this reason, cookies tend to store only a number (or unique key) which links to a value in a database. Data about a user is stored in a database and that record is given a number (a unique key). Only this number is stored in the cookie on the user's computer. When the user revisits the site which set the cookie, that site can immediately have access to a potentially unlimited amount of information about the user simply by looking up the number in the database in which the number is a key. Linkability may be direct or indirect. For example a key stored in one cookie may not link directly to a user's name. Suppose a site sets two cookies. One cookie might link to a record of the user's street name and number and the other to the user's home town. By using the referrer IP, these two cookies be linked together to give a unique address and through another database, the user's name. With enough effort, data mining techniques may be applied to link even seemingly highly anonymised data with a cookie value. P3P applies the principle of proportionality to such linkability. The specification of the data and purposes covered by cookie should be thought of in terms of the analysis which might reasonably be carried out on such a cookie to achieve the stated purpose. For example if a cookie is set to track criminals' personal data then it is reasonable that a considerable effort might be put into database analysis. The cookie should therefore be said applying to personally identifiable data even if the data is actually hashed in the database. If on the other hand, the cookie is set in order to track a session and data is stored in the database but anonymised by hashing, then there is no need to state that the data is identifiable. This type of anonymization is in theory not secure because hashes have a 1-1 correspondence with ip addresses for example so by hashing all possible ip addresses, you can trace the original ip address. However extending the definition of linkability to this extent is neither practical nor reasonable. Third party cookies are cookies which are set by a domain other than the page being viewed. This is done through embedded images and can even occur in emails and applications which use web services, such as music players. While normally the information stored in one domain's cookie cannot be accessed by another domain, third party cookies bypass this mechanism by placing the same third party image in different domain's pages. This allows tracking of users across different domains. The intention to carry out such tracking activities through linking cookie keys across different domains should also be declared
Received on Wednesday, 15 October 2003 09:14:37 UTC