- From: Lorrie Cranor <lorrie@cs.cmu.edu>
- Date: Mon, 8 Mar 2004 22:18:22 -0500
- To: 'public-p3p-spec' <public-p3p-spec@w3.org>
Here is a complete proposal based on discussion on the mailing list and last call. Please send any more comments. Let's try to get this wrapped up this week if possible. Lorrie --- I propose that we remove the last 3 paragraphs of 1.3.2 that pertain to "linked" data and change the title of that section to "Non-identifiable" Data. Then add a new section 1.3.4 as follows: 1.3.4 Linked and Linkable Data <p>Cookies often store a unique number or database key that links to a database record, rather than storing the complete database record. Web sites that use P3P must disclose not only the types of data stored directly in a cookie, but also all data linked to a cookie. A large amount of data may be "linkable" to a cookie without actually being "linked" to that cookie. </p> <p>A piece of data X is said to be <i>linkable</i> to a cookie Y if a key stored in cookie Y can be used to retrieve X either directly or indirectly. A direct retrieval might happen, for example, if the key is associated with a database record in which X is stored. An indirect retrieval might happen, for example, if the key is associated with a database record that contains a piece of data that may be used, in turn, as a key to retrieve a record in a second database, and X is stored in the second database. Furthermore, if cookie Y is stored in a server log file, the log file may facilitate further linking. For example, when cookie Y is replayed, it may be accompanied by a referer field that includes additional identifiable information or even another key. Alternatively, imagine a web site that sets two cookies, Y and Z. Cookies Y and Z may get replayed in the same HTTP request and subsequently recorded side-by-side in the server log file. Thus all data associated with cookie Y are also linkable to cookie Z. Indeed, unless precautions are taken to minimize server log files and severely restrict the use of identifiable data, almost all data an entity stores about an individual are likely to be linkable to any cookies they have set on that individual's computer.</p> <p>A piece of data X is said to be <i>linked</i> to a cookie Y if at least one of the following activities may take place as a result of cookie Y being replayed, immediately upon cookie replay or at some future time (perhaps as a result of retrospective analysis or processing of server logs):</p> <ul> <li>A cookie containing X is set or reset.</li> <li>X is retrieved from a persistent data store or archival media.</li> <li>Information identifiable with the user -- including but not limited to data entered into forms, IP address, clickstream data, and client events -- is retrieved from a record, data structure, or file (other than a log file) in which X is stored. </li> </ul> <p>Entities should consider their data collection and storage architectures carefully to determine what data may be linkable to their cookies and what data will actually be linked to each cookie. If data is linkable but does not actually get linked to a particular cookie, it does not have to be disclosed in a P3P statement concerning that cookie. However, should the entity associated with that P3P policy ever link the data for any reason other than to comply with law enforcement demands, they would be in violation of their stated policy. </p>
Received on Monday, 8 March 2004 22:17:37 UTC