Re: Disavowing Legal Liability from Ben Wright on 2001-08-30 (www-p3p-policy@w3.org from August 2001)

From: Ben Wright <Ben_Wright@compuserve.com>
Date: Thu, 30 Aug 2001 09:56:54 -0500
To: <www-p3p-policy@w3.org>
Message-ID: <MABBKKBCEJDIMLBCNNBNIENECAAA.Ben_Wright@compuserve.com>
My thanks to Lorrie Cranor for the comment below to the effect that the
definining of a new token would be a mandatory extension, and that the
Specification forbids full policies with mandatory extensions to be
expressed as compact policies.

Please help me understand.  It appears that the P3P rules (as implemented by
Internet Explorer 6) are a trap for web adminstrators.

A mandatory extenstion, as I understand it, is a way to define a new term.
If an honest web administrator feels she needs to use a mandatory extension
in order to express an honest and accurate privacy policy, then under the
rules she is forbidden from representing that policy in compact form.  And
if she cannot make a compact policy, then IE 6 will block her cookies.

Is my understanding correct?  If it is, then the adminstrator is trapped, is
she not?  If she wants to save her cookies, it seems she is forced to
publish an inaccurate privacy policy.

Is there any way for her to get out of the trap?

Thank you

--Ben Wright
http://ourworld.compuserve.com/homepages/Ben_Wright

>Message-ID: <010501c12c35$3a6263e0$3a06cf87@research.att.com>
>From: "Lorrie Cranor" <lorrie@research.att.com>
>To: "Ben Wright" <Ben_Wright@compuserve.com>, "P3P Policy"
<www-p3p-policy@w3.org>
>Date: Thu, 23 Aug 2001 20:39:25 -0400
>Subject: Re: Disavowing Legal Liability
>
>Section 4.5 of the specification says that full policies that
>include mandatory extensions must not be represented
>as compact policies. The DSA token you describe sounds
>like it would be a mandatory extension. Thus what you
>describe is a violation of the P3P specification.
>
>Regards,
>
>Lorrie Cranor
>P3P Specification Working Group Chair
>
>
>----- Original Message -----
>From: "Ben Wright" <Ben_Wright@compuserve.com>
>To: "P3P Policy" <www-p3p-policy@w3.org>
>Sent: Thursday, August 23, 2001 3:45 PM
>Subject: Disavowing Legal Liability
>
>
> P3P Policy List:
>
> I am a lawyer studying Internet Explorer 6's implementation of P3P.
>
> Web administrators will be reacting to IE 6's P3P implementation as the
> browser is rolled out to the market.  I am concerned that administrators
> will expose themselves to unwarranted legal liability through the
> statements they try to make in compact P3P policies.  I'm looking for a
way
> to disclaim liability in compact policies.
>
> I'm thinking about suggesting that web administrators add the token "DSA"
> at the end of their compact policies.  DSA is not defined in the P3P
> specification, but it would be defined in full P3P policies and elsewhere
> as meaning that the web administrator disavows any legal liability
> associated with the compact policy.
>
> I see in the update for P3P specification section 4.2 that "If an
> unrecognized token appears in a compact policy, the compact policy has the
> same semantics as if that token was not present."
> http://www.w3.org/P3P/updates.html
>
> My question:  Suppose a user agent like IE 6 sees, with respect to a
> certain cookie, a compact policy that ends with the token "DSA". For
> purposes of the user agent's decision on how to handle the cookie, will
the
> agent simply ignore the DSA token and treat the cookie as it otherwise
> would in the absence of the token?  It seems to me that the answer should
> be yes, but I'm not technically savvy enough to know for sure.
>
> Is anyone aware of someone doing something like this?
>
> I would be happy to hear other thoughts anyone wishes to share about this
> idea.
>
> --Ben Wright
> ben_wright@compuserve.com
> tel 214-403-6642
> http://ourworld.compuserve.com/homepages/Ben_Wright
Received on Thursday, 30 August 2001 10:57:05 UTC