Microsoft User Prefs: are they weird or simple? from Christian Voelker on 2001-11-05 (www-p3p-policy@w3.org from November 2001)

From: Christian Voelker <christian.voelker@freenet-ag.de>
Date: Mon, 5 Nov 2001 20:41:00 +0100
To: www-p3p-policy@w3.org
Message-ID: <BDC37D9EAC71AE4DB09A7A0D422EEC663FCDB7@STAFFBOX>

Hello,

until now, I rejected to go through all
the rules written down in the XML file
for the medium setting of the IE 6 user
prefs. But as it didnt work out with
the headers I constructed so far, I had
to investigate on this side as well.

Now im through round about 150 rules
and have the strange feeling that MS did
not know themselves what theyre doing.

So this is just to those who have read
this file too. Is it true that the short
version of the third party section would
just be:

<thirdParty noPolicyDefault="reject"
            noRuleDefault="accept"
            alwaysAllowSession="no">
    <if expr="PHY" action="reject" /> 
    <if expr="ONL" action="reject" /> 
    <if expr="GOV" action="reject" /> 
    <if expr="FIN" action="reject" /> 
</thirdParty>

What leads me to this opinion is this:

<if expr="PHY,!CUR, !ADM, !DEV, !CUS,
              !TAI, !PSA, !PSD, !IVA,
              (...)"
    action="reject" />
(...)
<if expr="PHY,IVA" 
    action="reject" />

The same is true for the other three
categories of data. It just means that
the first rule rejects the cookie if
you gather physical data and dont do
an individual analysis on it; the se-
cond applies if you do. In either case,
your cookies are rejected.



As with adservers and the german counting
mechanism for page impressions, the "IVW-
Tag", it would be fairly simple then:

Just avoid to gather postal adress, tele-
phone (PHY), email adress (ONL) and any
account information (FIN) of the visitor
- stuff you propably dont store on your
adserver anyway. The GOV doesnt apply (so
far - beware of it) at all. Everything
else is just fine.

Am I right? Please tell me.

I hope, the list accepts appended files. 
I just took the user pref down from the MS
website, saved in UTF-8 (which is nothing 
different from normal as long as the file
contains ASCII only). You may find it your-
self by going there:

http://msdn.microsoft.com/workshop/security/privacy/overview/privacyimportxm
l.asp

Then, scroll down to:

A Real Example: Microsoft's Medium Setting

Click "Show Example" to expand.

Cheers, Christian

Attachments

application/octet-stream attachment: UserPrefMedium.xml

Received on Monday, 5 November 2001 14:41:02 UTC