Re: Disavowing Legal Liability

Regarding legal liability under P3P, I have posted a web site to air my views at 
http://www.disavowp3p.com

I fear that the P3P protocol is too dangerous and incomplete for any corporation or 
institution to use in a legally meaningful way.  My web site offers ideas on how 
web administrators can use "dummy" P3P tokens to trigger the intended function of 
cookies under IE 6, while disavowing any legal or moral significance to the tokens.

Comments welcome.

--Ben

Benjamin Wright
Attorney and Founding Author, 
   The  Law of Electronic Commerce
Dallas, Texas
tel 214-403-6642
ben_wright@compuserve.com
http://www.disavowp3p.com

-------------Forwarded Message-----------------

>From:	INTERNET:www-p3p-policy@w3.org, INTERNET:www-p3p-policy@w3.org
>To:	[unknown], INTERNET:www-p3p-policy@w3.org
>	"Ben Wright", Ben_Wright
>	
>Date:	8/30/01 10:20 AM
>
>RE:	Re: Disavowing Legal Liability
>
> 
>By default IE6 does not block all cookies that do not have compact
>policies. Only third party cookies are blocked. See
>http://support.microsoft.com/support/kb/articles/Q283/1/85.ASP
>for more information.
>
>Regards,
>
>Lorrie Cranor
>
>
>----- Original Message -----
>From: "Ben Wright" <Ben_Wright@compuserve.com>
>To: <www-p3p-policy@w3.org>
>Sent: Thursday, August 30, 2001 10:56 AM
>Subject: Re: Disavowing Legal Liability
>
>
> My thanks to Lorrie Cranor for the comment below to the effect that the
> defining of a new token would be a mandatory extension, and that the
> Specification forbids full policies with mandatory extensions to be
> expressed as compact policies.
>
> Please help me understand.  It appears that the P3P rules (as implemented by
> Internet Explorer 6) are a trap for web administrators.
>
> A mandatory extension, as I understand it, is a way to define a new term.
> If an honest web administrator feels she needs to use a mandatory extension
> in order to express an honest and accurate privacy policy, then under the
> rules she is forbidden from representing that policy in compact form.  And
> if she cannot make a compact policy, then IE 6 will block her cookies.
>
> Is my understanding correct?  If it is, then the administrator is trapped, is
> she not?  If she wants to save her cookies, it seems she is forced to
> publish an inaccurate privacy policy.
>
> Is there any way for her to get out of the trap?
>
> Thank you
>
> --Ben Wright
> http://ourworld.compuserve.com/homepages/Ben_Wright
>
> >Message-ID: <010501c12c35$3a6263e0$3a06cf87@research.att.com>
> >From: "Lorrie Cranor" <lorrie@research.att.com>
> >To: "Ben Wright" <Ben_Wright@compuserve.com>, "P3P Policy" <www-p3p-policy@w3.org>
> >Date: Thu, 23 Aug 2001 20:39:25 -0400
> >Subject: Re: Disavowing Legal Liability
> >
> >Section 4.5 of the specification says that full policies that
> >include mandatory extensions must not be represented
> >as compact policies. The DSA token you describe sounds
> >like it would be a mandatory extension. Thus what you
> >describe is a violation of the P3P specification.
> >
> >Regards,
> >
> >Lorrie Cranor
> >P3P Specification Working Group Chair
> >
> >
> >----- Original Message -----
> >From: "Ben Wright" <Ben_Wright@compuserve.com>
> >To: "P3P Policy" <www-p3p-policy@w3.org>
> >Sent: Thursday, August 23, 2001 3:45 PM
> >Subject: Disavowing Legal Liability
> >
> >
> > P3P Policy List:
> >
> > I am a lawyer studying Internet Explorer 6's implementation of P3P.
> >
> > Web administrators will be reacting to IE 6's P3P implementation as the
> > browser is rolled out to the market.  I am concerned that administrators
> > will expose themselves to unwarranted legal liability through the
> > statements they try to make in compact P3P policies.  I'm looking for a way
> > to disclaim liability in compact policies.
> >
> > I'm thinking about suggesting that web administrators add the token "DSA"
> > at the end of their compact policies.  DSA is not defined in the P3P
> > specification, but it would be defined in full P3P policies and elsewhere
> > as meaning that the web administrator disavows any legal liability
> > associated with the compact policy.
> >
> > I see in the update for P3P specification section 4.2 that "If an
> > unrecognized token appears in a compact policy, the compact policy has the
> > same semantics as if that token was not present."
> > http://www.w3.org/P3P/updates.html
> >
> > My question:  Suppose a user agent like IE 6 sees, with respect to a
> > certain cookie, a compact policy that ends with the token "DSA". For
> > purposes of the user agent's decision on how to handle the cookie, will the
> > agent simply ignore the DSA token and treat the cookie as it otherwise
> > would in the absence of the token?  It seems to me that the answer should
> > be yes, but I'm not technically savvy enough to know for sure.
> >
> > Is anyone aware of someone doing something like this?
> >
> > I would be happy to hear other thoughts anyone wishes to share about this
> > idea.
> >
> > --Ben Wright
> > ben_wright@compuserve.com
> > tel 214-403-6642
> > http://ourworld.compuserve.com/homepages/Ben_Wright
>
>

Received on Wednesday, 19 September 2001 10:41:00 UTC