Re: Disavowing Legal Liability

The P3P specification makes it quite clear
that compact policies cannot be used in cases where
mandatory extensions have been added to P3P. An extension
that essentially nullifies a P3P statement is clearly mandatory.
In addition, several months ago we added to section 4.2 the
sentence "If an unrecognized token appears in a compact policy,
the compact policy has the same semantics as if that token was
not present."

----- Original Message -----
From: "Ben Wright" <Ben_Wright@compuserve.com>
To: <www-p3p-policy@w3.org>
Sent: Wednesday, September 19, 2001 10:39 AM
Subject: Re: Disavowing Legal Liability


> Regarding legal liability under P3P, I have posted a web site to air my views at
> http://www.disavowp3p.com
>
> I fear that the P3P protocol is too dangerous and incomplete for any corporation or
> institution to use in a legally meaningful way.  My web site offers ideas on how
> web administrators can use "dummy" P3P tokens to trigger the intended function of
> cookies under IE 6, while disavowing any legal or moral significance to the tokens.
>
> Comments welcome.
>
> --Ben
>
> Benjamin Wright
> Attorney and Founding Author,
>    The  Law of Electronic Commerce
> Dallas, Texas
> tel 214-403-6642
> ben_wright@compuserve.com
> http://www.disavowp3p.com
>
> -------------Forwarded Message-----------------
>
> >From: INTERNET:www-p3p-policy@w3.org, INTERNET:www-p3p-policy@w3.org
> >To: [unknown], INTERNET:www-p3p-policy@w3.org
> > "Ben Wright", Ben_Wright
> >
> >Date: 8/30/01 10:20 AM
> >
> >RE: Re: Disavowing Legal Liability
> >
> >
> >By default IE6 does not block all cookies that do not have compact
> >policies. Only third party cookies are blocked. See
> >http://support.microsoft.com/support/kb/articles/Q283/1/85.ASP
> >for more information.
> >
> >Regards,
> >
> >Lorrie Cranor
> >
> >
> >----- Original Message -----
> >From: "Ben Wright" <Ben_Wright@compuserve.com>
> >To: <www-p3p-policy@w3.org>
> >Sent: Thursday, August 30, 2001 10:56 AM
> >Subject: Re: Disavowing Legal Liability
> >
> >
> > My thanks to Lorrie Cranor for the comment below to the effect that the
> > defining of a new token would be a mandatory extension, and that the
> > Specification forbids full policies with mandatory extensions to be
> > expressed as compact policies.
> >
> > Please help me understand.  It appears that the P3P rules (as implemented by
> > Internet Explorer 6) are a trap for web administrators.
> >
> > A mandatory extension, as I understand it, is a way to define a new term.
> > If an honest web administrator feels she needs to use a mandatory extension
> > in order to express an honest and accurate privacy policy, then under the
> > rules she is forbidden from representing that policy in compact form.  And
> > if she cannot make a compact policy, then IE 6 will block her cookies.
> >
> > Is my understanding correct?  If it is, then the administrator is trapped, is
> > she not?  If she wants to save her cookies, it seems she is forced to
> > publish an inaccurate privacy policy.
> >
> > Is there any way for her to get out of the trap?
> >
> > Thank you
> >
> > --Ben Wright
> > http://ourworld.compuserve.com/homepages/Ben_Wright
> >
> > >Message-ID: <010501c12c35$3a6263e0$3a06cf87@research.att.com>
> > >From: "Lorrie Cranor" <lorrie@research.att.com>
> > >To: "Ben Wright" <Ben_Wright@compuserve.com>, "P3P Policy" <www-p3p-policy@w3.org>
> > >Date: Thu, 23 Aug 2001 20:39:25 -0400
> > >Subject: Re: Disavowing Legal Liability
> > >
> > >Section 4.5 of the specification says that full policies that
> > >include mandatory extensions must not be represented
> > >as compact policies. The DSA token you describe sounds
> > >like it would be a mandatory extension. Thus what you
> > >describe is a violation of the P3P specification.
> > >
> > >Regards,
> > >
> > >Lorrie Cranor
> > >P3P Specification Working Group Chair
> > >
> > >
> > >----- Original Message -----
> > >From: "Ben Wright" <Ben_Wright@compuserve.com>
> > >To: "P3P Policy" <www-p3p-policy@w3.org>
> > >Sent: Thursday, August 23, 2001 3:45 PM
> > >Subject: Disavowing Legal Liability
> > >
> > >
> > > P3P Policy List:
> > >
> > > I am a lawyer studying Internet Explorer 6's implementation of P3P.
> > >
> > > Web administrators will be reacting to IE 6's P3P implementation as the
> > > browser is rolled out to the market.  I am concerned that administrators
> > > will expose themselves to unwarranted legal liability through the
> > > statements they try to make in compact P3P policies.  I'm looking for a way
> > > to disclaim liability in compact policies.
> > >
> > > I'm thinking about suggesting that web administrators add the token "DSA"
> > > at the end of their compact policies.  DSA is not defined in the P3P
> > > specification, but it would be defined in full P3P policies and elsewhere
> > > as meaning that the web administrator disavows any legal liability
> > > associated with the compact policy.
> > >
> > > I see in the update for P3P specification section 4.2 that "If an
> > > unrecognized token appears in a compact policy, the compact policy has the
> > > same semantics as if that token was not present."
> > > http://www.w3.org/P3P/updates.html
> > >
> > > My question:  Suppose a user agent like IE 6 sees, with respect to a
> > > certain cookie, a compact policy that ends with the token "DSA". For
> > > purposes of the user agent's decision on how to handle the cookie, will the
> > > agent simply ignore the DSA token and treat the cookie as it otherwise
> > > would in the absence of the token?  It seems to me that the answer should
> > > be yes, but I'm not technically savvy enough to know for sure.
> > >
> > > Is anyone aware of someone doing something like this?
> > >
> > > I would be happy to hear other thoughts anyone wishes to share about this
> > > idea.
> > >
> > > --Ben Wright
> > > ben_wright@compuserve.com
> > > tel 214-403-6642
> > > http://ourworld.compuserve.com/homepages/Ben_Wright
> >
> >
>
>

Received on Thursday, 20 September 2001 10:29:00 UTC
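
Added example (not part of the original thread, and not code from the P3P specification or any browser): a Python sketch of the section 4.2 sentence quoted above, showing that a compact policy ending in the undefined token "DSA" has the same effective token set as the policy without it. The token table is the P3P 1.0 compact vocabulary as transcribed for this example; the function names and sample header values are constructed.

```python
import re

# P3P 1.0 compact-policy vocabulary, transcribed for this example.
PLAIN = set("""NOI ALL CAO IDC OTI NON DSP COR MON LAW NID CUR OUR NOR STP
LEG BUS IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV
OTC TST""".split())
# Purpose and recipient tokens that may carry a consent suffix (a, i or o).
SUFFIXED = set("""ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP
DEL SAM UNR PUB OTR""".split())

CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"')


def parse_compact_policy(header_value):
    """Split the CP="..." part of a P3P header into (recognized, unrecognized)."""
    match = CP_RE.search(header_value)
    if match is None:
        return [], []          # no compact policy in this header
    recognized, unrecognized = [], []
    for token in match.group(1).split():
        base, suffix = token[:3], token[3:]
        known = token in PLAIN or (base in SUFFIXED and suffix in ("", "a", "i", "o"))
        (recognized if known else unrecognized).append(token)
    return recognized, unrecognized


def effective_policy(header_value):
    """Apply the section 4.2 sentence: unrecognized tokens count as absent."""
    recognized, _ = parse_compact_policy(header_value)
    return frozenset(recognized)


def audit(header_value):
    """List tokens a conforming user agent would treat as not present."""
    return parse_compact_policy(header_value)[1]


# Constructed sample headers, not taken from any real site.
WITH_DSA = 'policyref="/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR DSA"'
WITHOUT_DSA = 'policyref="/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR"'

if __name__ == "__main__":
    print(audit(WITH_DSA))
    print(effective_policy(WITH_DSA) == effective_policy(WITHOUT_DSA))
```

Running `audit` over a site's own P3P headers shows which tokens carry no meaning to a user agent that follows the quoted rule.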