- From: Lorrie Cranor <lorrie@research.att.com>
- Date: Tue, 9 Jul 2002 15:53:35 -0400
- To: <www-p3p-policy@w3.org>
- Cc: "ivan hoeeee" <tornrapt@hotmail.com>
From: "ivan hoeeee" <tornrapt@hotmail.com>

> A number of questions follow. Thank you in advance for your assistance.
>
> 1. Assume that a family of web sites has multiple domains:
> www.website.com
> www.website.ca ...
>
> 2. Cookies and other file types are shared across these domains:
>
> www.website.ca may call / receive cookies and images from www.website.com
>
> Would we have to include compact policies in the header of all cookies and
> images etc to ensure that they are not flagged by the browser and that
> functionality is not interrupted?

You should P3P enable all of your web sites by posting a P3P policy and a policy reference file on each site. If they all share the same privacy policy, the simplest thing to do is to post one policy file, and then post a policy reference file on each site -- all the policy reference files can point to the same policy file. Unless you have a good reason not to, you should post your policy reference file at the "well-known location" on each site.

Then, after you have P3P-enabled your sites, you should configure your servers to send compact policies whenever cookies are set. Compact policies apply only to cookies, so it is not necessary to include them with any other requests (although there is no harm in sending them with requests that don't set cookies if it makes server configuration easier). Compact policies are not required for P3P compliance, but they are what IE6 uses to make cookie blocking decisions.

> 3. Majority of pages are dynamically generated such that the page is
> specified in a query string and the root URL is the same across the site:
>
> www.website.com/some-cgi/bigdll.dll?complexvariablestring&...
>
> How would one specify the page where particular data collection occurs given
> that 90% of the site is actually the same page, just different variables
> passed to the dll?
>
> For example:
>
> www.website.com/some-cgi/bigdll.dll?color&...
>
> might ask the user to input the color they want their background to be while
>
> www.website.com/some-cgi/bigdll.dll?creditcard&...
>
> might ask the user to input billing information. How can one specify that
> different policies apply to these URLs given that the differentiation occurs
> in the query string?

In your policy reference file you can use the <INCLUDE> and <EXCLUDE> tags to indicate what parts of your site a policy applies to. As long as you can enumerate all of your different URLs (or use the * wildcard appropriately) you can assign as many different policies as you like. A P3P user agent should take an entire URL into consideration (including the part after the ?) when figuring out which policy applies to a particular page.

> If one created a single policy for all such strings and
> some were asking for personally identifiable information what would be
> risked? Note, only cookies and images are shared across the domains, pages
> are not called across domains.

As long as your single policy covers a superset of the data collected at all the URLs it applies to, then this is fine. This is, in fact, what most web sites are doing because it makes website management much easier. The downside is that users who are only interested in parts of a site that don't collect much information see privacy information that suggests a lot more information might be collected (and cookie blocking decisions, etc. might get made accordingly).

> 4. Where can one find a definition of Personally Identifiable Information?
>
> Clearly this includes name, address etc. as well as userIDs where such
> apply. Is it any information that can be "mapped" back to an individual, or
> is that too specific?

There are many definitions of PII. P3P policies require you to disclose all information you collect from a user on your web site (either through forms or through clickstream data). You can enumerate individual data elements or just disclose what categories of data you collect. Most sites are disclosing categories of data. You may find the P3P implementation guide at http://p3ptoolbox.org/guide/ helpful.

Regards,
Lorrie Cranor
Received on Tuesday, 9 July 2002 16:02:27 UTC
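
The <INCLUDE>/<EXCLUDE> matching described in the reply to question 3, as an added example that is not part of the original message: a small resolver that applies the first POLICY-REF in document order whose INCLUDE patterns match the local URL (query string included) and whose EXCLUDE patterns do not. The policy reference file, the policy names (#billing, #prefs, #general) and the /w3c/policy.xml path are constructed for illustration, and percent-encoding normalization is left out.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed policy reference file; policy names and paths are assumptions.
PRF = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY-REFERENCES>
  <POLICY-REF about="/w3c/policy.xml#billing">
   <INCLUDE>/some-cgi/bigdll.dll?creditcard*</INCLUDE>
  </POLICY-REF>
  <POLICY-REF about="/w3c/policy.xml#prefs">
   <INCLUDE>/some-cgi/bigdll.dll?color*</INCLUDE>
  </POLICY-REF>
  <POLICY-REF about="/w3c/policy.xml#general">
   <INCLUDE>/*</INCLUDE>
   <EXCLUDE>/some-cgi/bigdll.dll?*</EXCLUDE>
  </POLICY-REF>
 </POLICY-REFERENCES>
</META>"""


def _matches(pattern, local_uri):
    # '*' matches any run of characters; everything else, '?' included, is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, local_uri) is not None


def policy_for(local_uri, prf_xml=PRF):
    """Return the 'about' URI of the first POLICY-REF covering local_uri, else None."""
    root = ET.fromstring(prf_xml)
    for ref in root.iter(NS + "POLICY-REF"):
        includes = [e.text.strip() for e in ref.findall(NS + "INCLUDE")]
        excludes = [e.text.strip() for e in ref.findall(NS + "EXCLUDE")]
        included = any(_matches(p, local_uri) for p in includes)
        excluded = any(_matches(p, local_uri) for p in excludes)
        if included and not excluded:
            return ref.get("about")
    return None  # no policy covers this URL: a gap worth auditing


if __name__ == "__main__":
    for url in ("/some-cgi/bigdll.dll?creditcard&step=2",
                "/some-cgi/bigdll.dll?color&bg=blue",
                "/index.html",
                "/some-cgi/bigdll.dll?other=1"):
        print(url, "->", policy_for(url))
```

Running it over a list of the site's real URLs shows which dynamically generated pages fall through every pattern and so carry no declared policy.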