P3P Specification Ambiguity: Cookies from Chris Jensen on 2002-03-05 (www-p3p-policy@w3.org from March 2002)

From: Chris Jensen <cjensen@corp.classmates.com>
Date: Tue, 05 Mar 2002 13:58:34 -0800
To: www-p3p-policy@w3.org
Message-ID: <3C853F8A.40108@corp.classmates.com>

Why doesn't the P3P specification detail the reasoning
behind the requirements for compliance?

Companies that implement P3P policies will incur legal
liability by stating their privacy policies to the high
level of detail required by the P3P specification.  But
the wording of parts of the P3P specification seems very
ambiguous, and the reasoning behind some requirements is
not stated.  Given what is being asked of those who adopt
P3P, shouldn't more work be done to ensure that the P3P
specification is well-defined and water-tight?

Specifically, in section 2.3.2.7 on Cookie-Include and
Cookie-Exclue, the terms 'linked via' and 'enabled by'
are used.  Where are those terms defined?  They could
mean any number of things, and the ambiguity of this
section could lead to legal disputes against adopters
of P3P.  Simply providing one or two examples of use
does not cover all possible meanings of those terms.

For example, how many levels of depth does the term
'linked by' imply?  If a unique identifier in a cookie
is used as a primary key in a database, which has a
foreign key to a table in another database, does all
the possible uses of the information in that database
also apply to the cookie?  That's an example of maybe
two degrees of separation, using a database analogy.
Other examples could be brought forward that show a
much higher degree of separation.  Where are the
boundaries defined in the specification?

This leads me to question the requirement that all
uses of data 'linked via' a cookie be disclosed.  I
can't find any part of the specification that states
_why_ this is required, only that it is.  What is the
rationale behind this requirement?

The cookie itself doesn't gather any information, it
is simply a storage mechanism.  I can see how P3P will
apply to forms where a user inputs data, but this does
not make sense in the scope of cookies unless you are
talking only about the data stored in the cookie, and
not the data 'linked via' the cookie.

Also, how does the P3P specification deal with cookies
that are encrypted?  If the data in the cookie can only
be decrypted and used by the authoring domain, how does
that change the application of the 'linked via' clause?
Who does the 'linked via' clause apply to?  Who is the
one following the link?  The entity that set the cookie
or the entity that replays the cookie?  Or some as yet
undefined third party entity that gains access to the
cookie by accident or with malicous intent?

Please explain.  This section of the P3P specification
is particularly ambiguous and potentially very dangerous,
and with Microsoft as an early adopter of P3P in its
latest releases of Internet Explorer, it is now being
imposed on all web sites that utilize cookies.


-Chris Jensen
  Classmates.com

Received on Tuesday, 5 March 2002 16:58:41 UTC