- From: Ben Wright <Ben_Wright@compuserve.com>
- Date: Tue, 5 Mar 2002 19:24:28 -0500
- To: "INTERNET:www-p3p-policy@w3.org" <www-p3p-policy@w3.org>
I agree that P3P is legally dangerous. It is so incompetent for handling legal obligations that I have suggested companies disavow P3P altogether. See http://www.disavowp3p.com --Ben Benjamin Wright Attorney and Founding Author, The Law of Electronic Commerce Dallas, Texas tel 214-403-6642 ben_wright@compuserve.com http://wright.safeshopper.com -------------Forwarded Message----------------- From: INTERNET:www-p3p-policy@w3.org, INTERNET:www-p3p-policy@w3.org To: , INTERNET:www-p3p-policy@w3.org Date: 3/5/02 4:15 PM RE: P3P Specification Ambiguity: Cookies Why doesn't the P3P specification detail the reasoning behind the requirements for compliance? Companies that implement P3P policies will incur legal liability by stating their privacy policies to the high level of detail required by the P3P specification. But the wording of parts of the P3P specification seems very ambiguous, and the reasoning behind some requirements is not stated. Given what is being asked of those who adopt P3P, shouldn't more work be done to ensure that the P3P specification is well-defined and water-tight? Specifically, in section 2.3.2.7 on Cookie-Include and Cookie-Exclue, the terms 'linked via' and 'enabled by' are used. Where are those terms defined? They could mean any number of things, and the ambiguity of this section could lead to legal disputes against adopters of P3P. Simply providing one or two examples of use does not cover all possible meanings of those terms. For example, how many levels of depth does the term 'linked by' imply? If a unique identifier in a cookie is used as a primary key in a database, which has a foreign key to a table in another database, does all the possible uses of the information in that database also apply to the cookie? That's an example of maybe two degrees of separation, using a database analogy. Other examples could be brought forward that show a much higher degree of separation. Where are the boundaries defined in the specification? This leads me to question the requirement that all uses of data 'linked via' a cookie be disclosed. I can't find any part of the specification that states _why_ this is required, only that it is. What is the rationale behind this requirement? The cookie itself doesn't gather any information, it is simply a storage mechanism. I can see how P3P will apply to forms where a user inputs data, but this does not make sense in the scope of cookies unless you are talking only about the data stored in the cookie, and not the data 'linked via' the cookie. Also, how does the P3P specification deal with cookies that are encrypted? If the data in the cookie can only be decrypted and used by the authoring domain, how does that change the application of the 'linked via' clause? Who does the 'linked via' clause apply to? Who is the one following the link? The entity that set the cookie or the entity that replays the cookie? Or some as yet undefined third party entity that gains access to the cookie by accident or with malicous intent? Please explain. This section of the P3P specification is particularly ambiguous and potentially very dangerous, and with Microsoft as an early adopter of P3P in its latest releases of Internet Explorer, it is now being imposed on all web sites that utilize cookies. -Chris Jensen Classmates.com
Received on Tuesday, 5 March 2002 19:25:28 UTC