W3C home > Mailing lists > Public > www-p3p-policy@w3.org > March 2002

Re: P3P Specification Ambiguity: Cookies

From: Lorrie Cranor <lorrie@research.att.com>
Date: Wed, 6 Mar 2002 09:25:29 -0500
Message-ID: <008e01c1c51a$c49e1300$3e06cf87@research.att.com>
To: "Chris Jensen" <cjensen@corp.classmates.com>, <www-p3p-policy@w3.org>
The intent behind the text about data linked via
a cookie is to make sure that sites disclose the data
practices enabled by a cookie. If the spec limited 
disclosures to just the data stored in a cookie, most
cookies would be labelled simply as storing a unique
identifier. This doesn't tell the user very much. The
important information is what this identifier gets linked
to, and the resulting actions that may be taken. 
For example, I may not mind if a site uses cookies
to monitor my browsing behavior and serve me
customized content or ads. But if the cookies that
are used to link to gether information about my
web browsing in turn get linked to a database with
my personally identifiable information, I might object,
because I don't want my browsing behavior linked
to my name. What data is contained in the cookie
vs. in the linked databases, and whether or not
any of it is encrypted does not matter from the
perspective of trying to figure out what the cookie
is actually enabling.

Does this help make things clearer?

Received on Wednesday, 6 March 2002 09:26:32 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:42:54 UTC