Re: P3P Specification Ambiguity: Cookies

 "Chris Jensen" <cjensen@corp.classmates.com> wrote:
 
> First suggestion.  Think this through a little more and
> be very careful how you phrase things.  Incorporate a
> slightly better explanation into your draft spec.  You
> need to really be clear in telling people why the spec
> requires what it requires, or they won't adopt P3P.

We've been working on trying to document this type of
information in a P3P "implementation guide", a draft 
of which will be posted shortly.

> 2nd; You need to make sure that you're not confusing the
> potential for a practice with the actual practice.  If
> I use a cookie as a state preservation mechanism and I
> do not, in practice, link that to user data in order to
> track individual user behavior, then I should not be
> required to disclose that the cookie could potentially
> be used for that purpose.  If we disclose all potential
> uses for a cookie, web clients will be making decisions
> that are based on potential uses and not actual uses,
> and pretty much every site that uses cookies as a state
> preservation mechanism will take issue with that.

This is an important issue, and one that was discussed
repeatedly during the 5+ years that I worked on this
project. Note especially the use of the terms
"identified" and "identifiable" data in the spec to distinguish
the case where data is used to identify someone from
the case where it might be possible to use the data to identify
someone. In the case of cookie linking, the feeling was that
cookies make it very easy to link together pieces of data,
and that if cookies are used in a way that allows that, they
should be disclosed as such. We are seeing two approaches
that sites are taking to this. Some sites are simply declaring
the same policy for their cookies as for the rest of their site --
everything we do with data, we also might do with cookies.
The other approach is to be careful about limiting the
application of cookies on your site, avoiding domain level
cookies, etc., and possibly purging your server logs to
avoid retaining cookie information.

> 3rd; You need to write something into the spec that will
> regulate how P3P is intended to be used in clients like
> IE 6.  It seems obvious that they are using it too early
> and in a way that doesn't jibe well with the intent of
> the specification.  They are making basic assumptions
> about whether cookies are 'satisfactory' or not which
> could be detrimental to web sites that use cookies, and
> they are using your specification draft recommendation
> as justification for their actions.

The P3P guiding principles explain how we intend
P3P to be used by user agents and web sites.
While there are certainly areas of the IE6 implementation
that I would like to see improved, I don't think that IE6
is using P3P too early. We have been encouraging
P3P implementation so that we can get more experience
with P3P.  The judgements IE6 makes about
cookies being satisfactory or not are a valid interpretation
of the specification. 

> 4th; If you don't have a team of lawyers working on your
> specification, you need to get some.  P3P touches deeply
> on legal matters, and poses a liability danger to anyone
> who adopts it in practice.  The more work you do to really
> clarify the language used and the rationale behind parts
> of the specification now, the less work companies will
> have to do in order to adopt P3P.  I'm looking at P3P now
> and thinking it would take a team of lawyers working with
> a team of software engineers for months to draft a really
> compliant P3P policy for a large existing web site that
> will not create an immediate legal liability.  That is an
> incredible barrier to adoption in time, money, and the
> potential for litigation based on varying interpretations
> of P3P and the policies that are created using it.
>
> I'm assuming that your goal is to get companies to
> voluntarily adopt P3P and you aren't going to rely on
> companies that produce web clients to force companies
> that offer web services to adopt P3P.  That would be
> very bad for the industry.
> 
> What are you doing to address these issues?

Yes, we have many lawyers who have worked on the
P3P specification. I have also been in touch with the
lawyers from a number of large companies who have
contacted us with questions about the specification
and suggestions for clarifications of legal issues. We
have been talking with some of the industry associations
about this as well. The general consensus seems to
be that the key issue for web sites is to make sure
that their P3P policies are consistent with their human-readable
privacy policies. The human-readable privacy policies
can be relied on for more detailed information than
can be expressed in the P3P policy. Some companies
may make explicit statements to that effect in their
human-readable privacy policies.

> What are the milestones for your specification?  How
> far along do you think you are?

W3C officially began this project in 1997. We have issued
many public working drafts and had several official
public comment periods. The latest draft of the 
specification was submitted
to the W3C membership for a vote on January 28.
The W3C Director is currently reviewing the comments
that came in. I expect we are very near the end of the
process for P3P version 1. However, there is already
talk about considering a P3P version 2.

> How closely are you working with Microsoft regarding
> issues with Internet Explorer's use of P3P?

Microsoft representatives have participated actively
in the P3P working groups. The working group has discussed
the degree to which IE6 complies with the P3P
specification with the Microsoft representatives. The
choices Microsoft made about their user interface design,
cookie filtering, etc., however, are outside the scope of the P3P 
working groups. Individuals or companies that have comments on
the IE6 P3P design should discuss them with Microsoft
directly.

Lorrie

Received on Friday, 8 March 2002 18:40:01 UTC