Re: Single compact policy and diverse cookie usages - are we exposed? from Lorrie Cranor on 2002-09-17 (www-p3p-policy@w3.org from September 2002)

From: Lorrie Cranor <lorrie@research.att.com>
Date: Tue, 17 Sep 2002 09:41:01 -0400
To: <www-p3p-policy@w3.org>
Message-ID: <005401c25e4f$dd3fd2d0$9816cf87@barbaloot>

There is no legal risk for erring on the side of thoroughness.
You can interpret P3P statements as meaning something like
"we reserve the right to do FOO" -- you may never actually do
FOO, but the statement is still accurate. The main downside
to this strategy is that if someone has configured their browser
to block cookies that are used for FOO, then all your cookies will
be blocked, where as if you used different compact policies for
each cookie, only the ones that actually did FOO would be blocked.
Using a single compact policy is a good idea because you avoid
errors that may be caused when someone puts the wrong policy on
a cookie. Also, cookies often get logged in the same log file and
then become linkable.

Lorrie

--
Lorrie Faith Cranor - http://lorrie.cranor.org/
P3P Specification Working Group Chair - http://www.w3.org/p3p/
New book: Web Privacy with P3P - http://p3pbook.com/



----- Original Message -----
From: "charles watty" <acwatty@hotmail.com>
Sent: Monday, September 16, 2002 7:49 PM
Subject: Single compact policy and diverse cookie usages - are we exposed?


> Hello,
>
> I've read several documents that recommend that a single compact policy be
> used and served with outgoing files.
>
> My question is:
> What is the risk to the issuing site if not all compact policies are
> specific to the cooke to which they are attached. For example, suppose I
> have 16 cookies, and 10 relate to minor things like site color preferences
> while 6 are related to account information and contain details such as
> address, ship-to location, country of residence etc. Now, I create a
single
> policy that describes all of these uses and send it out with every file
> (cookies incl. of course).
>
> The compact policy is not actually accurate in that it will overstate how
> each cookie uses personal information. It will err on the side of
> thoroughness, but it will err nonetheless. Is this an issue, or can we be
> sure that it is a legally acceptable interpretation of P3P compliance?
>
> Thanks,
> Charles
>
> _________________________________________________________________
> Send and receive Hotmail on your mobile device: http://mobile.msn.com
>
>

Received on Tuesday, 17 September 2002 09:51:18 UTC