This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 172 - clarify what we mean by data linked to a cookie
Summary: clarify what we mean by data linked to a cookie
Alias: None
Product: P3P
Classification: Unclassified
Component: Clarifications needed (show other bugs)
Version: unspecified
Hardware: Other other
: P2 normal
Target Milestone: P3P1.1
Assignee: Rigo Wenning
QA Contact:
Depends on: 167
Blocks: 174
  Show dependency treegraph
Reported: 2003-03-10 21:42 UTC by Lorrie Cranor
Modified: 2008-12-02 22:41 UTC (History)
1 user (show)

See Also:


Description Lorrie Cranor 2003-03-10 21:42:45 UTC
The spec requires sites to disclose in their cookie policies the data linked to a cookie. 
However, it is not entirely clear what we mean. We need further explanation and perhaps 
some examples to be added to the spec.
Comment 1 Rigo Wenning 2004-01-19 14:52:50 UTC
See proposed wording from Giles, which is not yet agreed:
Comment 2 Lorrie Cranor 2004-02-15 17:52:12 UTC
See Lorrie's proposal at
Comment 3 Lorrie Cranor 2004-03-10 13:22:08 UTC
The WG agreed to  the following on March 10:

Remove the last 3 paragraphs of 1.3.2 that pertain
to "linked" data and change the title of that section to
"Non-identifiable" Data. Then add a new section 1.3.4 as follows:

1.3.4 Linked and Linkable Data

<p>Cookies often store a unique number or database key that links to a
database record, rather than storing the complete database record. Web
sites that use P3P must disclose not only the types of data stored
directly in a cookie, but also all data linked to a cookie. A large
amount of data may be "linkable" to a cookie without actually being
"linked" to that cookie. </p>

<p>A piece of data X is said to be <i>linkable</i> to a cookie Y if a
key stored in cookie Y can be used to retrieve X either directly or
indirectly. A direct retrieval might happen, for example, if the key
is associated with a database record in which X is stored. An indirect
retrieval might happen, for example, if the key is associated with a
database record that contains a piece of data that may be used, in
turn, as a key to retrieve a record in a second database, and X is
stored in the second database. Furthermore, if cookie Y is stored in a
server log file, the log file may facilitate further linking. For
example, when cookie Y is replayed, it may be accompanied by a referer
field that includes additional identifiable information or even
another key. Alternatively, imagine a web site that sets two cookies,
Y and Z. Cookies Y and Z may get replayed in the same HTTP request and
subsequently recorded side-by-side in the server log file. Thus all
data associated with cookie Y are also linkable to cookie Z. Indeed,
unless precautions are taken to minimize server log files and severely
restrict the use of identifiable data, almost all data an entity
stores about an individual are likely to be linkable to any cookies
they have set on that individual's computer.</p>

<p>A piece of data X is said to be <i>linked</i> to a cookie Y if at
least one of the following activities may take place as a result of
cookie Y being replayed, immediately upon cookie replay or at some
future time (perhaps as a result of retrospective analysis or
processing of server logs):</p>

<li>A cookie containing X is set or reset.</li>

<li>X is retrieved from a persistent data store or archival media.</li> 

<li>Information identifiable with the user -- including but not
limited to data entered into forms, IP address, clickstream data, and
client events -- is retrieved from a record, data structure, or file (other
than a log file) in which X is stored. </li>

<p>Entities should consider their data collection and storage
architectures carefully to determine what data may be linkable to
their cookies and what data will actually be linked to each cookie. If
data is linkable but not linked to a particular cookie, it does not
have to be disclosed in a P3P statement concerning that
cookie. However, should the entity associated with that P3P policy
ever link the data for any reason other than to comply with law
enforcement demands, they would be in violation of their stated
policy. </p>

Comment 4 Rigo Wenning 2004-04-19 11:22:45 UTC
Integrated into the new