Cookies and Third Party Content - Part 2 of Chapter 5 from Web Privacy with P3P (2/4)
Web Privacy with P3P, Chapter 5: Overview and Options
Sites often use more than one cookie. Some of these cookies may contain or be linked to personally identifiable information, while others may not. Imagine, for example, a site that sets a cookie containing a unique identifier (linked to personally identifiable information) and an anonymous cookie that stores only information about a user's preferences at that web site. If a web browser replays both cookies as part of the same HTTP request, the unique ID cookie can be linked to the anonymous cookie. This, in turn, allows the anonymous cookie to be linked to personally identifiable information. This linking is possible because most web servers store in their server logs information about all the cookies replayed with a request. Thus, the two cookies are recorded together in the server logs. If you want to declare in your P3P policy that your cookies are not linked to identifiable data, you need to make sure that they are never replayed in the same request as cookies that are linked to identifiable data or form submissions that contain identifiable data. Alternatively, you can take precautions to make sure such cookies are not logged in your server log files or otherwise recorded together.
TIP: Do you really need to declare data that is theoretically linked to cookies even if you do not make use of the linked data? A good rule of thumb is that if your web site architecture looks the same as it would look if you were making use of the linked data, you should declare the linked data, regardless of whether you actually use it. If you want to be able to claim that the data is not linked, you will need to take steps to make sure it doesn't get linked.
Ensuring that anonymous cookies are never replayed with cookies linked to identifiable data can be difficult, especially for a site that is distributed over many servers or administered by many individuals. This can be even more difficult if your domain includes servers that are administered for your company by a third party. To understand what data might be linked to a particular cookie, you must be aware of the set of URLs to which that cookie might be replayed and of all of the cookies that might be replayed to that set of URLs.
Identifying the set of URLs to which a cookie might be replayed is straightforward--it is determined by the path attributes of the Set-Cookie header. To minimize unexpected problems, you should restrict the cookie as much as possible, ideally to the URLs directly related to a single application. If the cookie is replayed to URLs that you do not administer, you may not be able to control the kinds of data to which it might be linked or the ways that it might be used. However, the commitments you make in your P3P policy apply wherever that cookie might be replayed--even if it is replayed to servers that are not P3P-enabled.
Identifying the other cookies that might also be replayed to the URLs to which a particular cookie can be replayed can be a difficult problem. Anyone who is posting content on a web server may create applications that set cookies that can be replayed to every URL on that server. Even worse, anyone who is posting content on any web server in your domain may create applications that set cookies that can be replayed to every server in your domain. Thus, preventing other cookies from being replayed with a particular cookie requires constant vigilance and good communication between all web site administrators in a domain. You should consider using automated tools, such as one of the web site monitoring programs mentioned in the last section, which can produce alerts when new cookies are detected.
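The audit described above can be automated. The following is an added example, not code from the book: it takes a cookie inventory and a list of URLs and reports every cookie declared as unlinked that would be replayed in the same request as a cookie linked to identifiable data. The cookie names, hosts and URLs are constructed, and the matching follows the RFC 6265 domain and path rules as an assumption (Secure, port and expiry handling are left out).

```python
from urllib.parse import urlsplit

# Constructed inventory (hypothetical names and hosts). "linked" marks cookies
# tied to identifiable data; "host_only" means Set-Cookie carried no Domain.
COOKIES = [
    {"name": "uid", "domain": "accounts.example.com", "host_only": True,
     "path": "/account", "linked": True},
    {"name": "prefs", "domain": "example.com", "host_only": False,
     "path": "/", "linked": False},
    {"name": "theme", "domain": "www.example.com", "host_only": True,
     "path": "/news", "linked": False},
]
URLS = [  # constructed sample of URLs served in the domain
    "https://accounts.example.com/account/profile",
    "https://accounts.example.com/accounting",
    "https://www.example.com/news/today",
]

def domain_match(host, cookie):
    host, dom = host.lower(), cookie["domain"].lower()
    return host == dom or (not cookie["host_only"] and host.endswith("." + dom))

def path_match(req_path, cookie_path):
    if req_path == cookie_path:
        return True
    if not req_path.startswith(cookie_path):
        return False
    # "/account" must not match "/accounting": require a "/" boundary.
    return cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"

def replayed(url, cookies):
    """Cookies a browser would send with a request for url."""
    parts = urlsplit(url)
    return [c for c in cookies if domain_match(parts.hostname, c)
            and path_match(parts.path or "/", c["path"])]

def linkable(urls, cookies):
    """Map each unlinked cookie to (url, linked cookie names) co-replays."""
    findings = {}
    for url in urls:
        sent = replayed(url, cookies)
        ids = [c["name"] for c in sent if c["linked"]]
        for c in sent:
            if ids and not c["linked"]:
                findings.setdefault(c["name"], []).append((url, ids))
    return findings

if __name__ == "__main__":
    print(linkable(URLS, COOKIES))
```

Here the domain-wide prefs cookie is flagged because it reaches the account pages together with uid, while theme stays unlinked because it is confined to one host and path.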
Created: December 30, 2002
Revised: December 30, 2002