Cookies and Third Party Content - Part 2 of Chapter 5 from Web Privacy with P3P (1/4)
Web Privacy with P3P, Chapter 5: Overview and Options
[The following is a continuation of our series of excerpts from the O'Reilly title, Web Privacy with P3P. -Ed.]
Cookies (introduced in Chapter 2) can be used either to store data directly or as a key that allows data collected on separate occasions to be linked together. Several ways in which cookies that do not themselves contain personally identifiable information may be linked to such information are explained below. To understand how this linkage occurs, it is important to keep in mind some basic information about how cookies work. A web site sets a cookie by including a Set-Cookie header in an HTTP response. This header indicates not only the name and value of the cookie, but also when it expires and the domain and path to which it applies. Before making a request, web browsers automatically check whether they have any cookies with a matching domain and path. If they find a matching cookie, they replay it by adding to the request a header with the cookie's name and value.
Web sites that keep personally identifiable customer data set cookies that contain unique identifiers. These cookies generally contain long strings of numbers and letters that are meaningless to the user but that the web site can use to look up a customer's records. In some cases, the site may add information about a user's use of the web site each time he visits. Because this information gets linked to personally identifiable information via a cookie containing a unique identifier, the P3P policy for the cookie must declare the unique identifier, the personally identifiable information, and the site usage information.
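The mechanics described above, as an added Python example that is not from the book: it parses a Set-Cookie value, decides per request whether the browser replays the cookie, and shows the site using the opaque identifier as the key to a customer record. The matching rules follow RFC 6265 (an assumption; the excerpt names no specification), expiry is stored but not enforced, and the host names, cookie value and customer record are constructed.

```python
# Constructed sample data: the cookie value, host names and customer record are made up.
SET_COOKIE = "id=A81F3C9E52D04B7F; Domain=.shop.example; Path=/account; Expires=Tue, 30 Dec 2003 00:00:00 GMT"
CUSTOMERS = {"A81F3C9E52D04B7F": {"email": "pat@mail.example", "visits": []}}

def parse_set_cookie(header_value, request_host):
    """Split a Set-Cookie value into the fields the browser stores."""
    first, *rest = [part.strip() for part in header_value.split(";")]
    name, _, value = first.partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    domain = attrs.get("domain", "").lstrip(".").lower()
    # Without a Domain attribute the cookie is host-only: exact host match required.
    return {"name": name, "value": value, "host_only": not domain,
            "domain": domain or request_host.lower(),
            "path": attrs.get("path") or "/", "expires": attrs.get("expires")}

def domain_matches(host, cookie):
    host = host.lower()
    if cookie["host_only"]:
        return host == cookie["domain"]
    # The leading dot in the suffix check keeps "notshop.example" from matching.
    return host == cookie["domain"] or host.endswith("." + cookie["domain"])

def path_matches(request_path, cookie_path):
    if not request_path.startswith(cookie_path):
        return False
    rest = request_path[len(cookie_path):]
    # "/account" covers "/account/orders" but not "/accounting".
    return rest == "" or cookie_path.endswith("/") or rest.startswith("/")

def cookie_header(jar, host, path):
    """Return the Cookie header value the browser replays, or None."""
    pairs = [f"{c['name']}={c['value']}" for c in jar
             if domain_matches(host, c) and path_matches(path, c["path"])]
    return "; ".join(pairs) or None

def record_visit(cookie_value, path):
    """Server side: the opaque identifier is the lookup key for the customer record."""
    for pair in (cookie_value or "").split("; "):
        name, _, ident = pair.partition("=")
        if name == "id" and ident in CUSTOMERS:
            CUSTOMERS[ident]["visits"].append(path)  # usage data joins the PII
            return CUSTOMERS[ident]
    return None

if __name__ == "__main__":
    jar = [parse_set_cookie(SET_COOKIE, "www.shop.example")]
    for host, path in [("www.shop.example", "/account/orders"),
                       ("www.shop.example", "/accounting"), ("other.example", "/account")]:
        sent = cookie_header(jar, host, path)
        print(host, path, "->", sent, record_visit(sent, path))
```

The cookie itself carries no personal data, yet every replayed request lets the site append usage information to the record that does, which is why the policy must cover all three.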
Created: December 30, 2002
Revised: December 30, 2002