Goal: An accurate analysis of a cookie's impact on privacy is impossible without a full audit of the issuing company's data practices; this scoring procedure approximates that result. Objectivity is highly desirable, but a balance must be struck: much of the important information can only be interpreted case by case, and complete objectivity could be obtained only by ignoring those variables and sacrificing accuracy.
Scope: Only third-party cookies received through a browser are candidates to be scored by this procedure. Cookies planted on a machine by a program other than a web browser are treated as files belonging to that program and are scored using the standard PestPatrol Scorecard. All first-party cookies received through a browser automatically pass the scorecard and are not detected.
Third-party cookies without compact p3p policies automatically fail the scorecard and may be added to detections. Most major browsers would not allow such cookies to be set in the first place, so we may wish to establish a policy of not adding them.
Third party cookies with compact p3p policies comprise the majority of cookies which will be scored under this procedure.
Application of this procedure: For third-party cookies with compact p3p policies, our cookie scoring process is primarily an analysis of the compact policy that accompanies the cookie. With one exception, we follow the standard semantic and syntactic interpretation of the policy tags as given in the April 16th, 2002 version of the W3C P3P 1.0 specification.
The one exception is that we disregard the optional attributes 'a' and 'o', treating tags that carry them as though they were the base tag with no attribute (for example, PSAa and PSAo are both read as PSA). We do, however, recognize the 'i' optional attribute: a tag carrying 'i' is not considered equivalent to its base tag (CONi is not CON).
A malformed compact p3p policy automatically fails. Note that the presence of extra tags not defined in the specification does not make a policy malformed, as stated in the above-referenced document; such tags are simply ignored.
To apply the scorecard, a researcher should collect the compact p3p policy that arrives with the cookie in question, the full p3p policy from the cookie's domain, and any human-readable policies linked from the full p3p policy. Working down the following set of rules, the researcher records the presence or absence of every flag that can cause a cookie to fail. If, once every rule has been applied, any failing flag remains unmitigated, or the cookie has been failed for lack of information (under the conditions set out below), then the cookie has failed the scorecard and is placed into detections.
Necessary Tags:
This tag must be in the policy. If it is not, then the cookie automatically fails with no chance for mitigation.
NID
Failing Tags - No mitigation:
The presence of these tags will cause a cookie to fail immediately, with no chance of redemption based on other tags.
CNT
CON
DEM
FIN
GOV
HEA
INT
IVA
IVD
LOC
ONL
POL
PHY
PRE
PSA
PSD
PUB
PUR
TEL
TST
UNI
UNR
Failing Tags - Mitigation Possible:
These tags will cause a cookie to fail unless other mitigating tags are present.
COM - Mitigation provided by a DEV tag.
CONi - Mitigation provided by an ALL tag.
IVAi - Mitigation provided by an ALL tag.
IVDi - Mitigation provided by an ALL tag.
NAV - Mitigation provided by a DEV tag.
TELi - Mitigation provided by an ALL tag.
Passing Tags Which Fail in Combination With Others:
These tags will not by themselves cause failure, but when combined with others may cause a cookie to fail.
IND - If ALL is not present but at least one of the set [IVAi, IVDi, CONi, TELi, PHYi, ONLi, UNIi, PURi, FINi, INTi, DEMi, CNTi, POLi, HEAi, PREi, LOCi, GOVi, UNRi] is present, the cookie fails. At the researcher's discretion, OTCi may also be treated as a member of the set.
Mitigating Tags:
These tags can help an otherwise failing cookie pass, often at the discretion of the researcher.
ALL - Mitigates certain opt-in tags that would otherwise fail.
DSP - When combined with one of COR, MON, or LAW, and when an acceptable policy exists at the URI given by the long-description element of the DISPUTES section of the full p3p policy, this tag can, at the researcher's discretion, mitigate an OUR or SAM tag that would otherwise fail because of an unacceptable human-readable privacy policy.
COR - A secondary requirement that allows DSP to be taken into account when mitigating a failing privacy policy.
MON - A secondary requirement that allows DSP to be taken into account when mitigating a failing privacy policy.
LAW - A secondary requirement that allows DSP to be taken into account when mitigating a failing privacy policy.
Passing Tags That Should Not Be Mistaken For Failing ones:
Be careful not to interpret these tags as causing or contributing to failure.
DEV
PSAi
PSDi
PUBi
Discretionary Tags:
These tags require the researcher to interpret portions of either the full p3p policy, the human-readable privacy policy, or both. Their impact on the failure/passage of a cookie is left to the researcher on a case by case basis.
BUS - If a retention policy is not clearly referenced or defined in the site's human-readable policy this tag causes failure.
OTC - The Other Categories defined in the full p3p policy must be interpreted.
OTP - The Other Purposes defined in the full p3p policy must be interpreted.
OTR - The Other Recipients defined in the full p3p policy must be interpreted.
OUR - The human-readable privacy policy must be interpreted.
SAM - The human-readable privacy policy must be interpreted.
Failure For Insufficient Information:
Since many tags are required only when NID is absent and are otherwise optional, a well-formed compact p3p policy may contain far too few tags for a researcher to make an informed judgment. If a compact p3p policy does not contain at least one CATEGORY tag and at least one PURPOSE tag (as defined in section 4 of the above-referenced document), the associated cookie is to be failed for insufficient information.
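The mechanical part of the scorecard (everything above except the discretionary readings of the full and human-readable policies) can be applied automatically to a cookie's CP header. The scorer below is an added example and is not PestPatrol's own tool. It transcribes the rule tables from this procedure, normalizes tags as described in the application section ('a' and 'o' dropped, 'i' kept), fails malformed policies, checks NID, checks for insufficient information using the CATEGORY and PURPOSE token lists from section 4 of the W3C P3P 1.0 specification, and reports the discretionary tags that still need a human reading instead of deciding them. The sample CP values at the bottom are constructed for illustration, not taken from any real site.

```python
"""Score a compact P3P policy (CP header value) against the cookie scorecard.

Added example, not PestPatrol's own tooling. The CATEGORY and PURPOSE token
lists follow the W3C P3P 1.0 compact-policy syntax; the rule tables are the
ones given in the procedure above. Sample policies below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# W3C P3P 1.0 compact-policy token classes used for the insufficient-information rule.
CATEGORY_TOKENS = {"PHY", "ONL", "GOV", "FIN", "UNI", "PUR", "COM", "NAV", "INT",
                   "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "OTC"}
PURPOSE_TOKENS = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON",
                  "HIS", "TEL", "OTP"}

# Scorecard rule tables, transcribed from the procedure.
FAIL_NO_MITIGATION = {"CNT", "CON", "DEM", "FIN", "GOV", "HEA", "INT", "IVA", "IVD",
                      "LOC", "ONL", "POL", "PHY", "PRE", "PSA", "PSD", "PUB", "PUR",
                      "TEL", "TST", "UNI", "UNR"}
MITIGATED_BY = {"COM": "DEV", "NAV": "DEV",
                "CONi": "ALL", "IVAi": "ALL", "IVDi": "ALL", "TELi": "ALL"}
IND_OPT_IN_SET = {"IVAi", "IVDi", "CONi", "TELi", "PHYi", "ONLi", "UNIi", "PURi",
                  "FINi", "INTi", "DEMi", "CNTi", "POLi", "HEAi", "PREi", "LOCi",
                  "GOVi", "UNRi"}
DISCRETIONARY = {"BUS", "OTC", "OTP", "OTR", "OUR", "SAM"}

# A well-formed compact token is three capitals plus an optional a/i/o attribute.
TOKEN_RE = re.compile(r"^([A-Z]{3})([aio]?)$")


@dataclass
class Score:
    verdict: str                                  # "fail", "pass" or "review"
    failures: List[str] = field(default_factory=list)
    needs_review: List[str] = field(default_factory=list)


def normalize(cp_value: str) -> Optional[Set[str]]:
    """Turn a CP header value into scorecard keys.

    'a' and 'o' attributes are dropped (PSAa -> PSA); 'i' is kept (CONi stays
    CONi), matching the procedure. Returns None when any token is malformed.
    Well-formed tokens the scorecard does not know are kept; they match no rule.
    """
    value = cp_value.strip()
    if value.upper().startswith("CP="):
        value = value[3:]
    keys = set()
    for raw in value.strip().strip('"').split():
        m = TOKEN_RE.match(raw)
        if not m:
            return None
        base, attr = m.groups()
        keys.add(base + ("i" if attr == "i" else ""))
    return keys


def score_compact_policy(cp_value: str) -> Score:
    """Apply the mechanical scorecard rules; leave discretionary tags to a researcher."""
    keys = normalize(cp_value)
    if keys is None:
        return Score("fail", ["malformed compact policy"])
    failures = []

    # Necessary tag: NID, with no possible mitigation.
    if "NID" not in keys:
        failures.append("NID missing")

    # Failure for insufficient information: need one CATEGORY and one PURPOSE token.
    bases = {k[:3] for k in keys}
    if not (bases & CATEGORY_TOKENS) or not (bases & PURPOSE_TOKENS):
        failures.append("insufficient information: no CATEGORY and/or no PURPOSE token")

    # Failing tags with no mitigation.
    failures.extend(f"{k} present" for k in sorted(keys & FAIL_NO_MITIGATION))

    # Failing tags whose mitigating tag is absent.
    for k, mitigator in sorted(MITIGATED_BY.items()):
        if k in keys and mitigator not in keys:
            failures.append(f"{k} present without {mitigator}")

    # IND fails in combination with opt-in tags when ALL is absent.
    opt_in = sorted(keys & IND_OPT_IN_SET)
    if "IND" in keys and "ALL" not in keys and opt_in:
        failures.append("IND with " + ",".join(opt_in) + " and no ALL")

    # Discretionary tags: the full and human-readable policies must be read.
    review = sorted(keys & DISCRETIONARY)
    if "DSP" in keys and keys & {"COR", "MON", "LAW"}:
        review.append("DSP with remedy: may mitigate OUR/SAM at researcher's discretion")

    if failures:
        return Score("fail", failures, review)
    return Score("review" if review else "pass", [], review)


if __name__ == "__main__":
    # Constructed sample CP values, not taken from any real site.
    for cp in ('CP="NOI NID CURa ADMa DEVa NOR COM NAV STA"',
               'CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR IND COM NAV STA"',
               'CP="ALL DSP COR NID CURa DEVa CONi OUR NOR COM STA"',
               'CP="NOI NID CURa DEVa IVAi IND COM STA"',
               'CP="NOI NID"'):
        print(cp, "->", score_compact_policy(cp))
```

The scorer deliberately returns "review" rather than "pass" whenever a discretionary tag is present, so a cookie only passes automatically when nothing in its compact policy requires reading the full or human-readable policy.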
Appendix 1 - Tag Reference
Below are the W3C definitions from the standards document referenced in the cookie scoring procedure.
Please note that a tag may be modified by appending an i, which indicates that the tag so modified is opt-in only.
Tags (In alphabetical order):
ALL: All Identified Data: access is given to all identified data.
BUS: Determined by service provider's business practice: Information is retained under a service provider's stated business practices. Sites MUST have a retention policy that establishes a destruction time table. The retention policy MUST be included in or linked from the site's human-readable privacy policy.
CNT: The words and expressions contained in the body of a communication -- such as the text of email, bulletin board postings, or chat room communications.
COM: Information about the computer system that the individual is using to access the network -- such as the IP number, domain name, browser type or operating system.
CON: Information may be used to contact the individual, through a communications channel other than voice telephone, for the promotion of a product or service. This includes notifying visitors about updates to the Web site. This does not include a direct reply to a question or comment or customer service for a single transaction -- in those cases, <current/> would be used. In addition, this does not include marketing via customized Web content or banner advertisements embedded in sites the user is visiting -- these cases would be covered by the <tailoring/>, <pseudo-analysis/> and <pseudo-decision/>, or <individual-analysis/> and <individual-decision/> purposes.
COR: Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.
DEM: Data about an individual's characteristics -- such as gender, age, and income.
DEV: Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market. This does not include personal information used to tailor or modify the content to the specific individual nor information used to evaluate, target, profile or contact the individual.
FIN: Information about an individual's finances including account status and activity information such as account balance, payment or overdraft history, and information about an individual's purchase or use of financial instruments including credit or debit card information. Information about a discrete purchase by an individual, as described in "Purchase Information," alone does not come under the definition of "Financial Information."
GOV: Identifiers issued by a government for purposes of consistently identifying the individual.
HEA: Information about an individual's physical or mental health, sexual orientation, use or inquiry into health care services or products, and purchase of health care services or products.
INT: Data actively generated from or reflecting explicit interactions with a service provider through its site -- such as queries to a search engine, or logs of account activity.
IND: Information is retained for an indeterminate period of time. The absence of a retention policy would be reflected under this option. Where the recipient is a public fora, this is the appropriate retention policy.
IVA: Information may be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data for the purpose of research, analysis and reporting. For example, an online Web site for a physical store may wish to analyze how online shoppers make offline purchases.
IVD: Information may be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data to make a decision that directly affects that individual. For example, an online store suggests items a visitor may wish to purchase based on items he has purchased during previous visits to the Web site.
LAW: Remedies for breaches of the policy statement will be determined based on the law referenced in the human readable description.
LOC: Information that can be used to identify an individual's current physical location and track them as their location changes -- such as GPS position data.
MON: If the service provider violates its privacy policy it will pay the individual an amount specified in the human readable privacy policy or the amount of damages.
NAV: Data passively generated by browsing the Web site -- such as which pages are visited, and how long users stay on each page.
ONL: Information that allows an individual to be contacted or located on the Internet -- such as email. Often, this information is independent of the specific computer used to access the network.
OTC: Other Category
OTP: Other Purpose
OTR: Other Recipient
OUR: [Recipients include] Ourselves and/or entities acting as our agents or entities for whom we are acting as an agent: An agent in this instance is defined as a third party that processes data only on behalf of the service provider for the completion of the stated purposes. (e.g., the service provider and its printing bureau which prints address labels and does nothing further with the information.)
POL: Membership in or affiliation with groups such as religious organizations, trade unions, professional associations, political parties, etc.
PHY: Information that allows an individual to be contacted or located in the physical world -- such as telephone number or address.
PRE: Data about an individual's likes and dislikes -- such as favorite color or musical tastes.
PSA: Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals. For example, a marketer may wish to understand the interests of visitors to different portions of a Web site.
PSD: Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals. For example, a marketer may tailor or modify content displayed to the browser based on pages viewed during previous visits.
PUB: [Recipients include] Public fora such as bulletin boards, public directories, or commercial CD-ROM directories
PUR: Information actively generated by the purchase of a product or service, including information about the method of payment.
SAM: [Recipients include] Legal entities following our practices: Legal entities who use the data on their own behalf under equable practices. (e.g., consider a service provider that grants the user access to collected personal information, and also provides it to a partner who uses it once but discards it. Since the recipient, who has otherwise similar practices, cannot grant the user access to information that it discarded, they are considered to have equable practices.)
TEL: Information may be used to contact the individual via a voice telephone call for promotion of a product or service. This does not include a direct reply to a question or comment or customer service for a single transaction
TST: The TEST element is used for testing purposes: the presence of TEST in a policy indicates that the policy is just an example, and as such, it MUST be ignored, and not be considered as a valid P3P policy.
UNI: Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual. These include identifiers issued by a Web site or service.
UNR: [Recipients include] Legal entities whose data usage practices are not known by the original service provider.

The only controlled versions of PestPatrol documents are online.