Full Disclosure
Joel Harrison
ukcrypto at chiark.greenend.org.uk
Mon, 28 Apr 2008 10:16:17 +0100
On Mon, Apr 28, 2008 at 8:07 AM, James Firth <james2@jfirth.net> wrote:
> Joel Harrison wrote:
> > On Thu, Apr 24, 2008 at 2:49 PM, Ian Batten <igb@batten.eu.org> wrote:
> >> Yes, the web server that captured the pairs has been a bad boy morally,
> >> although it's hard to see what they've done wrong legally: they took a
> >> cookie that's legitimately in their domain and published the contents,
> >> contents that they're assured aren't personally identifiable.
> >
> > I don't agree. If I've correctly understood Richard's explanation of
> > how the Phorm system works, the webwise cookie in the web server's
> > domain is clearly distinguishable from other cookies genuinely placed
> > by the web server in its own domain (i.e. it is tagged as being
> > associated with webwise). So, in your example, the web server is
> > deliberately accessing a cookie that it 'knows' has been placed there
> > by a third party
>
> Apart from the fact that ALL cookies belonging to the domain being
> accessed are automatically sent to the website with the GET request. Some
> [poorly written] sites use loops to read all cookie values in their
> domain, and would perhaps be thrown by additional cookies, and hence
> publish an error "** Exception** Found cookie name webwise with value
> 37508921750".

I understand that, but it doesn't change the analysis, in particular
in relation to PECR reg. 6, if the webserver is deliberately accessing
the value of the webwise cookie, which is the scenario that Ian
described. I realise that the webserver receives the webwise cookie
in any event; by "accessing", I mean that the webserver performs some
kind of processing in relation to the webwise cookie that it receives,
rather than just ignoring it.

Nobody is ever going to be liable for inadvertently reading the value
of a webwise cookie in walking through all the cookies in his own
domain. Whether that is what is going on is a question of fact in
each case.

Joel