
cookies and privacy



There has been much backing-and-forthing on mailing lists (and even
broadcast media) lately about Netscape's cookies and privacy.  Perhaps
the following information will prove useful.  Lou Montulli (Netscape)
and I are co-authors of an Internet Draft (I-D),
http://ds.internic.net/internet-drafts/draft-ietf-http-state-mgmt-02.txt
(soon to be updated slightly), that describes the standards track
specification for cookies.

The basic mechanism works like this.  To begin (or continue) a session,
a server sends a Set-Cookie header to a client as part of a response to
an HTTP request.  The browser returns that information (and only that
information) in a Cookie header on a subsequent request to the same, or
a related (by DNS host name), server.

I make these observations about the I-D and the recent comments by various
people on the mailing lists:

1)  As has been mentioned by others, cookies can be used to create stateful
sessions in HTTP, which is otherwise stateless.  Such stateful sessions
have many uses, such as maintaining a "shopping basket".  Cookies were not
intended as a user clickstream tracking mechanism, although some sites have
used them that way.

2)  Privacy was an extremely important concern in the I-D.  We believe
that users should have the option of being alerted when a stateful
session begins.  Netscape's latest (3.0) browsers appear to implement
the required user notification under some circumstances.

3)  The rules in the I-D would disallow silently sending cookies to
third parties in ways similar to what DoubleClick does.  (In the jargon
of the I-D, this is an "unverifiable transaction.")

(I'm not certain how DoubleClick does its thing.  I understand that
there's a link in some pages to www.doubleclick.net to load an image,
in fact an advertising message.  I presume that DoubleClick can begin a
pseudo-session by handing your browser a Set-Cookie header.  It can
also tell which page had a link to it from the Referer: header in the
request to DoubleClick.  DoubleClick can, in its cookies, compile a
dossier of sites you've visited.)

4)  We acknowledge that the rules in the I-D can be circumvented.  But we
believe that users will, when they note them, call attention to violations,
just as they have commented unfavorably on DoubleClick.  We think such
policing by public exposure is the most effective deterrent.

Dave Kristol
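
[Added example, not part of the original message and not code from the I-D: a sketch of the user-agent side of the mechanism and of the "unverifiable transaction" rule from point 3. The names reach, related and CookieJar are hypothetical, and the host-relatedness test is a simplified assumption rather than the I-D's exact matching rule.]

```javascript
// Added sketch of a browser-side cookie policy; all names here are hypothetical.
// reach(): drop the first label when the remainder still contains a dot
// (www.example.com -> example.com). Simplified assumption, not the I-D's rule;
// it ignores multi-label public suffixes such as co.uk.
function reach(host) {
  const h = host.toLowerCase();
  const rest = h.slice(h.indexOf(".") + 1);
  return h.includes(".") && rest.includes(".") ? rest : h;
}

// Two hosts count as "related (by DNS host name)" when they share a reach.
const related = (a, b) => reach(a) === reach(b);

class CookieJar {
  constructor() {
    this.byReach = new Map(); // reach -> Map(cookie name -> value)
  }

  // ctx.pageHost: host of the page the user chose to visit.
  // ctx.userInitiated: true when the user saw and selected the request URL;
  // false for embedded loads such as an inline image (unverifiable).
  allowed(requestHost, ctx) {
    return ctx.userInitiated || related(requestHost, ctx.pageHost);
  }

  // Process a Set-Cookie value ("name=value; attr=...") from requestHost.
  accept(requestHost, setCookie, ctx) {
    if (!this.allowed(requestHost, ctx)) return false; // unrelated third party
    const pair = setCookie.split(";")[0].trim();
    const eq = pair.indexOf("=");
    if (eq < 1) return false; // no cookie name
    const key = reach(requestHost);
    if (!this.byReach.has(key)) this.byReach.set(key, new Map());
    this.byReach.get(key).set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
    return true;
  }

  // Cookie header value for a request, or null when nothing may be sent.
  cookieHeader(requestHost, ctx) {
    if (!this.allowed(requestHost, ctx)) return null;
    const stored = this.byReach.get(reach(requestHost));
    if (!stored || stored.size === 0) return null;
    return [...stored].map(([n, v]) => `${n}=${v}`).join("; ");
  }
}
```

With constructed hosts: an inline image fetched from ads.example.net while the user is on shop.example.com is refused in both directions, even if ads.example.net set a cookie earlier during a visit the user made directly.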

