Re: cookies and privacy

• To: dmk@allegra.att.com
• Subject: Re: cookies and privacy
• From: Hal <hfinney@shell.portal.com>
• Date: Tue, 16 Jul 1996 10:57:42 -0700
• Cc: www-security@ns2.rutgers.edu

From: dmk@allegra.att.com (Dave Kristol)
> Hal Finney wrote:
>   > Consider changing the user interface so that we are not so much warned
>   > when cookies are received by the client, as given control over when they
>   > are sent.  Don't send cookies automatically on every interaction.  Only
>   > send them explicitly upon user request.  For example, perhaps a shift
>   > click or some other modifier or mouse button is needed to send a cookie.
> 
> That would create a rather different mechanism from cookies.  The
> automatic response part of cookies is essential behavior for the kinds
> of applications for which they were intended.

There isn't a lot in the I-D about what applications they are intended to
support.  It says:

: [T]he proposed technique allows clients and servers that wish to
: exchange state information to place HTTP requests and responses within a
: larger context, which we term a ``session.''  This context might be used
: to create, for example, a "shopping cart", in which user selections can
: be aggregated before purchase, or a magazine browsing system, in which a
: user's previous reading affects which offerings are presented.

My suggestion was intended to address the shopping cart example, where
I can see that state is useful.  However I do not agree that the
automatic response is essential for this application, as I suggested in
my earlier mail.

The magazine browsing system is more borderline in my opinion because
any such system is structurally the same as one which tracks everywhere
I go on a web server to see how I am responding to their ads.  So
somehow when I go to a site I have to determine whether an offered
cookie is one which will be beneficial or harmful to me.  And it is not
at all clear that I will have enough information to make that
determination (or that a site will be honest about what exactly it is
going to do with the information it gathers about me).

I would really prefer cookies to be rare on the web, used only for
specific, well defined purposes, made visible to users, and with enough
documentation associated with the cookie offer that users can make
informed consent.  I am afraid that with both current Netscape
implementations and the proposed I-D, cookies will instead become
ubiquitous, invisible, and used primarily for purposes which are harmful
to the user's privacy.

Hal

• Previous: Re: cookies and privacy
• Next: Re: cookies and privacy
• Index(es):
  • Index
  • Thread