[Previous] [Next] [Index]
[Thread]
Re: cookies and privacy
From: "David W. Morris" <dwm@shell.portal.com>
> The problem with your suggestion is that it makes creation of a pseudo
> session impossible where the cookie is used to carry the identification
> of the session. The current generation of WEB authentication mechanisms
> are quite lacking when it comes to integration of a login concept to
> an interaction and then tracking the logical session which has been
> logged in.
I am not acquainted with all the things people want to do with logical
sessions across the web. My main objection is when the user finds
himself part of a logical session without his consent, where the site is
tracking the patterns of his access. In the case you describe, where the
user is requesting some special access to the site, and providing
authentication, then he is voluntarily giving up his privacy and it
follows that the site will have knowledge of which pages he visits. So
in that case it would be OK to go into a mode where cookies are sent
automatically. But it should not be the default and should not be used
routinely, in my opinion.
(BTW it should be noted that due to the way the web works it would be
possible to have multiple "virtual sessions" going on at once. I may be
shopping at a site, go elsewhere, and later come back and finish my
shopping.)
> The restriction someone else proposed about only returning cookies to the
> 'base' URL host site but not for images might work into a good solution.
This is essentially one of the things proposed in the Internet Draft
that Dave Kristol is writing and posted about. I think this is a good
step and would eliminate some of the worst abuses, but I still feel that
cookies will be a privacy threat.
However I think most of my concerns are more with user interface issues
and not matters of protocol, so probably the right forum for me to push
these ideas is somewhere that Netscape and Microsoft are present.
Hal Finney
Follow-Ups: