W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1997

RE: Unverifiable Transactions / Cookie draft

From: Jaye, Dan <DJaye@engagetech.com>
Date: Fri, 14 Mar 1997 18:39:18 -0500
Message-Id: <c=US%a=_%p=CMG%l=ANDEXC01-970314233918Z-22988@wilexc01.cmgi.com>
To: 'Yaron Goland' <yarong@microsoft.com>, "'hedlund@best.com'" <hedlund@best.com>
Cc: "'dmerriman@doubleclick.net'" <dmerriman@doubleclick.net>, "'http-wg@cuckoo.hpl.hp.com'" <http-wg@cuckoo.hpl.hp.com>
It is clear that the current cookie standard provides the potential of
abuse and
could be used to violate an individual's right to privacy.

However,  the number of web sites and applications that make use of
"unverifiable transactions" for legitimate, non-privacy invading uses is
significant and growing.  

Content providers are assimilating many different technologies to
provide rich, meaningful content to visitors. An easy was to do this is
to employ multiple web servers and use redirection to route the user
between different applications (a search engine, a personal news
delivery service, a registration system,etc.) In these type of
installations, cookies are used as a means of maintaining state across
the servers, which may or not be under the same domain if content is
being aggregated from many providers.

EVERY Fortune 500 customer that we have spoken to has multiple domains.
How do they measure the effectiveness of this channel if they cannot
aggregate ANONYMOUS log data into visits and visitors?

If possible, we should modify the standards to prevent violations of
privacy.  At the same time, let's not impose restrictions that will
obstruct development.  In the end, if we want the media to grow and
provide lots of free or low-cost content, commercial organizations are
going to pay a significant portion of the costs.  They will only do this
if they see that it is an effective place to spend their money.
Measurement is important.  Effective targeting of information, content,
and yes, advertising is important.  There are at least a hundred small
to medium web content sites who depend on advertising networks to
generate revenue and traffic.

One of the great opportunities of this media is the ability to provide
relevant information to a visitor WITHOUT KNOWING WHO THEY ARE.  At
Engage we believe that it is possible to use the Web as an effective
marketing vehicle without violating an individual's privacy.

RECOMMENDATION:
I would like to suggest that we provide a mechanism, similar to a
Certificate Authority, that would allow for a "unverifiable transaction"
to be verified against a list of valid site certificates.  These
certificates could be assigned levels, perhaps using the E-TRUST
trustmarks, and users could select their privacy level according to
those trustmarks.  The default behavior could be for the cookies to be
rejected from all non-verifiable transactions except for ETrust Level 3
(i.e., anonymous) site certificates.

This is an attempt to find a solution that protects privacy and
anonymity.

>----------
>From: 	M. Hedlund[SMTP:hedlund@best.com]
>Sent: 	Friday, March 14, 1997 5:40 PM
>To: 	Yaron Goland
>Cc: 	'dmerriman@doubleclick.net'; http-wg@cuckoo.hpl.hp.com
>Subject: 	RE: Unverifiable Transactions / Cookie draft
>
>
>On Fri, 14 Mar 1997, Yaron Goland wrote:
>> Rather my point is that I do not believe that you have helped protect
>> user privacy [...]
>
>Okay, well we disagree on this.  Besides, if you are right and there is no
privacy protection, then why make any changes?  Doubleclick can simply
>use something other than cookies!  If we afford no privacy protection in this
>draft, then we do no harm to Doubleclick (and any other similar
>businesses).
>
>> [...]  but I do believe that you have hurt a lot of smaller web
>> sites who are trying to make a living on the web and thus contributed to
>> the reduction of diversity on the web. I believe that the outcome is
>> undesirable.
>
>I suspect that the number of businesses who have based their whole revenue
>model on cookie sharing is extremely low, and that no such outcome will
>occur.
>
>M. hedlund <hedlund@best.com>
>
>
>
Received on Friday, 14 March 1997 15:40:46 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:31 EDT