W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1997

Re: Unverifiable Transactions / Cookie draft

From: Ted Hardie <hardie@thornhill.arc.nasa.gov>
Date: Fri, 14 Mar 1997 16:07:44 -0800
Message-Id: <9703141607.ZM19584@thornhill.arc.nasa.gov>
To: "Jaye, Dan" <DJaye@engagetech.com>, 'Yaron Goland' <yarong@microsoft.com>, "'hedlund@best.com\ '" <hedlund@best.com>, http-wg@cuckoo.hpl.hp.com
Cc: "'dmerriman@doubleclick.net'" <dmerriman@doubleclick.net>
On Mar 14,  6:39pm, Jaye, Dan wrote:
> Subject: RE: Unverifiable Transactions / Cookie draft
> It is clear that the current cookie standard provides the potential of
> abuse and
> could be used to violate an individual's right to privacy.
>
> However,  the number of web sites and applications that make use of
> "unverifiable transactions" for legitimate, non-privacy invading uses is
> significant and growing.

I would be interested in seeing how you define non-privacy
invading uses.  I ask this because I suspect that there may
be a fundamentally different set of assumptions in play
among different parties to this discussion.  Making those
assumptions explicit may help us make progress.



> EVERY Fortune 500 customer that we have spoken to has multiple domains.
> How do they measure the effectiveness of this channel if they cannot
> aggregate ANONYMOUS log data into visits and visitors?

As I said to Martijn Koster recently, it is important to the users
to understand who may have access to the information they provide
(a clicktrail being part of that information).  A fortune 500
company which maintains seperate subdomains under a
well-known domain can deal with the spec easily; a conglomerate
which has different domains for different companies or
products may have more trouble.  That trouble mirrors, however,
the difficulty a user would have in understanding the relationship
between the sites.  If Procter and Gamble chooses to register
a domain for each product,  how can the user know of their
relationship and the likelihood that the data on the domains
will be aggregated?  As it stood when this spec was written, the
domain was the only clearly identifiable piece of the puzzle that
we knew was in UAs and being displayed to users; I have seen
various other things since, but they are neither standard nor
ubiquitous.   The domain remains ubiquitous and easily verified.


>
> If possible, we should modify the standards to prevent violations of
> privacy.  At the same time, let's not impose restrictions that will
> obstruct development.  In the end, if we want the media to grow and
> provide lots of free or low-cost content, commercial organizations are
> going to pay a significant portion of the costs.  They will only do this
> if they see that it is an effective place to spend their money.
> Measurement is important.  Effective targeting of information, content,
> and yes, advertising is important.  There are at least a hundred small
> to medium web content sites who depend on advertising networks to
> generate revenue and traffic.
>

You may have to go beyond your current implementation to make
this work, but I believe it is possible to continue to use advertising
networks under the current spec.  It is simply difficult to do so
without the user knowing that the advertising network has become
involved.  That is the intention of the current design.  There are
still ways around it (granting the advertising network's host a record
in the domain of the content site's domain, for example), but these
have other consequences for reponsibility that accomplish much the
same goals.

> RECOMMENDATION:
> I would like to suggest that we provide a mechanism, similar to a
> Certificate Authority, that would allow for a "unverifiable transaction"
> to be verified against a list of valid site certificates.  These
> certificates could be assigned levels, perhaps using the E-TRUST
> trustmarks, and users could select their privacy level according to
> those trustmarks.  The default behavior could be for the cookies to be
> rejected from all non-verifiable transactions except for ETrust Level 3
> (i.e., anonymous) site certificates.

The deployment of such a mechanism presents problems far
beyond those of the current spec.  It also completely ignores
the problem of legacy browsers without this capability.
If we are going to write all current and legacy user agents
out of the problem statement, we have of lot of other possible
solutions.


		regards,
			Ted Hardie
			NASA NIC

NB: I am not in this message speaking for NASA.

-- 
Received on Friday, 14 March 1997 16:10:17 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:31 EDT