W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1997

RE: Unverifiable Transactions / Cookie draft

From: Yaron Goland <yarong@microsoft.com>
Date: Tue, 18 Mar 1997 01:41:58 -0800
Message-Id: <11352BDEEB92CF119F3F00805F14F485025666B2@RED-44-MSG.dns.microsoft.com>
To: 'http working group' <http-wg@cuckoo.hpl.hp.com>
BTW I should clarify that I meant that implementers will generally not
feel bound by sections of a wire protocol which specify UI, not that an
entire protocol would be ignored because it provides UI requirements.

	Yaron

> -----Original Message-----
> From:	Yaron Goland 
> Sent:	Tuesday, March 18, 1997 1:17 AM
> To:	http working group
> Subject:	RE: Unverifiable Transactions / Cookie draft
> 
> There is an interesting assumption being made that protocols have the
> right to dictate user interface to software makers. Am I the only one
> who finds this development disturbing? Not because I am overly
> concerned about protocols dictating UI, the protocol will be roundly
> ignored and compliance will be coincidental at best, but rather that
> by dictating requirements in areas clearly beyond the scope of a wire
> protocol, the authority of the protocol group is lessened.
> 
> 		Yaron
> 
> 	-----Original Message-----
> 	From:	Brian Behlendorf [SMTP:brian@organic.com]
> 	Sent:	Tuesday, March 18, 1997 12:19 AM
> 	To:	David W. Morris
> 	Cc:	http working group
> 	Subject:	Re: Unverifiable Transactions / Cookie draft
> 
> 	On Mon, 17 Mar 1997, David W. Morris wrote:
> 	> In the single very limited involvement I had with advertising,
> the revenue
> 	> was associated with the click thru on the banner ad, not the
> bannner ad.
> 	> That would, as I understand the DoubleCLick model would be a
> click to 
> 	> the DoubleClick site from which a set-cookie wouldn't be
> considered an
> 	> unverifiable transaction.
> 	> 
> 	> If I were advertising, knowing when a user actually asked to
> see more of
> 	> my message would have tremendous value compared with having my
> ad
> 	> where they might have seen it.
> 
> 	For some models this makes sense - I even know ad models where
> content sites
> 	are compensated only as a percentage of online sales generated!
> But there is a
> 	compelling argument that compensation models based on
> clickthroughs or more are
> 	flawed because it encourages the content developer to focus
> exclusively on
> 	pushing people through the ad, rather than actually providing
> useful content.
> 	I'm sure many content sites would refuse to partake in this.  
> 
> 	> The bottom line is that WWW advertising is based on a business
> model which
> 	> didn't even exist a couple of years ago. It is based on
> leveraging
> 	> technology which is new and evolving. I am confident that it
> will evolve
> 	> in response to improvements to the technology..
> 
> 	The business model of sponsored content has been around forever.
> So have these
> 	privacy issues - how do you know that donation you made to the
> Sierra Club last
> 	year didn't lead to that Democratic National Committee
> soliciation you got
> 	yesterday?  Looking to technology for a solution to the privacy
> problems is
> 	as misguided as blaming technology for causing them.  
> 
> 	I have come to believe over the last year that this is not a
> problem for which
> 	technology can provide a complete solution.  Intent is
> everything - and even
> 	browsers that obey this spec and folks who don't use cookies are
> still ripe for
> 	abuse by parties with intent.  Fortunately abuse is not a
> requirement to make a
> 	profit in this model - doubleclick doesn't have to be able to do
> a credit check
> 	on you or know your email address to do what they do.
> 
> 	Two companies which have similar privacy issues - FireFly and
> Narrowline -
> 	backed up their claims of consumer protection by paying Coopers
> & Lybrand
> 	(one of the Big 6 accounting firms) to perform a personal
> information security
> 	audit.  Perhaps DoubleClick should do the same.
> 
> 	I think in the long run a solution like one suggested by
> 	"Jaye, Dan" <DJaye@engagetech.com> in 
> 
> <c=US%a=_%p=CMG%l=ANDEXC01-970314233918Z-22988@wilexc01.cmgi.com>
> 	is the one which most closely semantically matches what's going
> on here.  The
> 	issue is one of trust - and trust brokered by a certificate
> authority (be it
> 	Coopers&Lybrand, ETrust, Better Business Bureau, an organization
> of the EC,
> 	whatever) makes sense.
> 
> 	But in the short term... let's not kid ourselves.  This will not
> significantly
> 	increase the privacy of users on the web.  This is not similar
> to the
> 	"opt-in/opt-out" debate amongst direct marketers - of which I am
> firmly in the
> 	land of "opt-in".  This is a small hurdle - even just using the
> IP number and
> 	User-Agent as the key to the profiling database would be
> sufficient for many
> 	uses, and slightly more elaborate schemes can be used to make it
> much more
> 	precise. That it is a small hurdle to work around is *not* a
> justification for
> 	putting it in the spec. 
> 
> 	I am somewhat loath to enter this conversation as I was
> periphery to the
> 	discussions early on which led to this, and I now have a
> slightly different
> 	opinion, and we know this RFC has been in development for a long
> time.  The
> 	fact that my opinion can be different today suggests it may be
> too early to try
> 	and coerce the protocols into implementing policy... just a
> thought.
> 
> 	I think Dwight's proposal might be a little overcomplicated -
> something like
> 	the below might address most concerns out there?
> 
> 	1) By default, user agents are configured to prompt for
> confirmation on 
> 	     receipt of all cookies - unlike today's defaults which is
> to accept
> 	     all cookies.
> 	2) Upon receipt of a cookie, UI must have the options:
> 	     Accept this cookie
> 	     Do not accept this cookie
> 	     Accept all cookies from this domain
> 	     Never accept cookies from this domain
> 	3) UI allows for some indication of pages with content inlined
> from other
> 	     servers.  Perhaps specially flag cookie requests for
> inlined content too.
> 	4) Remove the restriction on unverified transactions.
> 
> 	Show me this leads to /less/ privacy, particularly in
> combination with all the
> 	other existing provisions of the current spec.
> 
> 	I really wish this was a more clear-cut situation - that cookies
> really did
> 	make the difference between being "database-able" or not.  It
> doesn't. 
> 
> 		Brian
> 
> 
> --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> =-=-=--
> 	brian@organic.com  www.apache.org  hyperreal.com
> http://www.organic.com/JOBS
> 
Received on Tuesday, 18 March 1997 01:43:43 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:31 EDT