W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1997

RE: Unverifiable Transactions / Cookie draft

From: Phillip M. Hallam-Baker <hallam@ai.mit.edu>
Date: Tue, 18 Mar 1997 14:30:52 -0500
Message-Id: <01BC33AB.E742CC30@crecy.ai.mit.edu>
To: "'hedlund@best.com'" <hedlund@best.com>, Steve Madere <madere@dejanews.com>
Cc: "http-wg@cuckoo.hpl.hp.com" <http-wg@cuckoo.hpl.hp.com>
>On Tue, 18 Mar 1997, Steve Madere wrote:
>> if you take away the auto-cookie capability, sites will be forced to 
>> require users to register and "login" to get this kind of control.

>Absolutely not.  I refuse to write a first draft business plan for the
>other methods that would prevent this from being true, but others have
>already provided the general idea.  Your assertion is not supportable.

I propose that we do away with auto cookies altogether. The idea is
both obnoxious and unnecessary. They are a very unsatisfatory solution
to the demographics problem in any case. The advertisers latched onto
them because that was all they had.

I proposed an alternative mechanism over two years ago, an limited
linkability session identifier which would permit a site administrator
to track users within a particular site but not across sites.

I believe that this is the best compromise between personal privacy and 
site administration. The disconnect between each page download
is an artifact of the HTTP protocol. There are many legitimate reasons
why a server needs to be able to track a user - generation of personalised
content being one.

The privacy question could be settled in extremis by allowing the user
to select which sites to send session IDs to and which to not send them 
to.

Note that the implementation of the session ID requires no more than fifty
lines of code if you are already using MD5 or SHA.

I know that the vendors have wedged themselves into another idea but the
fact we can't agree on it indicates to my view that it was a lousy idea in
the first place. But as with most IETF ideas the argument keeps being
repeated "you should have brought this up months before". I did, I
was fobbed off with the response "we are only a few months from 
agrement". Two years later I see no prospect of consensus. Let us
face it cookies are a busted flush. They are considered so obnoxious 
that one country (Germany) has passed privacy legislation in response 
to them. How anyone could imagine that a working group could
reach consensus in this situation is beyone me.

Proposed: The cookie draft is written to reflect the privacy issues 
irrespective of the desires of demographic tracking companies.

The session ID draft is at:

http://www.w3.org/pub/WWW/TR/WD-session-id.html

I *REALLY* will be pissed if people again try to claim that the light is
at the end of the tunnel and that its too late to change. The train has
crashed inside the tunnel and its too damn late to bore another. Lets
at least consider taking the alternative route.

	Phill
Received on Tuesday, 18 March 1997 11:51:34 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:31 EDT