Re: FW: Proposed amendment to RFC2109 from Steve Reiss on 1997-04-15 (ietf-http-wg@w3.org from April to June 1997)

From: Steve Reiss <sreiss@flycast.com>
Date: Tue, 15 Apr 1997 10:19:27 -0700
To: stark@commerce.net
Cc: Ted Hardie <hardie@thornhill.arc.nasa.gov>, DJaye@engagetech.com, http-wg@cuckoo.hpl.hp.com, ahyde@focalink.com, rodger@worldnet.atg.net
Message-Id: <3353B89F.7420@flycast.com>
Jonathan Stark wrote:
> 
<text Deleted>
> 
> As I understand it, the real problem with allowing cookies
> from EVERYWHERE is that it allows the collection of data about individuals

Here is one of the problems which seems to show up too much.  Issuers of
indirect (I like this term better than unverifiable) transactions are
not collecting data about individuals.  We do not have any method other
than direct registration on our site or another site sharing the
information, to understand "who" a viewer is.  We set cookies in
user-agents.  We do not know the individual!  Part of the fear of
privacy violation is that we can track someone down, get their phone
number, etc. and this is not true.  So, we collect data about the
behavior of people who use and potentially share a web browser, but we
do NOT know who that person is. In no cases have we ever found a web
site who is willing to share information about registered users.  One of
the big issues is what do the sites who issue verifiable transaction
cookies do with their information.  If they were to provide us with
their registered users' data and the IDs of the issued cookies, we could
completely skirt the issue of unverifiable transactions (with some
work).  So, there are ways around this. 

> without their knowledge or consent, and once collected, the user
> has no idea what it's going to be used for, or by whom it will be used.
> The proposal provides a mechanism of informing users of business and
> data relationships other than just the ones dictated by a particular domain,
> and a mechanism that allows them to weigh the benefits and hazards of
> accepting cookies from entities.
> 
 <text deleted>

> Conversely, tripleclick may actually collect names and phone numbers

How...tripleclick does not have access to names and phonenumbers unless
someone gives it to them.  This
kind of information cannot be extrapolated from IP address.

> and sell that information as targeted mailing lists based upon
> user's preferences on the adds they sent, or they may work with
> "Company B" to compare logs with Copmany B and link the preferences
> that tripleclick collected with user names that Company B collects.  In
> that case, the third party CA may issue them a "class 3" certificate
> that says that tripleclick actively trades personally identifiable
> information with other groups.  Under certain circumstances, the
> user may want to accept class 3 certificates for the added value
> of getting more information about things they are interested in.  In
> most cases, however, they are likely to not want to accept these cookies.
> The point is that the user should have the choice of accepting the
> cookies and the information policies that they want.  Informed consent
> prior to divulging information is much better than arbitrarily limiting
> the use of cookies by domains.  The use of cookies and the whole
> issue of trust and privacy change from company to company, situation
> to situation, and the user should be able to make informed decisions
> about what they want to do in any particular set of situations.

I honestly believe that once again the big issue is for people to
understand exactly what are the potential breaches of privacy and how
they can occur. Let's face it, the Ad networks are interested in
tracking user behavior, no secret there....however, there are limits to
what we can and would do with this information.  

It is our policy to completely disclose how we use cookie data (and this
will show up on our web site in the near future). I also believe that
other Ad networks disclose this information. 

I personally would accept the certification process if this is the only
alternative.  One issue with this is how fast can sites be certified,
what are the criteria, and how much will it cost?  

I would prefer an easier solution which I assume has been discussed
(please excuse my late entrance into this mailing list and my potential
ignorance of history) which is to make the default for user-agents to
accept all cookies with the ability to turn off unverifiable
transactions if desired. 

Can anyone from the companies providing browsers give a company position
on what they intend to do with respect to RFC 2109 and the default of
turning off unverifiable transactions. 

> 
> Jonathan
> 
> ===============================================================
> Jonathan Stark                             (415) 858 1930 x217
> eTRUST Technical Director                  stark@eTRUST.org

-- 
Steve Reiss				
FlyCast Communications		email sreiss@flycast.com
123 Townsend St.		Phone 415-975-5373
Suite 226			Fax   415-977-1009
San Francisco, CA 94107
Received on Tuesday, 15 April 1997 10:22:32 UTC