W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1997

Re: a positive "no thanks" to cookies?

From: Benjamin Franz <snowhare@netimages.com>
Date: Mon, 11 Aug 1997 05:56:15 -0700 (PDT)
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.LNX.3.96.970811050240.13348A-100000@ns.viet.net>
On Mon, 11 Aug 1997, David W. Morris wrote:

> 
> 
> On Sun, 10 Aug 1997, Shel Kaphan wrote:
> 
> > Fact: some people hate cookies.  They keep telling their browsers not to
> > accept them.  
> 
> An alternative I proposed was that servers beable to stipulate that
> cookies are required for an application to function. I forget the
> details of what I suggested or the brief discussion thread.
> 
> But one must ask why users hate cookies and wonder what UI and/or server
> and hence perhaps protocol support might change that situation.

Users hate it because of _persistent_ cookies: Cookies that are requested
to remain valid for literally YEARS. I routinely refuse *ANY* cookie that
will not disappear when I shutdown the browser. You can solve the problem
by giving the users the options to protect their privacy by allowing them
to simply refuse persistent and third party cookies. 

To Netscape's credit they now have the option to silently turn off third
party cookies. To Microsoft's discredit they still do not allow silent
rejection of third party cookies and have implemented a mis-leading dialog
that can result in people turning ON cookies by default when what they
wanted to do was to turn them OFF silently.

But the fundamental privacy invasion is cookie persistence since it allows
profiles to be assembled over LONG periods of time without the informed
consent of the user.  UAs should be REQUIRED to provide ways for users to
say 'never accept a persistent cookie' and 'never accept a third party
cookie' with making the user get battered with 'Would you like to accept' 
dialogs. Better yet would be the ability to turn cookies permanently on or
off on a site by site basis.

I guess what I am trying to say is that cookie are easily abused in
privacy violating ways while providing the users very little control. Add
in NS's and Microsoft's public hostility to proposals for increasing user
privacy and the creation of user paranoia about cookies is an obvious
outcome. 

FYI: As an ISP we have blocked cookies in our HTTP proxies. I suspect more
than a few other ISPs have also done this. This is really the ultimate
response of ISPs to the browser makers' "we're not going to respect your
users' privacy and you can't make us" attitude. We can _and have_ in
effect removed *ALL* cookie functionality from their browsers.  I could
easily see European ISPs doing the same thing en mass to comply with
Europe's personal data privacy laws. Wouldn't it be so much simpler for
the browser makers' to simply do the _RIGHT_ thing and give users strong,
detailed and informed control of cookies?

  +-------------------------------------------------------------------+
  |                                                                   |
  | A server (billionclick.com) different than the one currently      |
  | being browsed (myserver.com) has requested a cookie               |
  | (ssdflskdjfs=sdsdf) that will persist until 12 December, 2010.    |
  |                                                                   |
  | The server states the following reason for the cookie request:    |
  |                                                                   |
  | "This cookie is used for tracking advertising exposure of banner  |
  |  advertisments and targeting banner ads to potential interest.    |
  |  No personal identifying information is being accumulated nor     |
  |  is the information being used in any other way."  [More Info]    |
  |                                                                   |
  | [x] Accept all future cookies from billionclick.com               | 
  |     [x] Allow cookies to persist after browser shutdown           |  
  |     [ ] Don't allow cookies to persist after browser shutdown     |      
  | [ ] Ask for all future cookies from billionclick.com              |
  |     [ ] Allow this cookie to persist after browser shutdown       |
  |     [ ] Don't allow this cookie to persist after browser shutdown |
  | [ ] Refuse all cookies from billionclick.com                      |
  |                                                                   |
  +-------------------------------------------------------------------+

-- 
Benjamin Franz
Received on Monday, 11 August 1997 05:57:54 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:51 EDT