W3C home > Mailing lists > Public > public-html-comments@w3.org > July 2008

Re: 4.12.2.1: "paranoid user"

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 15 Jul 2008 12:18:57 +0000 (UTC)
To: Frank Ellermann <hmdmhdfmhdjmzdtjmzdtzktdkztdjz@gmail.com>
Cc: public-html-comments@w3.org
Message-ID: <Pine.LNX.4.62.0807151210020.12994@hixie.dreamhostps.com>

On Tue, 15 Jul 2008, Frank Ellermann wrote:
> > 
> > IP addresses are, by and large, enough to perform pretty much all the 
> > tracking you might want
> 
> Depends.  Using the same small ISP dial-in users could end up with 
> getting similar IPs.  If they change ISPs or it's a big ISP their IPs 
> will differ.  Static IPs are of course another scenario.

Even with dynamic IPs from a large pool, it is reasonably easy to build 
user profiles over multiple sessions. The idea that you need cookies to do 
this is a fiction that paranoid users believe in order to get over their 
worry that people are following their every move.

Cookies make it mildly easier, but anyone who wants to do user tracking 
has to deal with such high levels of cookie churn (people resetting their 
cookies) that they almost certainly only use the cookies as just an extra 
signal, and not a key part of any tracking strategy.


> > sites can bypass third-party cookie blocking by doing first-party 
> > cookie transactions
> 
> They'd do a part of that with their own bandwidth.  Third party cookies 
> are not only a privacy issue, they are also about bandwidth.

Bandwidth for a redirect is essentially free in this day of massive 
multimedia content. Redirects are shunned due to their latency (which 
hurts the user), not their bandwidth usage. Cookies typically fit within 
the same packet as the request, so they have effectively no effect on 
network performance from the user's perspective.


> > blocking third-party cookies ends up breaking a surprising number of 
> > sites in subtle ways.
> 
> Their problem.  Third party cookies are known to be against the interest 
> of the users.

Actually, third-party cookies are used in opt-out schemes where a user has 
indicated a desire not to be tracked. Disabling third-party cookies in 
such cases actually goes against the user's wishes in such cases.

Fundamentally, though, if a site breaks the user stands more to lose than 
the site. This is why browsers go out of their way to avoid breaking 
sites. Saying it's the problem of the site rather than the user is a very 
naive attitude.


Anyway, going back to the original topic of this thread: all this is why 
the spec is written as it is. I think the current text is entirely 
accurate and I don't think making it more politically correct is a good 
idea here, as it would merely further this lie that blocking third-party 
cookies somehow protects user privacy.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 15 July 2008 12:33:34 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 1 June 2011 00:13:59 GMT