Re: draft-ietf-http-state-mgmt-03.txt

On Wed, 31 Jul 1996, Bill Sommerfeld wrote:

> The "security considerations" section of the draft does not include
> any text regarding privacy concerns.
> 
> Here's some suggested text:
> 
> PRIVACY CONCERNS:
> 
> The protocol described in this draft can be used to keep track of the
> browsing habits of a user without the user's knowledge or permission.
> Many people consider this to be an unethical invasion of privacy.
> 
> Any HTTP client implementing this protocol MUST provide at least three
> options for the user:
> 	1) disable cookies entirely.
> 	2) ask the user before setting a cookie.
> 	3) set cookies without asking the user.
> 
> The default "out of the box" behavior of the client MUST NOT be #3.
> 
> Any HTTP client should provide a way for the user to know which
> cookies are associated with a given page.

Implementation issue and *IMPOSSIBLE* to enforce. It clearly is not a
protocal item and so is beyond the scope of the workgroup. I can't imagine
a MUST NOT statement like that getting by the IETF. It is like specifying
that newsreaders MUST NOT present Usenet articles unthreaded by default. 
You are treading on the toes of the implementers. While it is certainly *a
good idea* not to do 3 by default - it is not something that can be
written into the protocal as a MUST NOT: SHOULD NOT, perhaps.

You are also running head on into a issue regarding privacy that I have
already shown is long out of the bag. Even *without* any kind of HTTP
level cookie, I can already, to a quite high degree of accuracy, track
individual users.  Even between seperate cooperating sites, without
letting them know I am doing so, if I so desire. Cookies raise no new
privacy concerns in that regard. It is, and has been, a red herring for a
long time. 

-- 
Benjamin Franz

Received on Wednesday, 31 July 1996 16:38:55 UTC