- From: Phillip M. Hallam-Baker <hallam@ai.mit.edu>
- Date: Tue, 18 Mar 1997 14:30:52 -0500
- To: "'hedlund@best.com'" <hedlund@best.com>, Steve Madere <madere@dejanews.com>
- Cc: "http-wg@cuckoo.hpl.hp.com" <http-wg@cuckoo.hpl.hp.com>
>On Tue, 18 Mar 1997, Steve Madere wrote: >> if you take away the auto-cookie capability, sites will be forced to >> require users to register and "login" to get this kind of control. >Absolutely not. I refuse to write a first draft business plan for the >other methods that would prevent this from being true, but others have >already provided the general idea. Your assertion is not supportable. I propose that we do away with auto cookies altogether. The idea is both obnoxious and unnecessary. They are a very unsatisfatory solution to the demographics problem in any case. The advertisers latched onto them because that was all they had. I proposed an alternative mechanism over two years ago, an limited linkability session identifier which would permit a site administrator to track users within a particular site but not across sites. I believe that this is the best compromise between personal privacy and site administration. The disconnect between each page download is an artifact of the HTTP protocol. There are many legitimate reasons why a server needs to be able to track a user - generation of personalised content being one. The privacy question could be settled in extremis by allowing the user to select which sites to send session IDs to and which to not send them to. Note that the implementation of the session ID requires no more than fifty lines of code if you are already using MD5 or SHA. I know that the vendors have wedged themselves into another idea but the fact we can't agree on it indicates to my view that it was a lousy idea in the first place. But as with most IETF ideas the argument keeps being repeated "you should have brought this up months before". I did, I was fobbed off with the response "we are only a few months from agrement". Two years later I see no prospect of consensus. Let us face it cookies are a busted flush. They are considered so obnoxious that one country (Germany) has passed privacy legislation in response to them. How anyone could imagine that a working group could reach consensus in this situation is beyone me. Proposed: The cookie draft is written to reflect the privacy issues irrespective of the desires of demographic tracking companies. The session ID draft is at: http://www.w3.org/pub/WWW/TR/WD-session-id.html I *REALLY* will be pissed if people again try to claim that the light is at the end of the tunnel and that its too late to change. The train has crashed inside the tunnel and its too damn late to bore another. Lets at least consider taking the alternative route. Phill
Received on Tuesday, 18 March 1997 11:51:34 UTC