- From: Benjamin Franz <snowhare@netimages.com>
- Date: Mon, 11 Aug 1997 05:56:15 -0700 (PDT)
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
On Mon, 11 Aug 1997, David W. Morris wrote:

> On Sun, 10 Aug 1997, Shel Kaphan wrote:
>
> > Fact: some people hate cookies. They keep telling their browsers not to
> > accept them.
>
> An alternative I proposed was that servers be able to stipulate that
> cookies are required for an application to function. I forget the
> details of what I suggested or the brief discussion thread.
>
> But one must ask why users hate cookies and wonder what UI and/or server
> and hence perhaps protocol support might change that situation.

Users hate it because of _persistent_ cookies: Cookies that are requested to remain valid for literally YEARS. I routinely refuse *ANY* cookie that will not disappear when I shutdown the browser.

You can solve the problem by giving the users the options to protect their privacy by allowing them to simply refuse persistent and third party cookies. To Netscape's credit they now have the option to silently turn off third party cookies. To Microsoft's discredit they still do not allow silent rejection of third party cookies and have implemented a misleading dialog that can result in people turning ON cookies by default when what they wanted to do was to turn them OFF silently.

But the fundamental privacy invasion is cookie persistence since it allows profiles to be assembled over LONG periods of time without the informed consent of the user. UAs should be REQUIRED to provide ways for users to say 'never accept a persistent cookie' and 'never accept a third party cookie' with making the user get battered with 'Would you like to accept' dialogs. Better yet would be the ability to turn cookies permanently on or off on a site by site basis.

I guess what I am trying to say is that cookies are easily abused in privacy violating ways while providing the users very little control. Add in NS's and Microsoft's public hostility to proposals for increasing user privacy and the creation of user paranoia about cookies is an obvious outcome.

FYI: As an ISP we have blocked cookies in our HTTP proxies. I suspect more than a few other ISPs have also done this. This is really the ultimate response of ISPs to the browser makers' "we're not going to respect your users' privacy and you can't make us" attitude. We can _and have_ in effect removed *ALL* cookie functionality from their browsers. I could easily see European ISPs doing the same thing en masse to comply with Europe's personal data privacy laws.

Wouldn't it be so much simpler for the browser makers to simply do the _RIGHT_ thing and give users strong, detailed and informed control of cookies?

+-------------------------------------------------------------------+
|                                                                   |
| A server (billionclick.com) different than the one currently      |
| being browsed (myserver.com) has requested a cookie               |
| (ssdflskdjfs=sdsdf) that will persist until 12 December, 2010.    |
|                                                                   |
| The server states the following reason for the cookie request:    |
|                                                                   |
| "This cookie is used for tracking advertising exposure of banner  |
|  advertisements and targeting banner ads to potential interest.   |
|  No personal identifying information is being accumulated nor     |
|  is the information being used in any other way." [More Info]     |
|                                                                   |
| [x] Accept all future cookies from billionclick.com               |
|     [x] Allow cookies to persist after browser shutdown           |
|     [ ] Don't allow cookies to persist after browser shutdown     |
| [ ] Ask for all future cookies from billionclick.com              |
|     [ ] Allow this cookie to persist after browser shutdown       |
|     [ ] Don't allow this cookie to persist after browser shutdown |
| [ ] Refuse all cookies from billionclick.com                      |
|                                                                   |
+-------------------------------------------------------------------+

--
Benjamin Franz

Received on Monday, 11 August 1997 05:57:54 UTC
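
The controls this message asks user agents for (silently refusing third-party cookies, never letting a cookie persist past shutdown, and per-site overrides), sketched as an added example that is not part of the original post. The function names, the rule table, the exact-hostname test for "third party" and the choice to downgrade a persistent cookie to a session cookie (the dialog's "Don't allow cookies to persist" option) are assumptions.

```python
from urllib.parse import urlsplit

# Per-site overrides (constructed for this example): allow, session-only or refuse.
SITE_RULES = {"billionclick.com": "refuse", "myserver.com": "allow"}
LIFETIME_ATTRS = ("expires", "max-age")  # either one makes a cookie persistent


def parse_set_cookie(header):
    """Split a Set-Cookie value into its name=value pair and lowercased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return parts[0], attrs


def is_third_party(page_url, response_url):
    """Assumption: exact hostname comparison; real UAs compare registrable domains."""
    return urlsplit(page_url).hostname != urlsplit(response_url).hostname


def decide(page_url, response_url, header, allow_persistent=False,
           allow_third_party=False, site_rules=SITE_RULES):
    """Return (action, cookie_to_store); a per-site rule overrides the global switches."""
    pair, attrs = parse_set_cookie(header)
    rule = site_rules.get(urlsplit(response_url).hostname)
    if rule == "refuse":
        return "refuse", None
    if rule == "allow":
        return "accept", header
    if rule is None and not allow_third_party and is_third_party(page_url, response_url):
        return "refuse", None
    persistent = any(a in attrs for a in LIFETIME_ATTRS)
    if persistent and (rule == "session-only" or not allow_persistent):
        # Drop the lifetime attributes so the cookie dies at browser shutdown.
        kept = [pair] + [f"{k}={v}" if v else k
                         for k, v in attrs.items() if k not in LIFETIME_ATTRS]
        return "session-only", "; ".join(kept)
    return "accept", header


# Constructed sample: the third-party ad cookie from the dialog mock-up above.
AD = "ssdflskdjfs=sdsdf; expires=Sun, 12-Dec-2010 00:00:00 GMT; path=/"
if __name__ == "__main__":
    print(decide("http://myserver.com/", "http://billionclick.com/ad.gif", AD))
    print(decide("http://shop.example/", "http://shop.example/cart", AD))
```

None of these decisions needs a dialog: the user sets the two switches and the per-site table once, and every later Set-Cookie is handled silently.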