Re: Some half-baked thoughts about cookies. from Poul-Henning Kamp on 2018-08-27 (ietf-http-wg@w3.org from July to September 2018)

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Mon, 27 Aug 2018 11:20:55 +0000
To: Mike West <mkwst@google.com>
cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, rigo@w3.org, squid3@treenet.co.nz, rigo@w3c.org, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <58614.1535368855@critter.freebsd.dk>

--------
In message <CAKXHy=f9BZ4RVJVwvt1m8GeQ1D04x3Dz1PL8i8yjt4cLgyvVhA@mail.gmail.com>
, Mike West writes:

>On Mon, Aug 27, 2018 at 12:02 PM Poul-Henning Kamp <phk@phk.freebsd.dk>
>wrote:

>> >My impression is that folks are generally happier sending no identifier at
>> >all when opting-out of advertisers' tracking (or an explicit "0" in the
>> >case of platform-level advertising identifiers like we see on iOS and
>> >Android), but randomizing on every hit is certainly something we could
>> >consider doing.
>>
>> This is where I take the servers side.
>>
>> I want it to be random to give the server-sandwich has something
>> to route on, and I want to mark it ephemeral so that servers can
>> avoid storing session state that will never be reused.
>>
>> Ideally the server would prefer the client to say "I'm leaving,
>> you'll never see this session again", but I doubt that would be
>> reliable enough.
>
>
>I see. You're not suggesting that the identifier would be changed on every
>request, but after some period of time (e.g. after the user's private
>browsing session ended), and that the ephemerality signal is a nice way to
>let servers know that they can drop the session information after some
>reasonable period of time.

I'm sure there is a browser-world word for this, but I don't know it,
so you will have to suffer a long-form description:

I would expect an ephemeral ID to be forgotten when:

A)  I close the browser or tab

B)  Enter a new URL

C)  Go to a bookmark

D)  In any other way indicate that I'm done with this site.

>I'm not sure user agents would want to advertise to servers that users are
>in such a mode, as it seems like there would be consequences to doing so
>(e.g. "We've noticed that you're visiting us ephemerally. How unfortunate!
>Please opt back into persistence to read the next page."). Is there an
>advantage to the user in this situation?

Valid point.

But we are not seing this with DNT or private browsing mode, are we ?

I would expect it to be preferable to show "unoptimized" ads or make
a sale, rather than reject users at the front door with no economic
benefit ?


-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

Received on Monday, 27 August 2018 11:21:22 UTC