Re: Proposal: Optional "Purpose" Attribute for Set-Cookie Header

I agree that it doesn't hinder bad actors from misusing the attribute.
There will always be bad actors and they will always try to circumvent
legal actions.
But having an attribute that states the purpose might be the first step to
have jurisdiction step in. Yes, there need to be laws in place to ensure
that the attribute is being used (in the correct way), but without the
attribute, creating such laws wouldn't be possible, I guess.

On Mon, Aug 26, 2024 at 2:05 AM Greg Wilkins <gregw@webtide.com> wrote:

>
>
> On Sun, 25 Aug 2024 at 04:08, João Penteado <joao@penteado.me> wrote:
>
>> ...
>
>> Of course, this proposal hinges on the assumption that servers would be
>> willing to adopt this standard and honestly disclose a cookie's purpose. I
>> believe this is a reasonable expectation for the following reasons:
>>
>> 1. Websites that implement cookie consent pop-ups are already disclosing
>> the purpose of cookies, albeit with a suboptimal user experience.
>> Misrepresentation could expose them to legal risks. The UX issues are not
>> present in websites not implementing the pop-ups, so it wouldn't affect
>> them anyway.
>>
>
> There are indeed many websites that in good faith try to optimise the
> cookie purpose conversation. However, there are also many other sites
> that do not and deliberately adopt UX that makes accepting all easy and any
> other form of consent difficult. Thus, I do not think that any proposal
> can dismiss the existence of bad actors.
>
> So if a purpose is established to allow cookies to be set without an
> intrusive UX, then what is to stop bad actors from abusing that? I.e.
> having a cookie that is used for some minimal type of auth, but whose
> primary purpose is tracking and/or marketing? Surely such a scheme will
> only work if there is real legal sanction for misrepresenting the purpose
> of a cookie, so can this be solved purely with technology/specification?
>
> regards
>
>
>
>
> --
> Greg Wilkins <gregw@webtide.com> CTO http://webtide.com
>

Received on Monday, 26 August 2024 08:26:36 UTC