Re: Proposal: Optional "Purpose" Attribute for Set-Cookie Header

This seems very similar to the DNT (Do Not Track) header - good actors will
either not use it or use it responsibly, bad actors will either not use it
or use it maliciously.


So it likely won't get used much at all, since that would require a lot of
rewriting of existing code. Maybe eventually it will become more widely
used, but by whom? How would I know to trust it? How would a less-technical
user even see its value let alone (again) know how to trust it?


If, to use the example that Greg added, a cookie can be used for both auth
and tracking, then the site owner is free from worries about authorities
cracking down ("It's a legitimate auth cookie") whilst getting the benefits
of tracking...


I fear that cookies, flawed as they are, are here to stay, and adding a
'purpose' to them won't improve things.


It should be noted that I'm speaking from the US - the authorities in e.g.
Europe may take a much dimmer view of dual-use cookies or 'malicious' use
of cookies. So while I think it's not going to work, they may be able to
use this as real leverage.

On Mon, Aug 26, 2024 at 1:31 AM André Cedik <andre.cedik@googlemail.com>
wrote:

> I agree that it doesn't hinder bad actors from misusing the attribute.
> There will always be bad actors and they will always try to circumvent
> legal actions.
> But having an attribute that states the purpose might be the first step to
> have jurisdiction step in. Yes, there need to be laws in place to ensure
> that the attribute is being used (in the correct way), but without the
> attribute, creating such laws wouldn't be possible, I guess.
>
> On Mon, Aug 26, 2024 at 2:05 AM Greg Wilkins <gregw@webtide.com> wrote:
>
>>
>>
>> On Sun, 25 Aug 2024 at 04:08, João Penteado <joao@penteado.me> wrote:
>>
>>> ...
>>
>>> Of course, this proposal hinges on the assumption that servers would be
>>> willing to adopt this standard and honestly disclose a cookie's purpose. I
>>> believe this is a reasonable expectation for the following reasons:
>>>
>>> 1. Websites that implement cookie consent pop-ups are already disclosing
>>> the purpose of cookies, albeit with a suboptimal user experience.
>>> Misrepresentation could expose them to legal risks. The UX issues are not
>>> present in websites not implementing the pop-ups, so it wouldn't affect
>>> them anyway.
>>>
>>
>> There are indeed many websites that in good faith try to optimise the
>> cookie purpose conversation.    However, there are also many other sites
>> that do not and deliberately adopt UX that makes accepting all easy and any
>> other form of consent difficult.    Thus, I do not think that any proposal
>> can dismiss the existence of bad actors.
>>
>> So if a purpose is established to allow cookies to be set without an
>> intrusive UX, then what is to stop bad actors from abusing that?  I.e.
>> having a cookie that is used for some minimal type of auth, but whose
>> primary purpose is tracking and/or marketing?   Surely such a scheme will
>> only work if there is real legal sanction for misrepresenting the purpose
>> of a cookie, so can this be solved purely with technology/specification?
>>
>> regards
>>
>> --
>> Greg Wilkins <gregw@webtide.com> CTO http://webtide.com
>>
>

-- 
Rory Hewitt

https://www.linkedin.com/in/roryhewitt

Received on Monday, 26 August 2024 16:09:19 UTC