- From: Karl Dubost <karl+w3c@la-grange.net>
- Date: Wed, 21 Jul 2010 08:56:10 -0400
- To: public-privacy@w3.org
Among the discussions we had during the London workshop[1], We mentionned the cookies and the ability to block them. Basically, almost nobody blocks the cookies because some Web sites become quickly unusable. There is also the fact that most cookies are pretty much harmless. The UX (User Interaction) in browser for cookies if you have activated the feature "Accept cookies from sites, but ask me every time". 1. Reaching a pop-up window saying this site wants to set a cookie, do you accept? 2. You can block or not. 3. If you blocked and you want to allow it, the access for doing so is not obvious and only a knowledgeable geek will be able to do it. Basically it doesn't work in terms of UX. The names of the cookies are cryptic, like mentioned in this blog post. how would I know the meaning and consequences of allowing Yahoo (of flickr, or any site in the Yahoo ecosystem) to store a cookie that sets key T to …CAuNRMqKiCOsvekk…. --- How the Yahoo portal personalises User Experience [2] In "HTTP State Management Mechanism" RFC 2109 [3], aka the Cookies specification, there is an option to raise awareness about the content of cookies, Section 4.2.2 Set Cookie Syntax. Comment=comment Optional. Because cookies can contain private information about a user, the Cookie attribute allows an origin server to document its intended use of a cookie. The user can inspect the information to decide whether to initiate or continue a session with this cookie. --- "HTTP State Management Mechanism" RFC 2109 [3] I was wondering if the feature was used, I asked on #whatwg IRC channel because there have been people creating surveys on how HTML and HTTP are used on the Web. <karlcow> I wonder how many sites are sending the optional "Comment=comment" with cookies <Philip`> karlcow: Very few <Philip`> and half of them are Comment=Sun+ONE+ Application+Server+Session+Tracking+Cookie and the other half are Comment=1-800-Volunteer.org --- IRC discussion [4] It would be interesting to have real data on how it is used. Maybe the Brian Wilson's survey, MAMA [5], could be pushed further into that direction. Something we could ask Opera. Other fields like Content-Length, Etag, and Set-Cookie produced so many unique random values that there was no point in searching for trends. --- MAMA: HTTP Headers, The other HTTP Header fields [6] Why is it interesting? It connects directly to Alissa Cooper's privacy rulesets [7] in which the user could decide that cookies which do not contain enough information will not be accepted. The issue being then what is "enough information". There are two states: 1. Is there a "Comment" attribute for this cookie? 2. What is the information inside this Comment attribute? The information can just be garbage and will not help users decide if they want to keep the cookie or not. If we want something more effective, we could propose to have a precise vocabulary in the Comment section such as: Comment= geolocation;shared; [etc.] Then with a precise vocab, we can create validation tools, we can create UI giving more information about the cookies usage. It could help on the side of Aza Raskin's privacy icons [8]. When there is a formal language it is easier to display or not the right icons. The drawback of this proposition is enforcing invalid syntax for the Comment section in the browser and finding the sweet spot where the providers will indeed set the comment because it becomes a benefit for them. Another issue: How many Web frameworks out there, do not have the optional Comment feature in their cookies libraries? There is a need for research. [1]: http://www.w3.org/2010/api-privacy-ws/ [2]: http://lab.pheromone.ca/2010/07/19/yahoo-personalised-ux/ [3]: http://www.ietf.org/rfc/rfc2109.txt [4]: http://krijnhoetmer.nl/irc-logs/whatwg/20100721#l-842 [5]: http://dev.opera.com/articles/view/mama/ [6]: http://dev.opera.com/articles/view/mama-http-headers/#other [7]: http://www.w3.org/2010/api-privacy-ws/papers/privacy-ws-12.html [8]: http://www.w3.org/2010/api-privacy-ws/papers/privacy-ws-22.txt -- Karl Dubost Montréal, QC, Canada http://www.la-grange.net/karl/
Received on Wednesday, 21 July 2010 12:56:24 UTC