RE: Cookies - Raising Awareness from David Rogers on 2010-07-21 (public-privacy@w3.org from July to September 2010)

From: David Rogers <david.rogers@wholesaleappcommunity.com>
Date: Wed, 21 Jul 2010 14:10:24 +0100
To: "Karl Dubost" <karl+w3c@la-grange.net>, <public-privacy@w3.org>
Message-ID: <47BAABBA0597BB46A5DC8085E0D7D50410CACD@exch-be37.exchange.local>
I tweeted this at the time from comedian Lee Mack, but it is really reflective on 99% of users:

Most users do not have a clue .In the words of Lee Mack:"Have you tried disabling cookies?""Well, I once bit the legs off a gingerbread man"

http://twitter.com/drogersuk/status/18347149194


-----Original Message-----
From: public-privacy-request@w3.org [mailto:public-privacy-request@w3.org] On Behalf Of Karl Dubost
Sent: 21 July 2010 13:56
To: public-privacy@w3.org
Subject: Cookies - Raising Awareness

Among the discussions we had during the London workshop[1], 
We mentionned the cookies and the ability to block them.
Basically, almost nobody blocks the cookies because some 
Web sites become quickly unusable. There is also the fact 
that most cookies are pretty much harmless. 

The UX (User Interaction) in browser for cookies if you 
have activated the feature "Accept cookies from sites, but 
ask me every time".

1. Reaching a pop-up window saying this site wants to set a 
   cookie, do you accept?
2. You can block or not. 
3. If you blocked and you want to allow it, the access for 
   doing so is not obvious and only a knowledgeable geek 
   will be able to do it.

Basically it doesn't work in terms of UX.

The names of the cookies are cryptic, like mentioned in this 
blog post.

   how would I know the meaning and consequences of 
   allowing Yahoo (of flickr, or any site in the Yahoo 
   ecosystem) to store a cookie that sets key T to 
   ...CAuNRMqKiCOsvekk....
   --- How the Yahoo portal personalises User Experience [2]

In "HTTP State Management Mechanism" RFC 2109 [3], aka the 
Cookies specification, there is an option to raise awareness 
about the content of cookies, Section 4.2.2 Set Cookie Syntax.

   Comment=comment
      Optional.  Because cookies can contain private 
      information about a user, the Cookie attribute 
      allows an origin server to document its intended 
      use of a cookie.  The user can inspect the 
      information to decide whether to initiate or 
      continue a session with this cookie.
   --- "HTTP State Management Mechanism" RFC 2109 [3]

I was wondering if the feature was used, I asked on #whatwg 
IRC channel because there have been people creating surveys 
on how HTML and HTTP are used on the Web.

   <karlcow> I wonder how many sites are sending the 
             optional "Comment=comment" with cookies
   <Philip`> karlcow: Very few
   <Philip`> and half of them are Comment=Sun+ONE+
             Application+Server+Session+Tracking+Cookie 
             and the other half are 
             Comment=1-800-Volunteer.org 
   --- IRC discussion [4]

It would be interesting to have real data on how it is used. 
Maybe the Brian Wilson's survey, MAMA [5], could be pushed 
further into that direction. Something we could ask Opera.

   Other fields like Content-Length, Etag, and Set-Cookie 
   produced so many unique random values that there was 
   no point in searching for trends.
   --- MAMA: HTTP Headers, The other HTTP Header fields [6]

Why is it interesting?

It connects directly to Alissa Cooper's privacy rulesets [7] 
in which the user could decide that cookies which do not 
contain enough information will not be accepted. The issue 
being then what is "enough information". 

There are two states:

1. Is there a "Comment" attribute for this cookie?
2. What is the information inside this Comment attribute?

The information can just be garbage and will not help users 
decide if they want to keep the cookie or not. If we want 
something more effective, we could propose to have a precise 
vocabulary in the Comment section such as:

Comment= geolocation;shared; [etc.]

Then with a precise vocab, we can create validation tools, 
we can create UI giving more information about the cookies 
usage. It could help on the side of Aza Raskin's privacy 
icons [8]. When there is a formal language it is easier to 
display or not the right icons.


The drawback of this proposition is enforcing invalid syntax 
for the Comment section in the browser and finding the sweet 
spot where the providers will indeed set the comment because 
it becomes a benefit for them. 

Another issue: How many Web frameworks out there, do not have 
the optional Comment feature in their cookies libraries?

There is a need for research.


[1]: http://www.w3.org/2010/api-privacy-ws/
[2]: http://lab.pheromone.ca/2010/07/19/yahoo-personalised-ux/
[3]: http://www.ietf.org/rfc/rfc2109.txt
[4]: http://krijnhoetmer.nl/irc-logs/whatwg/20100721#l-842
[5]: http://dev.opera.com/articles/view/mama/
[6]: http://dev.opera.com/articles/view/mama-http-headers/#other
[7]: http://www.w3.org/2010/api-privacy-ws/papers/privacy-ws-12.html
[8]: http://www.w3.org/2010/api-privacy-ws/papers/privacy-ws-22.txt

-- 
Karl Dubost
Montréal, QC, Canada
http://www.la-grange.net/karl/
Received on Wednesday, 21 July 2010 13:11:06 UTC