Re: Cookies - Raising Awareness

Please do keep in mind that people are already concerned about the amount of
overhead that gets tacked on by cookies (in terms of bytes), which is why
many sites do compress these into a single cryptic value that has some
server-side meaning / mapping to a set of meaningful values...

On Wed, Jul 21, 2010 at 8:31 AM, SULLIVAN, BRYAN L (ATTCINW) <BS3131@att.com
> wrote:

> The investigation would be interesting, especially if someone could create
> a sandbox where we could experiment with any ideas on how to represent the
> information (hopefully using some cookie-spec compatible way), and to filter
> for it (probably first implemented in Javascript then moved into the browser
> chrome). Further, migrating the experiment to a real service would be
> needed, to ensure this does not "break the web".
>
> While cookies is a broader web privacy issue, it is related to the scope of
> the workshop (W3C Workshop on Privacy for Advanced Web APIs) in that
> information once shared with a web site / webapp server can be written back
> to the device in cookies. As long as the information stays within the
> confines of the domain (or more restrictive if needed, the specific webapp
> on the domain), it falls under "primary use".
>
> One type of information that it would be useful to disclose in cookies is
> under what "use category" (primary, secondary) is the information being set
> and used as a cookie.
>
> Another is the source of the information (e.g. to disclose if it has been
> shared, i.e. not directly obtained). That could be useful if the user wants
> to limit the migration of data between applications (once of the concepts
> presented at the workshop - limiting how far information can travel). For
> example, the user could say "I allow the use of my private information
> obtained from somewhere else, but I don't allow it to be further
> distributed".
>
> These indicators could be directly used in the filtering per the user's
> selected privacy ruleset (
> http://dev.w3.org/2009/dap/privacy-rulesets/#privacy-rulesets).
>
> Thanks,
> Bryan Sullivan | AT&T
>
>
> -----Original Message-----
> From: public-privacy-request@w3.org [mailto:public-privacy-request@w3.org]
> On Behalf Of Karl Dubost
> Sent: Wednesday, July 21, 2010 5:56 AM
> To: public-privacy@w3.org
> Subject: Cookies - Raising Awareness
>
> Among the discussions we had during the London workshop[1],
> We mentionned the cookies and the ability to block them.
> Basically, almost nobody blocks the cookies because some
> Web sites become quickly unusable. There is also the fact
> that most cookies are pretty much harmless.
>
> The UX (User Interaction) in browser for cookies if you
> have activated the feature "Accept cookies from sites, but
> ask me every time".
>
> 1. Reaching a pop-up window saying this site wants to set a
>   cookie, do you accept?
> 2. You can block or not.
> 3. If you blocked and you want to allow it, the access for
>   doing so is not obvious and only a knowledgeable geek
>   will be able to do it.
>
> Basically it doesn't work in terms of UX.
>
> The names of the cookies are cryptic, like mentioned in this
> blog post.
>
>   how would I know the meaning and consequences of
>   allowing Yahoo (of flickr, or any site in the Yahoo
>   ecosystem) to store a cookie that sets key T to
>   ...CAuNRMqKiCOsvekk....
>   --- How the Yahoo portal personalises User Experience [2]
>
> In "HTTP State Management Mechanism" RFC 2109 [3], aka the
> Cookies specification, there is an option to raise awareness
> about the content of cookies, Section 4.2.2 Set Cookie Syntax.
>
>   Comment=comment
>      Optional.  Because cookies can contain private
>      information about a user, the Cookie attribute
>      allows an origin server to document its intended
>      use of a cookie.  The user can inspect the
>      information to decide whether to initiate or
>      continue a session with this cookie.
>   --- "HTTP State Management Mechanism" RFC 2109 [3]
>
> I was wondering if the feature was used, I asked on #whatwg
> IRC channel because there have been people creating surveys
> on how HTML and HTTP are used on the Web.
>
>   <karlcow> I wonder how many sites are sending the
>             optional "Comment=comment" with cookies
>   <Philip`> karlcow: Very few
>   <Philip`> and half of them are Comment=Sun+ONE+
>             Application+Server+Session+Tracking+Cookie
>             and the other half are
>             Comment=1-800-Volunteer.org
>   --- IRC discussion [4]
>
> It would be interesting to have real data on how it is used.
> Maybe the Brian Wilson's survey, MAMA [5], could be pushed
> further into that direction. Something we could ask Opera.
>
>   Other fields like Content-Length, Etag, and Set-Cookie
>   produced so many unique random values that there was
>   no point in searching for trends.
>   --- MAMA: HTTP Headers, The other HTTP Header fields [6]
>
> Why is it interesting?
>
> It connects directly to Alissa Cooper's privacy rulesets [7]
> in which the user could decide that cookies which do not
> contain enough information will not be accepted. The issue
> being then what is "enough information".
>
> There are two states:
>
> 1. Is there a "Comment" attribute for this cookie?
> 2. What is the information inside this Comment attribute?
>
> The information can just be garbage and will not help users
> decide if they want to keep the cookie or not. If we want
> something more effective, we could propose to have a precise
> vocabulary in the Comment section such as:
>
> Comment= geolocation;shared; [etc.]
>
> Then with a precise vocab, we can create validation tools,
> we can create UI giving more information about the cookies
> usage. It could help on the side of Aza Raskin's privacy
> icons [8]. When there is a formal language it is easier to
> display or not the right icons.
>
>
> The drawback of this proposition is enforcing invalid syntax
> for the Comment section in the browser and finding the sweet
> spot where the providers will indeed set the comment because
> it becomes a benefit for them.
>
> Another issue: How many Web frameworks out there, do not have
> the optional Comment feature in their cookies libraries?
>
> There is a need for research.
>
>
> [1]: http://www.w3.org/2010/api-privacy-ws/
> [2]: http://lab.pheromone.ca/2010/07/19/yahoo-personalised-ux/
> [3]: http://www.ietf.org/rfc/rfc2109.txt
> [4]: http://krijnhoetmer.nl/irc-logs/whatwg/20100721#l-842
> [5]: http://dev.opera.com/articles/view/mama/
> [6]: http://dev.opera.com/articles/view/mama-http-headers/#other
> [7]: http://www.w3.org/2010/api-privacy-ws/papers/privacy-ws-12.html
> [8]: http://www.w3.org/2010/api-privacy-ws/papers/privacy-ws-22.txt
>
> --
> Karl Dubost
> Montréal, QC, Canada
> http://www.la-grange.net/karl/
>
>
>
>