Re: Evercookie: Indestructible cookies

* Noah Mendelsohn wrote:
>Maybe the "private browsing" modes of user agents should address some of 
>these, e.g. by clearing DNS caches, or perhaps selectively obscuring the 
>availability of certain fonts, etc.
>
>Yes, it's an arms race, but that seems to be a business that "private 
>browsing" is already in?

Well, "private browsing" is perhaps more about some of the sites you
visit not showing up in the address bar or other places when somebody
else uses your computer or is looking over your shoulder.

It seems to me, if you consider for instance targeted advertising, that
there are some people who prefer getting "more relevant" ads, which does
require knowing a thing or two about them, and people who prefer to get
the ads everybody else is getting, which does not require that. But it
is not possible to tell these groups apart, other than using so-called
opt-out cookies which don't really work (too complicated to use, lack
of trust, and consequently somewhat self-defeating).

In the case here, what's there to say resurrecting cookies is not
legitimate? Maybe you deliberately cleared your cookies, or maybe you've
just visited too many sites with too many cookies and the browser had
to delete the cookie to save space, there is no way to tell.

That is something that could be changed, make a HTTP header and a
JavaScript property and an equivalent for plugins that if set means the
site is to minimize things that are not very much necessary (the
definition would have to be more elaborate than that); that would allow
whoever is interested in doing the right thing to do so, and would allow
to tell who is not so interested in doing the right thing. From there on
society has non-technical means to deal with the problem.

Of course we live in a world where vendors feel they are innovating in
the area of improving user privacy protection when they set the cookie
expiration date to two years after your browser made the last HTTP
request to their site, for whatever reason it did that, and people
celebrate the news.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 

Received on Saturday, 25 September 2010 17:52:13 UTC