- From: Ted Hardie <hardie@thornhill.arc.nasa.gov>
- Date: Mon, 10 Feb 1997 11:31:24 -0800
- To: Martijn Koster <m.koster@webcrawler.com>, koen@win.tue.nl (Koen Holtman), ruby@name.net (Matthew Rubenstein), www-talk@w3.org
- Cc: jeremey@veriweb.com
On Feb 10, 9:27am, Martijn Koster wrote:
> Saying "Servers have no business sharing information" is too easy --
> that forces the granularity pretty arbitrarily onto a domain name.

I don't think "Servers have no business sharing information" is a fair representation of what the working group came to consensus on. I think a fair one would be:

"A user's privacy should be maintained by ensuring that a state retention mechanism is not used to reveal information that the user does not recognize is being revealed."

The recommendations in the spec are designed to allow the state mechanisms to work properly while limiting the possibilities for loss of privacy. You may be right that using domain as the granularity has no technical basis, but it does have a basis in users' expectations of privacy. Users understand that if they interact with someone or some organization that that person or organization knows about the interaction. Allowing cookies to pass freely among organizations could seriously impact users' privacy without their being allowed to see the connections that are being made. That is what the spec tries to prevent.

If you disagree with the goal, I'm sorry, but last call on this has passed. If you believe that the design seriously impacts your ability to maintain state in web based applications, then please share your implementation experience with the working group--that we can and will consider in the moves along the standards track.

> Excite owns both excite.com and webcrawler.com -- would it be "sneakily
> sharing" if I wanted to preserve preferences between these two sites?

Glancing over the web sites of www.excite.com and www.webcrawler.com, I see nothing that would tell a first time visitor that the sites were connected in any way; there is no cross-linkage, no statement of ownership, nothing that would allow a user to know that excite owned webcrawler (in fact, since the webcrawler site is still listed as copyrighted by AOL, the user might easily conclude that AOL still owned webcrawler). Given that the users currently have no way of knowing the connections, I would say yes, it would be "sneakily sharing" to preserve preferences between the two sites.

> If not, then why prevent a way to achieve this cleanly? If it is, then
> why doesn't the same argument hold for different servers under the same
> domain, or even for different cgi-bin scripts on a server?

If you can come up with a non-domain based way for sites to indicate their connection in a way that is easily recognized by the users, so that a user visiting www.aaa.com has a reasonable expectation that www.bbb.com will know everything that happens, please share it with us. Having the user properly informed is the key to this privacy issue in a multi-domain context.

> Just my $.02
>
> -- Martijn
>
> Email: m.koster@webcrawler.com
> WWW: http://info.webcrawler.com/mak/mak.html
>
>-- End of excerpt from Martijn Koster

My opinion is no doubt worth less than two cents, but there it is.

regards,
Ted Hardie

Disclaimer: I am not in this message speaking for NASA. My opinions of working group consensus are only my opinions.

-- Ted Hardie
Received on Monday, 10 February 1997 14:30:27 UTC