W3C home > Mailing lists > Public > www-talk@w3.org > January to February 1997

Re: errata for cookie spec

From: Ted Hardie <hardie@thornhill.arc.nasa.gov>
Date: Mon, 10 Feb 1997 11:31:24 -0800
Message-Id: <9702101131.ZM5465@thornhill.arc.nasa.gov>
To: Martijn Koster <m.koster@webcrawler.com>, koen@win.tue.nl (Koen Holtman), ruby@name.net (Matthew Rubenstein), www-talk@w3.org
Cc: jeremey@veriweb.com
On Feb 10,  9:27am, Martijn Koster wrote:
> Saying "Servers have no business sharing information" is too easy --
> that forces the granularity pretty arbitrarily onto a domain name.

I don't think "Servers have no business sharing information" is
a fair representation of what the working group came to consensus on.
I think  a fair one would be: "A user's privacy should be maintained
by insuring that a state retention mechanism is not used to reveal information
that the user does not recognize is being revealed."  The recommendations
 in the spec are designed to allow the state mechanisms to work properly
while limiting the possibilities for loss of privacy.  You may be
right that using domain as the granularity has no technical basis,
but it does have a basis in users' expectations of privacy.  Users
understand that if they interact with someone or some organization
that that person or organization knows about the interaction.  Allowing
cookies to pass freely among organizations could seriously impact
users' privacy without their being allowed to see the connections that
are being made.  That is what the spec tries to prevent.

If you disagree with the goal, I'm sorry, but last call on this has past.
If you believe that the design seriously impacts your ability to maintain state
in web based applications, then please share your implementation experience
with the working group--that we can and will consider in the moves along
the standards track.

> Excite owns both excite.com and webcrawler.com -- would it be "sneakily
> sharing" if I wanted to preserve preferences between these two sites?

Glancing over the web sites of www.excite.com and www.webcrawler.com,
I see nothing that would tell a first time visitor that the sites were
in any way; there is no cross-linkage, no statement of ownership, nothing
that would allow a user to know that excite owned webcrawler (in fact,
since the webcrawler site is still listed as copyrighted by AOL, the user
might easily conclude that AOL still owned webcrawler).  Given that the
users currently have no way of knowing the connections, I would say
yes, it would be "sneakily sharing" to preserve preferences between the two

> If not, then why prevent a way to achieve this cleanly? If it is, then
> why doesn't the same argument hold for different server under the same
> domain, or even for different cgi-bin scripts on a server?

If you can come up with a non-domain based way for sites to indicate their
connection in a way that is easily recognized by the users, so that user
www.aaa.com has a reasonable expectation that www.bbb.com will know
everything that happens, please share it with us.  Having the user properly
informed is the key to this privacy issue in a multi-domain context.

> Just my $.02
> -- Martijn
> Email: m.koster@webcrawler.com
> WWW: http://info.webcrawler.com/mak/mak.html
>-- End of excerpt from Martijn Koster

My opinion is no doubt worth less than two cents, but there it is.
			Ted Hardie

Disclaimer:  I am not in this message speaking for NASA.  My opinions
of working group consensus are only my opinions.

Ted Hardie
Received on Monday, 10 February 1997 14:30:27 UTC

This archive was generated by hypermail 2.4.0 : Monday, 20 January 2020 16:08:21 UTC