[2410] in WWW Security List Archive
Re: cookies and privacy
daemon@ATHENA.MIT.EDU (Hal)
Tue Jul 16 14:30:00 1996
Date: Tue, 16 Jul 1996 09:13:09 -0700
From: Hal <hfinney@shell.portal.com>
To: dmk@allegra.att.com
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

I have another idea for how this could be improved. A lot of the problem
with cookies is that users are not aware of what is happening. Even
being given a warning about when you get a cookie doesn't tell you much.
You may be on a shopping site and you need a cookie so it can maintain
your virtual shopping cart. But the problem is that same cookie also
allows the server to track everything you do on that site, which you may
not want.

Consider changing the user interface so that we are not so much warned
when cookies are received by the client, as given control over when they
are sent. Don't send cookies automatically on every interaction. Only
send them explicitly upon user request. For example, perhaps a shift
click or some other modifier or mouse button is needed to send a cookie.
Then sites which are using them to distinguish your shopping cart from
others can ask you to shift-click when you choose the "buy" button so
that your cookie will be sent and it can add it to your list as
distinguished from everyone else's. But when you are just browsing
around, your privacy is protected because no cookies are sent.

I think this would put control over the whole cookie situation back into
the user's hands. I don't think there are many legitimate situations where
cookies have to be sent all the time like they are now. Too much is
going on behind the user's back. Let's make it more visible and put it
under his control.

Hal Finney
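The client behaviour proposed in the message above, as an added example that is not part of the original post: a cookie jar that stores what the server sets but attaches a Cookie header only when the user asks for it, compared with a jar that always sends. The class and function names, the host `shop.example` and the cookie value are constructed for illustration.

```javascript
// Added illustration; CookieJar and serverView are hypothetical names.
class CookieJar {
  // policy: "always" (behaviour the post criticises) or "opt-in" (the proposal)
  constructor(policy) {
    this.policy = policy;
    this.store = new Map(); // host -> Map(name -> value)
  }

  // Record a Set-Cookie response header; attributes after the first ';' are ignored here.
  receive(host, setCookie) {
    const pair = setCookie.split(";")[0].trim();
    const eq = pair.indexOf("=");
    if (eq <= 0) return; // malformed or nameless cookie: drop it
    if (!this.store.has(host)) this.store.set(host, new Map());
    this.store.get(host).set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
  }

  // Build request headers. userRequested models the shift-click from the post.
  headersFor(host, userRequested = false) {
    const headers = { Host: host };
    const cookies = this.store.get(host);
    const allowed = this.policy === "always" || userRequested;
    if (cookies && cookies.size > 0 && allowed) {
      headers.Cookie = [...cookies].map(([n, v]) => `${n}=${v}`).join("; ");
    }
    return headers;
  }
}

// Constructed session: cart cookie set on the first response, two items browsed, then "buy".
function serverView(policy) {
  const jar = new CookieJar(policy);
  const host = "shop.example";
  const clicks = [
    { path: "/catalog", shift: false },
    { path: "/item/1", shift: false },
    { path: "/item/2", shift: false },
    { path: "/buy", shift: true }, // the user shift-clicks the "buy" button
  ];
  const seen = [];
  for (const [i, c] of clicks.entries()) {
    const h = jar.headersFor(host, c.shift);
    seen.push({ path: c.path, cookie: h.Cookie || null });
    if (i === 0) jar.receive(host, "cart=c0ffee; Path=/"); // constructed Set-Cookie
  }
  return seen; // per request: what the server can tie to the cart identifier
}
```

Under the "always" policy every request after the first carries the cart identifier, so the server can link the whole browsing path; under "opt-in" only the `/buy` request does.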