[2414] in WWW Security List Archive
Re: cookies and privacy
daemon@ATHENA.MIT.EDU (Jacob Rose)
Tue Jul 16 17:47:35 1996
Date: Tue, 16 Jul 1996 15:54:11 -0400 (EDT)
From: Jacob Rose <jacob@whiteshell.com>
To: Joe Andrieu <andrieu@association.org>
Cc: Dave Kristol <dmk@allegra.att.com>, www-security@ns2.rutgers.edu
In-Reply-To: <31EBE00F.4271@association.org>
Errors-To: owner-www-security@ns2.rutgers.edu
> > Why not limit Netscape such that it will only send cookies to the user's
> > "apparent site" - the one in the URL? That way, inline imagery that is
> > "off-site" won't be able to trigger cookies, and the user will know who
> > is receiving them; it wouldn't prevent people from collecting personal
> > data about users, but it would definitely make it hard to correlate.
> >
> > This seems to me rather an obvious solution; are there any legitimate
> > quibbles with it?
>
> This wouldn't actually stop anyone from collecting the data if they so
> choose. If Clickstream's client's machines do the logging and then send it
> to Clickstream, it is functionally identical to the cookie going directly to
> Clickstream. Of course, this could be done by any agency looking to create
> value from aggregating traffic usage patterns.
No, it could not; cookies are "shown" to hosts you return to based on the
system's address. Thus, if you went to a.com and got a cookie, then
visited a.com a second time, a.com could only tell that it was the same
person visiting again. If you then went to b.com and got a cookie, that
cookie would be "shown" to b.com each time you visited, but it would not
be shown to a.com or any other site you might visit. In other words, for
each combination of user (for various meanings of "user") and host, you
get exactly one cookie, a cookie that would only be displayed by that user
visiting that host. Thus, nobody would be able to correlate the data from
the various hosts except by the use of IP addresses (which aren't at all
user-dependent - generally they only reveal what organization the user
uses to connect to the net).
> Alternate personae would solve that problem. Especially if it was as easy to
> switch from one to another by pushing a button on my browser.
That's really something unrelated, but I think that anonymity is something
that should be an option for Internet users - but only while they're
communicating by consent. By "consent" I mean that the recipient of
their messages wants to receive them, or at least has control of whether
he or she continues to receive them. So, in other words, anonymity makes
sense in any kind of "group" communication where anyone may leave or be
removed from the group at any time, but not in private e-mail or other
venues in which users can be victimized by abusive communication.
Jacob Rose
jacob@whiteshell.com
"The truth is where the sculptor's chisel chipped away the lie."
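The mechanism argued over above (a cookie is returned only to the host that set it, so correlation across sites needs an off-site element such as an inline image that every site embeds) is easy to model. The following is an added example written for this archive page, not code from any poster or from Netscape; the hosts a.com, b.com and tracker.example, the cookie name "id" and the page paths are constructed for illustration. It models a browser cookie jar in two modes, the 1996 default and the proposed "apparent site" rule, and shows what an off-site tracker can and cannot learn in each.

```python
"""Toy model of browser cookie scoping, added as an illustration.

Assumed/constructed: hosts a.com, b.com, tracker.example; cookie name 'id'.
A cookie is stored under the host that set it and sent back only to that
host.  With apparent_site_only=True, the jar refuses cookies from, and
sends none to, any host other than the one in the page URL.
"""
from urllib.parse import urlsplit


class CookieJar:
    """Cookies keyed by setting host; each host sees only its own cookies."""

    def __init__(self, apparent_site_only=False):
        self.apparent_site_only = apparent_site_only
        self._jar = {}  # host -> {cookie name: value}

    def accept(self, setter_host, name, value, page_host):
        # Under the 'apparent site' rule an off-site image cannot set a cookie.
        if self.apparent_site_only and setter_host != page_host:
            return False
        self._jar.setdefault(setter_host, {})[name] = value
        return True

    def cookies_for(self, request_host, page_host):
        # Under the 'apparent site' rule nothing is sent to off-site hosts.
        if self.apparent_site_only and request_host != page_host:
            return {}
        return dict(self._jar.get(request_host, {}))


class Tracker:
    """Off-site host serving an inline image; hands each new visitor an id."""

    def __init__(self):
        self._next_id = 1
        self.log = []  # (page host the image was embedded in, visitor id)

    def serve(self, page_host, cookies):
        vid = cookies.get("id")
        set_cookie = None
        if vid is None:  # no cookie came back: treat as a new visitor
            vid = "v%d" % self._next_id
            self._next_id += 1
            set_cookie = ("id", vid)
        self.log.append((page_host, vid))
        return set_cookie


def visit(jar, tracker, page_url, image_url):
    """Load a page that embeds one off-site image served by the tracker."""
    page_host = urlsplit(page_url).hostname
    img_host = urlsplit(image_url).hostname
    sent = jar.cookies_for(img_host, page_host)
    new_cookie = tracker.serve(page_host, sent)
    if new_cookie:
        jar.accept(img_host, new_cookie[0], new_cookie[1], page_host)


def can_correlate(log):
    """True if one visitor id was seen on pages from two different hosts."""
    hosts_by_id = {}
    for page_host, vid in log:
        hosts_by_id.setdefault(vid, set()).add(page_host)
    return any(len(hosts) > 1 for hosts in hosts_by_id.values())


def run(apparent_site_only):
    """Three page loads, all embedding the same tracker image; return its log."""
    jar = CookieJar(apparent_site_only)
    tracker = Tracker()
    for page in ("http://a.com/index.html",
                 "http://b.com/news.html",
                 "http://a.com/page2.html"):
        visit(jar, tracker, page, "http://tracker.example/pixel.gif")
    return tracker.log


def first_party_still_works(apparent_site_only):
    """a.com's own cookie must come back to a.com under either rule."""
    jar = CookieJar(apparent_site_only)
    jar.accept("a.com", "sess", "s1", "a.com")
    return jar.cookies_for("a.com", "a.com") == {"sess": "s1"}


if __name__ == "__main__":
    for mode in (False, True):
        log = run(mode)
        print("apparent_site_only=%s -> %s, correlatable: %s"
              % (mode, log, can_correlate(log)))
```

With the default behaviour the tracker's log shows the same visitor id on both a.com and b.com, which is exactly the cross-site correlation the thread is about; with the "apparent site" rule the tracker sees a fresh id on every load and learns nothing that links the sites, while a.com's own cookie still returns to a.com. The model also makes the rebuttal concrete: a site logging its own visitors and mailing the logs to a third party still cannot supply a common identifier across sites, because each host only ever sees its own cookie.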