1996-07-17 - Cookie alternatives

Header Data

From: Hal <hfinney@shell.portal.com>
To: cypherpunks@toad.com
Message Hash: a00bfcdd73599f886796692d9255deedb0815b3f36deb269a73d36941f226b87
Message ID: <199607161607.JAA08875@jobe.shell.portal.com>
Reply To: N/A
UTC Datetime: 1996-07-17 17:14:54 UTC
Raw Date: Thu, 18 Jul 1996 01:14:54 +0800

Raw message

From: Hal <hfinney@shell.portal.com>
Date: Thu, 18 Jul 1996 01:14:54 +0800
To: cypherpunks@toad.com
Subject: Cookie alternatives
Message-ID: <199607161607.JAA08875@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain

There has been quite a bit of discussion recently about the "cookies"
used by Netscape Navigator and their effects on privacy of users.  Here
is some background and some thoughts on alternatives.

I think the term "cookie" goes back to the 1960's.  According to
legend, there was a virus-like program called "cookie monster" which
would occasionally pop up on people's terminals and say "gimme
cookie".  You then had to type the word "cookie" to satisfy the
program, and it would go away.  The program was hidden in the core
memory of the large, multi-user computer systems which were common in
those days.

I first heard "cookie" used similarly to its current context in the
1970's.  It referred to a data item which would be given by a service
to a client of that service, and which would be used on later
interactions.  I think the usage comes from the cookie monster, where
you imagine the client saying "gimme cookie" to the server.  The cookie
is an "opaque" data item, that is, its structure if any is not visible
or documented for the client.  It has meaning only to the service.

There is a similar concept in cryptography, the "nonce".  A nonce is a
random value which is generated by one party in a cryptographic
protocol and which is exchanged at later stages of the protocol.  The
purpose of the nonce is to prevent replay attacks and to maintain
continuity during the (possibly) many exchanges of data which make up
the protocol.  When the client sends a request to a service it includes
a nonce, and the return reply includes the same nonce.  This way the
client can make sure that this is a reply to its current request and
not something which is replayed from an earlier interaction.

Cookies seem a little more general than nonces, in that nonces are
pretty clearly supposed to be just random numbers, while cookies are
more general and could have internal structure which is known by one of
the parties, although it is usually opaque to the other.

However I think in current usage on the web cookies are most commonly
used basically as nonces, random values whose purpose is to maintain
continuity in a series of interactions.  When a server gives a cookie
to a web browser, that browser supplies the cookie on future
interactions with the server.  The cookie probably does not have any
specific data about the user or the interaction, but is used only to
link up the interactions which take place.  It is most probably used as
an index into a database maintained on the server itself.  Its only
requirements for this purpose are that it is unique and that it can
easily be used as such an index.

One typical usage would be to maintain a "shopping cart" while browsing
at a store.  If I am visiting an online clothing store, I may choose to
buy some pants, a shirt, and a jacket as I browse around.  Each time I
click on the "buy" button, my browser includes the cookie I received
when I first visited the site.  This indexes into a database on the
server which is keeping track of what I have bought.  With each new
item, the cookie allows the server to add it to the correct virtual
shopping cart.  Then when I "check out", again the cookie allows the
server to display everything I bought.

Given that cookies generally work this way it is clear that the notion
of editing cookies doesn't make much sense.  If cookies are opaque data
structures, changing them is just going to make them invalid.  You
might as well just delete them.  This also implies that you don't have
much control over what kinds of information the server is maintaining
in its database which is indexed by your cookie.  In the shopping cart
example, the cookie is sent on every transaction, not just when you
click to make a purchase.  This will allow the server to track your
progress through the site, see which if any ads you have seen, and
generally record many details about your interactions.  More generally,
cookies are used for this purpose even on sites which do not need them
for shopping carts.

As a user of the web, I would prefer to have more control over the kind
of information which servers gather about my browsing habits.  Of
course, since web interactions are voluntary, a server is free to put
whatever restrictions it wishes on clients in return for letting them
access its information.  It can require clients to accept cookies, to
register with their names and addresses, or to FedEx their firstborn
children to the store, for that matter.  Nevertheless to the extent
that I have bargaining clout in these interactions, I will prefer
systems which do not infringe so much upon my privacy.

It is interesting to consider how shopping carts might be done without
cookies and similar technologies which allow servers to get more
information about me than necessary.  I would prefer a system where the
list of things I have chosen to buy is saved on my own computer, in a
format I can clearly see, and without linking my purchase decisions to
other browsing I may have done on that site.

Consider a system where when I click on "buy", a dialog box pops up in
the corner of my screen which is my virtual shopping cart.  It holds a
list of the items I have selected for purchase, with each new item
appended to the list.  When I go to check out, the contents of this
dialog box are uploaded (with my permission) to the site, where payment
arrangements are made.  Since I can see what is being put into the
dialog box and what is being uploaded, I know that I am controlling
exactly what information is being revealed about me.  I don't have to
trust the server to protect my privacy by not recording excessive
information about my browsing.

(Given the difficulties in creating new protocols for this kind of
support, I think a step in the right direction would be to change the
user interface so that cookies are only sent upon user request.  Maybe
you have to shift-click or use some other key modifier to send a cookie.
Then shopping pages could ask you to shift-click the buy button to add
the item to your shopping cart.)

All this is in accord with the general principle that we support here,
of protecting privacy by limiting the collection of infringing data,
rather than trying to pass laws to restrict the dissemination and
sharing of such information.  We support ecash since it allows
transactions without identification, rather than using credit cards but
trying to put legal restrictions on what the CC companies can do with
their transaction data.  Cookies allow many kinds of privacy infringing
data to be collected.  I would prefer to see alternate mechanisms to
allow for the kinds of transactions that cookies are needed for, which
allow users to protect their own privacy.  Are there other uses of
cookies for which alternatives are needed?