1996-07-18 - Re: Cookie alternatives

Header Data

From: Jeff Barber <jeffb@issl.atl.hp.com>
To: hfinney@shell.portal.com (Hal)
Message Hash: a1b6ad9e40fa2e7ab5e0851f03ff98dc9acf06fdf07557d46829c6e7972614fd
Message ID: <199607172056.QAA15431@jafar.issl.atl.hp.com>
Reply To: <199607161607.JAA08875@jobe.shell.portal.com>
UTC Datetime: 1996-07-18 08:35:44 UTC
Raw Date: Thu, 18 Jul 1996 16:35:44 +0800

Raw message

From: Jeff Barber <jeffb@issl.atl.hp.com>
Date: Thu, 18 Jul 1996 16:35:44 +0800
To: hfinney@shell.portal.com (Hal)
Subject: Re: Cookie alternatives
In-Reply-To: <199607161607.JAA08875@jobe.shell.portal.com>
Message-ID: <199607172056.QAA15431@jafar.issl.atl.hp.com>
MIME-Version: 1.0
Content-Type: text/plain

Hal writes:

> However I think in current usage on the web cookies are most commonly
> used basically as nonces, random values whose purpose is to maintain
> continuity in a series of interactions.  When a server gives a cookie
> to a web browser, that browser supplies the cookie on future
> interactions with the server.  The cookie probably does not have any
> specific data about the user or the interaction, but is used only to
> link up the interactions which take place.  It is most probably used as
> an index into a database maintained on the server itself.
[ snip ]
> As a user of the web, I would prefer to have more control over the kind
> of information which servers gather about my browsing habits.
[ snip ]
>                                          Nevertheless to the extent
> that I have bargaining clout in these interactions, I will prefer
> systems which do not infringe so much upon my privacy.
> It is interesting to consider how shopping carts might be done without
> cookies and similar technologies which allow servers to get more
> information about me than necessary.

I think you're exactly right about how cookies are used, but I believe
privacy concerns stemming from cookies have been blown out of proportion
lately.  For the average Joe User running his single-user PC at home,
connected by modem to his local ISP, it makes little difference whether
a site issues a cookie to Joe or not; his IP address already uniquely
distinguishes him.  The site can simply use his IP address as its
database index.  If Joe deletes his cookie file each night before
invoking the browser, the impact of cookies is completely negated.

Now for those of us who access the net from multi-user systems or from
behind a firewall, the cookie uniquely identifies a particular browser
instance -- that is, it makes us equal to Joe.  And that's the reason
cookies were invented in the first place: because IP address and other
information available to the server didn't provide a unique server
database index.

I don't mean there are no privacy implications at all, and there are 
clearly other ways of accomplishing the cookie's function.  My point is
that merely removing cookies doesn't really help Joe's privacy much.
And it's Joe we ought to be concerned about as he represents the typical
user of today as well as the future.

-- Jeff