Re: LYNX-DEV Cookies

[David Woolley]

> 
> But of course, they can also track your access and progress thru the site
> via the site's logs as well.

Most users don't even know how to configure an email ID in their browser,
and there is a trend to suppressing these, as there is for Referers,
although I think less page authors are aware of Referers, as they are
not in the standard server logs.   The IP address is going to be that
of a caching proxy on any well configured browser, and is otherwise
likely to be that of a dynamic PPP port on a terminal server.  You can't
realistically track people from the logs.

On the other hand, I am pretty sure that there is an option in Apache for
cookie logging.  Cookie logging is of no real use for maintaing state; its
only obvious purpose is for correlating requests for subsequent analysis.

> The 'privacy' concerns are related to what sites within a domain can
> find out from what a user has provided in the current and prior visits.
> What kind of information?  Only whatever the site has stored into a cookie.


First a technicality; most cookies are only the record number in a database.
The actual data is stored server side.

However the real issue is that the information that is critical from
a privacy point of view is not the individual access information, but the
correlation of that information.  1 + 1 = 2.5 in the statistics business.
Although access control is the high profile issue in computer security these
days, the very long standing issue of designing databases such that it
is not possible to bypass access restrictions by a series of correlated
requests is probably a much more difficult problem to solve.

Also, before the preponderence of ASP pages, which generate cookies
even when they are not needed, because the ASP engine doesn't know if
they will be needed, all my cookies were coming from search engines,
which didn't need them for the actual search (they were either stateless,
or carried the necessary information in the URL).  These could be used to
control Ad rotation, but given the likely nature of the business, I think
it is much more likely that they are selling the information obtained by
analysing access patterns to ALL their advertising customers, not just
using it within their organisation.  Paper magazines have been doing this
for decades.  (Have a look at the expiry time on the GTPLACER cookies
generated by one of the search enginesi; for mass market browser users,
they are giving you an identity for the life of your computer system -
I suspect that Lynx's non-persistent Cookie support is useless to them,
although still good enough for most of the really benign uses of Cookies.)

> has at other sites.  The only access that a different site at a different
> domain would have to the cookies is the same that that site might have to
> any other data file on your system.  Cookies are not, at least intentionally,

And what it can buy from the site which issued the cookie.  The system is not
just the technical part implemented by HTTP and Cookies, but the whole business
surrounding the site.  Note that most mail order operations also run a side
business in selling their mailing lists (in the UK, there is usually a minute
box to tick if you don't want this to happen).

With Ad Rotation++ as one of Microsoft's main selling points for ASP, I think
it is likely that, by site, most cookies in the near future will only be
tracking you to the extent necessary to ensure you see all the adverts.
Also, on an intranet, the use of cookies is likely to be benign.  However,
it is almost certain that any cookies returned from search engines are there
for market research purposes - rejecting those associated with Alta Vista
and DejaNews seems to have no impact on the ability to search.

Of course, market research is a swings and roundabouts thing.  You lose some
personal privacy, but you may get better targetted advertising and more
and better designed products.

++ I'm not actually sure that ASP Ad Rotation isn't stateless.
;
; To UNSUBSCRIBE:  Send a mail message to address@hidden
;                  with "unsubscribe lynx-dev" (without the
;                  quotation marks) on a line by itself.
;