Cookie Handling, a Brief Primer

Recently WSJ's Walter S. Mossberg spent a bit of time railing against tracking
cookies as meeting his definition of spyware. He points out the problem that
some of these cookies are useful for remembering site preferences and site
login information, but many are just tracking user behavior. He specifies that
users should have to opt in to any type of cookie. Eric Peterson, of Jupiter
Research, then chimes in and suggests how painful an exercise this would be for
the user (imagine 9 popups for every visit to CNN, or at least one really
complex dialog with 9 items). Zachary McGeary, also of Jupiter, points out
other solutions focused, I believe, on blocking cookies that are known to be
bad (aka blacklisting). Microsoft Monitor then praises Internet Explorer's
support for P3P and has his own recommendations for dealing with cookies.

Let's try to untangle what sorts of cookie/privacy mitigation
techniques there are:

First we have the things we can make decisions on:

  • First/Third party cookies
    We differentiate whether the cookie is requested from the main page's
    server or from other servers. When people talk about tracking across
    different web sites, it is typically because both websites are requesting
    ads or other resources from the same third party server. Cookies served
    from these third party web servers are called third party cookies. When
    does this typically happen? Banner ads. You get a banner ad from the
    advertiser's web site and they use cookies with the image file.

  • Session/Persistent cookies
    Session cookies are typically the type of cookies needed to support
    online shopping carts. They clear after the browser closes. Since they
    don't persist they aren't quite as useful for tracking you as an
    individual day to day. The other type are called persistent cookies.

  • Per Site
    I might trust passport.com, while someone else doesn't trust
    passport.com's cookies. A list of trusted sites would be a whitelist, a
    list of untrusted sites is a blacklist. These lists could come in a
    subscription form.

  • P3P (compact policies)
    In an attempt to figure out the differences between good uses and bad
    uses of cookies, the site provides along with the cookie a list of
    promises about how the information gathered from the cookie will get used
    (and much much more).

Next, what can we do with this information?

  • Block (reject)
    Don't allow the cookie to get set.

  • Allow (accept)
    Let the cookie through.

  • Prompt the user
    This is where we leave the decision up to the user to block or allow.
    Bugging the user with every decision is not normally considered a good
    thing. An implementation should probably remember the decision (adding it
    to the whitelist or blacklist) to reduce the frequency of popups.

  • ForceSession
    This is where a persistent cookie is forced into a session cookie. We
    delete the cookie when the browser gets closed.

  • ForceFirstParty
    Accept the cookie but only allow it to be sent as a first party cookie.
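
The decision inputs and actions listed above can be combined into one policy function. The following is an added example, not code from the original post or from any browser; the function names, the policy layout and the sample hosts are assumptions, and P3P is left out.

```javascript
// Added example: a cookie-policy decision function. All names are hypothetical.
const ACTIONS = { ALLOW: 'allow', BLOCK: 'block', PROMPT: 'prompt',
                  FORCE_SESSION: 'forceSession', FORCE_FIRST_PARTY: 'forceFirstParty' };

// Simplification: treat the last two DNS labels as the site. A real browser
// would consult the Public Suffix List (e.g. for example.co.uk).
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Classify one Set-Cookie header by the inputs the article lists.
function classify(pageHost, responseHost, setCookie) {
  const attrs = setCookie.split(';').slice(1).map(a => a.trim().toLowerCase());
  return {
    site: siteOf(responseHost),
    thirdParty: siteOf(pageHost) !== siteOf(responseHost),
    persistent: attrs.some(a => a.startsWith('expires=') || a.startsWith('max-age=')),
  };
}

// Per-site lists win; otherwise fall back to the default for the cookie's class.
function decide(policy, pageHost, responseHost, setCookie) {
  const c = classify(pageHost, responseHost, setCookie);
  if (policy.whitelist.has(c.site)) return ACTIONS.ALLOW;
  if (policy.blacklist.has(c.site)) return ACTIONS.BLOCK;
  const party = c.thirdParty ? 'thirdParty' : 'firstParty';
  const life = c.persistent ? 'persistent' : 'session';
  return policy.defaults[party][life];
}

// Record a prompt answer so the same site does not prompt again.
function remember(policy, responseHost, userAllowed) {
  (userAllowed ? policy.whitelist : policy.blacklist).add(siteOf(responseHost));
}

// Constructed sample policy and hosts, for illustration only.
const samplePolicy = {
  whitelist: new Set(['passport.com']),
  blacklist: new Set(),
  defaults: {
    firstParty: { session: ACTIONS.ALLOW, persistent: ACTIONS.ALLOW },
    thirdParty: { session: ACTIONS.FORCE_FIRST_PARTY, persistent: ACTIONS.PROMPT },
  },
};
```

A caller that receives `prompt` asks the user once and passes the answer to `remember`, so later cookies from that site are decided by the lists instead of another popup.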

P3P allows for a lot of information about the use, intent, dispute process,
etc. to be expressed. IE boils it down to whether Personally Identifiable
Information (PII) is used with your implicit or explicit consent, and even that
is a bit too much lawyer-speak when reading what the settings mean. To give you
an idea how bad this can get, P3P Compact Policies allow you to say to accept
all cookies that will be used for government telemarketing and that any
violation of the policy could result in monetary compensation and disputes are
handled by a court of law or an independent organization but not customer
service, but not many people think about cookies that deeply. The full P3P XML
policy file is even MORE expressive. With all that complexity it's not too
surprising that Firefox and Mozilla don't seem to be all that sure about the
value of P3P.

IE exposes all of its supported functionality (full P3P compact policies,
whitelisting, blacklisting, etc.) in an XML-based Customized Privacy Import
File, which can be imported from the Privacy tab of Internet Settings. However,
some quick searches lead me to think that this is one of those features that
just didn't take off. Maybe an export of privacy settings and a clean way to
plug in subscriptions could help?

Oh BTW, my personal setting is Medium-High in Internet Explorer,
which means explicit opt-in of any third party cookies that are used for PII.

    -- Ari Pernick (arip)