Recently WSJ's Walter S. Mossberg
spent a bit of time railing against tracking cookies as meeting his definition
of spyware. He points out the problem that some of these cookies are useful for remembering
site preferences and site login information, but many are just tracking user behavior. He specifies that users should have to opt in to
any type of cookie. Eric Pererson, of Jupiter Research, then chimes in and suggests
how painful of an exercise
this would be for the user. (imagine 9 popups for every visit to CNN or at least
one really complex dialog with 9 items). Zachary McGeary, also of Juniper,
points out other solutions focused, I believe, on blocking cookies that are
known to be bad (aka blacklisting). Microsoft Monitor then praises
Internet Explorer's support for P3P and has his own recommendations for
dealing with cookies.
Let's try to untangle what sorts of cookie/privacy mitigation
techniques there are:
First we have the things we can make decisions on:
First/Third party cookies
We differentiate if the cookie is getting requested from the main
page's server or from other servers. When people talk about tracking across
different web sites, it is typically because both websites are requesting
ads or other resources from the same third party server. Cookies served from
these third party web servers are called third party cookies. What's the
typical time this happens? Banner Ads. You get a banner ad from the
These are typically
the type of cookies needed to support online shopping carts. Session cookies
clear after the browser closes. Since they don't persist they aren't quite
as useful for tracking you as an individual day to day. The other type are
called Persistent Cookies.
I might trust passport.com, while someone
else doesn't trust passport.com's cookies. A list of trusted sites would be
a whitelist, a list of untrusted sites is a blacklist. These lists could
come in an subscription form.
In an attempt to figure out the differences between good
uses and bad uses of cookies, the site provides along with the cookie a list
of promises about how the information gathered from the cookie will get used
(and much much more).
Next, what can we do with this information?
Don't allow the cookie to get set
Let the cookie through
Prompt the user
This is where we leave the decision up to the user to block or
Bugging the user with every decision is not normally considered a good
thing. An implementation should probably remember the decision (adding it to
the whitelist or blacklist) to reduce the frequency of popups.
This is where a persistent cookie is
forced into a session cookie. We delete the cookie when the browser gets
Accept the cookie but only allow it to be get sent as a first party cookie.
P3P allows for a lot of information about the use, intent,
dispuite process etc to be expressed. IE boils it down to if Personally Identifiable Information
(PII) is used with your implicit or explicit consent and even that is a bit
too much lawyer speak reading what the settings mean. To give you an idea how
bad this can get, P3P Compact Policies allow you to say to accept all cookies
that will be used for government telemarketing and that any violation of the
policy could result in monetary compensation and disputes are handled by a court
of law or an independent organization but not customer service, but not many
people think about cookies that deeply. The full P3P xml policy file is even
MORE expressive. With all that complexity it's not too surprising that Firefox and Mozilla
doesn't seem to be
that sure about the value of P3P.
all of its supported functionality (Full P3P compact
policies, whitelisting, blacklisting etc) in an xml based
Customized Privacy Import File which can be imported from the privacy tab of
Internet Settings. However some quick searchs leads me to think that this is one of those features that just
didn't take off. Maybe an export privacy settings, and a
clean way to plug in subscriptions could help?
Oh BTW, my personal setting is Medium-High in Internet Explorer,
which means explicit opt-in of any third party cookies that are used for PII.
-- Ari Pernick (arip)