Forum OpenACS Q&A: Response to Getting rid of cookies

Posted by Joe Harrington on
Ok, Ben, but please don't over-interpret what I say and then get offended by it.  I didn't say you were short-sighted for using cookies, I said you were short-sighted for calling them "a *very* important part of true collaboration".  I collaborated (truly) long before the invention of the web.  I can do it without cookies.  I can do it on the web without cookies, certainly to my satisfaction as a user.  You yourself said you have solved this problem once before without cookies, so I think you have overstated their importance.

It is certainly true that tracking a session on a particular site raises some privacy issues, but the big abusers (doubleclick.com and the credit-reporting agencies) depend on tracking you as an individual across many sites and over long periods of time.  That's most easily and frequently done with long-lived cookies and a presence on many sites.  You and many other web programmers talk about cookie technology as being independent of privacy concerns.  This is like saying that leaving your door unlocked in the city is independent of security concerns, because you as a pedestrian never enter someone's house without permission.

The "technology" of cookies involves both the client and server ends of things, and right now, I have very little control over how my browser treats cookies.  I can turn them off (and be locked out of many web sites), turn them on (and be defenseless against abusers), or be faced with as many as several hundred cookies per displayed page of please-click-to-go-on.  I currently choose the latter option, but I often find myself getting infinite cookie requests that lock my browser so that the only way to continue to use the web is to kill my browser and start over, losing where I am in my several open sessions on different sites.  Whenever I enable cookies, I get a .netscape/cookies file full of doubleclick.com and others who have on several occasions been cited for using these cookies to build and sell consumer databases that are a gross violation of privacy.  *You* may use cookies responsibly, but some others don't.

You may argue this is a browser issue, and it is.  If there were any decent open-source browsers out there, I'm sure someone would hack together a solution that would make cookies tasty to both web programmers and users (part of which I outlined in my posting).  Until the "technology" of cookies includes sufficient control on the client end, your responsible use of cookies on your particular site (and I do laud you for it) doesn't protect us from abuse by others.

I'm sad you're unsympathetic.  It's like a city developer saying he won't install locks on doors because he doesn't rob people on the street and then saying "go start your own door company if you don't like the way I build mine".  This is a social problem and I'd like to have the tools to do my part, run a cookieless site, and save the hundreds of complaints I'd get if I did otherwise.  Given the fact that Germany and other nations are implementing legal responses to the privacy-abuse opportunity presented by the current cookie technology, one might think web programmers would take the issue more seriously.

Shalon Wood and Dirk Gomez raise some good points that nobody has addressed.  Everyone just talks about the wonderful cookie solution and how hard it is to do anything else.  There are good sites out there that don't use cookies.  All we're looking for is an open-source way to do the same.  Right now, OpenACS is the only game in town for those of us who must put up a community site in our spare time.  Is OpenACS really ready to write off all of Germany?

--jh--
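The post's concern is that a cookie jar fills with long-lived cookies from domains the user never visited directly, which is what enables cross-site tracking. As an added example (not code from the thread or from OpenACS), the script below parses a Netscape-format cookies file (the `.netscape/cookies` file mentioned above; seven tab-separated columns: domain, include-subdomains flag, path, secure flag, expiry as Unix epoch with 0 meaning session-only, name, value) and flags cookies that are both long-lived and third-party relative to a list of sites the user actually visited. The cookie lines, domain names, visited-site list and reference time are all constructed for the example.

```python
"""Audit a Netscape-format cookies.txt and flag long-lived third-party cookies.

Added example: a defender-side check of a cookie jar, not OpenACS code.
All sample data below is constructed.
"""
from dataclasses import dataclass

# Constructed reference time (2000-01-01T00:00:00Z) so the report is reproducible.
NOW = 946684800
DAY = 86400

# Constructed cookie jar in the Netscape 7-column format. The hypothetical
# ad network "ads.example.net" sets a two-year cookie; the community site the
# user actually visits sets one session cookie and one one-year cookie.
SAMPLE_COOKIES_TXT = "\n".join([
    "# Netscape HTTP Cookie File",
    "# constructed sample, not a real cookie jar",
    "\t".join([".ads.example.net", "TRUE", "/", "FALSE", str(NOW + 2 * 365 * DAY), "id", "abc123"]),
    "\t".join(["community.example.org", "FALSE", "/", "FALSE", "0", "ad_session_id", "s9f8"]),
    "\t".join([".community.example.org", "TRUE", "/", "TRUE", str(NOW + 365 * DAY), "remember_me", "u42"]),
])

# Constructed list of sites the user deliberately visited (first parties).
VISITED_SITES = ["community.example.org"]


@dataclass
class Cookie:
    domain: str
    include_subdomains: bool
    path: str
    secure: bool
    expires: int  # Unix epoch seconds; 0 means a session cookie
    name: str
    value: str


def parse_cookies_txt(text: str) -> list[Cookie]:
    """Parse the tab-separated Netscape cookie format, skipping comments and blanks."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed line: skip rather than abort the audit
        domain, subdom, path, secure, expires, name, value = fields
        cookies.append(Cookie(
            domain=domain.lstrip("."),          # leading dot marks a domain cookie
            include_subdomains=(subdom.upper() == "TRUE"),
            path=path,
            secure=(secure.upper() == "TRUE"),
            expires=int(expires),
            name=name,
            value=value,
        ))
    return cookies


def is_third_party(cookie_domain: str, visited_sites: list[str]) -> bool:
    """A cookie is first-party if its domain matches, or is a parent or child of,
    a site the user visited; anything else is third-party."""
    for site in visited_sites:
        if (cookie_domain == site
                or site.endswith("." + cookie_domain)
                or cookie_domain.endswith("." + site)):
            return False
    return True


def audit(text: str, visited_sites: list[str], now: int, long_lived_days: int = 30) -> list[dict]:
    """Return one report row per cookie with lifetime and party classification."""
    report = []
    for c in parse_cookies_txt(text):
        days_left = None if c.expires == 0 else (c.expires - now) / DAY
        report.append({
            "name": c.name,
            "domain": c.domain,
            "days_left": days_left,
            "third_party": is_third_party(c.domain, visited_sites),
            "long_lived": days_left is not None and days_left > long_lived_days,
        })
    return report


def find_trackers(text: str, visited_sites: list[str], now: int) -> list[str]:
    """Names of cookies that are both long-lived and third-party: the tracking profile."""
    return [r["name"] for r in audit(text, visited_sites, now)
            if r["third_party"] and r["long_lived"]]


if __name__ == "__main__":
    for row in audit(SAMPLE_COOKIES_TXT, VISITED_SITES, NOW):
        print(row)
    print("flagged:", find_trackers(SAMPLE_COOKIES_TXT, VISITED_SITES, NOW))
```

On the constructed jar, only the ad network's two-year `id` cookie is flagged: the site's own one-year `remember_me` cookie is long-lived but first-party, and the session cookie expires when the browser closes. The 30-day threshold is a parameter because what counts as "long-lived" depends on the site's own session policy.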