

Magic cookies mean the end of privacy on the Internet - bayareaguy
http://philip.greenspun.com/panda/user-tracking

======
dasil003
I think it's a pretty specious argument.

Cookies are all under your control. This is a lot more than you can say about
all the rest of the data that is collected about you daily. For people who are
concerned about this sort of thing, there are plenty of tools to manage cookies
to a policy of their choosing. The fact that cookies are automatic just means
things are convenient enough to be useful for average people. If every site
required an account that had to be logged in to every time you visited it, you
wouldn't fundamentally have any more privacy, you'd just be a lot more
inconvenienced.

The bottom line is that if you want real privacy you have to know what you're
doing every step of the way and you have to work at it (a mountain cabin off
the grid is a pretty good start). On the Internet you already have an
advantage over any physical world transaction. Finding unsecured wifi where no
one knows you is already more work than clearing your cookies.

~~~
dhimes
_a mountain cabin off the grid is a pretty good start_

And then came Google Earth...

------
cd34
Philip Greenspun was referring to the OPS (Open Profiling Standard) and OSCC
(Open Standard Content Cookies) cookies. These were browser stored cookies
that could not be bypassed. The theory behind these was that every browser
had an ID, and that ID could be tracked for profiling purposes without
compromising privacy. That magic cookie would be sent to every site so that
cross-domain sites in the same network could establish the browser as the same
surfer.

archive.org is down for maintenance, but,
<http://developer.netscape.com/ops/proposal.html> is the original proposal.
developer.netscape.com is no longer online and mozilla.org never received
permission or wasn't able to resurrect the site.

------
lkrubner
The article says "Revised (lightly) July 2003" but it seems nearly identical
to what I remember reading in his book in 1999. For me, the thing I took
away from it, back in 1999, was that privacy on the Internet was limited - it
belonged only to those who were willing to jump through considerable hoops to
get it. A few things, which Greenspun almost accidentally mentions in another
of his essays, aided privacy in some contexts, especially multiple people
getting grouped behind one IP address, via NAT or many other gateway
interfaces. But the overall trend has been toward less privacy, since the mid
90s.

It is interesting to think of the degree to which privacy has survived in some
contexts, since its funeral ode was written 10 years ago.

------
ephramzerb
The nice thing is that browsers provide good control for managing one's
cookies, and browsers like Safari ship with pretty sensible, user-friendly
defaults (block cookies from 3rd party sites).

The current privacy Valdez is flash cookies, which are shockingly ubiquitous.
You can't clear them easily (clearing browser cookies won't work) and they
bypass browser cookie defaults. I polled a lot of developers and just about
every single one of them had no idea about them -- and if that demographic is
oblivious to them, imagine the rest of the population.

[http://www.wired.com/epicenter/2009/08/you-deleted-your-cook...](http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/)

~~~
nzmsv
After I installed NoFlash in Firefox, I was surprised at how many sites have
the Flash cookie thing. I never knew :)

Personally, I don't really care about the tracking all that much. I'm
extremely boring :) Which is why these cookies persist. I think most people
simply don't care, even if they know about them. The only reason I block Flash
is because it crashes Firefox on a regular basis.

------
NathanKP
The article seems rather old but the basic concepts are still applicable. Just
clear your cookie cache periodically, preferably after each browsing session.

~~~
veqon
Sure, I clear the cookies every time I close the browser. But can't they just
store everything as a session on the server?

~~~
stakent
And, of course, are you aware of flash cookies?

~~~
ytNumbers
If you're browsing with Firefox, you can take control of flash cookies by
installing the "Better Privacy" Add-on.

<https://addons.mozilla.org/en-US/firefox/addon/6623>

------
dwightman
This is an important concept that is easy to forget. I would be interested to
learn about technologies that could address magic cookie privacy concerns
without requiring cookies to be periodically deleted.

I hope a major privacy violation will not be necessary to bring mainstream
attention to this issue.

------
euroclydon
I have my browser prompt me for all cookies including third-party cookies,
which I will never allow.

~~~
windsurfer
Man that would be so annoying. I wish there was an easy way to whitelist which
cookies I accept, kind of like noscript.

~~~
NathanKP
I agree. I had it ask me every time for a while but it was too frustrating.
Many sites ask to set five or more cookies because of the different ad
providers they use.

Now I just clear the cache and cookies every time after I am done browsing.

