
The Original Cookie specification from 1997 was GDPR compliant (2019) - todsacerdoti
https://baekdal.com/thoughts/the-original-cookie-specification-from-1997-was-gdpr-compliant/
======
ThePhysicist
If you think cookie consents are messed up I recommend you to check out the
advertising industry's IAB consent framework, which is their attempt to self-
regulate in order to avoid or at least deflect external regulation: Its
purpose is to enable them to share your personal data between hundreds or
thousands of ad networks.

We develop an open-source consent manager
([https://klaro.kiprotect.com](https://klaro.kiprotect.com)) and considered
implementing the IAB framework, after seeing how it works we decided not to
though as we don't want to support privacy-invasive approaches.

That said players like Google also use privacy as a strategic tool to force
other players out of the ad market. Since Google can easily get first-party
cookies into > 95 % of all browsers they won't be impacted by the restriction
of third-party cookies. As most users go through their site many times per day
they also have enough other signals they can use to track people without
relying on cookies (user agent, IP address and a little Bayesian statistics is
sufficient if you see enough traffic). They will probably continue to remove
tracking capabilities that they don't need anymore from Chrome to slowly
suffocate any remaining competitors that still rely on them.

~~~
Sephr
I'm working on a zero-configuration consent manager:
[https://transcend.io/consent-manager](https://transcend.io/consent-manager)
(blog post coming soon!)

What makes our consent manager stand out is that it records all attempted
tracking events and can replay the events later once consented. This helps
site owners capture the entire user journey through their site.

~~~
tomaskafka
> that it records all attempted tracking events

Locally? While clever, I can't imagine how this would be GDPR-compliant when
stored on (no matter whose) server side ...

~~~
Sephr
Yes, locally on the browser. No data leaves your browser without your consent.

------
pmontra
If we'd never had cookies or we ban them now we'd be left with basic auth over
https. That's equivalent to a first party cookie. It would be enough to create
an ecommerce site with a cart and a recommendation engine. Every single site
would have the same login form, managed by the browser. I guess we'd end up
with an <auth> or <input type="auth"> tag to embed it inside the page and
style it.

Another consequence, there would be more server to server communications
because the first party server could send all sort of information to the
servers that are setting third party cookies in pages now. The focus of
privacy policies would be there.

Probably no way to implement OAuth.

~~~
eru
Banning cookies wouldn't do too much against tracking: modern browsers leak
enough information that you can fingerprint individual users by eg screen
resolution, available fonts etc.

~~~
stubish
Removing an entire front in the War on Privacy wouldn't help? There are many
things to fix if we want to reclaim privacy. There is certainly no single
magic bullet and it certainly isn't all going to happen at once.

~~~
mantap
It wouldn't help, it would just push it underground and make it harder to deal
with.

The opposite would work better. Create a standard for tracking people then
legally enforce that all tracking conforms to that standard. Then users can
opt out.

~~~
criddell
Imagine we didn't have already have cookies. If somebody suggested the
creation of cookies as they are now, do you think nothing would change?

~~~
derangedHorse
Yeah, I do think nothing would change. The vast majority of people I know have
complete apathy over 3rd party tracking. It's just not something on their
minds (for both devs and non-devs)

~~~
tripzilch
This is because, "the browsers messed up" (quote from the article).

------
hoppla
I find it disturbing that the biggest ad company controls the biggest browser.
I can see how privacy friendly specifications do not get implemented

~~~
shadowgovt
Ironically, Google actually puts a huge amount of engineering effort into
thinking through privacy concerns because they're a huge target and they stand
to lose a lot if they lose consumer goodwill.

... but their thought process does generally include "Google and their data
stores are a trusted repository."

~~~
nerdponx
And because privacy chokes out their advertising competition.

------
latchkey
Interesting discussion, in 1997, from Brian Behlendorf who had a hand in the
early specs.

[https://lists.w3.org/Archives/Public/ietf-http-wg-
old/1997Ja...](https://lists.w3.org/Archives/Public/ietf-http-wg-
old/1997JanApr/0456.html)

~~~
edoceo
Wow. We've been talking the same circles of conversation around privacy for
ages. That email could have been written yesterday.

Wish more visibility cookie UI like was mentioned was possible.

~~~
TeMPOraL
Holy shit. Indeed it could. I wouldn't be surprised if I saw this text as a HN
comment in 2020.

My favourite pieces:

> But there is a compelling argument that compensation models based on
> clickthroughs or more are flawed because it encourages the content developer
> to focus exclusively on pushing people through the ad, rather than actually
> providing useful content. I'm sure many content sites would refuse to
> partake in this.

Yet here we are. I guess it was hard to predict, 23 years ago, just how
insanely proftable this business model will become.

>> The bottom line is that WWW advertising is based on a business model which
didn't even exist a couple of years ago. It is based on leveraging technology
which is new and evolving. I am confident that it will evolve in response to
improvements to the technology..

> The business model of sponsored content has been around forever. So have
> these privacy issues (...) Looking to technology for a solution to the
> privacy problems is as misguided as blaming technology for causing them.

The kind of nonsense Brian replied to here, that this business model is new
and innovative, and thus somehow worth exploring... I swear I see these kind
of arguments regularly even today.

------
jokoon
The amount of time I lose trying to fight against advertisers is worrying.

I've set up several firefox containers for websites.

I'm now using two firefox profiles. My main profile has javascript disabled by
default through ublock, except for some websites.

My second profile has javascript enabled by default, but I enabled a custom
tougher blocklist with ublock (can't remember which). I use this second
firefox profile for websites I don't really trust.

Even with all this, with the websites I'm using, I'm quite certain it's not
enough.

Before the virus, I was at my mother's, and I admit that watching TV again (in
europe) was not that bad. I'm starting to think that getting the news from the
internet is now equally bad than watching TV.

About firefox containers: why can't firefox automatically compartmentalize
cookies and such, by default? I've never understood why website A can read the
cookies from website B. Ideally, there should be a setting to prevent such
thing, even if it breaks some websites.

~~~
correct_horse
> why can't firefox automatically compartmentalize cookies and such, by
> default?

It breaks some websites according to Mozilla, so Firefox does not block them
by default. Firefox's term for this is third-party cookies, and you can change
your Firefox settings to block them (without using containers) - see
[https://support.mozilla.org/en-US/kb/disable-third-party-
coo...](https://support.mozilla.org/en-US/kb/disable-third-party-cookies)

edit: the default settings block "cross-site tracking cookies" which is
presumably different from "3rd party cookies", but I'm not exactly sure how.

~~~
TeMPOraL
> _but I 'm not exactly sure how._

I'm guessing they have a blacklist, probably a community one maintained by
some ad blocking project. That strikes me as the only feasible way of telling
apart good and bad uses of the same technology, but it unfortunately requires
unending gruntwork.

------
ZWoz
From article: "This was great. In fact, the invention of the cookie was the
single most important thing we have ever added to the internet. It changed the
internet from just a passive place for us to read things, to an interactive
place."

There was several interactive protocols, like telnet or IRC. Maybe that cookie
implementation is one reason, why people confuse web with Internet?

~~~
apexalpha
Did IRC or telnet became the backbone for the entire online economy like the
www with cookies became?

~~~
ZWoz
They were influencial back in time. In alternative reality, where web stayed
in original form, we probably have some other and more designed to specific
problem solution.

------
q92z8oeif
back in 1999 or so I did a small research to check cookie support on the main
browsers at the time. There was a few odd ones, but mostly mozilla and IE4
were the big ones at the time.

The mozilla cookie spec used language like "up to" for everything. Microsoft
released a copy of the specification on MSDN with all the "up to" replaced
with "at least". So IE4+ would support urls "at least" 1000chars. cookies at
least whatever-limit it was supposed to have. etc.

They basically one-upped mozilla by offering web devs infinite resources that
would, by definition, break on any browser following mozilla sane
specification. While, also by definition, supporting everything made under the
mozilla specification.

And all the users and webmaster of that time are directly responsible for the
privacy mess we are today. And sadly, they are repeating everything again by
adopting GoogleChrome and it breakneck speed in setting "standards" that self-
serve Google.

This standards trumping for convenience is the ultimate incarnation of
embrace-extend-extinguish and we can't stop falling for it!

~~~
jefftk
All that's required for reliable tracking with cookies is a unique identifier
(8 characters would be plenty) and no spec has had such a low limit.

------
djantje
Processes being transparent and knowing what happens and being able to choose,
for me as a user this is important.

1st party cookies can be reasonable and needed for functionality.

3th party cookies are for conviniences only.

~~~
gpvos
I don't know of anything useful enabled by third party cookies; can you
elaborate?

~~~
grishka
Comment widgets like Disqus. You log into one once and you have your account
on any website that embeds this widget. Of course, the tradeoff is that now
Disqus can track the hell out of you.

~~~
gpvos
Ah, yes. I've always found that a tricky case. A good request blocker can at
least make sure you're only tracked on the sites where you use it, but that's
probably going to remain outside the amount of configurability browsers offer.

------
lenlorijn
GDPR only mentions cookies once.

 _Natural persons may be associated with online identifiers […] such as
internet protocol addresses, cookie identifiers or other identifiers […]. This
may leave traces which, in particular when combined with unique identifiers
and other information received by the servers, may be used to create profiles
of the natural persons and identify them._

As long as you are not building profiles of people, cookies are fine and you
don't even have to ask for permission to use them. Stop collecting data you
don't need, and if it is part of your business model, maybe ask a lawyer what
part of GDPR actually impacts your business instead of doing what everyone
else is doing or relying on internet comment sections.

~~~
gpvos
And as long as you aren't including any advertisers on your site which are
building profiles of people (and practically all of them are). Or using
Wordpress plugins that do the same, probably without telling you. Etc.

------
mikorym
The original NSA tracking systems were meant to be anonymous too.

I don't have a source, but this came out around the time of Snowden in 2013.
Basically, the story was that the original programmer had the idea to encrypt
the info of the people being tracked, so that the operators would always see
an alias and the underlying info would only be revealed to people with the
necessary clearance. I also assume they would also only reveal the information
to the operators when the targeted people became clear suspects rather than
just being anyone in the general populace.

~~~
EvanAnderson
You're probably thinking of ThinThread[1] and William Binney[2].

[1]
[https://en.wikipedia.org/wiki/ThinThread](https://en.wikipedia.org/wiki/ThinThread)

[2]
[https://en.wikipedia.org/wiki/William_Binney_(U.S._intellige...](https://en.wikipedia.org/wiki/William_Binney_\(U.S._intelligence_official\))

~~~
mikorym
Yes, exactly. Thanks!

------
mfontani
I might remember wrong, mind you... "but".

A long while ago, browsers were compliant, in that they only allowed first-
party cookies by default, and users had to opt-in (by going into the browser's
settings) to allow third party cookies to work.

This was difficult to do for most, but not many sites were unusable without
third party cookies enabled, and there weren't that many sites to begin with,
so it was "fine": not many users even touched that setting if they weren't
affected.

Once there were more sites in total, and once more of them were nigh unusable
without third party cookies enabled... there was a problem. A big one. Users
had to be told how to configure their user-agent to make the site work.
Instructions had to be provided for all common browsers. It was a mess.

User-agents could've solved this by making the UI/UX better: the user could
have an easy-to-use interface to enable third-party cookies per-session, per-
site, per-something...

... but instead they ended up implementing the easiest way out, and browsers
(no longer user-agents now...) started defaulting to third party cookies being
allowed by default.

I guess using something like lynx, today, gets one a glimpse into how it was,
and how it could have been.

~~~
masswerk
I actually recall options as: deny all cookies, allow first party cookies,
allow all cookies, ask. (The latter one soon became unrealistic, but it was
definitely in some of the earlier Netscape browsers.) Default was "allow first
party cookies".

Edit: Just rechecked, Netscape Communicator 4.7 (as of Nov. 1997) had the
exclusive options (radio buttons)

    
    
      () Accept all cookies
      () Accept only cookies that get sent back to the originating server
      () Do not accept cookies
    

and an additional checkbox

    
    
      [] Warn me before accepting cookies
    

(the latter triggering a prompt for any attempt to set a cookie not already
denied by the previous options).

Edit 2: I got it (NS4.7) to display a cookie warning:

    
    
      The server 192.168.1.2 wishes to set a cookie
      that will be sent back to itself. The name
      and value of the cookie are:
      test=ABC
      This cookie will persist until Jun 7 10:42:41 2020
      Do you wish to allow the cookie to be set?
      
                               [Cancel] [OK]
    

Mind (a) that all vital data is included in the message and (b) the kind of
general competence expected from an average user, back in the day (long before
URLs were deemed too complicated).

~~~
mfontani
Yup, there you go! I wasn't that far off :^)

------
atoav
One of my family members sometimes creates some wordpress pages as a
freelancer. He doesn't really know all these technical details behind Cookies
and GDPR, but he knew he needed to do somthing.

Him: I need to install some kind of cookie banner plugin.

Me: Alright, why do you think that? Which cookies does your site place?

Him: I don't know...

This is the entire problem. He didn't knoe what his site does, and he wanted
to add a cookie banner "just in case".

~~~
hadrien01
If he doesn't collect any personal data (with Google Analytics for example),
GDPR and ePrivacy do not apply to his business

~~~
closeparen
A normal Wordpress install would have an httpd access log and a user
registration system (with email verification and password reset) for comments.

~~~
Grumbledour
Both are fine with GDPR as long as you disclose them somewhere. That can of
course be a problem if you have insufficient technical knowledge.

Does WordPress come with a page disclosing this by default?

Of course, the server access log is not really their business, just the opt-in
email. So I guess the webhoster needs to educate its customers if they store
server logs?

This can all get kind of complicated if you don't know what you are doing.

------
LoSboccacc
> The original cookie specification did not allow third-party cookies.

no, the original spec did not allow cross domain cookies, so you can not set a
cookie for a third party from your domain, but you can, yesterday like today,
connect to a third party server from your page and have that serve third party
cookies (say, like the Facebook pixel)

~~~
grishka
No, you overlooked the "verified/unverified transactions".

~~~
LoSboccacc
no the section itself traces the workaround as well as the restriction, it's
some more hops to jump and users need not to be involved

------
glitcher
One detail I found striking was about the effect of that 1996 Financial Times
article:

> ...this article had a big impact. Soon after many other newspapers started
> looking into this, which led to two Federal Trade Commission hearings, and
> the web industry felt pressured to respond.

Feels like we're living in much different times now. There is a lot more noise
across our media outlets today, plus the general public seems way more
complacent about privacy issues as a whole.

Would an equivalent impact be possible in today's world based off of one well
written article? Certainly on some topics yes, but when it comes to user
privacy?

------
smadge
"Without cookies, it would not be able to update without you logging in every
single time. Meaning every time you wanted to see a new tweet or post a reply,
you would have to login again. Every time your browser had to load anything,
it forgot who you were."

That's not true. User agents can remember the credentials you use for a
domain. HTTP authentication was never really adopted and sites preferred using
web forms and cookies for authentication.

------
AmericanChopper
But it isn’t compliant with Directive 2009/136/EC (which is the directive that
created all those cookie banners to begin with), in the sense that it still
allows for implementation of cookies that aren’t “strictly necessary”. Meaning
even if all browsers implemented cookies strictly according to that spec, all
of the distinctions that directive makes between different types of cookies
would still be valid, and we’d still have the same amount of cookie dialogs.

~~~
iso947
That directive was created because of the abuse of cookies by the personal
information abuser

------
ars
Before 3rd party cookies, companies would proxy advertising traffic through
the primary domain.

It was annoying to setup, and technically complicated, but it worked.

If 3rd party cookies had never been enabled, that's what we would be doing
today, and you would never even know your traffic was being sent to a 3rd
party.

There's a reason they enabled 3rd party cookies: Because blocking them did not
help at all.

Today such proxying would be even easier. Don't promote banning 3rd party
cookies, you'll just make privacy even worse.

~~~
harikb
Proxying does not allow a 3rd party to track beyond the customer domain
boundary. So yes, ads will be served, like tv ads, but they will not be a
based on your behavior at other site(s)

~~~
skinkestek
> Proxying does not allow a 3rd party to track beyond the customer domain
> boundary.

I'm fairly sure one of us misunderstand.

I'm usure if I misread you post or if you think there is a technical
limitation to prevent a tracking company from reading cookies from proxied
data?

If so, do you care to explain?

~~~
apexalpha
I would think the idea is that cookies set on a.com cannot be read by b.com.
Even if they both proxy cookies from the same advertising network.

~~~
skinkestek
I see. I was talking about the fact that the cookies are visible to the
ad/tracking company.

In my opinion (and I think this is common) ad/tracking companies are third
parties and when a company proxy data to one of them it is then by definition
residing with a third party ev3n if they don't share it with their other
customers.

~~~
iso947
An advertising company knows I travelled to wikivoyage and spent lots of time
reading about Thailand.

They then know that I (same cookie) visited cnn and read about Ebola

They then know I visited a cycle magazine and read about a new bike.

With proxying they wouldn’t be able to link those three visits together (with
cookie data)

When I visit a fourth site, it’s a brand new visit - there is no way for the
advertising. Company to know I’m the same version who visited the previous
sites.

------
y42
Not surprising, as cookies were not meant for tracking, but for simple
e-commerce purposes (like keep the shopping cart). What really surprises me is
that everytime someone is complaining about advertising and whatsoever: it's
always the cookies.

Cookies are not bad. And in fact, there are a lot of technologies to replace
tracking-cookies and make tracking even more effective.

Seems like cookies are just the scapegoat in this whole story.

------
Chirono
From what I understand, Firefox blocks third party cookies by default these
days.

[https://blog.mozilla.org/blog/2019/09/03/todays-firefox-
bloc...](https://blog.mozilla.org/blog/2019/09/03/todays-firefox-blocks-third-
party-tracking-cookies-and-cryptomining-by-default/)

~~~
gsnedders
Firefox and Safari have been progressively limiting what third-party cookies
are allowed over the past seven years.

------
gdubs
Oh my god, nostalgia — I complete forgot about the “V Chip”. [1]

1:
[https://en.m.wikipedia.org/wiki/V-chip](https://en.m.wikipedia.org/wiki/V-chip)

------
goto11
People are far to focused on cookies! Any number of tricks can be used to
track sessions and to track users across sites. If cookies were outlawed,
trackers would just shift to browser fingerprinting.

GDPR is about what you are actually allowed to do with the obtained
information.

------
austincheney
> Cookies today have a really bad reputation, and many people are saying we
> shouldn't even have cookies at all.

The bad reputation is qualified because cookies have achieved 100%
technological obsolescence. Here is the previous comment where I mentioned
this and people wanted but failed to prove it wrong:
[https://news.ycombinator.com/item?id=23098196](https://news.ycombinator.com/item?id=23098196)

~~~
Normal_gaussian
The reliance on JavaScript, which a reasonable minority disable, is a valid
rebuttal.

Your reply that cookies can also be disabled fails to address this as client
side JavaScript and cookies provide overlapping, not equivalent, capabilities.

~~~
austincheney
Not exactly. It says either technology can be equally invalidated by the user
with the same level of effort, which makes the “disabled JavaScript” rebuttal
particularly weak. In practice, though, what percentage of users disable
JavaScript where cookies are used?

~~~
Normal_gaussian
Particularly with modern cookie management- most disabled JS users allow first
party cookies.

~~~
kevin_thibedeau
Self-destructing cookies make sites usable but denies them use of an easy
tracking tool. It would be nice if Firefox added this as an optional built in
feature to complement the 3rd party cookie blocking. 99% of the cookies you
receive don't need to be persistent so why keep them around.

------
tripzilch
In the early 2000s I was using Opera and for a while I had set it to block 3rd
party cookies. Unfortunately Yahoo Mail was one of the few sites that stopped
working, so I had to disable the setting again.

While it's nice that the original cookie specification is GDPR compliant,
ultimately it is better to have the actual GDPR. The article mentions browser
fingerprinting, and it seems to me very hard to define a technical
specification that completely blocks any kind of fingerprinting. Whereas the
GDPR basically says "no unnecessary data collection without consent",
sidestepping the whole technical aspect and going straight for the intent.

> The browsers messed up too!

I think this is an interesting remark, because what ultimately happened is
that adtech captured (a giant chunk of) the browser industry with Chrome. And
I'm not sure whether IE (historically) lacking tracking protection was adtech
influenced, or a case of "the browsers messed up", or something else.

------
EGreg
So what happened? The spec was not followed?

~~~
shadowgovt
The spec was too restrictive for the use cases site developers wanted, and the
feature set was expanded to accomodate them.

The alternative was they were building sites in Flash when they wanted more
complicated client-server interactions, which was much more expensive
(development time, processor time, bandwidth) but supported all the features
they wanted for the user experience.

------
x3blah
"This also applies to other things, like browser-fingerprinting, or how Google
will now try to identify people using machine learning without actually using
cookies."

Even if only a User-Agent string is sent from a "browser" that has no
Javascript engine and does no CSS processing or auto-loading of any resources,
the online ad services folks, not to mention the "web security" folks, will
still try to create a "fingerprint".

There are companies whose entire business is dependent on a demand for
lists/databases of user agent strings. For example,

[https://deviceatlas.com/](https://deviceatlas.com/)

[https://51degrees.com/](https://51degrees.com/)

[https://www.scientiamobile.com/](https://www.scientiamobile.com/)

Fingerprinting based on user agent seems like a rather easy problem to solve.
Aside from not sending the header or every user sending the same one, one idea
is to keep changing the string.

The following is from a file called "mosaic-spoof-agents" and dates back to at
least 1996.

    
    
       #
       # Agent Spoofing -- Who will you be today?
       #
       # "I don't think [t]he[y]'ll be too keen" -- Originally from Monty Python, run
       #                                            into the ground by Tommy Reilly
       #
       # NOTE! There is a hard limit of 50 agents! Mosaic will not read anymore!
       #
       # This file should be located in your HOME directory under the filename:
       #   .mosaic-spoof-agents
       #
       # This file consists of lines that begin with a # (comment), a - (a seperator
       #  for the sub-menu off options), a + (this is special...it denotes that the
       #  agent following it [no spaces] should be the default agent to use) and
       #  anything else (considered an agent spoof line).
       #
       -  This is a seperator...as long as the first thing is a dash
       #  This is a comment line
       #
       # This is the "example" agent. If you don't like it...comment it out.
       #   if you want it to be your default, put a + infront of it.
       #
       Bond_James_Bond/007 (BMW; Z3 Roadster)  DOHC_inline_16-valve_4-cylinder
       Gandalf/White (Shadowfax; Wind)  White_Staff
       Elric/Emperor_of_Melnibone (Hellsword; StormBringer - Devourer of Souls)
    

[https://github.blog/2010-03-08-ncsa-mosaic-on-
github/](https://github.blog/2010-03-08-ncsa-mosaic-on-github/)

[https://github.com/alandipert/ncsa-
mosaic](https://github.com/alandipert/ncsa-mosaic)

One could argue that the original "netiquette" was to change one's user agent
string. At least we can see it was contempleted by authors of Mosaic.

[https://en.wikipedia.org/wiki/Mosaic_(web_browser)](https://en.wikipedia.org/wiki/Mosaic_\(web_browser\))

Today tech companies will argue that any user agent string is an abberration
from what they expect then "something is wrong". Users might get blocked or
they might be alerted their "browser is not supported" and/or be advised to
"upgrade". They might receive a "security" warning that someone logged in to
their account. All based on simply changing the user agent string. The
assumption today is that no netizen would ever do that.

Today, browsers allow changing the user agent string using some "toolbar" or
"console" but if the name given to it is any indication, this is only meant
for "developers", not "dumb [users]", to borrow from the infamous Zuckerberg
quote.

One of the authors of Mosaic is now a Silicon Valley VC who posts on HN.

The "Who do you want to be today?" is probably a play on the Windows 95 slogan
"Where do you want to go today?" A web browser was a new thing in Windows back
then, the web being an idea Gates was not easily sold on, and I always thought
the slogan seemed to suggest someone thought web access would be a selling
point to users.

------
anticensor
The predicate of the title is in the wrong tense: it would be GDPR compliant
if it still applied. This is because laws are not retroactive.

------
emilfihlman
I really don't get what's with people wanting to both have and eat the cake,
for free. It's obnoxious and toxic. Don't use or go to pages if you don't want
to give them your information. Period.

