
August 04, 2010

Cookies v. The People

For some reason, The Wall Street Journal launched a new, large-scale offensive on web cookies - and decided to focus on the purported malice of Microsoft in particular:

"All the latest Web browsers, including Internet Explorer, let consumers turn on a feature that prevents third-party browser cookies from being installed on their computers. But those settings aren't always easy to find. Only one major browser, Apple's Safari, is preset to block all third-party cookies, in the interest of user privacy.

The Internet Explorer planners proposed a feature that would block any third-party content that turned up on more than 10 visited websites, figuring that anything so pervasive was likely to be a tracking tool.

When he heard of the ideas, Mr. McAndrews, the executive involved with Microsoft's Internet advertising business, was angry, according to several people familiar with the matter. Mr. McAndrews feared the Explorer group's privacy plans would dramatically reduce the effectiveness of online advertising by curbing the data that could be collected about consumers."

I do not have any insight into the decision process behind browser features at Microsoft - and it would be unfortunate if this factor alone had such a significant bearing on the final outcome. I do know, however, that the characterization of third-party cookie blocking as an important privacy feature is grossly misguided at best - and that there are compelling technical arguments to be made in favor of not enabling it by default.

The fundamental problem is that for better or worse, browsers necessarily make it trivial to track users across cooperating websites, without any need for the actors to appear malicious or evil. Quite simply, every computer system is unique, and browsers, by design, offer a substantial insight into it: very few other people share exactly the same browser and OS version, uptime, browser window size, installed fonts and applications as you - and so, reliable browser instance fingerprinting is certainly not science fiction.

This obvious possibility aside, many core web features offer functionality essentially identical to cookies, and much of the Internet depends on them; for example, RFC 2616 caching lets a server hand each visitor a long-lived token and read it back on later visits, through HTTP headers such as ETag and If-None-Match, or simply by embedding it in a persistently cached JavaScript file. The only reason cookies are preferred is that they are well-known, purpose-built, have well-understood security properties, and can be managed by users easily. I encourage you to check out Ed Felten's excellent essay for more: the alternatives are very easy to embrace, but will suck more for consumers.
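To make the ETag trick concrete, here is an added example that is not from the original post and not anyone's production code: a Python simulation of both sides of the exchange, with a server that hands out a random token as the ETag of a static script and a minimal model of an RFC 2616 validating browser cache. The class names, the constructed requests and the in-process "network" are assumptions of the example; nothing here talks to a real server.

```python
"""Added example (hypothetical): HTTP validation caching used as a cookie.

A server returns a per-client random token as the ETag of a static resource.
A validating cache echoes that token in If-None-Match on every revalidation,
so the server recognises the client without ever setting a cookie.
"""
import secrets

# Forces the browser to revalidate on every load instead of serving from cache.
CACHE_HEADERS = {"Cache-Control": "max-age=0, must-revalidate"}


class TrackingServer:
    """Serves one static resource (say /tracker.js) and abuses its ETag.

    First request from a client: 200 with a fresh random ETag.
    Later revalidations carry that ETag in If-None-Match: answer 304
    ("keep what you have", token included) and count the visit.
    """

    def __init__(self):
        self.visits = {}  # token -> number of requests that carried it

    def handle(self, request_headers):
        token = request_headers.get("If-None-Match", "").strip('"')
        if token in self.visits:
            self.visits[token] += 1
            return 304, {"ETag": f'"{token}"', **CACHE_HEADERS}, b""
        token = secrets.token_hex(8)  # this is the "cookie"
        self.visits[token] = 1
        return 200, {"ETag": f'"{token}"', **CACHE_HEADERS}, b"/* static script */"


class BrowserCache:
    """Minimal model of a validating cache for a single URL."""

    def __init__(self, server):
        self.server = server
        self.etag = None
        self.body = None

    def fetch(self):
        headers = {}
        if self.etag is not None:
            headers["If-None-Match"] = self.etag  # quoted, as received
        status, resp, body = self.server.handle(headers)
        if status == 200:
            self.etag, self.body = resp["ETag"], body
        elif status == 304:
            self.etag = resp.get("ETag", self.etag)  # entry stays, token stays
        return status, self.etag

    def clear_cookies(self):
        """Deliberately a no-op: cookie controls never touch the cache."""

    def clear_cache(self):
        self.etag = self.body = None


def demo():
    """Two clients visit; one clears cookies, then the cache."""
    server = TrackingServer()
    alice = BrowserCache(server)
    bob = BrowserCache(server)
    s1, t1 = alice.fetch()   # 200: new token issued
    alice.clear_cookies()
    s2, t2 = alice.fetch()   # 304: same token comes back
    s3, t3 = bob.fetch()     # 200: different client, different token
    alice.clear_cache()
    s4, t4 = alice.fetch()   # 200: only a cache wipe breaks the link
    return {
        "statuses": (s1, s2, s3, s4),
        "survives_cookie_clear": t1 == t2,
        "distinguishes_clients": t1 != t3,
        "survives_cache_clear": t1 == t4,
        "visits": dict(server.visits),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to see that clearing cookies leaves the token in place while only wiping the cache breaks the link; the `Cache-Control: max-age=0, must-revalidate` header is what makes a real browser come back with If-None-Match on every load, and the same pattern works with Last-Modified / If-Modified-Since or with an identifier baked into a long-lived cached script.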

It is possible to build a reasonably anonymous browser, but only by crippling many of the essential features that make the modern web tick; products aimed at the general public should probably not go there. Disabling third-party cookies alone feels like a knee-jerk reaction that really does nothing to improve your privacy - and actually impacts your security. A striking example is that a ban on third-party cookies makes it very difficult to build XSRF-resilient single sign-on systems for complex, SOP-compartmentalized web applications (unless you introduce a dependency on JavaScript - the other Great Satan of the Internet).

To add insult to injury, because of compatibility issues, the existing third-party cookie blocking mechanisms have gradually morphed into honor systems anyway: one implementation allows cookies to be set once the user interacts with the third-party frame (which can be arranged without the user's knowledge by having a transparent, invisible frame follow the mouse pointer for a while). Another allows cookies to be read and modified once the user has visited the "third-party" site directly. Yet another allows servers to declare good intentions through a special HTTP header (P3P) and simply bypass the mechanism.

Given the way the web works, the most realistic way to improve user privacy is to create a community standard for notifying well-behaved players about your privacy preferences, and allowing them to comply. It will actually work better than the inevitable technological whack-a-mole with cookie-equivalent mechanisms: malicious parties will have the ability to track you for the foreseeable future anyway - but with explicit preference declarations, parties who want to be seen as reputable would not be able to assume that cookies are blocked simply because this is how your browser ships - and promptly switch to an alternative tracking mechanism in good faith. Commercial search engines obey robots.txt, so this system has a chance of working, too. If you disagree and distrust corporations, legislative approaches to privacy protection may be your only remaining bet.

Speaking of advisory privacy mechanisms, Microsoft actually deserves some credit rather than blame - namely, for supporting the aforementioned P3P signaling in their products: the associated HTTP headers are used to make cookie policy decisions in Internet Explorer, and in no other browser. Alas, the protocol is a bit of a cautionary tale by itself: W3C attempted to create a complex, all-encompassing, legally binding framework to compel businesses to make honest, site-wide declarations; and the concept eventually collapsed under its own weight. Large businesses are extremely hesitant to use P3P, for fear of increasing their legal footprint; while small-scale web developers are simply intimidated by the monumental 110-page specification, and copy recipes from random places on the web, with little or no regard for their intended meaning.

So yeah, privacy is hard. Blaming a browser vendor is easy. It's just not very productive.


  1. Yes, privacy is hard. Blaming any particular vendor is a waste of time as all the major ones have financial reasons to allow tracking. OTOH, it sounds to me like you are suggesting that I shouldn't put a lock on my front door, because it really isn't that much harder to break my first floor windows. Security through obscurity doesn't work IF you are being explicitly targeted, but in the case of privacy you are just part of a mass of people. Most sites aren't going to go to the effort right now to do anything but tracking cookies as that works with most people. So as long as only the cognoscenti disable them, it is actually going to increase their privacy. So please stop talking about it! :-)

  2. Nah, that's not my argument at all :-) Cookie controls could be better, and yes, there are many interesting questions surrounding the opt-out model and users' inherent ability to comprehend it.

    That said, I think that vilifying cookies in particular is a harmful trend (because there are equally usable alternatives that suck worse for consumers), and so is proposing half-baked technical solutions such as third-party cookie blocking.

    Also note that the argument works both ways: some privacy advocates now complain that users don't understand opt-out cookies, and the default settings are not what they want. Make them opt-in, and you will probably see some businesses making exactly the same argument ("our customers don't understand default browser settings, and that's not what they want") to do cache-based user tracking or any other similar trick that gives no recourse to knowledgeable users.

    In the end, I suspect that there simply are no elegant, technical solutions here, and we need social ones, instead...

  3. "The only reason why cookies are preferred is that they are well-known, purpose-built, have well-understood security properties [link to Google's doc about same-origin model], and can be managed by users easily."

    'Well-understood security properties' -- seriously?

    How many people are even able to describe accurately what the same-origin model actually is? Or maybe you mean that the same-origin model as typically implemented provides no reliable security properties, but I really don't think that is well-understood.