Recently WSJ's Walter S. Mossberg spent a bit of time railing against tracking cookies as meeting his definition of spyware. He points out the problem that some of these cookies are useful for remembering site preferences and site login information, but many are just tracking user behavior. He specifies that users should have to opt in to any type of cookie. Eric Pererson, of Jupiter Research, then chimes in and suggests how painful of an exercise this would be for the user. (imagine 9 popups for every visit to CNN or at least one really complex dialog with 9 items). Zachary McGeary, also of Juniper, points out other solutions focused, I believe, on blocking cookies that are known to be bad (aka blacklisting). Microsoft Monitor then praises Internet Explorer's support for P3P and has his own recommendations for dealing with cookies.

Let's try to untangle what sorts of cookie/privacy mitigation techniques there are:

First we have the things we can make decisions on:

  • First/Third party cookies
    We differentiate if the cookie is getting requested from the main page's server or from other servers. When people talk about tracking across different web sites, it is typically because both websites are requesting ads or other resources from the same third party server. Cookies served from these third party web servers are called third party cookies. What's the typical time this happens? Banner Ads. You get a banner ad from the advertiser's web site and they use cookies with the image file.

  • Session/Persistent cookies
    These are typically the type of cookies needed to support online shopping carts. Session cookies clear after the browser closes. Since they don't persist they aren't quite as useful for tracking you as an individual day to day. The other type are called Persistent Cookies.

  • Per Site
    I might trust passport.com, while someone else doesn't trust passport.com's cookies. A list of trusted sites would be a whitelist, a list of untrusted sites is a blacklist. These lists could come in an subscription form.

  • P3P (compact policies)
    In an attempt to figure out the differences between good uses and bad uses of cookies, the site provides along with the cookie a list of promises about how the information gathered from the cookie will get used (and much much more).

Next, what can we do with this information?

  • Block (reject)
    Don't allow the cookie to get set

  • Allow (accept)
    Let the cookie through

  • Prompt the user
    This is where we leave the decision up to the user to block or allow. Bugging the user with every decision is not normally considered a good thing. An implementation should probably remember the decision (adding it to the whitelist or blacklist) to reduce the frequency of popups.

  • ForceSession
    This is where a persistent cookie is forced into a session cookie. We delete the cookie when the browser gets closed.

  • ForceFirstParty
    Accept the cookie but only allow it to be get sent as a first party cookie.

P3P allows for a lot of information about the use, intent, dispuite process etc to be expressed. IE boils it down to if Personally Identifiable Information (PII) is used with your implicit or explicit consent and even that is a bit too much lawyer speak reading what the settings mean. To give you an idea how bad this can get, P3P Compact Policies allow you to say to accept all cookies that will be used for government telemarketing and that any violation of the policy could result in monetary compensation and disputes are handled by a court of law or an independent organization but not customer service, but not many people think about cookies that deeply. The full P3P xml policy file is even MORE expressive. With all that complexity it's not too surprising that Firefox and Mozilla doesn't seem to be all that sure about the value of P3P.

IE exposes all of its supported functionality (Full P3P compact policies, whitelisting, blacklisting etc) in an xml based Customized Privacy Import File which can be imported from the privacy tab of Internet Settings. However some quick searchs leads me to think that this is one of those features that just didn't take off. Maybe an export privacy settings, and a clean way to plug in subscriptions could help?

Oh BTW, my personal setting is Medium-High in Internet Explorer, which means explicit opt-in of any third party cookies that are used for PII.

    -- Ari Pernick (arip)