June 20, 2022
Internet cookies were designed to simply be a temporary data storage mechanism, where a small amount of information could be placed in a text file on a user’s computer. Due to the stateless nature of the internet protocols – where every request is treated as an independent transaction that has no knowledge of any previous transactions – cookies grew to become the default method for state management. By using cookies, sites could “remember” who a user was and how they might have interacted with a site before.
By itself, that isn’t necessarily a problem. However, cookies were designed to have a very siloed nature that restricts when the information in them can be accessed. This led to the proliferation of cookies online, which in turn resulted in slower page loads and discrepancy issues (since different systems can't use the same cookie/data source). It also led to very valid security concerns about data privacy and data leakage. In other words, cookies turned into a problem.
There's been a lot of attention given to cookies as a privacy concern. The browsers have generally responded to these concerns by stopping support for third-party cookies. In fact, Apple and Mozilla first started blocking third-party cookies back in 2013 when they started blocking cookies from advertisers in their browsers, Safari and Firefox. Since then they've increased the restrictions, up until March 2020, which is when Safari started completely blocking all third-party cookies. Google currently still supports third-party cookies in Chrome, but it will be phasing that support out in roughly a year (mid-2023). Google had planned on making that change this year, but had to delay their plans when it turned out that it was too large of a change to happen as quickly as they had hoped.
Which brings me to my concerns about all of these cookie changes. I'm not very enthusiastic about these changes because I think they miss the point by focusing on the mechanism instead of the actual problem. The problem is data being collected about a person against their will. It doesn't actually matter if the data is being collected via a cookie, some other form of client storage, or by having the data sent to a server. Focusing on cookies as the issue is like saying that you can't have this dollar bill, but you can have these 4 quarters or those 10 dimes. It might be annoying, but it doesn't really change much.
To be fair, the browsers are focusing on the cookies because that's a tactical problem instead of the more ambiguous problem of user privacy. The browsers also aren't solely focused on cookies, as they are making privacy-related changes to other types of browser-based data storage mechanisms. The problem is that when you point out that these browser-based changes can result in the same data being collected via servers instead, you often get a shrug of the shoulders and a "well, there's nothing the browsers can do about that". That's true, but it bothers me for two reasons. The first is that the browsers promote these changes as big improvements to privacy, when they don't necessarily stop the privacy violations from happening; the violations just don't happen directly in the browser. The second is that pushing the violations out of the browser also makes them harder to detect.
It's like the browsers are a security guard company employed at a bank. The bank keeps getting robbed, so the security company decides that since the majority of the bank robbers are coming in the front door, they'll move all of the cameras and the guards to that front door - and then advertise what a great job they're doing of protecting the door. So the bank robbers break in through the wall of the bank vault instead, and the security company still points out what a great job they did in securing the front door. Meanwhile, the bank robbers end up actually stealing more money this way too. It's not like the security company is wrong about how secure they made the front door, but it's still missing the point.
The other concern I have with the privacy changes is that these cookies and other storage mechanisms aren't simply being used to violate people's privacy. They're used for very legitimate purposes that benefit users, too. By adopting these privacy changes, the browsers may hinder the usability and usefulness of the web. Safari is an excellent example of this, because while they have some of the strongest privacy features, it's not uncommon to run into sites that tell you that you need to use a different browser to access their services.
It might seem like all of these concerns of mine mean that I don't think anything should change. That's not the case. If the choice was doing nothing or these proposed browser changes, I'd likely pick the changes. What I wish, though, was that we were thinking about more radical changes to how the web works than these proposed changes. Ideally, what I'd like to see is the whole dynamic of websites and companies collecting and storing data about individuals be flipped around such that it's people who collect and control their own data. Right now, every site you visit asks for more information about you, and then stores that data in their servers. I'd like to see a system where we each have our own data repository, and when we visit a site, instead of giving them our name, email address, mailing address, etc. we give them a link to our own data repository. This would mean people could directly control who had access to their information. Not only that, but it would also mean the information used would be up to date, since if you moved or something, you could just change the information the one time in your data repository.
Granted, this would be a major change to how the web works - but I think it's a much better design in the long run. Luckily, I'm not the only one who thinks so, either. There is a start-up in Boston called Inrupt that's working on this very idea. Ironically enough, one of the co-founders of Inrupt (and the CTO) is the inventor of the web, Sir Tim Berners-Lee. Another point in Inrupt's favor is that Bruce Schneier is their Chief of Security Architecture too. So I'm keeping my hopes up, and watching Inrupt's progress. It's going to be interesting no matter what!
Thanks for reading!