Back in 1994 there was a problem with the internet: how could you track state from one page to the next? When the internet was invented, privacy and network simplicity were such concerns that browsers were unable to track who you were from page to page, link to link. Everything was stateless, and documents were provided for free to everyone on the internet. It was a free, anonymous society.
However, something changed in 1994: an engineer at Netscape needed a way to make e-commerce possible. The idea was to create a virtual shopping cart, but for the site to track one user from page to page, product to product, they had to create a unique token that would stay with you as you browsed the website.
When the cookie was first released on the web, it was done with great caution. In many cases you needed to approve each cookie, and the default was for the cookie to erase itself after you had left the site or closed your browser. People were afraid that they would lose too much of their privacy if sites could just track you anywhere on the web.
Today, however, cookies are not just used for e-commerce; they are used to identify us personally on the web. Google uses them to help web site owners understand who is visiting the owner’s site. Sites like Twitter, MySpace, and Facebook use cookies to determine if you are logged in, and in some cases to automatically personalize the visiting site when you arrive. Features like these can be great, but there is a cost. If the site owner places the Facebook JavaScript on their page, not only does the browser send the Facebook cookie, but it also passes the address of the referring site back to Facebook. So, in this case, Facebook knows which site you visited, and any data in the URL. (Lucky for us, if the URL is https and you click an http link, your referring address is not sent to the new server.)
However, there is a growing problem with this. Requests for these JavaScript files carry the cookie, which can be used to track which sites you visit and to report this back to a central site, even when you are not logged in. Cookies are a way to track logins and shopping carts, but they can be used at any time, and most browsers automatically accept cookies these days. On many sites there will be a persistent cookie and a logged-in cookie, and those sites can then track you even when you are not logged in. In fact, they can correlate the data between the two cookies pretty easily.
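What leaves the browser in the situation described above, as an added example that is not part of the original post: a small model of the headers attached to a third-party request, with and without third-party cookie rejection, plus the https-to-http referrer rule. All hosts, cookie names and values are constructed, and the two-label "site" comparison is a simplifying assumption.

```javascript
// Added example: models the behaviour the post describes. Current browsers
// default to sending less (only the origin) on cross-site requests.

// Assumption: "site" = last two host labels. Real browsers use the
// Public Suffix List, so this is wrong for hosts like example.co.uk.
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// jar: { "<site>": { cookieName: value } }
function outgoingHeaders(pageUrl, targetUrl, jar, opts = {}) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  const thirdParty = siteOf(pageUrl) !== siteOf(targetUrl);
  const headers = {};

  // Cookies belong to the target's site, not the page's, so they ride
  // along unless the browser is set to reject third-party cookies.
  const cookies = jar[siteOf(targetUrl)] || {};
  if (!(thirdParty && opts.blockThirdPartyCookies)) {
    const pairs = Object.entries(cookies).map(([k, v]) => `${k}=${v}`);
    if (pairs.length) headers.Cookie = pairs.join('; ');
  }

  // Downgrade rule from the post: an https page does not send its address
  // to an http destination. Otherwise the full URL, query string
  // included, goes out (the fragment is never sent).
  const downgrade = page.protocol === 'https:' && target.protocol === 'http:';
  if (!downgrade) {
    page.hash = '';
    headers.Referer = page.href;
  }
  return headers;
}

// Constructed jar: a persistent id plus a login cookie for one site.
const jar = { 'social.example': { pid: 'a1b2c3', session: 'alice-7f' } };
const page = 'https://clinic.example/search?q=condition#top';
const widget = 'https://widgets.social.example/like.js';

console.log(outgoingHeaders(page, widget, jar));
console.log(outgoingHeaders(page, widget, jar, { blockThirdPartyCookies: true }));
console.log(outgoingHeaders(page, 'http://news.example/story', jar));
```

Rejecting third-party cookies removes the identifier from the request, but the page address still reaches the widget host through the Referer header.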
Having these remote login sites was great when politics were too ignorant to use them, but recently the US government has become more sophisticated and has subpoenaed Twitter for their access logs, which might carry with them every other site you have visited in the last year. The worst part is that this data, which once was private, is now being subpoenaed without your permission or notification. Our government feels that average citizens do not have the right to know when they are being watched online.
If you don’t believe that governments should not be allowed to track every web search you do or every behavior you perform on the web, it is for this reason that I am asking you all to turn off cookies. This will be hard, but it’s an act of protest. Turning off cookies will affect the revenue of Google and Facebook, as they seek to profit off this data to provide ever more targeted ads. And for the most part I really do prefer more targeted ads. I, however, do not agree with privacy being eroded by our government. Our government fundamentally should not be able to act on this data.
If you can’t bring yourself to completely disable cookies, you can set up your browser to dispose of them more often; however, sites could still correlate this data over time, and our government can still subpoena this data without your permission or knowledge. I strongly feel like this is a gross challenge to the principles of the 4th Amendment.
We need a free society so that everyone’s views are valued and discussed in the open. Support freedom, disable cookies.
While I certainly can appreciate your desire to reduce all this tracking, I don’t see completely disabling cookies as the solution.
However, I’m wondering if there’s a way extensions could be created that, when enabled, would look for special cookie names in the response and, when found, make sure they’re added to the collection with the httponly property, preventing them from being read by JavaScript.
Perhaps there are other ways, too, to simply prevent this code from sending that information?
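One way to implement the header rewrite suggested in the comment above, as an added example that is not the commenter's or any extension's code: a pure function that adds HttpOnly to Set-Cookie values whose names match a list. The name patterns and sample headers are hypothetical; note that HttpOnly only hides a cookie from page scripts, and the browser still sends it with requests to the cookie's site.

```javascript
// Added example. The name patterns are hypothetical; none come from the post.
const PROTECT = [/^session/i, /^auth/i, /sid$/i];

// Cookie name = text before the first "=" of a Set-Cookie value.
function cookieName(setCookie) {
  const eq = setCookie.indexOf('=');
  const semi = setCookie.indexOf(';');
  if (eq === -1 || (semi !== -1 && semi < eq)) return null; // nameless cookie
  return setCookie.slice(0, eq).trim();
}

function hasHttpOnly(setCookie) {
  // Attributes follow the first ";" and are case-insensitive.
  return setCookie.split(';').slice(1)
    .some((attr) => attr.trim().toLowerCase() === 'httponly');
}

// Returns a new list of Set-Cookie values; matching cookies gain
// HttpOnly, everything else passes through untouched.
function forceHttpOnly(setCookieValues, patterns = PROTECT) {
  return setCookieValues.map((value) => {
    const name = cookieName(value);
    if (name === null || !patterns.some((re) => re.test(name))) return value;
    if (hasHttpOnly(value)) return value;
    // Drop a trailing ";" or whitespace before appending the attribute.
    return value.replace(/;?\s*$/, '') + '; HttpOnly';
  });
}

// Constructed response headers.
const sample = [
  'sessionid=abc123; Path=/; Secure',
  'theme=dark; Path=/',
  'authToken=xyz; httponly; Path=/',
  'PHPSESSID=q9; Path=/;',
];
console.log(forceHttpOnly(sample));
```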
@Rob_mills You are right, some browsers do allow the rejection of only 3rd party cookies, or rather, if your content is loaded from a domain that is not the root of the document, then it rejects sending cookies along. This would be the case for tracking cookies, but I am not sure it’s the case for Facebook or OpenID. The fact that our government sees this data as fair game, and secondly that they are querying this data without the user’s knowledge, is unacceptable to me.
Right now Mozilla and Google are joining in on the bandwagon and opting for a Do Not Track header to be sent from the browser, which they plan to respect.