opinions
sep 2004
- don't put me in your cookie jar
- it's too late
don't put me in your cookie jar
Hey site designing people! No matter how many times you tell people that cookies are harmless and that everyone should set their browser to accept them all, we know better. SOME cookies are harmless, but plenty are intrusive, violate our privacy, and subject us to more advertising crap. If I don't understand and trust what your cookie is doing, I won't accept it, and I will go elsewhere if you pester me too much with dialog boxes. So please consider the following.
One of the things I like about the Mozilla browsers (I am a recent Firefox convert) is that when a site is trying to set a cookie, the expiration date is prominently displayed. This is now one of the main factors in my cookie decision process. It's a decision you need to think about -- "as long as possible" is not an acceptable or appropriate answer in most cases.
- Cookie expires with session
  I'm likely to accept it unless it's blatantly ad-related or has unencrypted information I consider sensitive.
- Cookie expires in a week or less
  Maybe.
- Cookie expires in a year (I see this one a lot.)
  See, this is where you're unclear on the concept. You'd like to identify repeat visitors, and I respect that. But if I'm pulling up your site for the first time, I don't know if I want to be a repeat visitor. I haven't had a chance to look at your privacy policy yet. I certainly haven't committed yet to being a customer. If I got more than about 7 or 8 requests to set a cookie from you, you've just lost my business forever. (That's another thing that drives me nuts: sites where every element on the page comes with a cookie request. You think you're gonna sneak one past me? No, I'm going to reject them all.)
- Cookie persists for multiple years
  If I have an extant real world relationship with you -- if you're my bank, for example, you can get away with this. If you're a vendor with whom I have a multi-year relationship, or so much trust that I allow you to set any cookie, OK. Otherwise, dream on. Why do you think you get to occupy space on one of my hard drives for so long, anyway?
2 sep 2004
it's too late
Since April or so, I've been working on a piece for this column (and possibly publication elsewhere) about Trusted Computing in general, and about Microsoft's separate-but-related Next Generation Security Computing Base initiative.
It's very difficult to write, because I need to strike a balance between being accurate and being shrill, and because virtually everyone who really knows what's going on is gagged by Nondisclosure Agreements. My article is still unfinished.
But MS has shipped Service Pack 2 for XP, which I am told incorporates NGSCB features (so does Office 2003, which I also recommend boycotting).
(I suppose I should say something to the effect that SP2 is nominally supposed to address serious security issues in XP. I won't connect a computer running any version of XP to the Internet. Period. I would never recommend that anyone else do so, either. But if you already have a computer running XP that is connected to the Internet, you might want to upgrade. Maybe. But I'd still advise research first.)
I don't often publish long lists of external links. However, Trusted Computing is an extremely complex issue, and I think understanding it from many sides is important to achieve a clear perspective. I think exposure to widely divergent opinions is a useful means to that end.
Horse's Mouths:
- NGSCB (Microsoft)
- Microsoft's Palladium FAQ (cached legacy copy)
- Trusted Computing Platform Alliance
- Trusted Computing Group
- American Megatrends AMIBIOS8 TCPA white paper (PDF)
- Email exchange between Stephen Hinkle and NGSCB Product Team (Reprinted by permission)
Other Sources:
- Electronic Frontier Foundation (Seth Schoen)
- Electronic Frontier Foundation (Fred von Lohmann)
- New York Times (John Markoff, reprinted at On Lisa Rein's Radar)
- Trusted Computing FAQ v1.1 (Ross Anderson)
- Richard Stallman on "Treacherous Computing"
- Michael Robertson on Microsoft Office 2003
- Public Knowledge
- Lucky Green's Defcon X slides
- New Yorkers for Fair Use
- Consumer Broadband and Digital Television Promotion Act (S.2048)
- Against TCPA (see especially the TCPA hardware list)
2 sep 2004
unauthorized reproduction prohibited.
all contents © 1995-2004 d. mayo-wells except where otherwise noted.