• 5 minute Read

Dear Mozilla: Please Don’t Kill Cookies

Yesterday, Mozilla pressed ahead with a user privacy proposal that, if widely adopted, will radically change the way we develop for the web. Instead of trying to regulate technology to protect consumers from data collection, we should regulate what companies can do with the data they collect.

Dear Mozilla: Please Don’t Kill Cookies

Yesterday, Mozilla announced that it’s working with a Stanford organization called the Cookie Clearing House to implement an alternative to the “Do Not Track” button, the web standard supported by the Obama administration (which now looks like it may never be delivered). Unlike the Do Not Track button, which allows users to opt in or opt out from cookie collection by sending a message directly to the server, the Cookie Clearing House proposal lays out four “presumptions” about how cookies ought to behave–and they’re all wrong.

The proposal suggests workarounds for “edge cases” where web developers don’t want cookies to behave traditionally–mostly involving published cookie whitelists and blacklists. Mozilla’s plan is to implement this proposal along with some intelligence that allows cookies on sites users visit regularly.

The problem with this approach is that the presumptions the Clearing House proposes don’t match up to the way the web has been built for the last 10 years.

Sure, these presumptions are intended to be a more granular approach to a feature that Apple’s Safari browser implements by default, which is to block all third-party cookies (we’ll get to what that means in a moment). Unfortunately, almost every website in existence today uses third-party cookies in some capacity and will therefore be an “edge case,” which means that developers and consumers are going to have to jump through a lot of hoops to deliver the experience we’ve come to expect from the web. This isn’t just because most websites rely on advertisements for their revenue (although most do); it’s because of the way the Web works.

I’m going to let you in on a dirty little secret about the Web: Although it has advanced enough in the last few years that many web applications are practically indistinguishable from desktop apps, we’re all faking it. Except for some very brief exceptions, after you load a webpage, we have no idea who you are or what you’re doing, because we don’t maintain an active connection between you and the server. Although technologies are emerging to fix this problem, the Web as we know it today is largely stateless, meaning that each time we need to send data from your browser to the server, we need to start from scratch. It’s as if you were in a conversation with someone who couldn’t remember names, so you needed to introduce yourself every time you spoke.

In order to remember who you are, websites rely on cookies. Although they’ve taken on a lot of forms in the public consciousness of late, they’re actually extremely simple. When you first visit a website, the server sends your browser a domain name and a small string of text (4 kilobytes maximum) and says “store this text and send it back to me the next time you visit this domain name.” The next time you visit, your browser does exactly that, and the server uses that string of text to identify you and remember what you were doing the last time it heard from you so it can deliver the appropriate response. This basic mechanism is the backbone of everything interactive you do online, from logging in to Facebook to buying things on Amazon.

There’s a catch, however: When your browser loads a webpage, it’s actually making multiple requests to numerous servers to fetch images, bits of JavaScript, videos, and more. Any one of these servers can set a cookie for their respective domain. Because these servers often run under a different domain name than the main website (Facebook loads many of its images from https://fbcdn-sphotos-a-a.akamaihd.net/, for example), they’re called “third-party” servers.

It is true that often times these third-party servers are run by advertising companies, and they use their ability to set cookies to track user behavior across multiple sites. This isn’t necessarily bad, but it is something consumers have a right to be concerned about. At the same time, there are many uses of third-party cookies that are extremely important to the basic functionality of many websites, like allowing users to log in to multiple sites owned by the same company at the same time (something we do here at Fast Company) or using third-party APIs to pull in content from other sources on the fly.

None of this is to say that consumers don’t have a right to privacy, but changing the behavior of the web in a way that would force just about every developer to change the way they build websites isn’t the right way to do it. Moreover, the proposal seems like it may actually take some choice away from the user by delegating a list of accepted and blocked cookies to a central committee. And it doesn’t actually address the root problem that consumers have, which is that they don’t trust companies with their data.

There is a better solution to this problem, one that doesn’t presume any behavior on the part of anyone or anything and leaves consumers truly in control: Regulate data collection. The reason most consumers don’t trust companies with their data is that there are virtually no limits on what they can do with it. Websites that collect data are required to have privacy policies, but they’re written by the companies and can be changed at will. Instead, consumer advocates, tech companies, and government groups should come together and decide what companies can and cannot do with the data they collect in a way that protects consumers but preserves ad revenues and site functionality. If you don’t want to believe me, how about Lou Montulli, the guy who invented cookies:

In the end. the decision to disable third-party cookies or keep them on was left to me. I agonized about the decision for weeks and in the end I chose to keep them. . . . Today, I still believe that it was the correct decision. Governments have an ability to regulate the collection of data by large visible companies and has shown a willingness to do so. The public has a responsibility to keep pressure on both the companies that have the ability to track users and governments to enact reasonable privacy regulations and enforce them. Most important, there are other mechanisms that can replace Web cookies for tracking if they are universally disabled, and those mechanisms would be much harder to observe and disable.

By regulating the ecosystem around the Web instead of trying to change the behavior of the technology itself, we can protect consumers without making the Web less magical. It will also leave consumers more in control because instead of needing to understand the complexities of how Web technologies work, they simply need to know what they think companies should and shouldn’t be able to do with their data. In the end, that’s the problem we’re trying to solve anyway. The Web works just fine.

[Image: Flickr user Cindy Kilpatrick]

About the author

Gabe Stein is a contributor to Co.Labs specializing in computer science history, publishing and futurology. Prior to becoming a contributor, Gabe was the resident "News Hacker" and an editor for Co.Labs.