Dear Mozilla: Please Don’t Kill Cookies

Yesterday, Mozilla pressed ahead with a user privacy proposal that, if widely adopted, will radically change the way we develop for the web. Instead of trying to regulate technology to protect consumers from data collection, we should regulate what companies can do with the data they collect.

Yesterday, Mozilla announced that it’s working with a Stanford organization called the Cookie Clearing House to implement an alternative to the "Do Not Track" button, the web standard supported by the Obama administration (which now looks like it may never be delivered). Unlike the Do Not Track button, which allows users to opt in or opt out from cookie collection by sending a message directly to the server, the Cookie Clearing House proposal lays out four "presumptions" about how cookies ought to behave—and they’re all wrong.

The proposal suggests workarounds for "edge cases" where web developers don’t want cookies to behave traditionally—mostly involving published cookie whitelists and blacklists. Mozilla’s plan is to implement this proposal along with some intelligence that allows cookies on sites users visit regularly.

The problem with this approach is that the presumptions the Clearing House proposes don’t match up to the way the web has been built for the last 10 years.

Sure, these presumptions are intended to be a more granular approach to a feature that Apple’s Safari browser implements by default, which is to block all third-party cookies (we’ll get to what that means in a moment). Unfortunately, almost every website in existence today uses third-party cookies in some capacity and will therefore be an "edge case," which means that developers and consumers are going to have to jump through a lot of hoops to deliver the experience we’ve come to expect from the web. This isn’t just because most websites rely on advertisements for their revenue (although most do); it’s because of the way the Web works.

I’m going to let you in on a dirty little secret about the Web: Although it has advanced enough in the last few years that many web applications are practically indistinguishable from desktop apps, we’re all faking it. Except for some very brief exceptions, after you load a webpage, we have no idea who you are or what you’re doing, because we don’t maintain an active connection between you and the server. Although technologies are emerging to fix this problem, the Web as we know it today is largely stateless, meaning that each time we need to send data from your browser to the server, we need to start from scratch. It’s as if you were in a conversation with someone who couldn’t remember names, so you needed to introduce yourself every time you spoke.

In order to remember who you are, websites rely on cookies. Although they’ve taken on a lot of forms in the public consciousness of late, they’re actually extremely simple. When you first visit a website, the server sends your browser a domain name and a small string of text (4 kilobytes maximum) and says "store this text and send it back to me the next time you visit this domain name." The next time you visit, your browser does exactly that, and the server uses that string of text to identify you and remember what you were doing the last time it heard from you so it can deliver the appropriate response. This basic mechanism is the backbone of everything interactive you do online, from logging in to Facebook to buying things on Amazon.

There’s a catch, however: When your browser loads a webpage, it’s actually making multiple requests to numerous servers to fetch images, bits of JavaScript, videos, and more. Any one of these servers can set a cookie for their respective domain. Because these servers often run under a different domain name than the main website (Facebook loads many of its images from https://fbcdn-sphotos-a-a.akamaihd.net/, for example), they’re called "third-party" servers.

It is true that often times these third-party servers are run by advertising companies, and they use their ability to set cookies to track user behavior across multiple sites. This isn’t necessarily bad, but it is something consumers have a right to be concerned about. At the same time, there are many uses of third-party cookies that are extremely important to the basic functionality of many websites, like allowing users to log in to multiple sites owned by the same company at the same time (something we do here at Fast Company) or using third-party APIs to pull in content from other sources on the fly.

None of this is to say that consumers don’t have a right to privacy, but changing the behavior of the web in a way that would force just about every developer to change the way they build websites isn’t the right way to do it. Moreover, the proposal seems like it may actually take some choice away from the user by delegating a list of accepted and blocked cookies to a central committee. And it doesn’t actually address the root problem that consumers have, which is that they don’t trust companies with their data.

There is a better solution to this problem, one that doesn’t presume any behavior on the part of anyone or anything and leaves consumers truly in control: Regulate data collection. The reason most consumers don’t trust companies with their data is that there are virtually no limits on what they can do with it. Websites that collect data are required to have privacy policies, but they’re written by the companies and can be changed at will. Instead, consumer advocates, tech companies, and government groups should come together and decide what companies can and cannot do with the data they collect in a way that protects consumers but preserves ad revenues and site functionality. If you don’t want to believe me, how about Lou Montulli, the guy who invented cookies:

In the end. the decision to disable third-party cookies or keep them on was left to me. I agonized about the decision for weeks and in the end I chose to keep them. . . . Today, I still believe that it was the correct decision. Governments have an ability to regulate the collection of data by large visible companies and has shown a willingness to do so. The public has a responsibility to keep pressure on both the companies that have the ability to track users and governments to enact reasonable privacy regulations and enforce them. Most important, there are other mechanisms that can replace Web cookies for tracking if they are universally disabled, and those mechanisms would be much harder to observe and disable.

By regulating the ecosystem around the Web instead of trying to change the behavior of the technology itself, we can protect consumers without making the Web less magical. It will also leave consumers more in control because instead of needing to understand the complexities of how Web technologies work, they simply need to know what they think companies should and shouldn’t be able to do with their data. In the end, that’s the problem we’re trying to solve anyway. The Web works just fine.

[Image: Flickr user Cindy Kilpatrick]

Add New Comment


  • Albin

    I'd say the best insurance policy for 3rd Party cookies is to provide some actual functionality, value added that will be missed by the browser user, and not just for the data miner.  I disabled 3PCs briefly today with these headlines, just to see what would happen.  What happened was Disqus wouldn't work on some sites I like to comment on.  That's enough for me.  That said, I have the Abine plug in installed against the most offensive miners, and flush cookies from time to time just to speed things up.

  • Vardhan

    When i invite somebody, i don't want a whole dozen of uninvited people to accompany .. who exactly took that book !

    Just like that .. when i visit example.com, i want to be sure that only example.com can collect data from browser, as I've accepted the use policy of only example.com.  If they decide to share or sell my data,  i can decide if i want  to use that site or not.

    In fact, sharing of assets thru single domain will benefit the asset provider in checking potential misuse of the assets.

  • antediluvian

    You made a key statement...preserve revenue. Because that's what this all comes down to, preserving ad revenue.

    Sorry, I don't buy that we must preserve the model that developed during the rampant commercialization of the web. If only users and consumers had even 1/10th the power of commercial entities, maybe I could consider it. But the web users are simply a commodity to be bought and sold on the web, never the end customer.

    The ONE entity on the web that doesn't place advertising on the top of the pyramid is Mozilla, a non-profit organization. I trust them SO MUCH MORE than all the competing interests that simply view me as eyeballs attached to a wallet.

    Yes, I get that advertising pays SOME of the bills. But you don't need to track my every move. Simply place ads in locations that are relevant to the content around them, and you have accomplished your mission. That way you can reach cohorts of people with the same interests, and that is a great fit for marketers, and no one has to be tracked.

    Don't try and tell me we need to have third party tracking because some brands cannot fit their myriad servers under one domain. That's just lazy IT.

    As far as accomplishing this with some form of effective regulation, have you looked at the world around you? We can't get effective regulation of the financial industry after a major recession brought about in part by the deregulation of the banking industry. If we can't reach agreement that we need to reform the industry that nearly killed the economy, how will we reach agreement on 3rd party cookies? Would the opinions of users carry as much weight as the advertising industry and major marketers...or the tech companies that enable them? They never have before...why should I think they will now?

  • Gabe Stein

    You're right, I should have said to preserve revenue and site functionality. Updated.

    Otherwise, you're saying you think we should try to change the way established technologies work in an attempt to stop data collection that, according to the inventor of the cookie, probably won't work anyway, instead of trying to solve the actual problem, which is that you don't trust companies with your data? Got it. Good luck with that.

    My proposal is that instead of asking consumers to understand the way the web works at a technical level (and, no offense intended, but it's clear from your comments that you don't), we let them use the law to tell companies what they can and cannot do with their data. That's what law is for. We should use it.

  • Fatemeh Khatibloo

    This will sound trite, but this is a bad time to be arguing for more government regulation around ANYTHING relating to the internet. 

    I think all the challenges you mention (multiple site login and content management, for example) have potential solutions under the Clearinghouse proposal that wouldn't impact site functionality (or even potentially revenue), whether it's a SSO provider that I whitelist myself, or a DAM provider that applies for whitelisting. (In this sense, I think of a new category of cookie: the fourth estate or fourth party cookie).

    More importantly, I think the very fact that the internet is so "magical" is kind of dangerous. Most people would benefit from taking a bit of control of their digital lives; it's hard to imagine getting in a car without understanding a damn thing about how it works, and yet we spend our lives online completely oblivious to how the internet functions. 

    I'd advocate, for example, letting consumers opt in to specific targeting networks (on a continuum from "most discounts, maximum convenience, least privacy" to "fewest discounts, least convenience, penultimate privacy"). I'd advocate for in-browser cookie preference management. I'd advocate for personal data lockers and tokens to share data the server needs.

    The internet is a spectacular place. I don't want to see it regulated, but I do want to see its citizens become better informed.

  • Gabe Stein

    First, I'm not so sure about the car analogy :). I don't know many people who understand anything about what's actually going on under the hood, myself included.

    That said, I definitely understand your concern, and I completely agree that we shouldn't be regulating the internet itself. I also think consumers should learn more about what's going on, but I think the reality is that most people aren't going to have patience for opting in or out of anything -- they're just going to use the default settings and browse to Facebook. That's why I think the Clearing House's "presumptions" -- even the name suggests it's a bad idea -- will actually end up taking more choice away from consumers.What I'm proposing is that we regulate companies who use data. Not the internet itself or its underlying technologies, but what you can do with data when you collect it.