Got (soy) milk?

The WaPo writer's take on cookies is ... not mine. Then again, I wrote the cookie portions of the P3P spec and was "inside" the meetings between M$'s IE team circa IE5.5 pre-fcs and the (other) IAB (the word is "Advertizers") and the P3P tech and policy teams. I worked for Engage (statistical user tracking) and competed with DoubleClick (deterministic user tracking) at the time, so I wouldn't know as much as he does.

Walking down the cookie path there is ...

name: WebLogicSessionAc2
cont: BFQyXGC69R1Z50JL8ZBuhBubbnR3BzbFzqythwbSKtlS59ZX41Sw!-1332720106!-548373882
host: www.washingtonpost.com
path: /
type: any type of connection
expr: at end of session
      616 bits of session state
labl: none

name: DMID3
cont: 4WuLXH8AAAEAAD40XBYAAABD
host: .rsi.washingtonpost.com
path: /
type: any type of connection
      200 bits of persistent state
expr: 12/14/24 09:13:45
      persistent till 2024
labl: stores identifiable information without any user consent

name: sa_cdc_u
cont: g00200200000006AB11034667790000794930.0018C61897
host: .surfaid.ihost.com
path: /crc
type: any type of connection
      376 bits of persistent state
expr: 01/29/12 18:45:58
      persistent till 2012
labl: does not store identifiable information

Registration form interposition, collecting

email address
password
us zip code
iso3166 id (string form)
gender
year of birth
job title
primary responsibility
job industry
company size
1st-party marketing click box (default opt out)
3rd-party marketing click box (default opt out)
16 x 1st-party targeted content click box (default opt out)
---
first name (optional)
last name (optional)
street address (optional)
street name (optional)
apt. number (optional)
city (optional)
state (optional)
3rd-party (American Express) marketing click box (default opt out)
10 digit telephone number (disclosure noted to AmEx) (optional)
3rd-party (International Living) marketing click box (default opt out)
---

In very small font and with gray-on-blue color difference is this:

By submitting your registration information, you indicate that you agree to our User Agreement Privacy Policy.

These two texts are not displayed by default; each has an anchored link, not a checkbox, that must be manually clicked to display the associated legal agreement.

---

I decided I was Vint Cerf and I was CEO of a 50-100 person cluster-phuck in the IT rackets. As good a stuckee as any.

And yes, all this good stuff is sent in the clear, over an unencrypted link.

More cookies follow:

---

name: ASPSESSIONIDSSTSRRQB
cont: LPAKIBLBPJJFNFKOCFOEHMAP
host: financial.washingtonpost.com
path: /
type: any type of connection
expr: at end of session
      208 bits of session state
labl: stores identifiable information without any user consent

name: test_cookie
cont: CheckForPermission
host: .doubleclick.net
path: /
type: any type of connection
expr: 12/19/04 10:24:40
labl: stores identifiable information without any user consent

name: ru4.28
cont: 1#1106#0#1106=ad-1106-154|1|1103470287%7C1106%7Cad-1106-154%7Cpl-1106-125%7Ccontrol%7C0%7Cpl-1106-125%2526northeast%2526morning%2526noinfo%2526high%25260%2526C3%7C28|null%7Cnull%7Cnull%7Cnull%7Cnull%7Cnull%7Cnoinfo%2526noinfo%2526noinfo%2526noinfo%2526noinfo%2526noinfo%2526noinfo%7C0|1103470287#
host: .edge.ru4.com
path: /
type: any type of connection
expr: 02/17/05 10:12:14
      2408 bits of persistent state
labl: stores identifiable information without any user consent

At this point the registration page is interposed again, and submitted again, and no more cookies appear to be deposited or replayed and modified, but are there actually only that many cookies???

Snuck in are these additional cookies:

name: ACID
cont: ee140011034695480036!
host: .advertising.com
path: /
type: any type of connection
expr: at end of session
      176 bits of session state
labl: stores identifiable information without any user consent

name: ru4.1106.gts
cont: 2
host: edge.ru4.com
path: /
type: any type of connection
expr: 02/17/05 10:13:46
labl: stores identifiable information without any user consent

name: 86698181
cont: _41c59bec,0668393370,699393^235460_
host: .servedby.advertising.com
path: /
type: any type of connection
expr: at end of session
      288 bits of session state
labl: stores identifiable information without any user consent

name: SESSIONREM
cont: (my wife's pc login@isp, omitted)
host: .washingtonpost.com
path: /
type: any type of connection
expr: at end of session
labl: none

name: DMSEG
cont: 9463E8EFE54A1281&F04462&41C4D577&41C6E29B&0&&41C30F4B&5D313C73C487FF2C5853E61C6A470E77
host: .washingtonpost.com
path: /
type: any type of connection
expr: 12/14/24 09:18:57
      704 bits of persistent state
labl: stores identifiable information without any user consent

name: wpniuser
cont: (my wife's pc login@isp, omitted)
host: .washingtonpost.com
path: /
type: any type of connection
expr: 02/19/08 20:01:36
labl: none

name: WPATC
cont: A=2:D=3:C=2:C=167:E=AEBAD:S=24:S=245:B=24:B=59:B=99:B=100:VS=3
host: .washingtonpost.com
path: /
type: any type of connection
expr: 02/19/08 20:01:36
      512 bits of persistent state
labl: none

name: intrusiveAllowed
cont: false
host: .washingtonpost.com
path: /
type: any type of connection
expr: 12/19/04 10:44:42
labl: none

name: UPROF
cont: WU9CPTE5NjQrRz1mZW1hbGUrWklQPTA0MTAzK1VUPWV4cGxpY2l0K0M9VW5pdGVkIFN0YXRlcytCPU9USF9KT0IrQj1PVEhfUkVTUCtCPU9USF9JTkQrQj1TSVpFXzE=
host: .washingtonpost.com
path: /
type: any type of connection
expr: 02/19/08 20:01:36
      1040 bits of persistent state
labl: none

name: UPDATED
cont: 1103470451
host: .washingtonpost.com
path: /
type: any type of connection
expr: 02/19/08 20:01:36
labl: none

name: wp_point
cont: true
host: .washingtonpost.com
path: /
type: any type of connection
expr: 12/21/04 10:09:40
labl: none

name: sauid
cont: 3
host: www.washingtonpost.com
path: /
type: any type of connection
expr: 01/01/10 00:00:00
labl: none

---

I make that as 18 cookies, 6 3rd-party cookies, 9 without any policy meta data, one with meta data declaration that it "does not store identifiable information" and 8 with meta data declaration that each "stores identifiable information without any user consent", 5 that are session only, and 13 that are persistent, some reasonable (lifetime of ad campaign), some more difficult to defend, commercially (20 year horizon).

I counted 1288 bits of state stored for the (flexible definition of) session, and 5,240 bits of persistent state stored.

Outside the scope of the P3P spec (and the subject of a real shoot-out at that circa-IE5.5 meeting) was linkage to data obtained by other means (e.g., Axion). All we were able to impose on the doubleclick-esque model was cookies couldn't be both policy A and policy B, the two meta data policy descriptions would have to be encoded on separate cookies.

Now what did the WaPo resident rocket scientist write about cookies?

One thing you don't need to worry about on the Web -- contrary to what some security programs suggest -- is browser cookies. These small, inert text files are placed on your computer by most Web sites to customize your use of them; for example, The Post's site uses cookies to store registration info. These site-specific cookies are harmless. Other, "third-party" cookies are set by ad networks to track ad viewership across multiple sites. They also pose no security threat. They do raise some privacy issues, but they can be easily blocked by any new browser without impeding your Web use. In either case, fretting over the nonexistent threat of cookies is a pointless distraction.

I'm so relieved. That was just one page view. Time for some soy milk to wash down all those cookies.

Eric

P.S. I lost the argument with the rest of the P3P tech team that dropping the last octet in a dotted quad didn't really provide address anonymity.
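
The tally in the message can be reproduced mechanically from the listing. The following is an added example, not part of the original message: it re-keys the name, host, expiry and P3P label of each listed cookie (values omitted) and classifies them. The observation date, the ten-year cut-off and the suffix-match test for "first party" are assumptions.

```python
from collections import Counter
from datetime import date, datetime

FIRST_PARTY = "washingtonpost.com"  # the site visited in the post
OBSERVED = date(2004, 12, 19)       # assumption: visit date, from the short expiries
LONG_LIVED_DAYS = 10 * 365          # assumption: cut-off for a hard-to-defend lifetime

# (name, host, expr, labl) re-keyed from the post; "ident" = stores identifiable info.
COOKIES = [
    ("WebLogicSessionAc2", "www.washingtonpost.com", "session", "none"),
    ("DMID3", ".rsi.washingtonpost.com", "12/14/24", "ident"),
    ("sa_cdc_u", ".surfaid.ihost.com", "01/29/12", "no_ident"),
    ("ASPSESSIONIDSSTSRRQB", "financial.washingtonpost.com", "session", "ident"),
    ("test_cookie", ".doubleclick.net", "12/19/04", "ident"),
    ("ru4.28", ".edge.ru4.com", "02/17/05", "ident"),
    ("ACID", ".advertising.com", "session", "ident"),
    ("ru4.1106.gts", "edge.ru4.com", "02/17/05", "ident"),
    ("86698181", ".servedby.advertising.com", "session", "ident"),
    ("SESSIONREM", ".washingtonpost.com", "session", "none"),
    ("DMSEG", ".washingtonpost.com", "12/14/24", "ident"),
    ("wpniuser", ".washingtonpost.com", "02/19/08", "none"),
    ("WPATC", ".washingtonpost.com", "02/19/08", "none"),
    ("intrusiveAllowed", ".washingtonpost.com", "12/19/04", "none"),
    ("UPROF", ".washingtonpost.com", "02/19/08", "none"),
    ("UPDATED", ".washingtonpost.com", "02/19/08", "none"),
    ("wp_point", ".washingtonpost.com", "12/21/04", "none"),
    ("sauid", "www.washingtonpost.com", "01/01/10", "none"),
]

def is_third_party(host, site=FIRST_PARTY):
    # Simplified suffix match (assumption); a real audit would use the Public Suffix List.
    host = host.lstrip(".").lower()
    return not (host == site or host.endswith("." + site))

def audit(cookies=COOKIES):
    tally, long_lived = Counter(total=len(cookies)), []
    for name, host, expr, labl in cookies:
        tally["third_party"] += is_third_party(host)
        tally["label_" + labl] += 1
        if expr == "session":
            tally["session"] += 1
            continue
        tally["persistent"] += 1
        expires = datetime.strptime(expr, "%m/%d/%y").date()
        if (expires - OBSERVED).days > LONG_LIVED_DAYS:
            long_lived.append(name)
    return tally, long_lived

print(audit())
```

The two names returned as long-lived are the cookies with the 2024 expiry, the "20 year horizon" noted in the message.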