A few days ago, Joel Spolsky wrote a piece, entitled Does Issuing Passports Make Microsoft a Country?, that expressed a deep-seated fear of Microsoft’s Passport. I’ll leave you to read the piece, rather than summarizing it here; instead, I’ll just present the problems that I have with his arguments.
I’ll start with a minor problem, just to get it out of the way. Joel presents an extremely simplified explanation of cookies, and makes it sound as though it’s impossible for a website to store more than a unique identifier on your computer. This isn’t true, though — most websites store only an identifier in their cookie because it’s more efficient, not because it’s all they can do. Cookies merely store variable names and the data for those variables, and that data can be anything the website wants it to be (so long as each cookie is under 4096 bytes in size, with a limit of 20 cookies per domain). Most websites choose to use a single variable, which contains a unique identifier, because they can then house kilobytes upon megabytes of data on you in a database on their end, with no limitation on size and without the security problem of that data flying around the net with every single HTTP transaction you make against the server.
(Two good cookie references are Cookie Central and Netscape’s cookie implementation page. And note that I bring this problem up only because Joel’s definition of cookies plays into his big-picture argument against Microsoft, namely that they are thwarting this mild-mannered, innocuous technology through devilish back-end tricks.)
Another minor problem I have is Joel’s use of the recent Toysmart.com hoo-hah as an example of privacy rights gone wrong. While fears and objections were well-aimed early on, when the failed dot-com floated the idea of selling their customer list, it’s been very well-publicized that the FTC and a majority of state Attorneys General nipped that attempt in the bud. I’m not sure what this example gains for Joel’s argument.
My big problem with the article, though, is that Joel’s implication that Microsoft is misusing browser technology completely ignores the fact that they could just as easily implement their data-sharing entirely on the back-end, without anyone being the wiser. Every major website page these days is generated by scripts, back-end procedures, and databases; Microsoft could use network connectivity between their various websites and intelligent scripting to provide the same functionality, and do so without breaking a sweat.
Picture a small slice of the current MS-owned website pie — Expedia and Investor. Now imagine that both of these websites are implemented such that they set their own individual cookies, not some master Passport cookie. Follow along with my (purely hypothetical) data exchange.
First, you go and log into Expedia. After you type in your username and password and click on the Log In button, the Expedia webserver contacts the master Passport database to validate your credentials. They check out, so the database sends back to the webserver your unique Passport identifier (say, “JASON12345”), and the webserver then sends that back to your browser in the form of a cookie, a cookie that’s specific to expedia.com, not to passport.com.
Next, you check out flights to Las Vegas… and Expedia sends that information to the master Passport database. You look at prices on cruises to the Caribbean… and again, Expedia sends that information to the master Passport database. Everything that you do gets tracked, just like almost every e-commerce website worth its chops does today, but in addition, this information is all sent along to the master Passport database by the backend webserver, with no browser hijinks necessary.
Once done with Expedia, you trek on over to Investor. You type in your login information, and after clicking the “Log On” button, the Investor website contacts the master Passport database to validate your credentials. Once validated, the database sends the webserver your unique identifier (again, “JASON12345”), and the webserver sends that back to your browser in the form of a cookie, this one specific to investor.com.
This time, though, the Investor webserver also queries the master Passport database about your habits when you were on Expedia. It sees that you were interested in Las Vegas flights, so it assumes (perhaps incorrectly) that you aren’t averse to risk; when it returns the Investor home page to you, there are a few links to high-risk investment opportunities that wouldn’t be there for other customers. It sees that you’re interested in cruises, so it throws up a banner ad for a specialty cruise which will feature barons of finance and seminars on investing. And all of this happens in the microseconds after you click on the “Log On” button, all without the need for browser redirects or cookie tricks.
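The hypothetical exchange above, modelled in Python as an added example (it is not code from Joel's article or from Microsoft). The `PassportDB` and `Site` classes, the cookie name `id`, and the account details are constructed for illustration; only the two domains and the identifier "JASON12345" come from the text.

```python
import hmac
from http.cookies import SimpleCookie

class PassportDB:
    """Hypothetical central store that every member site's back end can reach."""
    def __init__(self, accounts):
        self.accounts = accounts      # username -> (password, passport_id); constructed
        self.activity = {}            # passport_id -> [(site, event), ...]

    def validate(self, username, password):
        stored = self.accounts.get(username)
        if stored and hmac.compare_digest(stored[0], password):
            return stored[1]
        return None

    def record(self, passport_id, site, event):
        self.activity.setdefault(passport_id, []).append((site, event))

    def seen_elsewhere(self, passport_id, asking_site):
        return [(s, e) for s, e in self.activity.get(passport_id, []) if s != asking_site]

class Site:
    def __init__(self, domain, db):
        self.domain, self.db = domain, db

    def login(self, username, password):
        """Return (cookie scoped to this site only, activity recorded by other sites)."""
        pid = self.db.validate(username, password)
        if pid is None:
            return None, []
        jar = SimpleCookie()
        jar["id"] = pid
        jar["id"]["domain"] = self.domain   # expedia.com or investor.com, never passport.com
        jar["id"]["path"] = "/"
        return jar, self.db.seen_elsewhere(pid, self.domain)

    def browse(self, jar, event):
        # Server-to-server write; the browser only ever holds this site's own cookie.
        self.db.record(jar["id"].value, self.domain, event)

def run_exchange():
    db = PassportDB({"jason": ("constructed-password", "JASON12345")})
    expedia, investor = Site("expedia.com", db), Site("investor.com", db)
    c1, _ = expedia.login("jason", "constructed-password")
    expedia.browse(c1, "flights: Las Vegas")
    expedia.browse(c1, "cruises: Caribbean")
    c2, profile = investor.login("jason", "constructed-password")
    return c1, c2, profile

if __name__ == "__main__":
    c1, c2, profile = run_exchange()
    print(c1.output(), c2.output(), profile, sep="\n")
```

Each browser-visible `Set-Cookie` header names only the site that issued it, so inspecting the cookie jar or blocking cross-domain cookies reveals nothing about the join on the shared identifier that happens between the servers.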
I’m partly surprised that Microsoft didn’t implement Passport this way, but I think that I understand what my arguments would be if I were part of the Passport engineering group. I’d imagine that, given Microsoft’s ability to do what they want no matter how the browser’s implemented, consumers would rather not have to log into and out of every single subsite of a major website group. There’s something powerful about being able to log into Expedia, HotMail, Investor, CarPoint, and all the other MSN sites with a single click; it’s like being able to shop at all two hundred stores in the mall while only having to park the car once. (Interestingly, Joel even points out how painful it is to keep track of all the website logins and passwords that we all have these days, with which I don’t think anyone would argue.)
Also, though, Microsoft isn’t doing anything that Yahoo or the Go Network aren’t also doing. Yahoo has chosen to keep the yahoo.com domain name on all of their various subsites, so they don’t even have to resort to browser redirects to get cookies across sites. The Go Network uses redirects very early on to be able to share their cookies; going to http://www.espn.com/ redirects you to http://espn.go.com/ instantly, just as http://www.abc.com/ redirects you to http://abc.go.com/. And of course, their shopping and finance sites have go.com domain names, so again, cookie sharing is a breeze.
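Why a shared parent domain makes cookie sharing "a breeze" while separate domains need redirects, as an added example (not from the original post). It applies the suffix-based domain matching that browsers use for the cookie `Domain` attribute, as later standardized in RFC 6265; the function names are illustrative and `notgo.com` is a constructed host included to show the label-boundary check.

```python
import ipaddress

def domain_match(host, cookie_domain):
    """True if a cookie with Domain=cookie_domain applies to requests for host."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".")
    if host == cookie_domain:
        return True
    try:
        ipaddress.ip_address(host)      # IP literals never suffix-match
        return False
    except ValueError:
        pass
    # Must match on a label boundary: "notgo.com" is not under "go.com".
    return host.endswith("." + cookie_domain)

def can_set(origin_host, cookie_domain):
    """A server may only set a Domain that its own host name falls under."""
    return domain_match(origin_host, cookie_domain)

def recipients(cookie_domain, hosts):
    """Hosts from the list whose requests would carry the cookie."""
    return [h for h in hosts if domain_match(h, cookie_domain)]

# Hosts named in the post, plus one constructed look-alike.
HOSTS = ["espn.go.com", "abc.go.com", "www.expedia.com", "investor.com", "notgo.com"]

if __name__ == "__main__":
    print("Domain=go.com reaches:", recipients("go.com", HOSTS))
    print("espn.go.com may set Domain=go.com:", can_set("espn.go.com", "go.com"))
    print("www.expedia.com may set Domain=investor.com:",
          can_set("www.expedia.com", "investor.com"))
```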
I guess that I don’t know what this whole controversy is about. Joel seems upset that Microsoft redirects you twice, but I wonder if he’d be upset if going to http://www.expedia.com/ redirected you to http://expedia.msn.com/, and Microsoft implemented cookie sharing that way. That’s how all the other major e-commerce players are doing it, and I’ve never seen an article about that, nor would I expect to.
The bottom line is that it’s still a web surfer’s job to understand what it is he or she is doing. If you’re scared about data sharing between websites, don’t frequent those websites. It’s not like Microsoft is hiding the fact that Investor and Expedia are part of the MSN empire, just like the Go Network isn’t trying to cloak their involvement in ESPN.com. But don’t invent nefarious plots and schemes to justify your fears; there are enough real bad neighbors out there on the Internet, and they’re much more worth our time and venom.