Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Patents Software The Internet Your Rights Online

Amazon Awarded Cookie Patent 79

theodp writes "On Tuesday, the USPTO granted Amazon.com a patent for the Use of browser cookies to store structured data, which covers the storing of data structures and non-character data within browser cookies. In a February SEC filing (pdf), Amazon reiterated that they expect that they may license certain patents to third parties in the future."
This discussion has been archived. No new comments can be posted.

Amazon Awarded Cookie Patent

Comments Filter:
  • by Anonymous Coward on Tuesday March 30, 2004 @07:19PM (#8720649)
    I wanted to implement a cookie-driven Web site for a long time, but was clueless as for who I had to pay for using the technology.

    Now I can finally download and install HTTP Cookie Library [scriptarchive.com] and send my license check to Amazon.
    • by Anonymous Coward
      Fortune Cookies with things in addition to fortunes with them.

      However, I am going to patent the idea of storing non-obvious information in digital images for use in computer network transactions.
      • I was going to take a patent on sex, but after reading the US patent web site [uspto.gov], info on what can be patented, especially patenting existing processes I have had second thoughts and now will be patenting: Sex in the Bahamas...It better in the Bahamas (Patent Pending).
  • by endrek ( 547737 ) on Tuesday March 30, 2004 @07:23PM (#8720692) Homepage
    I think I'll go and patent a type of apple tree that grows apples.
    • I think I'll go and patent a type of apple tree that grows apples.

      just patent the DNA, same thing really..
    • Agriculture and Plant patents make up a huge portion of the whole patent operation. So, yes, there a many apple trees that bear apples that are indeed patented. Go to the uspto.gov site and search for "apple AND tree ANDNOT computer" and see how many hits there are.

      "What is a plant patent?

      A plant patent is granted by the Government to an inventor (or the inventor's hiers or assigns) who has invented or discovered and asexually reproduced a distinct and new variety of plant, other than a tuber propag
  • CSV, etc? (Score:4, Interesting)

    by Joff_NZ ( 309034 ) on Tuesday March 30, 2004 @07:28PM (#8720729) Homepage Journal
    wouldn't something like storing comma seperated values count as "structured"??
    • Re:CSV, etc? (Score:4, Insightful)

      by FFFish ( 7567 ) on Tuesday March 30, 2004 @07:32PM (#8720761) Homepage
      Better yet would be Python's pickle [python.org] serialization library, which stores anything from strings to classes, all in printable ASCII... ie. a freakin' cookie.
      • Re:CSV, etc? (Score:3, Informative)

        by Fweeky ( 41046 )
        Even php's serialize() (also available for Ruby [aagh.net]<plug>) does that; but this patent also talks about checksums, encryption, and back/forward compatability, so.. say.. like XML + schema + crypto of your choice.

        TBH you can put anything you like in a cookie, binary or not; you just base64 encode it or so. After that, well, people have been making file formats like this for years, and Amazon get a patent just for putting one in a cookie? Lame.
      • Just be extremely paranoid when deserializing from client.

        evJ00l Hax0r: "Hey, this guy stores complete data structures in cookies. Wonder if he minds if I stick system("cat /etc/apache/htpasswd");' in the end?"

  • by spRed ( 28066 ) on Tuesday March 30, 2004 @07:31PM (#8720751)
    So the patent looks silly on the face, but the opening claims are easy to work around and make it hard for them to sue:

    a method of incorporating at least one data structure from the database into a browser cookie to reduce accesses to the database

    Okay, the stuff I'm storing in the cookie isn't the same as a structure in my database. FOAD. You think it is? I say it is half a structure from my database. Or one item from each of five structures in my database.

    They could drown you in lawsuits, but they didn't need a patent to do that anyway.
    • by kherr ( 602366 ) <kevin&puppethead,com> on Tuesday March 30, 2004 @07:48PM (#8720872) Homepage
      I worked at a company doing cutting-edge stuff and we were always looking for stuff to patent. Our intent was to create a defensive portfolio that would also look enticing to VCs. But we never, ever thought of pursuing patents on the patently obvious (pun intended).

      One-click could be argued as a novel business practice. But crap like this is ridiculous. It's like the old joke of adding "with a computer" to anything and calling it novel. I've already moved to Powells [powells.com] for books, but I'll have to intensify my efforts to get others to stop shopping with Amazon.com.
      • What is the whole purpose of cookies? Honestly, wasn't the intent of cookies to store "structured" data? If your data isn't structured, can you call it data?

        Here is the definition of data:

        1. Factual information, especially information organized for analysis or used to reason or make decisions.
        2. Computer Science. Numerical or other information represented in a form suitable for processing by computer.


        I would be ashamed to have my name on a patent like this. It just makes you look really dumb!!!
      • >It's like the old joke of adding "with a computer" to anything and calling it novel.

        see, you missed a trick there, these days one takes all those patents wiht 'on a computer' in them and add 'on the internet' and viola, one patent portfolio.

    • a method of incorporating at least one data structure from the database into a browser cookie to reduce accesses to the database
      Yuck. Never trust the client with this sort of stuff. Just do the damn query and make sure your processing power and storage bandwidth gets upgraded ahead of your load.
      • You don't have to "trust" the client. Just use HMAC to cryptographically verify the cookie. Unless that's patented...
      • I'm sure they're not using it for the price of your purchase or anything. But how about even the last n ISBNs for books you've looked up? Sure, you could hack it to use other ISBNs but Amazon won't really care. It saves them a database query and/or server-memory storage to pull up your last viewed items and serves its purpose without compromising security in any way.
    • is the most lame and incompetent governmental body I have ever tought of. If I was USian, I would make a campaign to do a full restructure of it, because this is completely insane.
      • It's also terribly overworked. One of the items coming up for review in next year's federal budget is a significant increase in the number of patent reviewers, and I believe also a raise for the existing reviewers to help keep them from jumping ship and aiding companies in filing patents in such a way as to be able to slip by the remaining patent reviewers.
        • Our PTO is also overworked, but you know what happens if you file something that can be considered "trivial" or "not an invention"? It gets ditched. Rejected. If you want patent protection, you'll have to go to court. Far more expensive.
  • Prior Art (Score:5, Funny)

    by Anonymous Coward on Tuesday March 30, 2004 @07:34PM (#8720767)
    I don't know man, Cheech and Chong have been putting some pretty wild shit in their cookies for decades!
  • Of course the code has been legally buried by the crash of the company that I developer it for. I didn't even think for a second that this might be somehting that someone could patent.
  • by SmallFurryCreature ( 593017 ) on Tuesday March 30, 2004 @07:45PM (#8720844) Journal
    • The optimist

      Geez again? TIMING you idiots April fool starts on the 1st of april. Not on 31st of march. Geez. Is it that hard to read a calendar? And a good april fools joke is funny because people are tricked into thinking something that clearly couldn't be true. USPTO passing a silly patent does not qualify.

    • The evolutionist

      What kind of insect could possibly not see the bloody obviousness off this one. Use a cookie to store data. Well fucking duh. What next? Patent the use of an engine to power something? A trunk to carry luggage? A shovel to dig with? Outsourcing is bad enough but hiring lower lifeforms goes to far!

    • The pessimist with a gun

      This story only goes to show patent reform is impossible. Nothing will help here anymore but the old "put them against the wall" at the revolution. Going to be really crowded too. What will all the lawyers, ceo's, outsources, alcohol free beer inventors and people who talk in caps on the web.

    • The European

      Anyone else find it slightly odd that all the idiot patent stories come from america? Wonder why the USPTO is unable to hire any smart people. Is the USPTO banned from hiring non-americans?

    Come on you weren't expecting any serious response were you? Feeble jokes for a feeble joke of an institution.

  • by Oncogene ( 708031 ) on Tuesday March 30, 2004 @07:50PM (#8720881) Homepage
    You know, the US Patent Office's website [uspto.gov] uses cookies that would violate this patent.
  • key value (Score:3, Insightful)

    by Visigothe ( 3176 ) on Tuesday March 30, 2004 @08:13PM (#8721060) Homepage
    ok, I am stating this up front. I didn't read the entire patent article. My apologies.

    That said, isn't the idea of a cookie, in fact, a structure? In this case, a key/value pair??

  • ... no problem, become a patent attorney.

    That's right, just a few years of law school, and you can cash in on the corrupt patent system.

    If being called a "lawyer" troubles you, just insist on being called "Esquire". If people won't, sue em. Sue everybody!

    They'll be no reason to worry anymore -- you'll see politicians and doctors outsourced before the lawyers go.

  • So (Score:5, Insightful)

    by dtfinch ( 661405 ) * on Tuesday March 30, 2004 @09:04PM (#8721365) Journal
    Their method appears to be for storing a binary copy of the entire customer record, encoded (base64 or similar), encrypted, and checksummed, into a cookie. As prior-art as the title of the patent may appear, I haven't seen it done in exactly this fashion.

    If you do it without encryption or without a checksum then you're probably not infringing. Same if you avoid binary encoding. If you save a textual representation of the record, and use a form of encryption that works on plain text, you can achieve the same effect without infringing.

    And if someone tries to patent my idea, I'll make business very hard for them.
    • I did this too (Score:3, Informative)

      by samjam ( 256347 )
      The second revision of the second generation of Ananova email alerts (anyone remember this?) had two such encrypted addresses, the From address and the Reply-To address, which included an encrypted checksummed version of the customers address-id and the story-id of the message that was sent.

      This was so that we could tell in bounced OR replied messages which customer sent the message and for which story, and it would loosely authenticate the user for performing "safe" operations on their email alert account
    • Re:So (Score:5, Informative)

      by greppling ( 601175 ) on Wednesday March 31, 2004 @02:27AM (#8723108)
      If you do it without encryption or without a checksum then you're probably not infringing. Same if you avoid binary encoding.

      That's not how I read the claims. The basic claims are 1, 10, 18, 26, 35, 40. Adding encryption or checksums to storing the data structures as cookies are covered by separate claims, always listed in addition to the basic claims.

      The whole point of this patent is IMO what they call "schema data". By this they mean having a separate file that describes the data structure used in the cookies, so that the way the data structures can be changed without changing the code en/de-crypting the cookie. (Claim 1.) Unless someone is using such a metafile describing the data structure, and has written a generic cookie parser that is controlled by this metafile, I am pretty sure he will not be infringing the patent. This is, of course, not revolutionary, but it's definitely much better software design than the typical PHP/MySQL web site.

      Adding versioning of the data structures is claim 7. Claim 26 is then about using this data to generate personalized web pages from the cookie data without any database lookups.

      So, IMHO this patent isn't that silly. You most likely don't have to "work around" it just because you are storing some structured user data in cookies, it is to the contrary very unlikely that you are infringing it. Definitely, all posts here have missed the "schema data" aspect so far. Maybe there is prior art for this, but if there is, noone has pointed out any so far.

      I think the only good reason to be against this patent is to be against software patents in general. Which I am, btw:)

    • Seems they forgot compressed...
    • The HSBC InvestDirect site in Australia does this; it was developed 2 years prior to the patent being filed.

      What's required for this to be prior art? Anyone skilled in the art looking at the cookies from that site would be able to work out what was going on, so is that enough?
  • by pdcryan ( 748847 ) on Tuesday March 30, 2004 @09:23PM (#8721504) Homepage
    Morse (the telegraph guy) was awarded a patent claim for:

    "electro magnetism, however developed for marking or printing intelligible characters, signs, or letters, at any distances."

    Sound a little over-broad? The Supreme Court thought so too(1853). Broad claims get through the patent office sometimes. That's what courts are for. Will Amazon get some money out of this? Probably. Would I give them any money for it? No.
    • You say: "Broad claims get through the patent office sometimes. That's what courts are for."
      But, Thats what the freaking patent office is for (sweeping out the broad claims).
      The process should be: apply for patent, too broad, denied, don't like it, go to court against PTO.
      But instead, it is: apply for patent, granted, threaten to sue a lot of suckers, make some money, one non-sucker sues back, wins, patent cancelled.
      Which one do you think misspends more taxpayers' money??
  • *WHY*? (Score:2, Insightful)

    by jonadab ( 583620 )

    Isn't it considered to be better practice (in terms of security and privacy and
    all that jazz) to only use the cookie as a unique ID, an index into your DB
    table(s) containing all the other information? What is the advantage to
    storing more stuff on the client side?
    • So you can patent it, of course.
  • by Futurepower(R) ( 558542 ) on Tuesday March 30, 2004 @10:04PM (#8721741) Homepage

    I've often thought it would be interesting to write a program that caused stored cookies to be returned with with slight changes. You could load the program, browse Amazon, and see what happened.

    They can store cookies if you allow them to store them. However, what you return is entirely your decision. It's your computer.
    • ...and thus the reason for their patent. They store the cookies with a checksum and encrypted. So they can tell if you tampered with it.

      I'm wondering how it is faster to pull a cookie from the browser, compute its checksum, compair, if they match, decrypt, then decode. Surely that can't be faster than a properly cached local database query.
      • by HalfFlat ( 121672 ) on Tuesday March 30, 2004 @10:34PM (#8721904)
        I'm wondering how it is faster to pull a cookie from the browser, compute its checksum, compair, if they match, decrypt, then decode. Surely that can't be faster than a properly cached local database query.


        Given that the limiting resource is server resources as opposed to customer waiting time or network bandwidth, and given how much seriously faster CPU is over disk access, it looks like a win to me.

        Once your data gets larger than 8k or so, you begin to seriously annoy people on modem connections, so I'm assuming the cookie is smaller than this. Checksumming and decrypting 8kbytes of data on a modern machine really ought to be very quick indeed. For order of magnitude estimates, I'd guess the process takes about 15 clock cycles per byte of cookie as an upper bound, coming to significantly less than a milisecond on a modern CPU. This is much less than the cost of a disk access.

        • Multiply that by several hundred pizza boxes accessing your database cluster.

          I'm betting it's 100 times easier to scale your web farm than it is to scale your database cluster. (Actually betting isn't the right word, I know that for a fact.)
          • I'm betting it's 100 times easier to scale your web farm than it is to scale your database cluster
            Not to mention cheaper. Fast CPU's (for a web server) are dirt cheap. Large/fast raid arrays (for a DB server) are expensive. And that's just assuming they are running a free/inexpensive DB. An Oracle license could be more than the hardware costs of the server.

      • You could return a cookie from a pool of cookies received by other people at other times. If you can guess the method of checksumming and encryption, you can make your own.

        Surely checksumming and encryption cannot be patented, even by a patent office corrupted by allowing too little money to do a good job.

        As the world moves to broadband, there begin to be new privacy issues. Often your IP identifies you.

        Ask yourself, why does Amazon want to encrypt data about you? There are issues here that nee
        • Surely checksumming and encryption cannot be patented, even by a patent office corrupted by allowing too little money to do a good job.

          Oh, such fresh, fresh innocence.

          Off the cuff, I can think of three patents in this realm alone. RSA patented RSA encryption, the (extremely obvious, done by everyone) table lookup optimization in CRC32 is patented, and IBM has certain tables of bit encodings (simple checksums that are particularly resistant to common hard-drive errors) patented.

          • This kind of stuff gets old. Someone reads a comment and thinks how it could be wrong, instead of trying to understand what was meant.

            What I meant was that the idea of using checksumming and encryption in cookies cannot be patented.

            Also, Amazon is not patenting the checksumming and encryption. If they use patented encryption, it would be someone else's. It seems unlikely they would be using complicated encryption, since that would not save CPU cycles over just storing the data on their own servers.
            • I'm sorry -- I was being sarcastic, but the vitriol was really aimed at the PTO ("one would have to be innocent to assume that an incredibly idiotic patent wouldn't get through"), not you.

              What I meant was that the idea of using checksumming and encryption in cookies cannot be patented.

              That certainly could be true, but it's not what you wrote in your original post:

              You could return a cookie from a pool of cookies received by other people at other times. If you can guess the method of checksumming and e
        • You could return a cookie from a pool of cookies received by other people at other times. If you can guess the method of checksumming and encryption, you can make your own.
          You're assuming that Amazon's storing anything interesting about you. More likely they're storing relatively trivial info like your name and interests (i.e. a list of stores to display)
          Ask yourself, why does Amazon want to encrypt data about you?
          Assuming Amazon is sending anything more than trivial information, do you want them to se
      • I'm wondering how it is faster to pull a cookie from the browser, compute its checksum, compair, if they match, decrypt, then decode. Surely that can't be faster than a properly cached local database query.

        You have to be extremely careful where you use this technique, as it's vulnerable to replay attacks (remember what cookie you had at time A, let Amazon change it at time B, and then set it back to the cookie you had at time A). If you use a scheme like this, you have to deal with people being able to r
        • You have to be extremely careful where you use this technique, as it's vulnerable to replay attacks (remember what cookie you had at time A, let Amazon change it at time B, and then set it back to the cookie you had at time A). If you use a scheme like this, you have to deal with people being able to revert all the state in the cookie back.

          Also note that you want to be doubly-careful when dealing with a complex set of data (as Amazon does) and triply-careful when dealing with a system that deals with mone
    • I've often thought it would be interesting to write a program that caused stored cookies to be returned with with slight changes.

      I had a similar thought, except that making random changes would probably currupt the cookie and it would be detected/rejected/ignored.

      My idea was to send valid cookies. You would return cookies from other random people running the same software :)

      -
  • So we can all agree that this is a bad thing. What can we do about it?

    Why not take a page directly from the activist handbook. When environmental activists are trying to fight for an issue they have found it useful to attack a company that has particularly bad environmental policies (like the oil companies).

    So let us attack a company that has particularly bad patent policies: Amazon. There are plenty of alternatives out there anyway. Let's band together and start giving amazon some bad press. I just pos [sillytech.com]

    • That has already been tried with One-Click. It doesn't work. Slashdot is used to dealing with technology companies that have technology buyers that have an opinion that's sometimes influenced by Slashdot (especially via secondhand word-of-mouth). Joe Blow is the target Amazon customer. Amazon just doesn't care about bad press surrounding their patents (or at least they feel that their losses due to the bad PR are less significant than the benefit derived from being able to club BarnesAndNoble.com down w
    • What about legal action? There are at least a few lawyers out there that would sympathize with this madness (Lawrence Lessig comes to mind immediately, but he has other things on his plate).

      Perhaps the most obvious person to initiate, organize, or fund a class-action suit would be the W3C itself. After all, what Amazon has done here is to basically patent what was an open-standard. One Click could be argued to be more like a trademark on the name. But this is potentially SO much broader, and seems
  • Bad Amazon! No Cookie Patent!
  • Prior Art (Score:2, Informative)

    by kerfuffle ( 766986 )
    The main ingredients of this "patent" seem to be using a cookie for structured data to avoid DB overhead, with the inclusion of some internal "checksum/session" keys.

    The HSBC Australia online trading platform publicly launched in Nov 1999 and implemented in Python, used cookies to pass serialised Python structures between client and server to avoid needless per request DB lookups (and to allow simple horizontal scaling, since instead of requiring a "session DB" one only required HTTP servers capable of de

    • I would expect that a large amount of internal documentation exists on the history of this project (including at least one presentation to an Open Source conference).

      Would the author of this post please get in touch with me to discuss how to proceed with this information (though the Austraian courts if not US - is Australia in the WTO. See my other comment in this thread here [slashdot.org]
  • Now I don't have to worry about web sites tracking my every move with their cookies! All I have to do is avoid Amazon, and I can remove my tin foil hat!

    Oh wait, that sounds a little too sarcastic to be probable... darn, just when I thought there was a little ying in this Evil Empire's yang.
  • by Hank Reardon ( 534417 ) on Wednesday March 31, 2004 @11:03AM (#8725669) Homepage Journal
    I know that I developed something to store data structures in Cookies prior to the filing date of January 31, 2000.

    In the course of one of my contracts, I needed a nice way to impliment a next/previous page functionality without the use of a session table (long story as to why). I ended up using a cookie as a stack for that functionality.

    The problem is that this code was written for a private, in-house data warehousing system, and I don't have the code.

    Could I file a "friend of the court" or some other such brief on this matter describing how I implimented (for profit!) this technology before the patent date?

  • "Whoa, Amazon's selling cookies now?"

    I think I need to eat some breakfast...

Solutions are obvious if one only has the optical power to observe them over the horizon. -- K.A. Arsdall

Working...