Slashdot Mirror


HTML5 Draws Concern Over Risks To Privacy

Hugh Pickens writes "The NY Times reports that in the next few years, HTML5 will provide a powerful new suite of capabilities to Web developers that could give marketers and advertisers access to many more details about computer users' online activities. The new Web language and its additional features present more tracking opportunities because the technology uses a process in which large amounts of data can be collected and stored on the user's hard drive while online. Because of that process, advertisers and others could, experts say, see weeks or even months of personal data that could include a user's location, time zone, photographs, text from blogs, shopping cart contents, e-mails and a history of the Web pages visited. 'HTML5 opens Pandora's box of tracking in the Internet,' says Pam Dixon, the executive director of the World Privacy Forum. Meanwhile Ian Jacobs, head of communications at the World Wide Web consortium, says the development process for HTML5 will include a public review. 'There is accountability,' Jacobs says. 'This is not a secret cabal for global adoption of these core standards.'"

33 of 163 comments

  1. Browsers... by the_one_wesp · · Score: 5, Insightful

    Browsers are still going to be the ones in charge of that kind of storage, just like history, cookies and other current ways of tracking user information. It's just going to require users to CONTINUE being careful about their web usage. I don't see that anything is changing.

    1. Re:Browsers... by tomhudson · · Score: 2, Insightful
      chmod -R a-w is your friend.

      And yes, the standard is terrible. Go read it.

      -- Barbie

    2. Re:Browsers... by Anonymous Coward · · Score: 2, Interesting

      It's a very similar problem to the privacy concerns over Flash about 6 or 7 years ago. When people realized you could store a lot of information separate from standard browser cache, people started taking advantage of the situation until it was patched. Similar things with HTML5, breaches will be discovered, then much later get patched after the damage is done.

    3. Re:Browsers... by PopeRatzo · · Score: 4, Funny

      > chmod -R a-w is your friend.

      Is he a rapper?

      Oh, it's something on the computer?

      Where is the icon for that app? It's not one of those things I have to type into the little black box with the white letters is it? I don't think my Windows 7 computer has one of those any more.

      --
      You are welcome on my lawn.
    4. Re:Browsers... by koreaman · · Score: 3, Insightful

      You are overly optimistic if you think Aunt Marge and Uncle Joe will have ever even seen or heard of "the little black box with the white letters" :)

  2. Don't cookies do the same thing? by bogaboga · · Score: 2, Interesting

    > Because of that process, advertisers and others could, experts say, see weeks or even months of personal data that could include a user's location, time zone, photographs, text from blogs, shopping cart contents, e-mails and a history of the Web pages visited.

    Folks, I thought this isn't new at all. Don't cookies do the same thing? I have a cookie that will 'never' expire unless I delete it. What am I missing?

    1. Re:Don't cookies do the same thing? by chemicaldave · · Score: 3, Insightful

      I think the fear is that this will contain exponentially more data than do HTTP cookies.

    2. Re:Don't cookies do the same thing? by captainpanic · · Score: 4, Interesting

      So, the actual news is that although we get new technology, old problems still aren't fixed?

      The fact that with current technology all this data is already available doesn't mean that it does not need to be fixed in the future.

    3. Re:Don't cookies do the same thing? by Canazza · · Score: 2, Informative

      http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html

      go delete your flash cookies thanks to Adobe's handy deletion tool. First result on Google for "Delete Flash Cookies"

      --
      It pays to be obvious, especially if you have a reputation for being subtle.
    4. Re:Don't cookies do the same thing? by maxume · · Score: 2, Informative

      It's not particularly obvious, but there is a fairly easy way to decline them ahead of time:

      http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html

      That's the first result for a Google search on 'flash prefs', but that is pretty much an incantation, not something most people will think of right away. Getting rid of existing flash cookies requires visiting another page there:

      http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html

      --
      Nerd rage is the funniest rage.
    5. Re:Don't cookies do the same thing? by icebraining · · Score: 3, Interesting

      They are, if you care. Most browsers allow you to disallow cookies, storage, etc, or clean them up periodically.

      Most people don't care. No: most people want to be remembered by the sites for convenience, and they mostly definitively don't want to have to allow/disallow on a site by site basis.

      The problem isn't technological, it's sociological.

    6. Re:Don't cookies do the same thing? by captainpanic · · Score: 3, Interesting

      Genuine question - if people honestly don't care, then is it really a problem?

      Is it that they don't care, or don't understand?

      If people honestly don't understand the problem, then it's up to a government to protect the people, or up to the producer of a particular product to protect its customers (enforced by laws to protect the people).

      Privacy is an abstract concept, which is difficult to understand for most people. Privacy for most people still means "to be able to close the curtains at night", and has nothing to do with the internet or any other digital technology.

    7. Re:Don't cookies do the same thing? by John+Hasler · · Score: 5, Insightful

      > Being able to store things with flash is fine...

      No it isn't. Creatures such as Flash should never be able to store or read anything. They should be locked in their sandboxes with only the input the browser chooses to give them.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    8. Re:Don't cookies do the same thing? by AusIV · · Score: 3, Insightful

      What are you talking about? And who modded this insightful?

      We're not talking about a civil rights issue, we're talking about an option you can turn on or off in your browser. It's not a problem for most people, so they don't turn it off. It's there to be turned off if you like. We're not even talking about getting rid of that option, we're just discussing sane defaults.

      Can you give a decent explanation of how this relates to police brutality?

    9. Re:Don't cookies do the same thing? by Simetrical · · Score: 2, Interesting

      > Genuine question - if people honestly don't care, then is it really a problem?

      The problem is that users are given a tradeoff: either they enable cookies and let people track them, or disable cookies and break all the sites they use. Offered that decision, most people will rationally opt for the latter. The goal is to give them a third option: let sites work properly without privacy or security problems.

      Web standards try to give apps as much power as possible without hurting privacy or security more than before, so you don't have to trade off here-and-now features to fend off abstract threats. Other application frameworks, like conventional binaries, don't even try: if you run the program, you have to trust it completely.

      An example of one technology that tries this and gets it wrong is Android. You can decide what privileges to give an app before you install it, but popular apps often ask for lots of unreasonable privileges, so in practice most people ignore the risks and just install the things. On the web, applications can do the large majority of useful things Android apps can do (if you count cutting-edge standards that aren't widely supported yet), but few of the harmful things. This puts users in a much better position: they don't lose many features, but they're at much lower risk.

      So, yes, it is a problem, and it is fixable, and the web is the only way forward toward fixing it. Others have tried, like Bitfrost, but only the web has enough momentum to build a real application base around the idea of totally untrusted applications that are still really useful.

      --
      MediaWiki developer, Total War Center sysadmin
  3. The irony.... by tawt · · Score: 2, Insightful

    ...of an article about privacy that requires you to register to read it

  4. FUD by The+MAZZTer · · Score: 5, Informative

    Article reads like it was written by someone who has no idea about the time and effort taken to sandbox sites from each other. Sounds like he's talking about LocalStorage or client side DBs, which can hold more data but are no more privacy risks than a single unique ID stored in a cookie linked to an unlimited REMOTE database. Accessing web history is not a part of HTML5, more FUD there, and browser vendors are working to block JS from being able to access that information. They also seem to refer to geolocation, which in Chrome at least has to be explicitly granted to sites unless you turn it on globally.

    The "supercookie" thing is perhaps the one legitimate thing mentioned but browsers should (or probably will if they don't already) clear out most of those locations (except Flash, but you can't blame the browsers for that really) when you clear your private data, which at least Firefox and Chrome can do for you.

    As for "buckets to put tracking information into" why bother relying on "buckets" on the client which may or may not exist, are limited in size, may change or be emptied at any time, etc, when you can buy as many "buckets" as you want server-side and store virtually unlimited data about them?

    1. Re:FUD by Richard_at_work · · Score: 2, Insightful

      > browsers should (or probably will if they don't already) clear out most of those locations (except Flash, but you can't blame the browsers for that really) when you clear your private data

      This is the only part of your post that I disagree with - if a browser allows a plugin to write to a location on disk in any form, then the browser should be responsible for further access to that location, and the maintenance of that location, not the plugin. Saying it's Flash's fault that these things don't get removed is simply excusing the browser from its responsibilities.

    2. Re:FUD by TheRaven64 · · Score: 4, Informative

      The browser doesn't allow the plugin to write to the disk, the OS does. Plugins are just libraries - they can do anything that any binary can do. If you are using nspluginwrapper on *NIX, you can make plugins run in a chroot and clean up after them, but file accesses do not go via the browser and 'modern' operating systems do not provide any facilities for running subprocesses that validate system calls via the parent.

      --
      I am TheRaven on Soylent News
    3. Re:FUD by Richard_at_work · · Score: 2, Insightful

      Bullshit. Seriously, bullshit. The browser provides the interface through which the plugin can work - just because currently plugins have near free rein on most browsers does not mean that that is acceptable.

      Javascript is blocked from writing to disk, and indeed doing a lot of things in certain circumstances (IE blocks a lot of JS when the page is opened locally and not through a remote server).

      So again, to say it's not the browser's fault is falsely excusing it from blame - the browser can certainly lay down a strict set of rules by which the plugins can and cannot work, and that certainly includes local file access.

      Microsoft got shat on for this a long time ago about ActiveX, so the other browser makers now need to get an equal shitting on for anything else that they allow access to the internet via their browser without setting up suitable security restrictions.

      This is most certainly a browser issue.

    4. Re:FUD by TheRaven64 · · Score: 3, Informative

      > Bullshit. Seriously, bullshit. The browser provides the interface through which the plugin can work

      No it doesn't. It provides a set of interfaces that allow the plugin to interface with the browser, but as long as the plugin is native code it can issue system calls. If it can execute an interrupt instruction, it can do anything that any other application can do.

      There are only two possible ways of preventing this. One is to require plugins to be compiled by the browser using a language that does not allow 'unsafe' operations. At a minimum, such a language would need to be garbage collected (otherwise dangling pointers could be used to escape) and no pointer arithmetic. Good luck getting plugin writers to rewrite their entire codebase in such a language.

      The other alternative is for the operating system to provide a mechanism for isolating the plugin. UNIX provides chroot(), but it requires root privileges, so you'd need a plugin launcher that was setuid root, which makes it a very attractive target for exploits.

      > Javascript is blocked from writing to disk, and indeed doing a lot of things in certain circumstances

      Entirely different. The limitations of JavaScript are inherent in the source language. There is no way for JavaScript code to issue interrupts or to make system calls. There is no way for it to call arbitrary C functions in the current address space. The browser's interpreter or compiler for JavaScript simply does not produce any code that can escape the sandbox (modulo bugs).

      > the browser can certainly lay down a strict set of rules by which the plugins can and cannot work, and that certainly includes local file access.

      As you so eloquently put it; bullshit. The browser can make any rules that it wants, but it can't enforce them - that was my point. Unless it is intercepting any system calls that the plugin makes (most operating systems don't provide a convenient facility for doing this - you could do it via ptrace(), but the performance hit will be horrible), then it can't prevent a plugin from accessing the filesystem.

      > Microsoft got shat on for this a long time ago about ActiveX

      Plugins are an entirely different issue. The problem with ActiveX was that it was downloading arbitrary untrusted code from the Internet and running it with normal app privileges. Plugins, in contrast, are supposed to be trusted code. Installing a plugin requires user action, just like installing an app. If you don't trust the plugin author, you can simply not run their plugin.

      --
      I am TheRaven on Soylent News
  5. Sandboxes. Now. by TubeSteak · · Score: 2, Interesting

    Browsers should no longer be allowed to frisk about in the general operating system,
    scattering data willy nilly throughout your computer into wildly obscure folders.

    I propose robust sandboxes.
    You want to delete all the tracking information? Delete the sandbox.
    Honest websites won't be spending their efforts to break out of the box and
    malicious websites were going to pwn you anyways, so does it matter if they do?

    I'm not proposing sandboxes as a security measure, merely a way to keep all the cruft from your browser & plugins locked down in one (easily deletable) place.

    --
    [Fuck Beta]
    o0t!
  6. This is fear-mongering by jjb3rd · · Score: 2, Interesting

    This neo-luddite fear-mongering must end!!! Properly secured browsers negate these "new" threats. The only "problem" as I see it, is the likelihood that in browser manufacturers' (Apple, Google, Microsoft, Firefox, Opera, etc.) rush to get these new capabilities, they'll put security on the back burner and we'll have a few years of this nonsense. This is no reason to not implement compelling features. It just raises the stakes for people to do it right. Having spent some time developing some HTML5, I for one, am looking forward to the new goodness.

  7. Didn't the '90s teach us? by Darkness404 · · Score: 4, Insightful

    Didn't the 90s (And early 2000s) teach us anything? If HTML isn't implemented in essentially the same way across all browsers the Internet will stagnate again and we will turn to cross-platform plugins like Flash to actually get stuff done.

    --
    Taxation is legalized theft, no more, no less.
    1. Re:Didn't the '90s teach us? by John+Hasler · · Score: 2, Insightful

      > ...we will turn to cross-platform plugins like Flash to actually get stuff done.

      "Stuff" that doesn't need doing.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  8. Re:FUD, Yes, But Some Truth and Risk Increase by tomhudson · · Score: 2, Insightful

    > say, Slashdot or New York Times doing something to better my reading experience.

    You must be new here :-p

    Seriously, we already have latency problems caused by multiple sites doing their crap on every page load (look at the source for any page that includes tracking and ad javascript includes). We don't need web sites sifting through 5 meg of local storage (which they'll grow to 100 meg, just like the original cookie limits specification quickly succumbed to hyperinflation) because they'll want to store it in xml.

    -- Barbie

  9. HTML5 -- a new "language", standard or what? by swb · · Score: 2, Insightful

    HTML5 -- is it a new language? Is it a set of extensions to HTML, Javascript, or is it more of a concept/phenomenon, like "Web 2.0"?

    I read it as an extension of the HTML standard, but quite often it's treated as a "new language" as opposed to an extension, upgrade, etc. I wonder if that's half the problem -- I think generally speaking, people are a little wary of many new things, technology wise, and failure to cast this as more of an upgrade than a wholly new entity (even if the new features make it so) probably has a lot to do with some of the scaremongering associated with it.

  10. the issue seems to hinge on one concept: by circletimessquare · · Score: 3, Interesting

    i don't have a problem with a website seeing everything i do on that website. i have a problem with a website seeing what i do on other websites

    let foo.com have evercookies on my computer about everything i do... at foo.com. not a problem. but i don't ever want foo.com to see what i do at fubar.com, and vice versa

    of course, foo.com can sell my info to fubar.com through different channels, but that's a problem that predates the internet, and has nothing to do with browser privacy. and i know if doubleclick has their ads on foo.com, they can infer certain things about my activities at foo.com... actually, now that i think about it, that's a fatal hole in any browser privacy: if a webpage is serving content from another website, such as with advertising networks, we're pretty much doomed no matter what the markup language, aren't we?

    to really have browser privacy, you'd have to destroy the entire possibility of webpages serving content from other domains. how the heck do you enforce that? a rule like "when loading content from foo.com, everything on this page must come from foo.com"? is that a viable concept? no more google analytics, no more iframes... i don't know, we're just doomed

    but... even if you had that rule, foo.com could just agree with double click to proxy their ads, running them through their servers, so everything is coming from one domain, even though it really isn't. then they can simply see how one particular ip address walks across the web where they have similar agreements with other sites. no escape. you'd have to spoof your ip with every request, which breaks all sorts of functionality on most websites. maybe you could have a new ip for every tab, every session... what a nightmare

    basically, the concept of privacy on the internet is void. if you type it on the web, it is known, end of discussion. crap

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  11. AdBlock! by Meneth · · Score: 5, Informative
    My favourite filter:

    *$third-party

    Blocks all kinds of crap. Speeds up browsing, too. Even on Slashdot it blocks Google Analytics and something from demandbase.com.

    Of course, you'll need lots of exception rules, but if you want to be aware of where your browser goes to get its files, it's well worth it.
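
An added example, not part of the post above and not Adblock Plus's own code: a sketch of how a `*$third-party` style rule can classify each request on a page load. It assumes "third-party" means a different registrable domain from the page; `PUBLIC_SUFFIXES`, the exception set and all sample URLs are constructed for illustration.

```javascript
// Constructed stand-in for the Public Suffix List (the real list is far longer).
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

// Registrable domain = public suffix plus one label ("www.foo.co.uk" -> "foo.co.uk").
function registrableDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  const labels = host.split(".");
  // Scanning from the left finds the longest matching suffix first.
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? host : labels.slice(i - 1).join(".");
    }
  }
  return host; // IP address or unknown suffix: compare the whole host
}

// Assumption: a request is third-party when its registrable domain differs
// from the registrable domain of the page that triggered it.
function isThirdParty(pageUrl, requestUrl) {
  const page = registrableDomain(new URL(pageUrl).hostname);
  const req = registrableDomain(new URL(requestUrl).hostname);
  return page !== req;
}

// allowed: registrable domains the user has written exception rules for
// (a hypothetical representation, not the filter-list syntax).
function filterRequests(pageUrl, requestUrls, allowed = new Set()) {
  return requestUrls.map((url) => {
    const domain = registrableDomain(new URL(url).hostname);
    let action = "allow (first-party)";
    if (isThirdParty(pageUrl, url)) {
      action = allowed.has(domain) ? "allow (exception)" : "block";
    }
    return { url, domain, action };
  });
}

// Constructed page load; hosts under example.* and all paths are made up.
const PAGE = "https://news.example.org/story/1";
const REQUESTS = [
  "https://news.example.org/style.css",
  "https://images.example.org/logo.png",      // sibling subdomain, same site
  "https://www.google-analytics.com/ga.js",
  "https://api.demandbase.com/tag.js",
  "https://cdn.example.net/comments.js",      // needed by the page: exception
];

function demo() {
  return filterRequests(PAGE, REQUESTS, new Set(["example.net"]));
}

for (const r of demo()) console.log(r.action.padEnd(20), r.url);
```

The exception set is where the "lots of exception rules" cost shows up: every off-site host a page genuinely depends on has to be listed before that page works again.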

  12. How, Specifically? by Doc+Ruby · · Score: 4, Interesting

    What features does HTML5 include that let one server access any data other than that created by that server, or by the client user through the HTML GUI sent by that server? Why should any client state be available to the server, except the same kind of client-side feature list of supported media types and browser version that we've had since HTML1.0?

    --
    make install -not war

    1. Re:How, Specifically? by Doc+Ruby · · Score: 2, Insightful

      None of that has anything to do with HTML5.

      --
      make install -not war

    2. Re:How, Specifically? by WebManWalking · · Score: 2, Insightful

      You're referring to the "same origin policy" and you're right. There are 3 new mechanisms in HTML5 for remembering something across page loads (added to the older 4th mechanism, cookies), and all 4 of them are subject to the same origin policy.

      Many of the new features of HTML5 exist to allow browsers to do the same things as plug-ins. A poorly written plug-in is a much bigger security vulnerability than the well-thought-out new features of HTML5, which were largely contributed by browser vendors themselves. The browser vendor has a vested interest in keeping the browser secure against attack. And they know how to accomplish that, because they're more familiar with their own internal security model and they're more motivated to follow it rigorously.

      Implementing the same origin policy thoroughly and correctly is in the vendor's best interest. I'm pretty sure that HTML5 will make us more secure than the plug-in riddled environment we have now.
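
An added example, not part of the comments above: a small model of origin-keyed client storage, showing that foo.com's data is unreadable from fubar.com, and why a frame embedded on both sites still shares one bucket unless storage is also partitioned by the top-level page. The class, function names and `ads.example` host are hypothetical; partitioning by top-level origin is a simplification of what browsers do.

```javascript
// Model of origin-keyed client storage (localStorage-style buckets).
class OriginKeyedStorage {
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.buckets = new Map(); // bucket key -> Map of stored items
  }
  // frameUrl: document whose script is running; topUrl: the address-bar page.
  bucketKey(topUrl, frameUrl) {
    const frameOrigin = new URL(frameUrl).origin; // scheme + host + port
    if (!this.partitioned) return frameOrigin;    // same-origin policy only
    // Simplification: also key by the top-level page's origin.
    return new URL(topUrl).origin + " | " + frameOrigin;
  }
  bucket(topUrl, frameUrl) {
    const key = this.bucketKey(topUrl, frameUrl);
    if (!this.buckets.has(key)) this.buckets.set(key, new Map());
    return this.buckets.get(key);
  }
  setItem(topUrl, frameUrl, name, value) {
    this.bucket(topUrl, frameUrl).set(name, String(value));
  }
  getItem(topUrl, frameUrl, name) {
    const v = this.bucket(topUrl, frameUrl).get(name);
    return v === undefined ? null : v;
  }
}

// What a first-party script on each site can read after foo.com stores a cart.
function firstPartyIsolation() {
  const store = new OriginKeyedStorage({ partitioned: false });
  const read = (url) => store.getItem(url, url, "cart");
  store.setItem("https://foo.com/cart", "https://foo.com/cart", "cart", "3 items");
  return {
    sameOrigin: read("https://foo.com/checkout"), // same scheme, host, port
    otherSite: read("https://fubar.com/"),        // different host
    otherScheme: read("http://foo.com/"),         // http vs https
    otherPort: read("https://foo.com:8443/"),     // different port
  };
}

// A script inside an embedded frame: reuse a stored ID or mint a new one.
let nextId = 1;
function embeddedFrameId(store, topUrl, frameUrl) {
  let id = store.getItem(topUrl, frameUrl, "uid");
  if (id === null) {
    id = "visitor-" + nextId++;
    store.setItem(topUrl, frameUrl, "uid", id);
  }
  return id;
}

// Does the same embedded frame see one ID on both foo.com and fubar.com?
function embedLinksSites(partitioned) {
  const store = new OriginKeyedStorage({ partitioned });
  const frame = "https://ads.example/frame.html"; // constructed third party
  const onFoo = embeddedFrameId(store, "https://foo.com/", frame);
  const onFubar = embeddedFrameId(store, "https://fubar.com/", frame);
  return onFoo === onFubar;
}

console.log(firstPartyIsolation());
console.log("unpartitioned links sites:", embedLinksSites(false));
console.log("partitioned links sites:  ", embedLinksSites(true));
```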

  13. Turning on privacy breaks the web by Animats · · Score: 3, Interesting

    More and more sites just don't work if you enable strong privacy controls. Some of this seems to be deliberate, and it's getting worse.

    • If you don't let YouTube store Flash data, the "Press ESC to exit full screen mode" message will not disappear.
    • If you block third party cookies, CBS TV video won't play.
    • If you block most cookies, many video sites will play the same ad over and over.
    • "511.org", a Government-run site for traffic information, goes into an infinite reload loop if you block Google Analytics.