Home About Buy online Blog Archives Newsletters Subscribe Contact

[Dutch_Master]

I know there is a recent thread about HTML5, but it doesn't address this issue: Earlier this week the NY Times ran an story about HTML5 and its effect on users privacy.

The new Web language and its additional features present more tracking opportunities because the technology uses a process in which large amounts of data can be collected and stored on the user’s hard drive while online. Because of that process, advertisers and others could, experts say, see weeks or even months of personal data. That could include a user’s location, time zone, photographs, text from blogs, shopping cart contents, e-mails and a history of the Web pages visited.

Full story

If you've read the article you've seen that marketeers already have at least 10 known locations to store their "code injections", making it increasingly difficult to get rid of any and all. What's more of a concern, the same technology can, no: will be abused by scammers to eavesdrop on unsuspecting surfers, targeting their sensitive data like bank accounts and creditcard stuff... I predict the first such scam to happen within a fortnight of a major (financial) website switching to HTML5 (Google, banks, etc) and maybe not even that long...

This is something the browser makers should be very wary of, their reputation is on the block here... And the axe will fall as soon as a fault (exploit) is found: it'll be the end of that browser. Except for IE of course

[johnhudson]

But as this is out in the open one would assume that the risk is primarily to closed source browsers. Can't see the FOSS community allowing this to go on for long.

[Dutch_Master]

The FOSS community can't afford to let it happen in the first place... Remember, the likes of M$ and Apple will closely follow the way FOSS browsers will handle this and if even just one fails the marketing guys will have it in the papers for weeks, implying FOSS as a whole, not just the one failing browser. FUD, remember....

[ollie]

As long as you can locate the stored information, it can be deleted. The tools just need to be developed and built into the browsers to delete data from all possible storage locations. Just another new way of tracking potential customers.

[Dutch_Master]

Known locations isn't the problem Ollie. But it appears cookie-writers have complete control over where the browser will/must store their cookie, and that may be somewhere where their code can be executed to harvest data and "call home", i.e. a trojan. IMO it's the browsers job to not only keep track of any and all locations but also prevent these cookies to be stored outside the known and therefore monitored locations. Cookies can be written with executable code in it, so the browser should be aware of the concept of "executable cookies" and eliminate these, better: refuse them while warning the user for action to be taken.