×

Announcing: Slashdot Deals - Explore geek apps, games, gadgets and more. (what is this?)

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

HTML5 Draws Concern Over Risks To Privacy

CmdrTaco posted more than 4 years ago | from the are-you-scared-yet dept.

Privacy 163

Hugh Pickens writes "The NY Times reports that in the next few years, HTML5 will provide a powerful new suite of capabilities to Web developers that could give marketers and advertisers access to many more details about computer users' online activities. The new Web language and its additional features present more tracking opportunities because the technology uses a process in which large amounts of data can be collected and stored on the user's hard drive while online. Because of that process, advertisers and others could, experts say, see weeks or even months of personal data that could include a user's location, time zone, photographs, text from blogs, shopping cart contents, e-mails and a history of the Web pages visited. 'HTML5 opens Pandora's box of tracking in the Internet,' says Pam Dixon, the executive director of the World Privacy Forum. Meanwhile Ian Jacobs, head of communications at the World Wide Web consortium, says the development process for HTML5 will include a public review. 'There is accountability,' Jacobs says. 'This is not a secret cabal for global adoption of these core standards.'"

Sorry! There are no comments related to the filter you selected.

Browsers... (5, Insightful)

the_one_wesp (1785252) | more than 4 years ago | (#33858292)

Browsers are still going to be the ones in charge of that kind of storage, just like history, cookies and other current way's of tracking user information. It's just going to require users to CONTINUE being careful about their web usage. I don't see that anything is changing.

Re:Browsers... (2, Insightful)

tomhudson (43916) | more than 4 years ago | (#33858492)

chmod -R a-w is your friend.

And yes, the standard is terrible. Go read it. [w3.org]

-- Barbie

Re:Browsers... (4, Funny)

PopeRatzo (965947) | more than 4 years ago | (#33858708)

chmod -R a-w is your friend.

Is he a rapper?

Oh, it's something on the computer?

Where is the icon for that app? It's not one of those things I have to type into the little black box with the white letters is it? I don't think my Windows 7 computer has one of those any more.

Re:Browsers... (3, Insightful)

koreaman (835838) | more than 4 years ago | (#33858770)

You are overly optimistic if you think Aunt Marge and Uncle Joe will have ever even seen or heard of "the little black box with the white letters" :)

Re:Browsers... (0)

Anonymous Coward | more than 4 years ago | (#33859010)

Did Windows 7 remove the command prompt out of the box? I am using 7 (Prof) and use the prompt pretty regularly, but I have tweaked 7 quite a bit to fit my liking. I ask because I may have tweaked something that enabled it as a by-product.

Re:Browsers... (1)

Pharmboy (216950) | more than 4 years ago | (#33859082)

Windows 7 and Vista support faux DOS just as XP does. Easier to just use a Cygwin bash shell most of the time, however, as the commands available are still quite limited.

Re:Browsers... (1)

FatdogHaiku (978357) | more than 4 years ago | (#33859952)

I think the XP commands [microsoft.com] still work, I don't use them all but some of them are fun.
Try:
Taskkill /im [program_image_name] /f
as a batch file to kill those programs that want to stay running in the background

Re:Browsers... (1)

JonySuede (1908576) | more than 4 years ago | (#33859216)

No, it is there by default and may I recommend you PowerShell . It is the bell shell I have used.

Re:Browsers... (1)

somersault (912633) | more than 4 years ago | (#33859276)

It is the bell shell I have used.

You should try the Bourne shell. It's the original Bell Shell!

Re:Browsers... (0)

Anonymous Coward | more than 4 years ago | (#33859408)

you made me laugh

How to chmod -R a-w in Windows Explorer (1)

tepples (727027) | more than 4 years ago | (#33859856)

chmod -R a-w is your friend.

Where is the icon for that app?

Under XP it was like this:

  1. Right-click a folder and choose Properties.
  2. Turn on the "Read-only" checkbox.
  3. Click Apply, then choose apply to all items in this folder. (Wording differs among operating system versions.)

Re:Browsers... (1)

jonescb (1888008) | more than 4 years ago | (#33858864)

Or symlink to /dev/null That what I did with Chromium's .cache folder since it gets ridiculously huge in a short period of time (i.e. 1gb in 2 weeks). I'll go after the cookie jar next.

Re:Browsers... (1)

somersault (912633) | more than 4 years ago | (#33859308)

Why not just have a script that clears it out every so often, ie once a week or whenever your reboot? Your internet connection may be fast, but using the cache where applicable is presumably still faster.

Re:Browsers... (1)

JonySuede (1908576) | more than 4 years ago | (#33859200)

what is so terrible int that standard, i did a 10 quick check and the sample I have read looked sane to me. What did you find so terrible in this spec? Take the page : http://www.w3.org/TR/2010/WD-html5-20100624/elements.html [w3.org] , where did you saw something so disgraceful that it must be called terrible ?

How, Specifically? (4, Interesting)

Doc Ruby (173196) | more than 4 years ago | (#33859544)

What features does HTML5 include that let one server access any data other than that created by that server, or by the client user through the HTML GUI sent by that server? Why should any client state be available to the server, except the same kind of client-side feature list of supported media types and browser version that we've had since HTML1.0?

Re:How, Specifically? (1)

obarthelemy (160321) | more than 4 years ago | (#33859886)

My guess would be

1- Browsers not enforcing restrictions, or bugs allowing short-circuiting them, so even if only originating sites "should" see their own databases, maybe they won't, in reality. What really happens when a page loads an ad frame which launches a Flash applet that tries some HTML 5 gimmicks ?

2- Ad servers and web sites collaborating to circumvent restrictions. I activated Opera's "only accept cookies from the site I'm visiting", I've been getting somehow flaky behavior from some sites. Will there be the same option regarding other locally-stored content, especially databases ? Will web sites be "encouraged" to provide interfaces from the local storage they created on visitors' computers to advertisers/trackers ?

3- Remote tracking. I've read on /. that it's frequently possible to identify a visitor only by combing trough easily available info (IP, OS, browser, timezone...). If trackers really try hard, a few mistakes will let them link even different PCs/OSs/Browsers to one single person.

Re:Browsers... (2, Interesting)

Anonymous Coward | more than 4 years ago | (#33858706)

It's a very similar problem to the privacy concerns over Flash about 6 or 7 years ago. When people realized you could store a lot of information separate from standard browser cache, people started taking advantage of the situation until it was patched. Similar things with HTML5, breeches will be discovered, then much later get patched after the damage is done.

Re:Browsers... (1)

somersault (912633) | more than 4 years ago | (#33859332)

breeches will be discovered, then much later get patched after the damage is done.

Heh. Best typo (or more likely, spelling mistake) ever.

Hint: try Googling breaches and breeches.

Re:Browsers... (0)

Anonymous Coward | more than 4 years ago | (#33859548)

Nonetheless, they can both be patched.

Don't cookies do the same thing? (2, Interesting)

bogaboga (793279) | more than 4 years ago | (#33858306)

Because of that process, advertisers and others could, experts say, see weeks or even months of personal data that could include a user's location, time zone, photographs, text from blogs, shopping cart contents, e-mails and a history of the Web pages visited.

Folks, I thought this isn't new at all. Don't cookies do the same thing? I have a cookie that will 'never' expire unless I delete it. What am I missing?

Re:Don't cookies do the same thing? (3, Insightful)

chemicaldave (1776600) | more than 4 years ago | (#33858368)

I think the fear is that this will contain exponentially more data than do HTTP cookies.

Re:Don't cookies do the same thing? (1)

Chrisq (894406) | more than 4 years ago | (#33858476)

Well its 5mb per origin (draft proposal ) not much more than flash or silverlight [shinedraw.com] , which are 100kb per object and 1mb per file.

Re:Don't cookies do the same thing? (1)

hedwards (940851) | more than 4 years ago | (#33858516)

Flash has already become a problem. As in those zombie cookies that Adobe didn't feel inclined to offer a way of getting rid of or deciding to decline. Being able to store things with flash is fine, as long as the end user gets to decide and is aware of it.

Re:Don't cookies do the same thing? (2, Informative)

maxume (22995) | more than 4 years ago | (#33858850)

It's not particularly obvious, but there is a fairly easy way to decline them ahead of time:

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html [macromedia.com]

That's the first result for a Google search on 'flash prefs', but that is pretty much an incantation, not something most people will think of right away. Getting rid of existing flash cookies requires visiting another page there:

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html [macromedia.com]

Re:Don't cookies do the same thing? (1)

tepples (727027) | more than 4 years ago | (#33860012)

How does one delete Flash cookies on a machine that has been taken offline for maintenance? Going to www.macromedia.com would just result in "Server not found".

Re:Don't cookies do the same thing? (1)

maxume (22995) | more than 4 years ago | (#33860228)

Why would one be worried about it if the system is not online?

Anyway, someone doing real maintenance can probably manage to track down the directories where the data is stored and delete the files manually, the criticism in GP comment was that Adobe did not provide any way to manage the cookies.

Re:Don't cookies do the same thing? (5, Insightful)

John Hasler (414242) | more than 4 years ago | (#33859080)

> Being able to store things with flash is fine...

No it isn't. Creatures such as Flash should never be able to store or read anything. They should be locked in their sandboxes with only the input the browser chooses to give them.

It's called "offline support". (1)

tepples (727027) | more than 4 years ago | (#33859896)

Creatures such as Flash should never be able to store or read anything. They should be locked in their sandboxes with only the input the browser chooses to give them.

The browser chooses to give them a sandbox within whose confines they can store or read what they want. It's called "offline support". Otherwise, web applications would stop working when the client machine disconnects from the Internet.

Re:Don't cookies do the same thing? (1)

shadowrat (1069614) | more than 4 years ago | (#33859534)

HTML5 can generate and save 5 meg of data locally, but as far as i know there isn't a limit to how many megs of resources they can cache from the server. The server could easily save tons of information in the form of images and text files or whatever you want in your local cache. I don't think it can be read by other sites though.

i also don't really understand the html5 part of this. for example, one claim is that websites will be tracking your gps location via html5. Ok. some people don't want that tracked. that's understandable. But that information comes from a smartphone. People already have a ton of apps that are capturing that information and doing who knows what with it. Those apps aren't even protected by HTML5's sandboxing and limitations. People are going bonkers to freely share that information in facebook and foursquare. It seems silly to be warning everyone how html5 will pose huge threats to online privacy when we are already in a situation worse than the foretold disaster.

Re:Don't cookies do the same thing? (1)

Hognoxious (631665) | more than 4 years ago | (#33858798)

Assuming the quantity of data is on the Y-axis, I'm literally dying to know what the X-axis represents.

X represents time (1)

tepples (727027) | more than 4 years ago | (#33859920)

Assuming the quantity of data is on the Y-axis, I'm literally dying to know what the X-axis represents.

X represents time. Storage density with respect to time has been roughly exponential, much like integrated circuit density (Moore's law).

Re:Don't cookies do the same thing? (1)

icebraining (1313345) | more than 4 years ago | (#33858824)

Why? It just needs a couple hundred bytes to insert an URL to your personal tracking record. Then it can store and retrieve how many GBs per user they want.

Offline mode in web applications (1)

tepples (727027) | more than 4 years ago | (#33859970)

It just needs a couple hundred bytes to insert an URL to your personal tracking record.

Not all portable devices have cellular data plans, especially in the United States of America. PDAs and netbooks, unlike smartphones, usually disconnect from the Internet when used by passengers in a vehicle. So a web application needs a lot more than a couple hundred bytes to save the objects that the user has chosen to download for offline use. It can use the rest of the space to collect statistics on what the user does inside the offline application.

Re:Don't cookies do the same thing? (1)

clone53421 (1310749) | more than 4 years ago | (#33859994)

A single increase from A to B is always exponential if you use the right exponent...

Re:Don't cookies do the same thing? (4, Interesting)

captainpanic (1173915) | more than 4 years ago | (#33858416)

So, the actual news is that although we get new technology, old problems still aren't fixed?

The fact that with current technology all this data is already available doesn't mean that it does not need to be fixed in the future.

Re:Don't cookies do the same thing? (3, Interesting)

icebraining (1313345) | more than 4 years ago | (#33858852)

They are, if you care. Most browsers allow you to disallow cookies, storage, etc, or clean them up periodically.

Most people don't care. No: most people want to be remembered by the sites for convenience, and they mostly definitively don't want to have to allow/disallow on a site by site basis.

The problem isn't technological, it's sociological.

Re:Don't cookies do the same thing? (1)

Tim C (15259) | more than 4 years ago | (#33858976)

Genuine question - if people honestly don't care, then is it really a problem?

Re:Don't cookies do the same thing? (3, Interesting)

captainpanic (1173915) | more than 4 years ago | (#33859018)

Genuine question - if people honestly don't care, then is it really a problem?

Is it that they don't care, or don't understand?

If people honestly don't understand the problem, then it's up to a government to protect the people, or up to the producer of a particular product to protect its customers (enforced by laws to protect the people).

Privacy is an abstract concept, which is difficult to understand for most people. Privacy for most people still means "to be able to close the curtains at night", and has nothing to do with the internet or any other digital technology.

Re:Don't cookies do the same thing? (1)

nyctopterus (717502) | more than 4 years ago | (#33859742)

I don't think this is the case. I think a lot of people do understand that the internet can be a danger to their privacy. It's not that they don't care about it, it's that they are taking a (reasonable) calculated risk. For the vast, vast majority of people the value of hassle-free surfing far outweigh the dangers. The lack of privacy on the internet has never seriously damaged them, and realistically never will (regardless of what a bunch of tinfoil hat-wearing libertarian nerds might say).

I bet a TFHWLN are gearing up right now to beat me down with OH BUT IMAGING WHAT GETTING YOUR IDENTITY THEVEREED WOULD DO!!!, but just as I don't spend money on a bullet-proof vest to protect me from accidental shootings, I suspect most people are making an okay call betting that their internet privacy just isn't that big a deal.

Re:Don't cookies do the same thing? (0)

Anonymous Coward | more than 4 years ago | (#33859072)

If people weren't aware that the Nazis were burning Jews, does that make it okay?

Re:Don't cookies do the same thing? (1)

LingNoi (1066278) | more than 4 years ago | (#33859032)

No. It's simply not a problem for most people.

Re:Don't cookies do the same thing? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#33859188)

No. It's simply not a problem for most people.

Neither is police brutality. Or Habeus Corpus. Or the bearing of arms.

The number of people affected by an action http://en.wikipedia.org/wiki/First_they_came... [wikipedia.org] has no bearing on whether the action is ethical or heinous.

Re:Don't cookies do the same thing? (3, Insightful)

AusIV (950840) | more than 4 years ago | (#33859762)

What are you talking about? And who modded this insightful?

We're not talking about a civil rights issue, we're talking about an option you can turn on or off in your browser. It's not a problem for most people, so they don't turn it off. It's there to be turned off if you like. We're not even talking about getting rid of that option, we're just discussing sane defaults.

Can you give a decent explanation of how this relates to police brutality?

Re:Don't cookies do the same thing? (0)

Anonymous Coward | more than 4 years ago | (#33859014)

Because of that process, advertisers and others could, experts say, see weeks or even months of personal data that could include a user's location, time zone, photographs, text from blogs, shopping cart contents, e-mails and a history of the Web pages visited.

Folks, I thought this isn't new at all. Don't cookies do the same thing? I have a cookie that will 'never' expire unless I delete it. What am I missing?

That, in combination with html5 local databases, you can create cookies that cannot be deleted. Ever.

Re:Don't cookies do the same thing? (1)

Barefoot Monkey (1657313) | more than 4 years ago | (#33859030)

Because of that process, advertisers and others could, experts say, see weeks or even months of personal data that could include a user's location, time zone, photographs, text from blogs, shopping cart contents, e-mails and a history of the Web pages visited.

Folks, I thought this isn't new at all. Don't cookies do the same thing? I have a cookie that will 'never' expire unless I delete it. What am I missing?

A cookie is something that is sent to the server every time you make an HTTP request. HTML5 local storage stays on the client and is accessed by client-side code (such as javascript).

Don't fear the standard, use a better browser (1)

andellmoon (868381) | more than 4 years ago | (#33858308)

The browsers should let users control their data and privacy settings. Let users disable the new features just like the users who are truly concerned shut off 3rd party cookies and JS.

Re:Don't fear the standard, use a better browser (1)

arndawg (1468629) | more than 4 years ago | (#33858646)

The problem is, by turning off cookies your internet experience is SHIT. With HTML5 the problem is probably going to get even worse.

The irony.... (2, Insightful)

tawt (1193211) | more than 4 years ago | (#33858314)

...of an article about privacy that requires you to register to read it

Re:The irony.... (0)

Anonymous Coward | more than 4 years ago | (#33858760)

Seriously, it annoys the hell out of me when I want to read an article Slashdot links to but I have to register first. Yeah yeah, it's "free of cost." But that's bullshit. It takes my time, my effort, and as the parent says my privacy. And it's only going to get worse if/when NYT puts up their paywall.

As a site that is pretty much a news aggregator, I think it's a disservice to readers for Slashdot to link to articles that require reader registration.

mshenrick (1)

mshenrick (1874438) | more than 4 years ago | (#33858332)

but surely all the browsers except idiot exploiter will have an option to block this, or at least an add on. firefox has something like this for javascript

So your Saying.. (1)

Quantus347 (1220456) | more than 4 years ago | (#33858334)

So your saying that a more powerful internet will require more powerful internet security?!? Dear god, we cant have that, it would be too much like progress. Quick, everyone smash the magic box before it steals your soul through the webcam (to support terrorists)!!!

Re:So your Saying.. (0)

Anonymous Coward | more than 4 years ago | (#33858660)

So my saying? Did you forget that your sentence structure doesn't require the use of a possessive pronoun?

Re:So your Saying.. (1)

MichaelKristopeit 16 (1916820) | more than 4 years ago | (#33858666)

your an idiot.

Re:So your Saying.. (0)

Anonymous Coward | more than 4 years ago | (#33858722)

Sow are you.

Re:So your Saying.. (0)

Anonymous Coward | more than 4 years ago | (#33858754)

your mums a sow

cabal (0, Offtopic)

snookerhog (1835110) | more than 4 years ago | (#33858342)

I for one like to think that there really is a "secret cabal" somewhere deep underground controlling the interwebs.

Re:cabal (1)

JustOK (667959) | more than 4 years ago | (#33858426)

it's not a monopoly

FUD (5, Informative)

The MAZZTer (911996) | more than 4 years ago | (#33858352)

Article reads like it was written by someone who has no idea about the time and effort taken to sandbox sites from each other. Sounds like he's talking about LocalStorage or client side DBs, which can hold more data but are no more privacy risks than a single unique ID stored in a cookie linked to an unlimited REMOTE database. Accessing web history is not a part of HTML5, more FUD there, and browser vendors are working to block JS from being able to access that information. They also seem to refer to geolocation, which in Chrome at least has to be explicitly granted to sites unless you turn it on globally.

The "supercookie" thing is perhaps the one legitimate thing mentioned but browsers should (or probably will if they don't already) clear out most of those locations (except Flash, but you can't blame the browsers for that really) when you clear your private data, which at least Firefox and Chrome can do for you.

As for "buckets to put tracking information into" why bother relying on "buckets" on the client which may or may not exist, are limited in size, may change or be emptied at any time, etc, when you can buy as many "buckets" as you want server-side and store virtually unlimited data about them?

Re:FUD (2, Insightful)

Richard_at_work (517087) | more than 4 years ago | (#33858448)

browsers should (or probably will if they don't already) clear out most of those locations (except Flash, but you can't blame the browsers for that really) when you clear your private data

This is the only part of your post that I disagree with - if a browser allows a plugin to write to a location on disk in any form, then the browser should be responsible for further access to that location, and the maintenance of that location, not the plugin. Saying its Flashes fault that these things don't get removed is simply excusing the browser from its responsibilities.

Re:FUD (4, Informative)

TheRaven64 (641858) | more than 4 years ago | (#33858730)

The browser doesn't allow the plugin to write to the disk, the OS does. Plugins are just libraries - they can do anything that any binary can do. If you are using nspluginwrapper on *NIX, you can make plugins run in a chroot and clean up after them, but file accesses do not go via the browser and 'modern' operating systems do not provide any facilities for running subprocesses that validate system calls via the parent.

Re:FUD (2, Insightful)

Richard_at_work (517087) | more than 4 years ago | (#33859256)

Bullshit. Seriously, bullshit. The browser provides the interface through which the plugin can work - just because currently plugins have near free reign on most browsers does not mean that that is acceptable.

Javascript is blocked from writing to disk, and indeed doing a lot of things in certain circumstances (IE blocks a lot of JS when the page is opened locally and not through a remote server).

So again, to say its not the browsers fault is falsely excusing it from blame - the browser can certainly lay down a strict set of rules by which the plugins can and cannot work, and that certainly includes local file access.

Microsoft got shat on for this a long time ago about ActiveX, so the other browser makers now need to get an equal shitting on for anything else that they allow access to the internet via their browser without setting up suitable security restrictions.

This is most certainly a browser issue.

Re:FUD (3, Informative)

TheRaven64 (641858) | more than 4 years ago | (#33859692)

Bullshit. Seriously, bullshit. The browser provides the interface through which the plugin can work

No it doesn't. It provides a set of interfaces that allow the plugin to interface with the browser, but as long as the plugin is native code it can issue system calls. If it can execute an interrupt instruction, it can do anything that any other application can do.

There are only two possible ways of preventing this. One is to require plugins to be compiled by the browser using a language that does not allow 'unsafe' operations. At a minimum, such a language would need to be garbage collected (otherwise dangling pointers could be used escape) and no pointer arithmetic. Good luck getting plugin writers to rewrite their entire codebase in such a language.

The other alternative is for the operating system to provide a mechanism for isolating the plugin. UNIX provides chroot(), but it requires root privileges, so you'd need a plugin launcher that was setuid root, which makes it very attractive target for exploits.

Javascript is blocked from writing to disk, and indeed doing a lot of things in certain circumstances

Entirely different. The limitations of JavaScript are inherent in the source language. There is no way for JavaScript code to issue interrupts or to make system calls. There is no way for it to call arbitrary C functions in the current address space. The browser's interpreter or compiler for JavaScript simply does not produce any code that can escape the sandbox (modulo bugs).

the browser can certainly lay down a strict set of rules by which the plugins can and cannot work, and that certainly includes local file access.

As you so eloquently put it; bullshit. The browser can make any rules that it wants, but it can't enforce them - that was my point. Unless it is intercepting any system calls that the plugin makes (most operating systems don't provide a convenient facility for doing this - you could do it via ptrace(), but the performance hit will be horrible), then it can't prevent a plugin from accessing the filesystem.

Microsoft got shat on for this a long time ago about ActiveX

Plugins are an entirely different issue. The problem with ActiveX was that it was downloading arbitrary untrusted code from the Internet and running it with normal app privileges. Plugins, in contrast, are supposed to be trusted code. Installing a plugin requires user action, just like installing an app. If you don't trust the plugin author, you can simply not run their plugin.

Re:FUD (1)

tepples (727027) | more than 4 years ago | (#33860056)

as long as the plugin is native code it can issue system calls.

But unless the plug-in is run in a process with sufficient privileges, its system calls will fail with "Permission denied".

then it can't prevent a plugin from accessing the filesystem.

What about chroot()? See OLPC Bitfrost [laptop.org] for how a sandbox of native code could be implemented.

Drop privileges before processing input (1)

tepples (727027) | more than 4 years ago | (#33860170)

UNIX provides chroot(), but it requires root privileges, so you'd need a plugin launcher that was setuid root, which makes it very attractive target for exploits.

UNIX also provides inetd, which runs setuid root to listen on well-known ports but drops privileges as soon as they're no longer needed. Likewise, a plugin container can cwd(), chroot(), and setuid() before processing any untrusted input.

Re:FUD (1)

0123456 (636235) | more than 4 years ago | (#33860070)

'modern' operating systems do not provide any facilities for running subprocesses that validate system calls via the parent.

Uh, hello? Have you never heard of Apparmor and SELinux?

I have an Apparmor wrapper for Flash which prevents it from doing pretty much anything other than playing videos. It literally cannot write flash cookies to the local disk because the kernel only allows it to write to its own config directory.

And given the insane amount of denials I see for access attempts to random files (it even tries to write to a root-owned font directory), that's a really good idea.

FUD, Yes, But Some Truth and Risk Increase (1)

eldavojohn (898314) | more than 4 years ago | (#33858458)

... when you can buy as many "buckets" as you want server-side and store virtually unlimited data about them?

Because it costs money? My fear is considering what spammers may or may not do with this local storage. I'm not opposed to local storage but I think it needs more user notification when and what is accessing it. Not requiring user intervention but knowledge about who and what is storing that data. I would prefer a browser to let me know if some no name advertiser were storing data there than, say, Slashdot or New York Times doing something to better my reading experience. I welcome it. It needs to happen. The W3C branched this to a totally separate group from the regular HTML 5 group I believe because there's a lot to iron out yet. I hope they change the way things are allowed to access it in the browser implementation yet. I hope.

People get upset when you further facilitate and make it easier for bad people to do bad things. That's how it's been for quite sometime whether the social enemy is a serial rapist or Facebook.

I suspect, as has already been noted [arstechnica.com] that this will simply facilitate more advertisers to do this because now they don't need servers or bandwidth to support your "unlimited data" buckets.

Re:FUD, Yes, But Some Truth and Risk Increase (2, Insightful)

tomhudson (43916) | more than 4 years ago | (#33858590)

say, Slashdot or New York Times doing something to better my reading experience.

You must be new here :-p

Seriously, we already have latency problems caused by multiple sites doing their crap on every page load (look at the source for any page that includes tracking and ad javascript includes). We don't need web sites sifting through 5 meg of local storage (which they'll grow to 100 meg, just like the original cookie limits specification quickly succumbed to hyperinflation) because they'll want to store it in xml.

-- Barbie

Re:Re:FUD...squared (1)

memyselfandeye (1849868) | more than 4 years ago | (#33858728)

Granted, I haven't really been only the whole HTML5 bandwagon, but why would any application want to store data on the client machine other then a session id, whether it's user information, preloaded application data, or buying habits? Last time I had anything to do with anything like this was a web based application to run some laboratory instruments where I work, and the only thing we kept on the client machine was a session cookie, which would be regenerated anytime tracking information (ip,browser info) didn't match, or after a 1/2 hour timeout. Making sure the browser didn't cache data was a friggin' nightmare if I remember correctly.

I mean, from an advertisers point of view, what's to stop a browser, either via plugin or natively, to supply random/or junk information to to the bucket. I know I'd be inclined to let facebook know that I currently reside somewhere in North Korea, drive a flying saucer to work and enjoy eating broken glass. If somebody's application relied on that information, that's their fault. By extension,I know I wouldn't enjoy my bank account, insurance account, loan account, or anything similar ever being stored on my machine.

I don't care what the encryption will be/if anything. In either scenario, it is an unsatisfactory method. How hard would it be for a malicious program to replace the data buckets for bank of stupidia with one that has a redesigned interface. If the software could replace the button that says "change address" with one that says "check statement," and respond to such a click by rapidly filling out the form and submitting the data, the user might not realize what's going until it's to late, if ever. To prevent this, the server-side checking is going to have to be grossly more sophisticated, all to save a paltry ammount of bandwidth!? I doubt the 5*10^9 MB of data is going to even be worth the cost of defending a single lawsuit.

Obviously a goofy example, but I think it makes the point. In science, we trust the user (our 5 senses) very little. In the inter-tubes, we should trust them even less!!!!

Re:FUD (0)

Anonymous Coward | more than 4 years ago | (#33858542)

I don't have so much against my bank knowing my banking details, and my sex shop knowing my toy preferences, but I would certainly be upset if any of those got hold of the other stuff. Sandboxing is supposed to help, but so far no sandbox has been 100% effective. Having the data on totally separate servers puts some extra limits on it getting accidentally shared.

Re:FUD (1)

Chrisq (894406) | more than 4 years ago | (#33858630)

The "supercookie" thing is perhaps the one legitimate thing mentioned but browsers should (or probably will if they don't already) clear out most of those locations (except Flash, but you can't blame the browsers for that really) when you clear your private data, which at least Firefox and Chrome can do for you.

Also they have nothing to do with HTML5, and can be implemented in flash-enabled browsers

Re:FUD (1)

cats-paw (34890) | more than 4 years ago | (#33858688)

It is still a warning to be vigilant. The big corps are going to be involved in setting the standard, and they are definitely going to want these tracking mechanisms.

Re:FUD (0)

Anonymous Coward | more than 4 years ago | (#33859280)

Reply reads like it was written by someone who has no idea about the time and effort Macromedia took with the Flash player to provide a working model for sites to sandbox sites from each other that browsers are now copying since Macromedia didn't slap evil patents around any of it. Sounds like he's implying Local Storage in Flash can't be cleared. Flash can hold more data but are no more privacy risks than a single unique ID stored in a browser cookie linked to an unlimited REMOTE database. Accessing web history is not a part FLASH, and Adobe and browser plugin creators have already given users a number of tools for controlling Flash from Flash's context menu as well as from browser plugins. Also Flash doesn't know where you are, unless the JavaScript is used to find it.

Flash already allows for site based granular size and access limits in it's control panel plus an easy way to delete it all. Browsers don't have this yet, but you can't blame Flash for that really.

Then he starts yammering about buckets, but I didn't care.

Sandboxes. Now. (2, Interesting)

TubeSteak (669689) | more than 4 years ago | (#33858364)

Browsers should no longer be allowed to frisk about in the general operating system,
scattering data willy nilly throughout your computer into wildly obscure folders.

I propose robust sandboxes.
You want to delete all the tracking information? Delete the sandbox.
Honest websites won't be spending their efforts to break out of the box and
malicious websites were going to pwn you anyways, so does it matter if they do?

I'm not proposing sandboxes as a security measure, merely a way to keep all the cruft from your browser & plugins locked down in one (easily deletable) place.

Hah. You forgot... (0)

Anonymous Coward | more than 4 years ago | (#33858418)

...that many want the browser to be the operating system.

With Javascript the preferred systems programming language

I've got my set of barf bags ready...

Re:Sandboxes. Now. (0)

Anonymous Coward | more than 4 years ago | (#33858772)

No need to wait for your OS or some other party or the web browsers to try to impliment such a sandbox. It's available now. I'd recommend you look into Mandatory Access Control, particularly if you are a Linux user. It will allow you to whitelist the exact activities your browser (or any other program) is allowed to do, blocking everything else.

If Linux's SELinux seems to complicated (which, IMO, it is) there's SMACK, AppArmor and my favorite - Tomoyo. They all get the job done fine. I know MacOSX and FreeBSD have something comaprable, although I have no experience with it. No idea what to do if you're a Windows person.

On my system, Firefox can only create/delete/write/symlink/etc files within ~/.mozilla, and flash can only craete/delete/symlink/etc files in ~/.adobe. If I remove those two directories, tracking information et al are all gone.

While you're at it, you may as well ensure your PDF reader can only read files that end in .pdf, and can't write to anything on the harddrive at all or access the network at all. Etc, etc, etc.

whalesong (0)

Anonymous Coward | more than 4 years ago | (#33858396)

its a shame but HTML5 has turned out to be a PR stunt, more marketing than IT.

it's pretty clear now that it isn't going to take off for the web - so no need to get concerned about issues of this kind - lets face it.

if you buy an ipad then you're hardly going to care about privacy -just enjoy your great new iAds - "aren't they neat!"

Someone doesn't understand open standards (1)

BitZtream (692029) | more than 4 years ago | (#33858398)

The fact that HTML is open to all means anyone can implement it in their 'browser' ... and they can allow the user to control the browser stores and feeds back to others on the Internet.

Where as if we were talking about something propreitary like say Flash, you run the risk of having very little options over controlling it since there is only one implementation (one useful one anyway) and they aren't going to add any useful features for privacy anytime soon since thats a big reason to use flash on certain sites in the first place (Yes, I know the new versions are better about flash cookie control, just making a point)

Yes, HTML5 has some features that make it easier for you to be tracked, but leaving your front door not only unlocked but also wide open with a sign that says 'I'm out of town for the next 2 weeks' is about the same thing. Their are provisions in place to protect that user.

Didn't the '90s teach us? (4, Insightful)

Darkness404 (1287218) | more than 4 years ago | (#33858514)

Didn't the 90s (And early 2000s) teach us anything? If HTML isn't implemented in essentially the same way across all browsers the Internet will stagnant again and we will turn to cross-platform plugins like Flash to actually get stuff done.

Re:Didn't the '90s teach us? (2, Insightful)

John Hasler (414242) | more than 4 years ago | (#33859206)

> ...we will turn to cross-platform plugins like Flash to actually get stuff done.

"Stuff" that doesn't need doing.

Re:Someone doesn't understand open standards (1)

tomhudson (43916) | more than 4 years ago | (#33858638)

Adobe opened the flash format years ago, same as they did with pdf, AND supplies tools for 3rd parties to develop competing flash implementations.

Flash, flex, SDKs, etc, they're all open-sourced courtesy of Adobe [adobe.com] .

Re:Someone doesn't understand open standards (0)

Anonymous Coward | more than 4 years ago | (#33859130)

Calling adobe flash open source is laughable

This is fear-mongering (2, Interesting)

jjb3rd (1138577) | more than 4 years ago | (#33858404)

This neo-luddite fear-mongering must end!!! Properly secured browsers negate these "new" threats. The only "problem" as I see it, is the likely-hood that in browser manufacturers (Apple, Google, Microsoft, Firefox, Opera, etc.) rush to get these new capabilities, they'll put security on the back burner and we'll have a few years of this nonsense. This is no reason to not implement compelling features. It just raises the stakes for people to do it right. Having spent some time developing some HTML5, I for one, am looking forward to the new goodness.

of 1.2 billion starving kids, 100% are ignored (0)

Anonymous Coward | more than 4 years ago | (#33858586)

while all of US are feasting on.... ?turds??

"Sunday is10/10/10. The government and other professional liars have had something to say about the date. Everything the government and media say are lies, or the groundwork for lies to come. All of it is especially, sculpted soft stool from the Dairy Queen machinery of a banker’s ass. You’re expected to eat and enjoy it, without knowing the composition or the source. The complexity of their intentions can be summed up quite simply. They want to take you to the point where you don’t know what the ice cream is made of, or where it came from, to the point where you line up with your cones in hand and wait in a rapt, religious hunger to obtain it from the source. Your eyes should gleam with gratitude as you walk away, knowing that you have seen one of the key mysterious out workings of God. You are free to speak in tongues as soon as your tongue is freed up for the opportunity. Fecallalia is the new glossolalia and you are now tanked up with shit for your own part in the performance. Please be creative with your lies. You’re playing musical chairs in front of a crematorium.

You are not dead. You are dreaming but the dream grows dark, when you are surviving on a dead man’s shit.

Humanity has many enemies. It has as many enemies as there is room in the mind to contain them. The most enduring and powerful of these enemies is the most invisible when it is most obviously before your eyes; appearing as something else. There is only one enemy and that is your mind. It is also your best friend, depending on who is in charge of it. Your life is either a virtual cathedral or a toilet designed as the object of desire. Gold plated shit-nacks are the bronzed baby shoes of your dreams that died in the cradle. It doesn’t really matter if you’re Chuck Berry lying face up under a glass table or lining up behind a banker’s ass. It’s still you. it’s still shit. The first place it happens is in your mind. A lot more people would understand the allegory of the temptation in the Garden of Eden and the resulting civilization if they studied all of the meanings of transposition or, maybe not. Maybe you need to know what the apple is. Maybe you need to understand the dynamics of the cosmic attractive force. Maybe the best way to understand how the mind works is to empty it first. Anyone who can empty their mind and relentlessly keep it empty for a period of time will get a first hand education on how the mind works and all of the implications as well."

Fear! (1)

kikito (971480) | more than 4 years ago | (#33858594)

Horror! Panic! Aaaaaah!

HTML5 -- a new "language", standard or what? (2, Insightful)

swb (14022) | more than 4 years ago | (#33858618)

HTML5 -- is it a new language? Is it a set of extensions to HTML, Javascript, or is it more of a concept/phenomenon, like "Web 2.0"?

I read it as an extension of the HTML standard, but quite often its treated as a "new language" as opposed to an extension, upgrade, etc. I wonder if that's half the problem -- I think generally speaking, people are a little weary of many new things, technology wise, and failure to cast this as more of an upgrade than a wholly new entity (even if the new features make it so) probably has a lot to do with some of the scaremongering associated with it.

Re:HTML5 -- a new "language", standard or what? (1)

dzfoo (772245) | more than 4 years ago | (#33860068)

There are two HTML5, if you will. First, there's the 5th revision to the Hyper-Text Mark-up Language, which includes extended mark-up for semantic organization of HTML documents, among other things. Second, there's HTML 5, the concept/phenomenon. The latter, just like the "Web 2.0" is a catch-all phrase encompassing various new features, technologies, and concepts used on modern web applications.

Just like "Web 2.0" meant AJAX, CSS 2, pastel colors, and round corners; "HTML 5" means a heavy reliance on JavaScript and CSS 3 to support rich multimedia clients, more AJAX, and rounder corners.

        -dZ.

More paranoia from the World Privacy Foundation (1)

grapeape (137008) | more than 4 years ago | (#33858648)

As much as I appreciate their intended purpose...they should really get a talking head that has a clue about technology. Their previous fear mongering topics have been rfid, cloud computing, social networking, etc. The one thing their "warnings" have in common is that all seem to have been put together by someone with a complete lack of understanding of how things already work.

HTML 5 will certainly allow for more flexibility for developers but will also allow browser vendors to provide better security simply due to a large portion of 3rd party addons becoming unnecessary. Its much easier to keep track of one standard over a bunch of what ifs.

the issue seems to hinge on one concept: (3, Interesting)

circletimessquare (444983) | more than 4 years ago | (#33858668)

i don't have a problem with a website seeing everything i do on that website. i have a problem with a website seeing what i do on other websites

let foo.com have evercookies on my computer about everything i do... at foo.com. not a problem. but i don't ever want foo.com too see what i do at fubar.com, and visa versa

of course, foo.com can sell my info to fubar.com through different channels, but that's a problem that predates the internet, and has nothing to do with browser privacy. and i know if doubleclick has their ads on foo.com, they can infer certain things about my activities at foo.com... actually, now that i think about it, that's a fatal hole in any browser privacy: if a webpage is serving content from another website, such as with advertising networks, we're pretty much doomed no matter what the markup language, aren't we?

to really have browser privacy, you'd have to destroy the entire possibility of webpages serving content from other domains. how the heck do you enforce that? a rule like "when loading content from foo.com, everything on this page must come from foo.com"? is that a viable concept? no more google analytics, no more iframes... i don't know, we're just doomed

but... even if you had that rule, foo.com could just agree with double click to proxy their ads, running them through their servers, so everything is coming from one domain, even though it really isn't. then they can simply see how one particular ip address walks across the web where they have similar agreements with other sites. no escape. you'd have to spoof your ip with every request, which breaks all sorts of functionality on most websites. maybe you could have a new ip for every tab, every session... what a nightmare

basically, the concept of privacy on the internet is void. if you type it on the web, it is known, end of discussion. crap

Re:the issue seems to hinge on one concept: (1)

John Hasler (414242) | more than 4 years ago | (#33859522)

...if a webpage is serving content from another website, such as with advertising networks, we're pretty much doomed no matter what the markup language, aren't we?

Only if you accept that "content".

basically, the concept of privacy on the internet is void.

People have always been able to see you when you walk down the street. I guess privacy has always been dead.

fud, fud, fud your boat gently down the fud (1)

bl8n8r (649187) | more than 4 years ago | (#33858716)

The last thing corporate interest wants is a video format which is open and available to everyone. Expect the barrage of crap over HTML5 to continue. The article says nothing about the details of what's so "bad" about HTML5. The best they could come up with is:

"which large amounts of data can be collected and stored on the user's hard drive while online. Because of that process, advertisers and others could, experts say, see weeks or even months of personal data. That could include a user's location, time zone, photographs, text from blogs, shopping cart contents, e-mails and a history of the Web pages visited."

How is this any different than the current 150MB of cache sitting on everyone's comp? The best source they could come up with was an out-of-context quote from someone at the World Privacy Forum and some freelance programmer from New York?? Sorry, but the security issues with HTML5 are going to be in the implementation layer -- just like Flash, Silverlight, or Active-X. With security, it's rarely the technology which is at fault, it's the way the technology is used in the codebase.

Re:fud, fud, fud your boat gently down the fud (1)

cheesybagel (670288) | more than 4 years ago | (#33859064)

It's the usual journalist sensationalist. Like the LHC is going to generate a black hole that will destroy our universe.

AdBlock! (5, Informative)

Meneth (872868) | more than 4 years ago | (#33858778)

My favourite filter:

*$third-party

Blocks all kinds of crap. Speeds up browsing, too. Even on Slashdot it blocks Google Analytics and something from demandbase.com.

Of course, you'll need lots of exception rules, but if you want to be aware of where your browser goes to get its files, it's well worth it.

Re:AdBlock! (0)

Anonymous Coward | more than 4 years ago | (#33859344)

I strongly suggest you look at the addon called RequestPolicy. It does basically that with a better interface and lets you control all redirects too. Many might not be aware that 3rd party requests can be chained - it becomes immediately evident when using RequestPolicy because you need to permit each additional n-th layer of third party requests. Adblock is great and essential, but as always use the best tool for the task at hand.

Oh for Christsakes. (1)

BlueKitties (1541613) | more than 4 years ago | (#33858842)

for technology in new_technologies:
print "Privacy experts [see:someguy] are concerned %s doesn't protect user privacy."%technology

Evercookie? (0, Offtopic)

watermark (913726) | more than 4 years ago | (#33859360)

This reminded me of a piece of software called evercookie, it uses like 10 different ways to keep cookies persistent in a user session, HTML5 items being one of them. I would post the link, but it seems that Slashdot doesn't support copy and paste in Chrome 6.

Yeah Right.. (1)

crf00 (1048098) | more than 4 years ago | (#33859406)

So will IPv6, Semantic Web, Social Web, Facial Recognition, and any P2P protocols coming in future seriously invade our privacy. Neither did HTTP, IPv4, and SMTP cared about privacy.

Get over of the privacy FUD and face the reality: We the programmers who design the architecture of the Internet don't care about privacy. Tell me brilliant slashdotters, if you have the manpower and time, how would you redesign IPv6, Semantic Web, or any other protocols from the ground up to protect users' privacy, and whether you would or should care about privacy protection within the protocols?

The age of privacy is over, the Internet is all about publicy [youtube.com] . I might get troll for saying this, but privacy is more like copyright protection and censorship rather than freedom and openness. For those of you who are still open minded towards the discussion on privacy and publicy, please do visit Jeff Jarvis' blog [buzzmachine.com] and reconsider whether you'd like to join the publicy camp instead.

Scene from an old movie (0)

Anonymous Coward | more than 4 years ago | (#33859410)

Runners better start running, now..

Turning on privacy breaks the web (3, Interesting)

Animats (122034) | more than 4 years ago | (#33860018)

More and more sites just don't work if you enable strong privacy controls. Some of this seems to be deliberate, and it's getting worse.

  • If you don't let YouTube store Flash data, the "Press ESC to exit full screen mode" message will not disappear.
  • If you block third party cookies, CBS TV video won't play.
  • If you block most cookies, many video sites will play the same ad over and over.
  • "511.org", a Government-run site for traffic information, goes into an infinite reload loop if you block Google Analytics.

Cabal, no, oligarchy yes (0)

Anonymous Coward | more than 4 years ago | (#33860102)

HTML5 cloaks itself in the guise of open development but in reality all the work is done by the few companies that are browser vendors and they just are writing down whatever they want anyway.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?