The Real Deal

Persistent cookies are nothing new. Essentially the strategy works like this: Store data everywhere you can on the users footprint, and if data it deleted in a few locations, you copy it back from another location the next time you can. It’s regenerative by design. A popular example is evercookie which uses:

• Standard HTTP Cookies
• Local Shared Objects (Flash Cookies)
• Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
• Storing cookies in and reading out Web History
• Storing cookies in HTTP ETags
• Internet Explorer userData storage
• HTML5 Session Storage
• HTML5 Local Storage
• HTML5 Global Storage
• HTML5 Database Storage via SQLite

Note that several of these aren’t HTML5 specific. More than one of which isn’t cleared by just “erasing cookies”.

HTML5 does add a few new possibilities, but they are also by design as easy to control, monitor and restrict as your browser (or third-party add-on) will allow. HTML5 storage mechanisms are bound to the host that created them making them easy to search/sift/manage as HTTP cookies. Much worse are some of the more obscure cookie methods (Flash Cookies, various history hacks). They don’t really provide any more of a privacy risk than what the browser already has been offering for the past decade.

To Shut Up The Geolocaiton Conspiracy Theorists

Before someone even attempts the “Geolocation API lets advertisers know my location” myth, lets get this out of the way. The specification explicitly states:

User agents must not send location information to Web sites without the express permission of the user. User agents must acquire permission through a user interface, unless they have prearranged trust relationships with users, as described below. The user interface must include the URI of the document origin [DOCUMENTORIGIN]. Those permissions that are acquired through the user interface and that are preserved beyond the current browsing session (i.e. beyond the time when the browsing context [BROWSINGCONTEXT] is navigated to another URL) must be revocable and user agents must respect revoked permissions.

Some user agents will have prearranged trust relationships that do not require such user interfaces. For example, while a Web browser will present a user interface when a Web site performs a geolocation request, a VOIP telephone may not present any user interface when using location information to perform an E911 function.

To my knowledge no user agent implements Geolocation without complying with these specifications. None.

No HTML5 Needed For Fingerprinting

Even if you do manage to wipe all the above storage locations, you’re still not untraceable. Browser fingerprinting is the idea that just your system configuration makes you unique enough to be traceable. This includes things like your browser version, platform, flash version, and various other bits of data plugins may additionally leak. The EFF recently did a rather impressive study to learn about the accuracy of this technique. Computers with Flash and Java installed sport 18.8 bits of entropy and result in 94.2% of browsers being unique in the EFF study [cite, pdf]. Of course their data was likely skewing towards more experienced web users who are more likely to have an assortment of customizations to their computer (specific plugins, more variety in web browsers, operating systems, fonts) than the average internet user. I’d wager that their data downplays the effectiveness of this technique.

The idea that HTML5 is a privacy risk is FUD. It doesn’t provide any worse security than anything else already out there. It’s actually easier to counteract than what’s already being used since it’s handled by the browser.

The Future

I still believe all browsers out there can do a much better job of protecting privacy when it comes to local data storage for the purpose of tracking. What I believe what needs to happen is web browsers need to start moving away from the “cookie manager” interfaces that are now a decade+ old and move towards a “my data management” interface that lets users view and delete more than just cookies. It needs to encompass all the storage methods listed above as supported by the browser. Hooks should also exist so that plug-ins that have data storage (like Flash) can also be dealt with using the same UI.

Additionally it needs to be possible to control retention policies per website. For example I should be able to let Google storage persist indefinitely, Facebook for 2 weeks, and Yahoo for the length of my browser session should I wish.

My personal preference would be for a website to denote the longest storage time for any object on a webpage in the UI. Clicking on it would give a breakdown of all hostnames that makeup the page, what they are storing and let the user select their own policy. With 2 clicks I could then control my privacy on a granular level. For example visiting SafePasswd.com would give me a [6] in the UI. Clicking would show me a panel this:

+------------------------------------------------------------------------------+
| My Data Settings for SafePasswd.com:                                         |
|                                                                              |
|  Host                        Longest Requested Lifespan    Your Choice       |
|                                                                              |
| *safepasswd.com              2 years                       [site default]    |
| googleads.g.doubleclick.net  6 years                       [browser session] |
|                                                                              |
|                                                                              |
|                                                       (Done)  (Cancel)       |
+------------------------------------------------------------------------------+

I could then override googleads.g.doubleclick.net to be for the browser session via the drop down if that’s what I wanted. I could optionally forbid it from saving anything if that’s what I wanted. I could optionally click-through for more detail or view the data to help me make my decision. Perhaps this would also be a good place for P3P like data to be available. One of the notable failures of P3P that impeded usage was it was never easy to view so it never caught on.

The browser would then remember I forbid googleads.g.doubleclick.net from storing data beyond my browser session. This would apply to googleads.g.doubleclick.net regardless of what website it was used on.

This model works better than the “click to confirm cookie” model that only a handful of people on earth ever had the patience for. It provides easy access to control and view information with minimal click-throughs.

It also makes a web page much more transparent to an end-user who could then easily see who they are interacting with when they visit one webpage with several ads, widgets, social media integration points etc.

One click to view data policies, two clicks to customize, three to save.

HTML5 is not a risk here. The web moving to HTML5 is like going from the lawless land to a civilized society where structure and order rule.

I just noticed that the Acid2 test is today’s featured article on Wikipedia. It is a well done article that even shows a timeline of when browsers became compliant and screenshots of various browsers status. The Acid3 article is also rather good.

IE8 is the last version of the Internet Explorer Web browser. At least, that’s what I’m hearing through the grapevine. It seems that Microsoft is preparing to throw in the towel on its Internet Explorer engine once and for all.

There were rumors earlier this year that the IE team was looking at WebKit a few months ago. I said then and I still think that’s a real perilous approach considering the legacy they need to somehow support. The other approach is to start over, something that’s possibly on the works.

Any truth to these claims? I don’t know. Though I’d be curious to see how Microsoft handles it’s customers who expect old applications to keep working and others who want Microsoft to catch up with progress. I doubt they can go either way 100%. Which way will they lean? I think that’s anyone’s guess.

1. Use SSL When Available – Many sites offer SSL interfaces to make them more secure. Sometimes it’s used by default, sometimes it’s not. You can often test yourself by just changing the http:// in the url to https:. For example, you can do this for virtually all Google services including, Google Docs, Gmail, Google Calendar, etc. For Gmail there’s even an option to force SSL. If you still haven’t enabled this, do so now. Many non-Google products offer this too, for example Meebo.
2. Be Cautious Of Open Networks – Just because you see a WiFi hotspot doesn’t mean it’s safe. It’s trivial for someone to sit in a coffee shop with a laptop and pretend to be free internet access. Once someone connects they can essentially snoop on all that persons traffic. Connect only to networks you know and only use services over a VPN or HTTPS so that your traffic isn’t in plain text. To be extra cautious limit the amount of high risk activities you do on these networks (do your banking from home).
3. Don’t Connect To The Internet Directly – Even if you have only one computer, it’s still advisable to have an access point between you and your internet connection. Virtually all access points today provide decent firewall protection that will shield you from any of the horrors that exist on the internet. Any NAT device will provide a degree of protection (though NAT isn’t a firewall replacement). Access points can often be found for under $50 making this a very sound investment. Yes there are software firewalls, but they have downsides. The minimum is a hardware device between your computer and your broadband modem
4. Use Encryption For Your Home WiFi – If you have a home wireless network, make sure you have encryption enabled and use it. Ideally you should be using WPA2/AES since it’s the most secure at this point, though anything is better than nothing. While sites you browse over HTTPS are encrypted, you still want the entire tunnel encrypted. This does hurt performance slightly but most modern hardware (even the cheap stuff) is more than capable of handling this. Odds are you run an 802.11g network and your wireless is way faster than your broadband anyway. If you don’t have this enabled or don’t know how, check the manual, the manufacturer’s website or call tech support for help. You should be doing this.
5. Don’t Trust IM or Email For Confidential Information – IM and Email aren’t very secure mechanisms for sending information. They should never be trusted for things like sending credit cards, social security numbers, medical information, etc. If you ever see a merchant using IM to process a credit card (so they only need 1 terminal rather than one per location), pay cash or walk away. Sadly it happens. It’s perfectly fine for chatting with your friends, but not good for secure information. It’s possible to encrypt email with PGP or GPG, and IM’s with OTR or an encryption certificate but they require both parties to utilize them and are somewhat technical in nature and therefore few actually use them.
6. Only Download From Trusted Sources – Download only from trusted places. Download software only from the developer’s website, not just any place that has it. Look for software at places like Tucows, FileForum, download.com (operated by my employer) and other well trusted download locations. There’s a lot of hoax sites out there trying to distribute malware (malicious software). Also be suspicious of anyone offering commercial software for free.
7. Keep your AntiVirus Up To Date – Just installing AntiVirus software isn’t enough. The program is useless unless you keep the virus definitions (the files which tell the software what is a virus and what isn’t) up to date. All modern AntiVirus software does this automatically for the duration of the subscription. When your subscription expires either upgrade to a new version or renew the subscription. There are enough free AntiVirus solutions out there for Windows to make it inexcusable to not have protection. For paid AntiVirus, Norton AntiVirus 2009 is pretty good (I use it and reviewed it myself). So is Kaspersky. Avast and AVG would be my personal recommendations for free.
8. Use AntiSpyware – AntiVirus products go a long way, but you’re much better off if you use an AntiSpyware product as well. Many of them are free downloads, just make sure you get them from reputable places. I’d recommend Spybot S&D, AdAware and Windows Defender. Make sure to run the updater within the product at least once a week, and scan on occasion (weekly, biweekly, whatever). Mac users don’t really need to do anything here as Spyware isn’t much of an issue thus far.
9. Be Aware Of Phishing – Never open links in email unless you’re sure of its origin. If your bank wants you to login and do something, visit the banks website by going to the site yourself rather than clicking on a suspicious link. No business will ask you to verify your password. Microsoft has some more tips.
10. Use A Secure Browser – Firefox 3, IE 7+, Safari 3.2 all offer Phishing protection. This isn’t perfect (nothing really is), but it can greatly reduce your chances of being a victim of a phishing attack. Enough browsers support protection that you shouldn’t be browsing without it. Firefox 3 also includes malware protection. I have a Firefox bias though that doesn’t mean you can ignore this. Use a modern browser with phishing protection.
11. Secure Your Computer – If you have a laptop you should have a password when logging in. If you don’t, correct this. It’s easy to do on Windows or Mac OS X. This will at least stop dumb thieves, which are fairly numerous. Even if your laptop never leaves your home this is still a good idea. It’s not impossible for the cable guy, phone guy, refrigerator repair man, etc. to try and steal something like a laptop. This is such a small step that can save you some trouble later on.
12. Secure Your Cell Phone – It’s not going overboard to secure your cell phone. If you’re like a growing number of people, your cell phone is a much more complicated device than it was just a few years ago. It can contain a lot of data including phone numbers, your calendar, photos, browsing history, email, even financial data. Just this week someone sued because they lost their cell phone, which happened to contain nude pictures that they claim were leaked online. Most phones include the ability to add some form of a password or passcode. The iPhone even has an option to wipe data after a certain number of unsuccessful attempts. Securing this compact hard drive isn’t a bad idea.
13. Don’t Put Things Online You May Regret – People who do this admittedly deserve what they get. Posting information regarding your personal lows may work out to your advantage in the future. Already 1 in 10 college admissions officers check social networking profiles according to Kaplan. When I graduated college in 2006 I could tell who actually looked at my job application by looking at the log files for this blog. All but one or two potential employers went to Google to screen me. In more than one case I actually used tail -f and watched them (live!) browsing this blog from their corporate network while they screened me over the phone. Only one actually brought it up in an interview (and he said he was impressed by depth of my technical posts). That was way back in 2006. Employers and colleges are much more savvy now. I get emails from headhunters constantly because of this blog. Because of this I know it’s not scaremongering. People out there really do use the Internet to screen strangers. This is standard practice, especially if you’re under 30 (and more likely to have some digital trace online) or if you apply for a tech/internet job.
14. Backup – Backing up is important. Get an external hard drive and backup all data you care about on a routine basis. I’d suggest at least once a week. I’d also suggest having some sort of off-site backup for things you wouldn’t want to loose in the event of a fire or natural disaster (email, financial records, etc.). You could use online services like Amazon’s S3, though make sure to use encryption, or the offline method of saving them to a disk and putting that disk either at a parents home, safe deposit box, etc. Just make sure that disk is either encrypted or in a secure location where it won’t fall into the wrong hands. A fireproof safe is another way to go though you’ll want to make sure you use a UL Class 125 safe rated for at least 1hr. They can withstand fire and keep the internal climate at no more than 125°F and 80% humidity, suitable for magnetic media. If it’s not UL tested make sure it’s suitable for the media you are trying to store for at least 1hr, preferably more.

This of course raises an interesting question. How do tabs influence this metric? Take the following situation as an example. A user visits a home page, and opens a link in a new tab. Then finds another link and opens it in a new [background] tab. That’s 3 tabs in 1 visit (assume visit to be 30 minutes).

Before tabs, most browser sessions would look like this:

There’s now an increasing number that will look like this (gray is a tab not in view):

If we assume total time on the site is time between the first and last page, we potentially undercount the total time on sites that list information (for example Digg). The total time to make those clicks could be < 10 seconds, but the time spent reading those two page alone might be > 10 minutes. Many tab power-users from what I’ve read around the web over the years essentially use them as a way to bookmark their “to read” list (including myself). It also undercounts sites like Gmail which are ajax based (1 page) but can be used for several minutes.

If we use javascript to “ping” (call back by placing a tracker gif) the analytics service every x seconds to see if the page is still open, we potentially double count since a user can’t be in 3 tabs at once. The clock would be counting 3 seconds for every 1 second the user is actually looking at the page.

This raises the question: are sites that are heavily used by Firefox, Safari, Opera and IE7 site underestimated or overestimated because of the way users browse the site? How do you accurately tell how long a view is when a user can have multiple tabs?

Another example is someone who keeps their webmail open in a tab all afternoon for easy access. They may only check it 1x measuring no more than 1 minute in actual attention. But it’s open for 5 hrs. What is the real time on the page? You can measure my interaction (opening/closing mail). But what if I’m reading an email for an hour (it’s a really complicated one)? How does that compare to just leaving it open in the background?

This is really no different than using new windows, the difference being that most people seem to have found windows to be annoyance, while tabs are a “feature”. The increase in usage and popularity in a time where visit length matters raises an interesting question. How do you measure it?

One assumption is that it’s just a small percentage of the population, which is likely true. The problem with this assumption is that it’s one subject to change as the browserscape matures and users learn about new features. Another assumption is to just account for all time a page is open, even if it’s not visible. The downside I see here is that it’s pretty inaccurate. As a content producer I’d like to know if my content is used, or just loaded on a users computer. If I were an advertiser I’d care even more.

I’m not sure how analytics firms approach this. In a sense it’s similar to the “hotel problem“. Perhaps just something you need to decide upon and live with.

Their scheme essentially works by coloring the URL bar based on how suspicious the website is. Known scammers get red, suspected get yellow, and a potential good site would be green. This is obviously modeled after a traffic light.

What I dislike is how that can be confusing to the end user. Right now, the colored URL bar technique is used by Firefox and Opera to distinguish a secure website (since it’s more obvious than the little lock). Take a look at the little demo I have here:

Good Site Opera 9

Good Site Firefox 1.5

Bad Site Internet Explorer 7

Screenshot from IE Blog.

For an end user, who doesn’t follow browser changes, and perhaps first encounters IE 7 at work, or in a public terminal. Seeing the yellow bar is familiar. We know that as being safe. I think many wouldn’t even notice the “Suspicious Website” text on the right side. The shield even looks a bit like the Lock icon in Firefox. Very confusing.

My suggestion is to use another color, in particular, one that I call “orange”. I release the color “orange” under a Public Domain License. Anyone may use it, however they may wish, no need to credit me (though I’d appreciate it).

Bad Site Internet Explorer 7 + My Solution

This would distinguish the site as a possible fraudulent website, but still avoid using Yellow, which many users now view as “secure” aka “safe”. This solution solves the problem of conflicting UI design between browsers.

First downloads were the big risk. Then email became the big target. Now it’s the browser. What next?