Tuesday, November 2, 2010

Web Upgrade HTML 5 May Weaken Privacy

... Samy Kamkar, a California programmer best known in some circles for creating a virus called the “Samy Worm,” which took down MySpace.com in 2005, has created a cookie that is not easily deleted, even by experts — something he calls an Evercookie.

Some observers call it a “supercookie” because it stores information in at least 10 places on a computer, far more than usually found. It combines traditional tracking tools with new features that come with the new Web language.

In creating the cookie, Mr. Kamkar has drawn comments from bloggers across the Internet whose descriptions of it range from “extremely persistent” to “horrific.”

Mr. Kamkar, however, said he did not create it to violate anyone’s privacy. He said he was curious about how advertisers tracked him on the Internet. After cataloging what he found on his computer, he made the Evercookie to demonstrate just how thoroughly people’s computers could be infiltrated by the latest Internet technology. ...

Mr. Kamkar, whose 2005 virus circumvented browser safeguards and added more than a million “friends” to his MySpace page in less than 20 hours, said he had no plans to profit from the Evercookie and did not intend to sell it to advertisers.

“That wouldn’t have been difficult,” he said. Instead, he has made the code open to anyone who wants to examine it and says the cookie should be used “as a litmus test for preventing tracking.”

A recent spate of class-action lawsuits have accused large media companies like the Fox Entertainment Group and NBC Universal, and technology companies like Clearspring Technologies and Quantcast, of violating users’ privacy by tracking their online activities even after they took steps to prevent that. ...

via Web Upgrade HTML 5 May Weaken Privacy - NYTimes.com.

Details:
if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.

Specifically, when creating a new cookie, it uses the following storage mechanisms when available:
- Standard HTTP Cookies
- Local Shared Objects (Flash Cookies)
- Silverlight Isolated Storage
- Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
- Storing cookies in Web History
- Storing cookies in HTTP ETags
- Storing cookies in Web cache
- window.name caching
- Internet Explorer userData storage
- HTML5 Session Storage
- HTML5 Local Storage
- HTML5 Global Storage
- HTML5 Database Storage via SQLite ...


... using Private Browsing in Safari will stop ALL evercookie methods after a browser restart.
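
An added example (not from the article or the evercookie project): a small JavaScript audit that flags any value held in several of the storage mechanisms listed above, which is the redundancy that lets a deleted cookie be recreated. The snapshot object, the function names and the sample values are assumptions constructed for illustration, and it covers only the script-readable stores (HTTP cookies, HTML5 Local and Session Storage, window.name).

```javascript
// Added example: find one value stored redundantly across browser storage.
// In a browser the snapshot would be built from document.cookie,
// Object.entries(localStorage), Object.entries(sessionStorage) and window.name.

// Split a document.cookie-style string into [name, rawValue] pairs.
function parseCookieString(cookieString) {
  return cookieString.split(';').map((p) => p.trim()).filter((p) => p.includes('='))
    .map((p) => {
      const i = p.indexOf('=');
      return [p.slice(0, i), p.slice(i + 1)];
    });
}

// Return values present in at least `minStores` distinct mechanisms.
// Short values ("1", "dark") are skipped to avoid incidental collisions.
function findRedundantValues(snapshot, minStores = 2, minLength = 6) {
  const stores = {
    cookie: parseCookieString(snapshot.cookie || ''),
    localStorage: Object.entries(snapshot.localStorage || {}),
    sessionStorage: Object.entries(snapshot.sessionStorage || {}),
  };
  const seen = new Map(); // value -> Set of store names holding it
  for (const [store, pairs] of Object.entries(stores)) {
    for (const [, value] of pairs) {
      if (typeof value !== 'string' || value.length < minLength) continue;
      if (!seen.has(value)) seen.set(value, new Set());
      seen.get(value).add(store);
    }
  }
  // window.name is a single free-form string, so test it by substring.
  const windowName = snapshot.windowName || '';
  for (const [value, where] of seen) {
    if (windowName.includes(value)) where.add('window.name');
  }
  return [...seen]
    .filter(([, where]) => where.size >= minStores)
    .map(([value, where]) => ({ value, stores: [...where].sort() }));
}

// Constructed sample: the same identifier sits in four places.
const sampleSnapshot = {
  cookie: 'uid=a1b2c3d4e5; theme=dark',
  localStorage: { uid: 'a1b2c3d4e5', lastVisit: '2010-11-02' },
  sessionStorage: { uid: 'a1b2c3d4e5' },
  windowName: 'a1b2c3d4e5',
};
console.log(findRedundantValues(sampleSnapshot));
```

Running the audit again after deleting only the HTTP cookie still reports the identifier in the remaining stores, which shows what has to be cleared together.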
