W3C home > Mailing lists > Public > www-html@w3.org > December 1999

security problem in emailing HTML

From: Larry Masinter <lmm@acm.org>
Date: Sat, 4 Dec 1999 14:33:01 -0500 (EST)
To: <www-html@w3.org>, <html-editors@w3.org>
Cc: "Dan Connolly" <connolly@w3.org>, "Keith Moore" <moore@cs.utk.edu>
I don't think that the problem people are complaining about is
primarily a cookies problem; I believe that the difficulty comes
with using HTML in email, since bulk emailers could track what
user's do with their bulk email just by using unique URLs in
HTML document sent.

I recommend that the "Notes on Security" in
be updated to warn about this possibility. All
it says is "In this case, the security issues of [RFC1738],
section 6, should be considered. "  But neither RFC 1738
nor its replacement RFC 2396 (section 7) suggest the
possible privacy risk associated with the privacy risk
that occurs when a HTML interpreting agent automatically
dereferences URLs for embedded data without an explicit
acknowledgement of the user who caused such action.

Groups can petition the FTC to create regulation to prevent
such activity, but I think it's the responsibility of the
standards group to at least give advice on how to avoid
the security loophole technically.

draft-connolly-text-html-02.txt could also mention the
issue; I'd originally thought it was already covered in
the W3C HTML recommendation, but it's not.


Groups petition FTC over e-mail loophole
Privacy and consumer groups are complaining that the flaw allows companies
to put cookies on e-mails and follow users around the Web.

By Margaret Kane, ZDNet News
UPDATED December 3, 1999 5:21 PM PT

Consumer and privacy advocates on Friday asked the Federal Trade Commission
to close software loopholes that potentially allow bulk e-mailers to
identify consumers by exploiting 'cookie' technology.
Received on Monday, 6 December 1999 02:38:49 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:05:52 UTC