- From: Karl Dubost <karl@la-grange.net>
- Date: Wed, 1 Jul 2015 08:42:08 +0900
- To: Nick Doty <npdoty@w3.org>
- Cc: Eric Rescorla <ekr@rtfm.com>, "Mike O'Neill" <michael.oneill@baycloud.com>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>, Jan-Ivar Bruaroey <jib@mozilla.com>
- Message-Id: <3430725A-DA93-445F-AFD5-E9A67E218132@la-grange.net>
Nick,
(digression below)
Le 1 juil. 2015 à 06:49, Nick Doty <npdoty@w3.org> a écrit :
> I don't think there's currently very effective transparency about cookies or other forms of local storage either.
I guess because partly it's dealt as a storage issue instead of a trust issue.
The question is not necessary
"Does this site store data inside my browser to track me?"
(this is very technical and doesn't make sense for most people.)
but more something along
"Does this site is tracking me?"
"Which information does it track?"
"Which information can I block?"
Note that each time we pay with a credit card in a shop, we do not know which data are being stored about ourselves at the shop, at the bank, at VISA, but we have an alternate solutions in most cases, which is to pay cash.
Privacy on the Web is a bit trying to emulate the "pay cash" of our daily life. It doesn't solve everything but can help.
> (For an empirical study of one -- me -- I can find the cookies stored in my browser for a domain after a few clicks, but I don't have any ambient awareness of them and I'm not sure where I would find localStorage entries or IndexedDB, etc.)
Currently in developer tools, but these data are not necessary meaningful. The same way that cookies do not tell us which things they are tracking (often a series of numbers and letters, which has privacy benefits against MITM type of attacks.)
> Letting users know that a site is storing data (including a tracking identifier that will recognize them on subsequent visits) is a task for user agents with many different mechanisms, including cookies. It might be nice to write up advice for that in general, especially if you could get browser vendors interested in it. Personally, I would be more interested to know the binary "is data being stored by this site?" rather than trying to decipher the meaning of cookie values, local storage entries, or the values of exposed identifiers.
This is happening somehow but I don't think it's the right question/UI to show that.
Let's start with a clean profile. You can see that in the preferences there is a warn the user if the site is putting content. And it's happening on some sites.
http://la-grange.net/2015/07/01/storage/firefox-storage-prefs.png
I went to visit a couple of sites. And specifically this demo.
http://appcache-demo.s3-website-us-east-1.amazonaws.com/localstorage-cache/
I didn't get any warnings. I guess because I asked to be stored. Not sure. (local storage should be ditched soon in profit of Service Workers, a polyfill will be created so it can continue to work). Anyway going the devtools to inspect the content, the data have been stored.
http://la-grange.net/2015/07/01/storage/firefox-stored-data.png
For the UI helping the users to understand a bit more what is happening, I think the UI showing the source and destination of tracking data is maybe more important. I go shop to the local bakery and I'm fine being tracked on the sense that the bakery owner remembers I prefer the baguette instead of the loaf bread, but I don't want VISA or Walmart to know that. The data are just kept by the shop owner and will be forgotten as soon as I'm not a customer anymore.
--
Karl Dubost 🐄
http://www.la-grange.net/karl/
Received on Tuesday, 30 June 2015 23:42:27 UTC