- From: Larry Masinter <lmm@acm.org>
- Date: Sat, 4 Dec 1999 11:47:10 PST
- To: <www-html-editor@w3.org>
From: "Larry Masinter" <lmm@acm.org>
To: <www-html@w3.org>, <html-editors@w3.org>
Cc: "Dan Connolly" <connolly@w3.org>, "Keith Moore" <moore@cs.utk.edu>
Subject: security problem in emailing HTML
Date: Sat, 4 Dec 1999 11:36:14 PST

I don't think that the problem people are complaining about is primarily a cookies problem; I believe that the difficulty comes with using HTML in email, since bulk emailers could track what users do with their bulk email just by using unique URLs in HTML documents sent.

I recommend that the "Notes on Security" in http://www.w3.org/TR/html40/appendix/notes.html#h-B.10 be updated to warn about this possibility. All it says is "In this case, the security issues of [RFC1738], section 6, should be considered." But neither RFC 1738 nor its replacement RFC 2396 (section 7) suggests the possible privacy risk associated with the privacy risk that occurs when an HTML interpreting agent automatically dereferences URLs for embedded data without an explicit acknowledgement of the user who caused such action.

Groups can petition the FTC to create regulation to prevent such activity, but I think it's the responsibility of the standards group to at least give advice on how to avoid the security loophole technically.

draft-connolly-text-html-02.txt could also mention the issue; I'd originally thought it was already covered in the W3C HTML recommendation, but it's not.

===============

http://www.zdnet.com/zdnn/stories/news/0,4586,2403580,00.html?chkpt=zdhpnews 01

Groups petition FTC over e-mail loophole

Privacy and consumer groups are complaining that the flaw allows companies to put cookies on e-mails and follow users around the Web.

By Margaret Kane, ZDNet News
UPDATED December 3, 1999 5:21 PM PT

Consumer and privacy advocates on Friday asked the Federal Trade Commission to close software loopholes that potentially allow bulk e-mailers to identify consumers by exploiting 'cookie' technology.
Received on Saturday, 4 December 1999 14:43:51 UTC
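
An added example, not part of the original message or of any W3C text: one way a mail client could avoid the automatic dereference described above, by renaming attributes that trigger remote fetches until the user explicitly asks for them. The tag/attribute list (illustrative, not exhaustive), the `data-blocked-` prefix and the sample hostnames are assumptions.

```python
"""Neutralise automatically fetched remote references in an HTML e-mail body."""
from html import escape
from html.parser import HTMLParser

# (tag, attribute) pairs a renderer typically dereferences with no user action.
# Assumption: illustrative list only; CSS url() and srcset are not covered here.
AUTO_FETCH = {("img", "src"), ("input", "src"), ("script", "src"),
              ("iframe", "src"), ("frame", "src"), ("embed", "src"),
              ("object", "data"), ("link", "href"), ("body", "background"),
              ("table", "background"), ("td", "background")}
# Scheme-relative URLs (//host/path) are remote as well.
REMOTE_PREFIXES = ("http:", "https:", "ftp:", "//")


class RemoteContentBlocker(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked = [], []

    def _tag(self, tag, attrs, close=""):
        parts = [tag]
        for name, value in attrs:
            if value is None:            # bare attribute such as "checked"
                parts.append(name)
                continue
            url = value.strip()
            if (tag, name) in AUTO_FETCH and url.lower().startswith(REMOTE_PREFIXES):
                self.blocked.append(url)
                name = "data-blocked-" + name   # kept so a UI can offer "load images"
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + close + ">")

    def handle_starttag(self, tag, attrs): self._tag(tag, attrs)
    def handle_startendtag(self, tag, attrs): self._tag(tag, attrs, " /")
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")


def block_remote_content(html_body):
    """Return (safe_html, blocked_urls); ordinary links (<a href>) stay clickable."""
    parser = RemoteContentBlocker()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.blocked


# Constructed sample: a bulk e-mail body carrying a per-recipient image URL.
SAMPLE = ('<p>Sale &amp; news! <a href="http://shop.example/offer">Details</a></p>'
          '<img src="http://track.example/open.gif?id=RCPT-0001" width="1" height="1">')
```

Links the user clicks deliberately are left alone, since following them is the explicit acknowledgement the message asks for; only references fetched at render time are held back.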