
Re: Automatic Entry and Forms

From: Adam Jack <ajack@corp.micrognosis.com>
Date: Sun, 25 Feb 1996 16:24:04 -0500 (EST)
To: Matthew James Marnell <marnellm@portia.portia.com>
Cc: hallam@zorch.w3.org, Robert Hazeltine <rhazltin@bacall.nepean.uws.edu.au>, Derek Harding <derek@tpdinc.com>, Murray Altheim <murray@spyglass.com>, hallam@w3.org, www-html@w3.org
Message-Id: <Pine.SUN.3.91.960225154001.23361B-100000@singhi>

On Sun, 25 Feb 1996, Matthew James Marnell wrote:

> Back to our developer who is talking to Mr. Greedy Corporation Head.
> 
> "Okay, the scheme here is that we run a promotion at your site.  
> [...] (Scam details deleted)

Scarily this (almost identically) already exists at a public site that
takes your career information and provides you with their estimate of
what salary you could command. Once they tell you a salary range they
make a supposedly separate offer to e-mail you job information. That
form has all your earlier information in hidden fields! Add your e-mail
address to that -- and your privacy in this area is removed.

The only way one would notice this information is if the user were
to look at the HTML source. (Note: the action method was POST so the
user couldn't even notice an uncoded URL.) Whether this is an intentional 
scam or development accident the end result is a loss of privacy.

Hence -- this style of scam already exists. This proposal doesn't
introduce it.

> 
> Now tell me how you're going to protect against this?  Tell me
> how your proposal is any different than most other proposals that
> make it "easier" for the user, but also, via a loophole make it
> so much easier for the server?  There have been plenty of things that
> have been implemented for the consumer that actually hurt the consumer
> but help the credit reporting agencies and consumer profiling
> people.  This will be no different.
> 
I agree in theory. I wonder though, what about practicality? I
would use such a system to set any data that I considered universally
public. I would never allow it to hold any data that I considered
in any way private.

Hence I would allow it to hold my e-mail address but not my salary.
I agree -- that information would be a small subset of the data
that is personal to me -- but if all it ever held was my e-mail
address then, for me, it would be a useful feature.

Also - note that I accept that I still have the final say. I do not
have to press the SUBMIT button.

Given that this is a feature I could (in theory) control at the
browser then it is significantly less of a privacy leak than 
'HIDDEN'.

Adam
--
+1-203-730-5437 | http://www.micrognosis.com/~ajack/index.html
Received on Sunday, 25 February 1996 16:22:08 UTC
