Re: Client side storage: Flash storage used to preserve/recreate deleted cookies from Noah Mendelsohn on 2010-08-30 (www-tag@w3.org from August 2010)

From: Noah Mendelsohn <nrm@arcanedomain.com>
Date: Mon, 30 Aug 2010 15:34:22 -0400
To: Julian Reschke <julian.reschke@gmx.de>
CC: David Booth <david@dbooth.org>, "www-tag@w3.org" <www-tag@w3.org>
Message-ID: <4C7C07BE.8050405@arcanedomain.com>

I'm curious: in considering these API's, what's the conceptual line between 
"cookies", which are to a significant degree intended for tracking, and 
other client-side storage that might be used for, say, my email?

Let's say a vendor A creates a storage system, with the intention that it 
be used primarily to store things like email.  "Malicious" Web site M 
writes code that copies my HTTP cookies into the A-store.  Now, when I use 
the API to delete "cookies", does that copy go away?  Does my email go 
away?  How in practice do we create user interfaces and APIs that 
moderately naive users will succeed at using to delete tracking 
information, while not unintentionally losing all their email?

Noah

Julian Reschke wrote:
> On 30.08.2010 17:11, David Booth wrote:
>> On Sun, 2010-08-29 at 16:35 -0400, Noah Mendelsohn wrote:
>>> This article [1] suggests that at least some organizations are using 
>>> Flash
>>> client side storage to preserve and recreate browser cookies.  Not quite
>>> sure what this is pertinent to TAG work on client-side storage, but 
>>> it's at
>>> least worth noting.
>>>
>>> Noah
>>>
>>> [1]
>>> http://arstechnica.com/tech-policy/news/2010/08/ad-firm-sued-for-allegedly-re-creating-deleted-cookies.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss 
>>>
>>
>> Wow, that's a *major* privacy violation and security hole.  I'm
>> surprised Adobe has not yet been sued about it, but perhaps the
>> attorneys are going after the lower hanging fruit.
>>
>> And BTW, the whole idea of users having to use Adobe's web site to set
>> the security controls on their own personal computer is completely
>> absurd.  That aspect in and of itself is totally broken and would seem
>> to me to be grounds for a lawsuit regardless of the other issues.
> 
> I think people rightfully expect that they can use their browser's 
> privacy settings to clear collected data, be it in cookies, in HTML5 
> local storage, in Silverlight Local Storage, or in Flash Client Side 
> Storage.
> 
> To make this happen, an API is needed so that UAs can manage the date.
> 
> A proposal for that API has been made several months ago, see 
> <https://wiki.mozilla.org/Plugins:ClearPrivacyData>, but unfortunately 
> *both* UA implementers and plugin implementers are very very very slow 
> in making this happen.
> 
> Just saying.
> 
> Best regards, Julian
>

Received on Monday, 30 August 2010 19:34:52 UTC