Re: Evercookie: Indestructible cookies

Hello Noah -- 

Unfortunately I must give my regrets for today¹s call as well due to a
family conflict.

However, I am happy to ³take the lead² in organizing this discussion at the
f2f.

Additionally, I have started to reach out to a few people in the bay area to
join us as guests at the tag f2f. Namely: Brendan Eich and Jon Ferraiolo,
Doug Crockford.  The time-frame I have in mind is to take the whole of the
afternoon of the 21st for guest discussions (structured as a "TAG Office
Hours"). 

Dan


On 23/09/2010 14:28, "Noah Mendelsohn" <nrm@arcanedomain.com> wrote:

> You are confirming my intuition that this is very troubling, if not
> entirely surprising.  I think it spans the work that Ashok is doing on
> client-side storage, and the work you are driving DanA on privacy.
> 
> I'm tempted to suggest that we devote some time at the F2F to this
> particular constellation of concerns:  I.e. how the various client-side
> state capabilities of user agents can be used together to thwart the user's
> ability to control identity tracking, other privacy concerns etc.
> 
> What's less clear to me is how to frame this.  I think the best use of F2F
> time is if one or two TAG members work on this actively during the coming
> few weeks, with the goal of having the facts gathered and the issues well
> framed by the time we meet. I know Ashok is traveling for a couple of weeks.
> 
> DanA, do you have the time and interest to take the lead.  If not, anyone
> else?
> 
> If any TAG members feel this is a bad use of time, speak up, or I'll just
> move ahead.  Maybe we'll slip a bit of discussion into today's call if it
> fits.  Thank you!
> 
> Noah
> 
> On 9/23/2010 8:05 AM, Appelquist, Daniel, VF-Group wrote:
>> This is diabolical. It should be a wake-up call to us on Web privacy.
>> 
>> Considering that many of the options listed are ³part of HTML5,² I¹m most
>> worried that HTML5 could become associated with a lack of privacy. If
>> anything, the reverse should be true: we (w3c&  web standards community)
>> should work to ensure that the HTML5 ³brand² stands for _enhanced_ privacy.
>> 
>> Dan
>> 
>> On 22/09/2010 09:49, "Noah Mendelsohn"<nrm@arcanedomain.com>  wrote:
>> 
>>> Following up on [1], I note this [2]:
>>> 
>>> "    evercookie is a javascript API available that produces
>>>       extremely persistent cookies in a browser. Its goal
>>>       is to identify a client even after they've removed standard
>>>       cookies, Flash cookies (Local Shared Objects or LSOs), and
>>>       others.
>>> 
>>>       evercookie accomplishes this by storing the cookie data in
>>>       several types of storage mechanisms that are available on
>>>       the local browser. Additionally, if evercookie has found the
>>>       user has removed any of the types of cookies in question, it
>>>       recreates them using each mechanism available.
>>> 
>>>       Specifically, when creating a new cookie, it uses the
>>>       following storage mechanisms when available:
>>>        - Standard HTTP Cookies
>>>        - Local Shared Objects (Flash Cookies)
>>>        - Storing cookies in RGB values of auto-generated, force-cached
>>>           PNGs using HTML5 Canvas tag to read pixels (cookies) back out
>>>        - Storing cookies in Web History (seriously. see FAQ)
>>>        - HTML5 Session Storage
>>>        - HTML5 Local Storage
>>>        - HTML5 Global Storage
>>>        - HTML5 Database Storage via SQLite"
>>> 
>>> Noah
>>> 
>>> 
>>> [1] http://lists.w3.org/Archives/Public/www-tag/2010Sep/0029.html
>>> [2] http://samy.pl/evercookie/
>>> 
>>> 
>