HTML5 Allows Cookies To Rise From The Dead


A recent report shows that privacy is an illusion as persistent Flash and HTML5 cookies respawn after deletion, says Eric Doyle

When it comes to persistence, the new league of cookies take the prize. Flash cookies are, fortunately on the decline but that may be because HTML5 cookies are much more difficult to get rid of.

Researchers Mika Ayenson from Worcester Polytechnic Institute, Massachusetts, and Dietrich Wambach at the University of Wyoming have found that HTML5 cookies not only stay for as long as possible but, like Adobe Flash-based cookies, even regenerate when they are removed. Deleting HTML5 cookies triggers a “respawning” reaction that reinstates the cookie, redefining the term “perisitent”.

More Space Means More Power

The new cookies are seen by the cookie cutters as being far more useful than HTTP cookies, which are limited to around 4KB of data. Despite this limit, the cookies are a bigger nuisance to websites than might be imagined because they are included with every HTTP request and slow down the website “experience”. They are also unencrypted and could be intercepted.

The Flash plug-in for browsers displays animations, web apps, text and images and uses local storage to speed things up. Adobe claims this capability is required to give a “better user experience” – which is fine but anyone can use it for whatever purpose. The original idea was to provide a buffer so that animations and video could be played without interruptions or sticking and jumping effects.

With people refusing cookies and laws coming into force, such as the EU regulations on cookies, advertisers and others are looking for new ways to track users. Flash cookies proved to be an answer because the apps can be set there and are not flushed away by user preferences or through time settings. The default setting for a Flash cache is 100KB, 20 times the amount that HTTP offers and, even though Adobe condemns the practices, advertisers find this space compulsive.

The use of Flash has dropped, according to the researchers report, Flash Cookies And Privacy II: Now With HTML5 And eTag Respawning. One of the reasons for this is that victimised users in the US have started to threaten court action for inserting “spyware” on their computers. Another reason is that many users have found the Global setting on the Flash player that allows them to limit or cancel the space allotted to local storage – despite any inconvenience this may cause – while others, notably Apple users, don’t have flash browsers.

A third, and possibly more compulsive reason is that HTML5 allows far better facilities for cookie cutters. This is also enhanced by the majority of browsers currently in use, including Apple’s Safari, have HTML5 support.

Five Megabytes Of Storage

Web Storage on HTML5 offers 5MB of persistent storage, which proponents argue will allow advertisers to add extra privacy controls. Security professionals attack this facile viewpoint by pointing out that not everyone will obey the rules.

The main worry is that the storage space allows enough space for respawning, which has been a feature of Flash cookies but also the ability to store and reinitiate substantial amounts of previously-gathered information.

In the US, Ringleader Digital, was hauled up in court for using respawning. It used HTML5’s client-side database storage capability in the iPhone browser, Mobile Safari. Users visiting sites carrying Ringleader ads were assigned a unique ID number which was stored and recalled on visits to Ringleader ad sites.

The RLDGUID app persisted even when the browser’s cookies were deleted but even users who knew how to delete the app found it would magically return with the same ID number as before. The attorney’s prosecuting the case said that the company could track users, their phones and viewing habits on the net and there was nothing the average user could do about it. This was a violation of federal privacy laws and an out of court agreement saw the advertising company part with $30,000 (£18,400) and a promise to allow users to opt out of the tracker – designed to offer targeted ads to the users.

Continued on page 2

Read also :
Click to read the authors bio  Click to hide the authors bio