HTML5 Allows Cookies To Rise From The Dead
A recent report shows that privacy is an illusion as persistent Flash and HTML5 cookies respawn after deletion, says Eric Doyle
Respawning Unique ETags
The US researchers cited different cases that combine ETag tracking and respawning. “ETag tracking and respawning is particularly problematic because the technique generates unique tracking values even where the consumer blocks HTTP, Flash, and HTML5 cookies,” they wrote. “In order to block this tracking, the user would have to clear the cache between each website visit. Even when using “in private” browsing modes, ETags can track the user during a browser session.”
The team noted this on Hulu.com’s video rental service using Kissmetrics’ advertising. They wrote: “Additionally, the ETag respawning we observed set a first party cookie on hulu.com. This means that other sites subscribing to the kissmetrics.com service could synchronise these identifiers across their domains.”
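The behaviour the researchers describe can be checked from two captures of the same browser, one before and one after the user deletes cookies while keeping the cache. The following is an added example, not code from the report or from any site named in this article; the hosts, cookie names and identifier values are constructed, and it only matches identifiers carried verbatim in the ETag.

```javascript
// Strip the weak-validator prefix and the surrounding quotes from an ETag.
function etagValue(raw) {
  return (raw || '').replace(/^W\//, '').replace(/^"|"$/g, '');
}

// Report cookies that come back with the same value after deletion and whose
// value was carried to the server in a cache validator (If-None-Match).
function findEtagRespawns(before, after, minLen = 8) {
  // Values the user deleted; very short values are unlikely to be identifiers.
  const deleted = new Set(
    before.cookies.map(c => c.value).filter(v => v.length >= minLen));
  const findings = [];
  for (const cookie of after.cookies) {
    if (!deleted.has(cookie.value)) continue; // fresh value, not a respawn
    for (const req of after.requests) {
      const sent = etagValue(req.ifNoneMatch);
      if (sent && sent.includes(cookie.value)) {
        findings.push({ cookie: `${cookie.domain}:${cookie.name}`,
                        value: cookie.value, viaUrl: req.url });
      }
    }
  }
  return findings;
}

// Constructed sample captures (assumed shape: cookie jar plus request list).
const ID = 'u7Qk2mXv9LpA4tRz';
const firstVisit = {
  cookies: [{ domain: 'site.example', name: 'uid', value: ID }],
  requests: [
    { url: 'https://tracker.example/i.js', ifNoneMatch: null, etag: `"${ID}"` },
    { url: 'https://cdn.example/app.css', ifNoneMatch: null, etag: 'W/"5f3a-1c2b"' },
  ],
};
// Cookies deleted, cache kept: the browser revalidates with the stored ETag.
const afterCookieDeletion = {
  cookies: [{ domain: 'site.example', name: 'uid', value: ID }],
  requests: [
    { url: 'https://tracker.example/i.js', ifNoneMatch: `"${ID}"`, etag: `"${ID}"` },
    { url: 'https://cdn.example/app.css', ifNoneMatch: 'W/"5f3a-1c2b"', etag: 'W/"5f3a-1c2b"' },
  ],
};
// Cookies and cache both cleared: no validator is sent, a new value is issued.
const afterFullClear = {
  cookies: [{ domain: 'site.example', name: 'uid', value: 'Zc81LmQe0pWb6YtK' }],
  requests: [{ url: 'https://tracker.example/i.js', ifNoneMatch: null, etag: '"Zc81LmQe0pWb6YtK"' }],
};
console.log(findEtagRespawns(firstVisit, afterCookieDeletion));
```

The ordinary content-hash ETag on the stylesheet is not flagged, and the capture taken after clearing both cookies and cache produces no finding, which matches the researchers' point that only clearing the cache breaks the link.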
The Hulu site now asks for permission to use Adobe Flash’s storage space. However, it also states: “Local Shared Objects are similar to browser cookies, but can store data more complex than simple text. By themselves, they cannot do anything to or with the data on your computer.”
The report hits hard: “We object to this last sentence in particular. While it is technically true that by themselves Flash cookies cannot do anything to the data on a user’s computer, in reality, Flash cookies never are used by themselves. It is the code accompanying Flash cookies that enables them to mirror other data, and can be used to reinstantiate that data when deleted by the user.”
Hulu also states that “unless you accept cookies, you will not have access to certain Hulu Services”. That is fair enough to point out, but it could be construed as a form of emotive blackmail, implying that the user may be missing out on something important.
Google Is Watching You Closely
The report concludes by pointing out that HTTP cookies are by no means dead and that Google has the ability to track user behaviour across nearly all top sites – 97 of them.
It admits that the advertisers have a point when they say there is potential for privacy-enhancing applications in HTML5 local storage, but warns that it may still emerge as a new tracking vector.
Seventeen of the top 100 sites surveyed employed HTML5 local storage and several did so in order to mirror a tracking identifier from a third party, the report concluded.