HTML5: You’re Not Nearly Frightened Enough

By
Photo: iStockphoto

The New York Times gives The Wall Street Journal's anti-Google privacy coverage a run for its money in today's front-page story about the potential privacy pitfalls baked into HTML5. If all you've ever heard about HTML5 is that it's the latest iteration of the Hypertext Markup Language and that developers are pushing for mass adoption because it does away with outdated code and improves browsing capabilities, well, prepare to soil your Internet pants. "Alarmists have not seen anything yet," starts the Times. Wait, does that mean paranoid people greet change with anxiety, or should we just go ahead and torch our laptop? Existing web language lets sites store cookies on a user's computer, a legitimate tactic that makes it possible to remember passwords or place items in a shopping cart. But because HTML5 uses a process that collects and stores large amounts of data on a user's hard drive, it could bring forth a privacy dystopia where "advertisers and others" have access to a user's location, time zone, items purchased, photographs, e-mails, and web history.

That definitely sounds like trouble. The World Privacy Forum makes the requisite Pandora's box allusions. Ian Jacobs, the spokesperson for the World Wide Web Consortium, tries to assuage fears: "This is not a secret cabal for global adoption of these core standards.” Hmmm, sounds like secret cabal talk to us.

Here to help sort things out is Samy Kamkar, a California hacker best known for creating the "Samy Worm" that took down MySpace in 2005. Using HTML5, Kamkar created a stealth "supercookie" that stores information in at least ten places in a user's computer, much more than the usual amount. Unlike the 2005 worm, which Kamkar used to add more than a million friends to his MySpace account in less than twenty hours, this time he did it for the public good, saying "I think it’s O.K. for them to say we want to provide better service. However, I should also be able to opt out because it is my computer.”

An opt-out clause, while tricky to develop without sacrificing speed, seems essential for consumer-safety concerns. But is there as much to fear as the article intimates? "[Kamkar's] motives may be somewhat mixed, and his concerns may be slightly over-blown," says Fast Company's Kit Eaton, noting that every new online development has been seized on by nefarious types trying to get at your data. One of the benefits from HTML5 is its ability to do away with plug-ins like Adobe Flash and Microsoft Silverlight. But Flash itself has demonstrated security flaws through the years, says Eaton, including a "fake security virus" alert from January.

New Web Code Draws Concern Over Privacy Risks [NYT]
Beware the Supercookie: An HTML5 Loophole To Steal Your Privacy [Fast Company]