July 01, 2013

Ensuring Privacy in the HTML5 Age, Can it be Done?

The latest HTML version, HTML5, was designed specifically with consideration for Web applications. There are a lot of new application programming interfaces (APIs) that have been intended to give the Web developer easier access to hardware and software through the use of JavaScript.

This easier access is especially pronounced on mobile devices. While the World Wide Web Consortium (W3C), which is the main international standards organization for the Web, is taking privacy seriously, it is not an easy task.

The W3C is putting some finishing touches on HTML5. It is looking to make it as secure as possible. However, it seems that with the good always comes some bad. Some of the items that have been listed as “exciting” for HTML5 specifications are:

  • Geolocation API lets the browser know where you are
  • Media Capture API lets the browser access your camera and microphone
  • File API lets the browser access your file system
  • Web Storage API lets Web applications store large amounts of data on your computer
  • DeviceOrientation Event Specification lets Web apps know when your device changes from portrait to landscape
  • Messaging API gives the browser access to a mobile device’s messaging systems
  • Contacts Manager API allows access to the contacts stored in a user’s contacts database

As you can see from this selected list, the APIs allow a great deal of access to the software and hardware on your mobile device. These are definitely the type of functions that hackers and identity thieves can take advantage of. It’s almost like their job is being made easier for them.

One of the things that is supposed to make HTML5 safer is the elimination of the need for plug-ins. As it stands now, the Web includes tracking cookies, Flash cookies and hacked websites capable of distributing malware. That is how things already are without factoring in HTML5.

Two of the most heavily installed browser plug-ins are Java and Flash. Unfortunately, these are also listed as two of the biggest security holes in any Web browser. They are written for multiple operating systems which makes them more widespread.

Since a large percentage of installed plug-ins don’t have the latest security patches, that just adds another layer of insecurity. By eliminating the need for these plug-ins, HTML5 is actually supposed to be designed to make the mobile browser more secure.

There was a New York Times article in 2010 titled “New Web Code Draws Concern Over Privacy Risks,” which talked about the additional tracking capabilities enabled by new HTML5 browser storage capabilities.

One example used was Evercookie. Evercookie is a JavaScript API that produces “zombie cookies” in a Web browser, which are intentionally difficult to delete. In fact, Evercookie will recreate all cookies if it discovers that they have been removed. The zombie effect – bringing the cookie back to life!

This particular cookie was designed to demonstrate how easily marketers could exploit new storage mechanisms to track users. Marketers adopted Evercookie to track their users in the blink of an eye.
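The respawning behaviour described above can be audited from the defender's side by comparing browser storage snapshots taken before clearing cookies, after clearing them, and after the page reloads. The following is an added example, not code from the article or from Evercookie; the snapshot shape, store names and sample values are assumptions constructed for illustration.

```javascript
// Constructed sample snapshots (not captured from a real site).
// Assumed shape: { cookies: {name: value}, <otherStore>: {key: value}, ... }
const beforeClear = {
  cookies: { uid: "a1b2c3d4", theme: "dark" },
  localStorage: { uid_backup: "a1b2c3d4", lastVisit: "2013-07-01" },
  sessionStorage: {},
};
const afterClear = { // user deleted cookies; other stores were left untouched
  cookies: {},
  localStorage: { uid_backup: "a1b2c3d4", lastVisit: "2013-07-01" },
  sessionStorage: {},
};
const afterReload = { // page scripts have run again
  cookies: { uid: "a1b2c3d4", theme: "light" },
  localStorage: { uid_backup: "a1b2c3d4", lastVisit: "2013-07-01" },
  sessionStorage: {},
};

// Report cookies that were deleted and then reappeared with the SAME value,
// plus every non-cookie store entry that kept a copy of that value.
function findRespawnedCookies(before, cleared, reloaded) {
  const findings = [];
  for (const [name, value] of Object.entries(reloaded.cookies)) {
    const sameAsBefore = before.cookies[name] === value;
    const wasDeleted = !(name in cleared.cookies);
    // A fresh value (like "theme" here) is an ordinary new cookie, not a zombie.
    if (!sameAsBefore || !wasDeleted) continue;

    const sources = [];
    for (const [store, entries] of Object.entries(cleared)) {
      if (store === "cookies") continue;
      for (const [key, stored] of Object.entries(entries)) {
        if (stored === value) sources.push(`${store}.${key}`);
      }
    }
    // An empty sources list means the copy lives somewhere not snapshotted.
    findings.push({ cookie: name, value, sources });
  }
  return findings;
}

console.log(JSON.stringify(findRespawnedCookies(beforeClear, afterClear, afterReload)));
```

A finding with a non-empty `sources` list tells the user which additional stores must be cleared together with the cookie to stop it from coming back.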

The items in the list mentioned above store and make available a lot of information. Bringing what can be considered "extra" functionality into the browser, together with approved standards, security and privacy, is one of the ways that HTML5 can be useful.

Consent is the process of obtaining a user’s permission before an API is allowed to access the device. If you press a "Take a Picture" button, you’re implicitly giving permission for the app to use the camera. On the other hand, if you click an "Email a Friend" button, you’re not implicitly giving the Contacts API permission to spam everyone in your contacts database. Each HTML5 API assumes that explicit permission is required by default but defines circumstances in which implicit permission is acceptable.

W3C has its hands full. Because its function is to maintain international standards, security is always leading the pack. While everyone does want an easier way to do most things, if the result is going to be more “zombie cookies,” then what is the point?

W3C’s Privacy Interest Group and Tracking Protection Working Group represent just two of the ongoing efforts to increase and standardize security and privacy on the Web and in HTML5. The most notable advance in browser privacy in recent months might be the implementation of the Do Not Track (DNT) specification by all major browser makers. Some browsers, including Internet Explorer 10, have gone so far as to enable DNT by default.

Edited by Alisen Downey

