HTML5 may as well stand for Hey, Track Me Longtime 5. Ads can use it to fingerprint netizens

HTML5 is a boon for unscrupulous web advertising networks, which can use the markup language's features to build up detailed fingerprints of individual netizens without their knowledge or consent. In a presentation at Usenix's Enigma 2018 conference in California this week, Arvind Narayanan, an assistant professor of computer …

  1. Will Godfrey Silver badge
    Unhappy

    Bar-stewards

    I don't know if it does much good, but I've got into the habit of always closing then restarting the browser between website changes, and have it configured to delete all cookies.

    Hopefully, although they can track my movement around their site, they won't know what my next site is.

    1. Martin Gregorie

      Re: Bar-stewards

      I think anything that severely restricts cookie lifetimes is useful.

      I'm achieving the same thing, but without having to restart the browser all the time, by using the Cookies Exterminator add-on. This auto-deletes cookies, localStorage and IndexedDB objects as soon as they become unused. I see it burst into life each time I leave a website. It's configurable enough to not delete stuff left by nominated sites.

      There are other add-ons that do more or less the same thing, though there may be tricks that the add-on of your choice doesn't know about. All I can say is that I haven't (yet) spotted anything the Exterminator should have deleted but didn't.

      1. Nate Amsden

        Re: Bar-stewards

        I'm sure it's not perfect, but for me I use the firefox (now palemoon) per-site cookie stuff, and have been for as long as I can remember, I'd say at least 10-12+ years now. I do use an ad blocking extension on firefox/android just because it is less flexible. Sometimes I have to spend some time to undo one of my cookie choices, but I'm used to that.

        Currently I have 19,830 sites in my permissions.sqlite file which goes back to the beginning (migrating to palemoon had to do some manual data injections into the sqlite as the full profiles weren't totally compatible, something I had done with one or two firefox upgrades over the years).

        Tried to use waterfox but the cookie stuff there was broken too.

        Palemoon is a good setup for my main browser anyway. I have firefox 5x ESR in a windows VM which I can leverage in the very odd case where Pale moon doesn't work (maybe 0.01% of the time so far in the past month). 99% of the stuff in that VM is work related (VPN etc).

        1. DropBear

          Re: Bar-stewards

          I have a very different experience with Palemoon - apparently related to the presence of "Goanna" in some of the relevant strings, quite a number of sites treat it like a mobile browser, without any option to override that; and more often than not, the result is utterly broken even as a mobile web page. Also apparently, a simple user agent changer doesn't fix this. That is not to say Palemoon isn't quite useful most of the time, but site incompatibility due to this or other causes is not an occasional but a permanent annoyance for me...

    2. ecofeco Silver badge

      Re: Bar-stewards

      Private mode browsing, ad blockers, do not track, firewall, anti virus, and then CCleaner (old version) after browsing. And that's on a good day.

      Soon I'll HAVE to get VPN.

      It's fucking ridiculous.

      1. Adrian 4

        Re: Bar-stewards

        Palemoon mostly works well for me. But Google seem to be going out of their way to break gmail on it.

    3. This post has been deleted by its author

  2. JohnFen

    Yep

    Pretty much everything about HTML5 makes me not want to use an HTML5 compliant browser.

    1. Anonymous Coward

      Re: Yep

      I want to deactivate Web Assembly, because it is a security risk (Meltdown, Spectre).

      Running untrusted bytecode in the browser is insane these days!

      But of course Google deactivated the option to disable Web Assembly in Chrome just right ahead of the announcement.

      1. disinterested observer
        WTF?

        Re: Yep

        > I want to deactivate Web Assembly, because it is a security risk (Meltdown, Spectre).

        Web Assembly is not assembly. It does not directly address your CPU. That would be impossible.

        1. JohnFen

          Re: Yep

          It doesn't have to in order to present a security risk. Meltdown can be performed with Javascript, after all (at least it could, until the spate of browser patches were issued to mitigate).

    2. Charlie Clark Silver badge

      Re: Yep

      Seems you don't know much about HTML 5 if you're spouting that crap. I certainly don't want the stasis of 2003 - 2010 to come back. HTML 5 means fewer plugins, plugins being both attack vectors and spyware. Add a good blocker to your browser and you're in pretty good shape. This isn't to say that the browser makers can't do more because they can. But actually going after the advertisers, and by extension their customers, for the abuse of privacy laws is the best way to go and GDPR is a good place to start.

      1. JohnFen

        Re: Yep

        I know HTML5 extremely well, thank you.

        There are certain things that HTML5 improves, but for every one of those it makes other things worse. For my tastes, it's a pretty large step backwards on the whole. I would strongly prefer the "stasis" of 2003-2010 over what we have now.

        You may disagree -- that's fair -- but don't for a moment think that the reason I disagree with you is because I don't know what I'm talking about.

  3. Lord_Beavis
    Linux

    Yes, but

    did they try it with Lynx?

    1. Alister

      Re: Yes, but

      I find the default colour palette on Lynx is a bit restrictive...

  4. jake Silver badge

    Lovely.

    That was sarcasm, if anyone was wondering.

  5. Anonymous Coward

    Anyone test-driven Brave or Vivaldi browsers etc?

    https://www.theregister.co.uk/2017/12/18/google_d_vivaldi_adwords/

    1. Martin Gregorie

      Re: Anyone test-driven Brave or Vivaldi browsers etc?

      I tried Vivaldi when it first came out, but didn't like it a lot: I like more control of the fonts, font sizes and controls than it gives and found its text size zoom profoundly irritating. It was part of the Fedora default install for a long time, so I kept trying it and deciding it was still not what I wanted. Then, a year or so ago its Fedora package vanished. I've ignored it since then.

      1. jake Silver badge

        Re: Anyone test-driven Brave or Vivaldi browsers etc?

        In addition to Martin's comments, I'll add that the treatment of bookmarks is abysmal in Vivaldi. I haven't tried Brave yet. I keep meaning to, maybe I'll download it this evening.

      2. Anonymous Coward

        Re: Anyone test-driven Brave or Vivaldi browsers etc?

        Vivaldi on Windows is a completely different beast to what it was a year ago. Far more pleasant to use now.

    2. a_yank_lurker

      Re: Anyone test-driven Brave or Vivaldi browsers etc?

      @AC - I am using Brave as my default browser and it is a very good browser overall. It does block ads and trackers by default, so I never see any ads on any site. Its look and feel is similar to Chrome. I think it still has a couple of rough edges, but it has been rapidly improving.

      They also have a feature where you can make direct payments to your favorite sites (I have not used it).

    3. Steve Graham

      Re: Anyone test-driven Brave or Vivaldi browsers etc?

      I switched to Vivaldi when Firefox broke sound on their Linux browser, and have been using it as my main browser since then with no problems.

      I have Privacy Badger, uBlock Origin, Location Guard, Tampermonkey, a User Agent Spoofer and ScriptSafe (which attempts to foil the kind of fingerprinting described in the article, as well as blocking scripts).

  6. 45RPM Silver badge

    Many were increasingly of the opinion that they'd all made a big mistake in moving on from HTML4 in the first place. And some said that even HTML4 had been a bad move, and that no one should ever have left the bulletin boards.

    1. Alister

      @45RPM

      Thanks, Douglas...

  7. Anonymous Coward

    The issues with HTML5 are real, but if you look at most sites they're just filled with 3rd party scripts. Some have first party tracking (twitter, youtube, facebook I imagine), but most use doubleclick, google-analytics, and amazon-adsystem. Yes, I'm looking at you El Reg.

    These days cookies are among the bare minimum used to track you, and javascripts are far more useful to them and just as pervasive. Unfortunately they also require the most work to block. uMatrix is probably the best option these days since the new version of NoScript is a bit busted. The benefit of using uMatrix in this case is that you can block everything except css, images, media and frames (even then, most websites only need css and images). How much it helps against HTML5 features I don't know, but it's something.

    Personally I also block 1st party by default so I don't get thrown onto a site I don't want -- installers seem to do this all the time, drives me crazy, but I imagine most would want to leave 1st party enabled and just block the individual elements, like this:

    * * * block

    * * cookie block

    * * css allow

    * * image allow

    * * frame allow

    * * media allow

    * * script block

    * * XHR block

    * * other block

    * 1st-party * allow
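    To see what the matrix above actually does to a given request, here is a small Python model of uMatrix-style rule evaluation. It is an added example, not code from the comment or from the uMatrix project, and it makes two assumptions: precedence follows uMatrix's documented behaviour as I understand it (the most specific destination wins, in the order exact host, parent domains, `1st-party`, `*`, and within one destination a type-specific rule beats the `*` type), and "first party" is decided by a naive last-two-labels comparison instead of the public suffix list uMatrix really uses. The hostnames in the sample requests are constructed.

```python
# Added example: simplified model of how a uMatrix-style matrix decides a request.
# Not uMatrix's own code; precedence order and the naive registrable-domain
# check are assumptions stated in the lead-in.

# The ruleset posted in the comment, in uMatrix's "source destination type action" form.
RULES_TEXT = """
* * * block
* * cookie block
* * css allow
* * image allow
* * frame allow
* * media allow
* * script block
* * XHR block
* * other block
* 1st-party * allow
"""


def parse_rules(text):
    """Parse 'source destination type action' lines into a (src, dst, type) -> action dict."""
    lookup = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"malformed rule: {line!r}")
        src, dst, typ, action = parts
        if action not in ("allow", "block"):
            raise ValueError(f"unknown action in rule: {line!r}")
        lookup[(src, dst, typ)] = action
    return lookup


def registrable_domain(host):
    """Naive stand-in for the public suffix list: the last two labels."""
    return ".".join(host.split(".")[-2:])


def hostname_chain(host):
    """'a.b.example.com' -> ['a.b.example.com', 'b.example.com', 'example.com', 'com']."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def decide(rules, page_host, req_host, req_type):
    """Return (action, matching_rule) for a request of req_type to req_host from page_host.

    Scopes (sources) are tried from the most specific page hostname down to '*';
    within a scope, destinations from most to least specific; within a destination,
    the exact type before the '*' type. The first rule found wins.
    """
    sources = hostname_chain(page_host) + ["*"]
    dests = hostname_chain(req_host)
    if registrable_domain(page_host) == registrable_domain(req_host):
        dests.append("1st-party")  # only offered to requests that are first-party
    dests.append("*")
    for src in sources:
        for dst in dests:
            for typ in (req_type, "*"):
                action = rules.get((src, dst, typ))
                if action is not None:
                    return action, (src, dst, typ)
    return "block", None  # nothing matched: fail closed


def without_first_party_allow(rules):
    """The commenter's personal variant: drop the blanket 1st-party allow."""
    return {k: v for k, v in rules.items() if k != ("*", "1st-party", "*")}


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    page = "www.example.com"
    # Constructed sample requests a page might make.
    sample = [
        ("www.example.com", "script"),
        ("cdn.example.com", "cookie"),
        ("tracker.example.net", "script"),
        ("tracker.example.net", "cookie"),
        ("tracker.example.net", "XHR"),
        ("static.example.net", "css"),
        ("static.example.net", "image"),
    ]
    for host, typ in sample:
        action, rule = decide(rules, page, host, typ)
        print(f"{typ:7} from {host:22} -> {action:5} via {rule}")
```

Run as a script it prints one line per constructed request showing which rule fired; first-party scripts and cookies fall through to `* 1st-party * allow`, while third-party scripts, XHR and cookies stop at the global `block` rows and only css, images, frames and media from third parties get through. `without_first_party_allow` models the "block 1st party by default" setup the commenter uses personally.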

    1. Mayday
      Thumb Up

      uMatrix

      Thanks for this! Never heard of it until now, I know what I'll be using from now on.

    2. Martin an gof Silver badge

      "uMatrix is probably the best option these days since the new version of NoScript is a bit busted"

      Never used uMatrix - thanks for the heads-up, I'll have a look - but after a couple of weeks of really not working at all well, now that it seems to have settled down I am actually getting to quite like the new NoScript UI.

      Like most of these things though, getting NoScript or any other blocker to work the way you want it, and not "break" too much of the web does take some effort, and I know very few people who are willing to put that effort in. Even at home, the others all moan when they go to a new website which doesn't work first time because of NS's default block policy.

      M.

  8. Charles 9

    I was beginning to wonder if the only way to stop this tracking would be to turn off all active elements of the World Wide Web and go back to the bad old ways where only the most basic HTTP stuff was sent. But after seeing all the ingenuity being put into side-channel tracking, I'm beginning to wonder if the ad people are ready to construct profiles based on timings and other side channels associated with even the most basic HTTP stuff, like round-trip responses to auto-redirects and so on (which incidentally would probably even work on Lynx). Let's face it. The ad companies want our profiles by hook or crook, and they're getting VERY good at finding ways to sniff us out without having to ask. They're also probably much aware of laws and sovereignties, meaning any attempt to push would simply see them pack up and move someplace friendlier. It's not like they have a whole lot of physical real estate to move around, is there?

    1. Doctor Syntax Silver badge

      "The ad companies want our profiles by hook or crook, and they're getting VERY good at finding ways to sniff us out without having to ask. They're also probably much aware of laws and sovereignties, meaning any attempt to push would simply see them pack up and move someplace friendlier. It's not like they have a whole lot of physical real estate to move around, is there?"

      Whether or not the ad companies are located somewhere legally accessible there are other entities at the ends of their chain who might not be so mobile.

      In order to do any profiling they have to get access via the web sites. If a web site allows some profiling link to be installed on it I think it likely that the operator could be classed in the EU and the UK as a data controller and the hosting company could also be classified as a data processor. At the other end of the chain the company whose products or services are being advertised is also likely to be scooped up.

      Where the web site is being run as the window on some business such as an estate agency or a car dealership they can hardly avoid having a legal presence in the countries in which they operate. The same applies to businesses placing adverts. A small business engaged in selling by post might be able to avoid these constraints; even so such a business with ambitions to grow might foresee the need to establish such a presence in the future.

      Hosting companies, however, are likely to have interests in the EU and/or UK. Running a web site on Amazon's infrastructure? If they think they're likely to get roped into this you're going to find they are pretty insistent on what you can do in terms of placing trackers on your pages.

      I think I can guess where Schrems's new organisation is going for its initial targets.

  9. Anonymous Coward
    IT Angle

    Server logs already describe a user's browser type and version; it would be nothing for a server to process this with PHP and send it to an advertiser website to follow you.

    1. ecofeco Silver badge

      And that's the real pisser. Why are they using my PC and bandwidth to do their work?

  10. This post has been deleted by its author

    1. Charles 9

      Re: Give me a G!

      Not like they can do much against a company that, say, operates entirely outside the EU except for those ad requests.

      1. Doctor Syntax Silver badge

        Re: Give me a G!

        "Not like they can do much against a company that, say, operates entirely outside the EU except for those ad requests."

        Providing the hosting is also done on a company that operates entirely outside the EU. Forget using the likes of AWS.

        1. Charles 9

          Re: Give me a G!

          Ever thought the savvy ad people keep their OWN clouds?

  11. fidodogbreath

    If?

    “If we move to a state of pervasive surveillance we lose that mobility.”

    If?!? Dude, that train left the station years ago...

    1. Anonymous Coward

      Re: If?

      "Privacy is dead. Get over it." Whether it's nation state or large advertising concern, we're overmatched. I do love to throw sand in their (advertisers) gears for the Hell of it.

    2. earl grey
      Facepalm

      Re: If

      Always liked that movie.

      Wait, what were we talking about?

  12. Kev99 Silver badge

    One problem with ad blockers is that several websites (HGTV / Scripps Broadcasting in particular) will not function properly if an ad blocker is running, or if Do Not Track is turned on. Might as well leave your blinds up and curtains open when taking a bath.

    1. Anonymous Coward

      Most adblockers have lists available that block the adblocker-blockers. I just tried HGTV with uBlock and uMatrix, it played the live feed fine.

    2. tiggity Silver badge

      If a site does not work with security precautions taken then the simple solution is ... do not visit that site.

      Some UK TV companies' web sites do that, so I do not bother watching their content online; there's plenty of other content out there to keep me occupied.

    3. JohnFen

      "One problem with ad blockers is several websites (HGTV / Scripps Broadcasting in particular) will not function properly"

      That's no problem. I just don't go to sites that are so insistent on throwing me under the bus.

      1. Charles 9

        "I just don't go to sites that are so insistent on throwing me under the bus."

        But what if you HAVE to because the show you need (possibly not by your choice, I might add--consider the spouse) is ONLY on one of those channels (like say a show on Food Network, one of the Scripps channels--plenty of exclusives there).

        1. JohnFen

          "But what if you HAVE to because the show you need"

          I seriously can't imagine any show that I need to watch, regardless of the wishes of my spouse (and what, she doesn't have her own computer?). But that aside, if there's a site which is truly invaluable, I suppose that I'd be forced to capitulate.

          Since it hasn't happened to me yet, I'm not sure what my approach would be, but at a minimum, I'd probably use a special browser installation just for that site, running in a VM.

  13. sloshnmosh
    Devil

    Advertisers

    https://www.youtube.com/watch?v=ouE-CcwE8Ls

  14. Anonymous Coward

    Cynic

    Well it's easy to understand Google's motivation in defeating that kind of tracking. Tracking is their privilege, not anyone else's...

  15. alain williams Silver badge

    Don't forget your IP address

    Even if you don't have a static one, it is not going to change for the duration of your search for a holiday, hotel, car insurance, ... purchase. If you do this at work, you will be lumped in with everyone else at your company; if you do it at home ... well, how many of you are surfing at the same time?

  16. ecofeco Silver badge

    First it was the virus arms race

    Now it's the malware arms race.

    Ask me if I feel bad about my blockers. Go on, I dare ya.

  17. Mahhn

    Carrot on a stick

    So they waved HTML5 in front of us with the promise of getting rid of the exploit known as Flash, only to fool everyone into installing universal super tracking software.
