dom.storage - a new privacy headache looms?

Privacy remains one of my most unfashionable concerns - especially when I'm using a computer online.

 

Among other things, I loathe the thought of my browser gathering and retaining information which can be used not only for useful purposes, but for more nefarious ones eg allowing the marketing industry (I'm not a fan) to track and profile my browsing.

 

A by-no-means exhaustive list of things which could be useful but which can also be abused to store information about users and possibly abuse that information for tracking and profiling includes third party cookies, flash cookies and (vaguely) "local storage."

 

The latter is additional to the storage previously made available by browsers for cookies, and allows substantial quantities of information about my site visit to be stored.

 

The only way I know to disable this is to disable "dom.storage" (whatever exactly that might be.) By default, it is set - in Firefox - to allow 5MB of storage per site. Since the old HTML cookies were set at something like 4kb, later increased to 10 (I think - someone might have the actual numbers to hand), this allows a vast amount of information about me to be stored by my browser and sent back to the originating site on subsequent visits.

 

This information can be used for good (eg security stuff) but given human nature, will almost certainly end up being used for evil (tracking, profiling etc).

 

I use a pre-paid card for online purchases. It lacks the protection of a conventional credit or debit card, but at least no bad guy can get at anything other than the money currently "loaded" on the card - top the thing up using cash rather than a bank account or debit card, and there is simply no link for anyone to follow back to your funding source.

 

Paranoid? Sure, but that's my prerogative, is it not?

 

I've been impressed with the "Cashplus" card for years now. One of its strongest points, for me, has been a very easy to use online interface - which needs no javascript, nor any other potentially vulnerable or snoopilicious stuff - no persistent cookies, for instance.

 

They are in the process of introducing a new site, and guess what? I thought I'd try it and a) needed to enable at least some javascript (ugh) and b) then received an error message which included the following gem:

 

Your browser or your private/incognito mode appears not to support some features. Please try turning private mode off or use a different browser.

 

Interestingly, I don't bother with incognito mode (right or wrong, I prefer to limit stuff manually and clear everything possible as frequently as possible.)

 

A closer look at the URL of the offending page said something about "error nostorage" (or something - I forgot to copy it.)

 

Enabling dom.storage caused the log-in page to come to life.

 

Now, I realise it's just a matter of enabling dom.storage every time I want to use the site, then clearing everything afterwards and disabling dom.storage again - but that is going to become a little tedious.

 

It also seems very sneaky to introduce something like that without making it very clear on the website that dom.storage is now a feature the site needs in order to function as desired. Really just as sneaky as the old flash cookies.

 

Certainly, I'm concerned about my security online.

 

However, I think I'm still slightly MORE concerned about my privacy, especially in our age of marketing snooping and tracking and profiling, not to mention Snoopers' Charters and goodness knows what other dystopian horrors lie ahead.

 

Come back, the Twentieth Century - all is forgiven...

 

Meanwhile, perhaps the good folk who occasionally visit this board might continue to alert the rest of us to any potential threats to our privacy and security which they come across online - ideally along with any solutions.

 

I remain hopeful that privacy is dead only if we agree to that disastrous leap back for civilisation.

Message 1 of 7

An interesting post there OE.

 

However.... (there just has to be a however?)...... Have you ever had any contact from those supposedly mopping up all this data? Has any of the data resulted in any problem or.... has paranoia completely taken over?

 

Now, all this browser tracking, what can they actually do with it? Surely there's so much data that it becomes far too much for anyone to do much with it? Have you ever been targeted "out of the Blue" by any of the data trackers?

 



It's life Jim, but not as WE know it.
Live long and prosper.

Message 2 of 7

Have you seen

https://webdevwonders.com/clear-dom-storage/

You need to update the details for new versions.

I'm not clear whether CCleaner clears dom.storage. My browsers seem set by default to clear when getting rid of cookies etc. - maybe an effect of CCleaner?

Message 3 of 7

There was an article in The Register (I think) which covered security worries about dom storage and evercookies. It was probably about 4-5 years ago. If I remember it correctly the evercookies don't naturally have an expiry date and they forecast that there would be problems getting shot of them, and highlighted both as possible security risks.

 

eBay have been "playing" with dom storage for a while. We had an interesting fault about 3 years back (?) before we changed to lithium boards (I think - sorry granny memory). Members were complaining that bits of IE were missing, namely the ID sign out and there was nothing in the All categories drop down box.

 

As I was still using IE9 (on the Vista machine) I still had the option to switch dom storage on and off, whereas IE10 users didn't see the option. I discovered I could toggle the missing items on/off by turning dom storage off/on.

 

It lasted for about a month until eBay fiddled again. I think it was caused by an MS IE update which set dom storage off by default.

 

 

Message 4 of 7

I've been doing a little more reading around.

 

Just - yikes.

 

Meantime, I discovered another site that needed it (I think it was Whatsapp - so that one's off the list for now...)

 

Have you ever had any contact from those supposedly mopping up all this data? Has any of the data resulted in any problem or.... has paranoia completely taken over? (cee-dee)

 

 

No and no (I think). Hey, just because you're paranoid doesn't mean they're not out to get you...

 

As far as evidence of being tracked and profiled is concerned - I suppose I might have found some if I actually ever saw advertisements. So far, so good.

 

I'm not clear whether CCleaner clears dom.storage.

Nor am I, anti. TBH, it's years since I last used it. There are all sorts of add-ons to clear dom.storage/local storage, but for the moment I'm happy to disable/clear it manually.

 

My concern is that there is no simple mechanism in browsers allowing it to be controlled in the same manner as traditional cookies. I get the uncomfortable feeling that site owners might be relying on users being unaware of the existence of dom.storage in order to circumvent those preferences already shown by conventional cookie settings.

 

There was an article in The Register (I think) which covered security worries about dom storage and evercookies. (angrydrag0n)

 

Ah, yes. Evercookies (Chap called Samy Kamkar, IIRC.) A diabolical mix of ordinary cookies, dom.storage, e-tags and goodness knows what else. And that's part of the problem - so many ways for the knowledgeable to watch us.

 

Much as I despise excessive regulation, I do feel that The Powers That Be need to get together and outlaw any form of tracking/data gathering etc which is not completely transparent to and controllable by the ordinary user. It's hopeless being specific, as a new method simply jumps up to replace any sneakiness which happens to have been caught out.

 

Of course, with more and more happening in "the cloud," and with storage being relatively cheap, one worries about what is being stored server-side now. I'd honestly like to see this brought strictly under the control of the user, too.

 

And one day, pigs might fly.

 

 

Message 5 of 7

I guess using InPrivate browsing may be some sort of defence, though I don't think it actually blocks them, it just prevents storage outside of the session.

Message 6 of 7

With a bit of luck, browser developers will get round to providing users the sort of controls currently available for controlling ordinary cookies.

 

If I could be sure that anything in local storage had no ability to connect to or allow connections by third parties, and that everything would be cleared every time the browser was closed (as well as being manually clearable at any time), then I'd probably be quite happy to accept the security and other advantages (apparently) offered by dom.storage/local storage.

 

In the meantime, I suspect we're in a similar position to that pertaining to flash cookies in the Bad Old Days of a few years ago. Site owners set flash cookies, and until Adobe came up with a control panel for Flash Player, these were simply set irrespective of users' wishes.

 

They could be used to "reconstitute" ordinary HTML cookies blocked/cleared by privacy-conscious users. I may be wrong - but get the distinct impression that local storage could be abused similarly.

 

I would happily bet a fiver that most people don't even know about local storage yet. I would also bet that web sites using it are well aware of this.

 

The fact that they still use it suggests a certain sneakiness to me - a distinct lack of trustworthiness. If somebody's allowed only first party session cookies in their browser's cookie settings, that suggests they don't want anything retained locally. Trying to override that wish with a "feature" most users are almost certainly still unaware of would be pretty unscrupulous, IMHO, and perhaps we should all start moaning a little more publicly about sites which use/rely on local storage without specifically warning users and explaining what's involved - and of course, how to clear it once the desired task has been accomplished.

 

The latest addition to my personal Hall of Shame would seem to be the Windows Update Catalogue. It refused to work. I looked up the error message that was shown. A forum showed that someone had found that enabling dom.storage "cured" the error.

 

That's Cashplus, Whatsapp Desktop and Microsoft that have tried to inflict this on me over the past couple of weeks. I suspect the avalanche is just beginning.

 

I'm sure HTML5 will offer all sorts of improvements, but users obviously need to watch out for potential abuses within the new standards.

 

And let's hope that browser developers recognise the urgent need for users to be able to control all local storage (and anything else potentially allowing information to persist between sessions or to be used for functions which users would not appreciate) with the same ease and "granularity" currently available for the control of ordinary cookies.

Message 7 of 7
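
Added example, not part of any post in this thread: one way to check what a site has left in local storage, flagging entries that duplicate a cookie value (the pattern the thread worries could "reconstitute" cleared cookies) or that look like random identifiers. The function names, the 16-character minimum and the 3.5 bits-per-character threshold are assumptions chosen for illustration; the sample data is constructed.

```javascript
// Shannon entropy in bits per character; random identifiers score high.
function entropyPerChar(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  let h = 0;
  for (const n of Object.values(counts)) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Parse a document.cookie-style string ("a=1; b=2") into name -> value.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) jar.set(part.slice(0, i).trim(), part.slice(i + 1).trim());
  }
  return jar;
}

// Audit any Storage-like object (localStorage or sessionStorage).
// Returns one finding per entry with an approximate size and reasons flagged.
function auditStorage(storage, cookieString = '') {
  const cookieValues = new Set(parseCookies(cookieString).values());
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key) || '';
    const reasons = [];
    if (value && cookieValues.has(value)) reasons.push('duplicates-cookie-value');
    if (/^[A-Za-z0-9_-]{16,}$/.test(value) && entropyPerChar(value) >= 3.5) {
      reasons.push('looks-like-random-id');
    }
    findings.push({ key, bytes: 2 * (key.length + value.length), reasons });
  }
  return findings;
}

// Constructed sample standing in for window.localStorage and document.cookie.
function makeStorage(obj) {
  const keys = Object.keys(obj);
  return { length: keys.length, key: i => keys[i], getItem: k => (k in obj ? obj[k] : null) };
}
const sample = makeStorage({ theme: 'dark', _uid: '9f3a7c1e5b2d48a6b0c4e8d2f6a1b3c5', cart: '[]' });
const sampleCookies = 'session=abc123; _uid=9f3a7c1e5b2d48a6b0c4e8d2f6a1b3c5';
console.log(auditStorage(sample, sampleCookies).filter(f => f.reasons.length));
```

In a browser console the same check is `auditStorage(window.localStorage, document.cookie)`; cookies marked HttpOnly are not visible to script, so a duplicate of one of those would only show up under the random-identifier rule.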