New web code has ways to see what users do online

Worries over Internet privacy have spurred lawsuits, conspiracy theories and consumer anxiety as marketers and others invent new ways to track computer users on the Internet. But the alarmists have not seen anything yet.

In the next few years, a powerful new suite of capabilities will become available to Web developers that could give marketers and advertisers access to many more details about computer users’ online activities. Nearly everyone who uses the Internet will face the privacy risks that come with those capabilities, which are an integral part of the Web language that will soon power the Internet: HTML 5.

The new Web code, the fifth version of Hypertext Markup Language used to create Web pages, is already in limited use, and it promises to usher in a new era of Internet browsing within the next few years. It will make it easier for users to view multimedia content without downloading extra software; check e-mail offline; or find a favourite restaurant or shop on a smart phone.

Most users will clearly welcome the additional features that come with the new Web language.

“It’s going to change everything about the Internet and the way we use it today,” said James Cox, 27, a freelance consultant and software developer at Smokeclouds, a New York City startup company. “It’s not just HTML 5. It’s the new Web.”

But others, while also enthusiastic about the changes, are more cautious.

Most Web users are familiar with cookies, which make it possible, for example, to log on to websites without having to retype user names and passwords, or to keep track of items placed in virtual shopping carts before they are bought.

The new Web language and its additional features present more tracking opportunities because the technology uses a process in which large amounts of data can be collected and stored on the user’s hard drive while online. Because of that process, advertisers and others could, experts say, see weeks or even months of personal data. That could include a user’s location, time zone, photographs, text from blogs, shopping cart contents, e-mails and a history of the Web pages visited.

The new Web language “gives trackers one more bucket to put tracking information into,” said Hakon Wium Lie, the chief technology officer at Opera, a browser company.

Or as Pam Dixon, the executive director of the World Privacy Forum in California, said: “HTML 5 opens Pandora’s box of tracking in the Internet.”

The additional capabilities provided by the new Web language are already being put to use by a California programmer who has created what, at first glance, could be a major new threat to online privacy.

Samy Kamkar, a California programmer best known in some circles for creating a virus called the “Samy Worm,” which took down in 2005, has created a cookie that is not easily deleted, even by experts – something he calls an Evercookie.

Some observers call it a “supercookie” because it stores information in at least 10 places on a computer, far more than usually found. It combines traditional tracking tools with new features that come with the new Web language.

In creating the cookie, Kamkar has drawn comments from bloggers across the Internet whose descriptions of it range from “extremely persistent” to “horrific.”

Kamkar, however, said he did not create it to violate anyone’s privacy. He said was curious about how advertisers tracked him on the Internet. Kamkar, whose 2005 virus circumvented browser safeguards and added more than a million “friends” to his MySpace page in less than 20 hours, said he had no plans to profit from the Evercookie and did not intend to sell it to advertisers.

A recent spate of class-action lawsuits has accused large media companies like the Fox Entertainment Group and NBC Universal, and technology companies like Clearspring Technologies and Quantcast, of violating users’ privacy by tracking their online activities even after they took steps to prevent that.

Most people control their online privacy by adjusting settings in today’s most common Web browsers, which include Internet Explorer by Microsoft, Firefox by Mozilla, Safari by Apple and Opera, which is used mostly in Europe and Asia and on mobile devices.

Each browser has different privacy settings, but not all of them have obvious settings for removing data created by the new Web language. Even the most proficient software engineers and developers acknowledge that deleting that data is tricky and may require multiple steps.

Kamkar and privacy experts say that companies like Microsoft and Firefox should agree on one control for eliminating all tracking capabilities at once. “There should be simple enough controls to take care of every single thing,” said Dixon, who added that some browsers automatically collected large amounts of data unless a user told them not to.

Lie acknowledged that such companies “do have a lot of power.” But he said they worry that if the privacy settings they develop are too strict, they could make it difficult for users to see things like movies. For example, he said Opera once tried to put more controls on certain types of cookies, but users in Russia complained that the controls prevented a popular social networking site from working properly.

Representatives from the World Wide Web Consortium say they are taking questions about user privacy very seriously. The organization, which oversees the specifications developers turn to for the new Web language, will hold a two-day workshop on Internet technologies and privacy.

Ian Jacobs, head of communications at the consortium, said the development process for the new Web language would include a public review. “There is accountability,” he said. “This is not a secret cabal for global adoption of these core standards.”

Support local journalism. Subscribe to the all-access pass for the Cayman Compass.

Subscribe now