Deep Session Control – proposed browser feature to increase privacy

As you probably know, a Web cookie is a small bit of information (typically a server-generated ID number) a Web site can store on your computer to read back on any subsequent visits, even years later. Currently, the major browsers support making all cookies “session-only” (even if the site sends them with an expiration date 200 years into the future), where a session is defined as the time from when you open your first browser window to when you close the last one (i.e. terminate the browser completely). In my book, this is the best thing to happen to browser privacy settings in years. With this setting, when you close the browser at the end of the day, all the tracking cookies used by marketing sites, etc., go away. Every logon is a fresh start.

Google Chrome and IE add a tab-grouping feature, in which the browser maintains awareness of the path you took to get to a particular page (shown in a tab) – if you click a link from one page to another and open it into a new tab, the tabs are grouped next to each other. If you created a new tab from scratch for some unrelated surfing, it’s not grouped with any existing tabs. This makes sense.

It also begs a logical extension. If the browser can now differentiate between related and unrelated “threads” of surfing, it could also allow enhanced privacy by preventing sites from sharing information between threads. (By “thread”, I mean an uninterrupted stream of link clicks in a single browser window/tab or its parent tabs.) Typing a new URL into the address bar, being diverted to a different site via non-click means (e.g. Javascript tricks), or closing the window/tab, ends the current thread and begins a fresh new thread. In this proposed feature, ending a thread destroys any information (cookies, etc.) it contains, at least from the Web site’s point of view. (This is the exact opposite of Chrome’s current “incognito mode” behavior, which prevents history and other data from being saved on your machine, but doesn’t do anything to limit 3rd-party sites from cross-service and cross-domain sharing.)

Currently, any Web site can store and retrieve any cookie data (as long as it originated from its own domain), at any time. A common scenario: The first thing you do in the morning is open a browser and log into your GMail account. Throughout the day, you’re performing various unrelated Google searches, all in different windows/tabs. You could have even read 1 email and then closed the mail window/tab early in the day. All of your search history is now permanently tied to you via your GMail account (if you have a login for GMail or other Google services, have a look at http://www.google.com/history/?hl=en). Persistent user data is tied to the browser as a whole, not the browser window. In other words, the page loaded in window #2 can see what you’re doing in window #1, so long as the domain-access rules are met. Remember, any *.example.com page/site/service can retrieve data (e.g. a uniquely identifying cookie) set by any other *.example.com page/site/service – and if it can tie any one of these bits to a more stable form of identification (in this example, your email login), all of it now can be tied there. It’s entirely possible that you don’t want all these unrelated bits of information collected permanently, in a trivially subpoena-able form, securely notarized (via your login/password and most likely SSL) as uniquely and provably your own. Anymore, many sites absolutely require cookies to function, so blocking them outright is not a solution.

2nd example: You’re reading an article on some medical site about some arbitrarily embarrassing personal malady. The site has ads, which are embedded into the page from a large 3rd-party ad conglomerate (say “evilclick.net”). You close this window and go about your daily surfing. Three hours later, you’re showing a cluster of co-workers something you found on Spamazon.com and still all the ads being served up are for embarrassing personal cremes and lotions. Spamazon.com, like 90% of web sites, uses evilclick.net as its ad provider. Since the ads themselves all come from the same place (regardless of all the different sites they actually appear on), evilclick.net has permissions to read/write cookies and track the user’s movement across all these sites. The proposed approach would help curtail such cross-site sharing.

This concept, although not foolproof, would provide enhanced privacy and deniability for Web usage data. A service would then be limited to trying to correlate data to a user’s IP address, which is harder to hide, but also is much less reliable at identifying a specific user. Currently, via proxy servers and proxy-based anonymizers (such as Tor) a user’s IP could change on every request, and thousands of users could share the same IP (e.g. through an ISP’s caching proxy, or any NAT such as a home wireless router, etc.). A service could at best “guess” an x% probability that various requests might come from the same user, but could not verify it.

Leave a Reply