interesting-people message



Subject: [IP] Re: PRIVACY ISSUE WITH the new White House web site? CORRECTION




Begin forwarded message:

From: Steven Champeon <schampeo@hesketh.com>
Date: January 21, 2009 1:49:42 PM EST
To: David Farber <dave@farber.net>
Cc: Karl Auerbach <karl@cavebear.com>
Subject: Re: [IP] PRIVACY ISSUE WITH the new White House web site? CORRECTION


For IP, if you wish.

on Wed, Jan 21, 2009 at 11:38:23AM -0500, David Farber forwarded:
From: Karl Auerbach <karl@cavebear.com>
Date: January 21, 2009 11:09:30 AM EST

<snip>

That's a lot of stuff, much of it. Some of it obvious - such as my
screen resolution, whether I've got Microsoft Silverlight. But a lot
of it is opaque to me. Webtrends gets to see this, to keep it, to
aggregate and cross-link it with other data, and to sell it to others,
with no visible constraint from the whitehouse.gov privacy policy.

I'm not arguing with the question of whether or not it's a privacy
violation or worthy of documentation for WebTrends to know your
browser window size at the time of a visit to whitehouse.gov, but if
you're curious about the gory details being leaked, it's all in the
JavaScript file used to create the string:

http://www.whitehouse.gov/includes/webtrends.js

dcssip: the window.location.hostname (whitehouse.gov)
dcsuri: window.location.pathname (the bit after the / in the URL)
dcsref: the referring URL (the URL that linked to this page)
dcscfg: always set to '1', apparently
WT.co_f: if you have a WebTrends cookie, this contains its id
WT.vtid: also the id
WT.vtvs: time since last visit
WT.tz: your time zone
WT.bh: the current hour
WT.ul: "user language", or what your browser is set to accept
WT.cd: color depth in bits
WT.sr: screen resolution
WT.jo: is Java enabled?
WT.ti: the title of the current page
WT.js: is JavaScript enabled (kind of a stupid data point, really)
WT.jv: JavaScript version supported by the browser
WT.ct: connection type, if known (wireless?)
WT.bs: browser viewport size
WT.fv: Adobe Flash version
WT.slv: Microsoft Silverlight version
WT.tv: always "8.6.0", probably WebTrends script version
WT.dl: always 0, not sure what this is
WT.ssl: whether the site was accessed using SSL / https
WT.es: full hostname and path (dcssip + dcsuri)
WT.vt_f_tlh: the current time

Also, if you have a query box, the script will include whatever string
was in the box (presumably to correlate search terms and the sites that
you navigate to subsequently). That's pretty much the *only*
privacy-cringe-inducing thing I see aside from the pure aggregate
information you can presumably derive from this (being able to track
your visits online via advertising network cookies being a much more
serious issue, IMHO).

And frankly, that JavaScript can access the text in the query box is
more a serious security flaw in JavaScript; that the White House Web
developers might want to know when it's safe to use Flash or whether
they should bother to use the 216-color Web-safe palette when designing
their images, or what search terms are being used to find what content
on the site is part of how any sane and effective Web developer
operates. Yes, it should be acknowledged in the privacy policy. But
I don't see, query box issue aside, what the big deal is.

Steve

--
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/
antispam news, solutions for sendmail, exim, postfix: http://enemieslist.com/
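
Added example, not part of the original message and not WebTrends code: a small auditor that sorts the parameters of a captured beacon URL into the groups the list above describes, checks the values the message reports as fixed, and surfaces anything the list does not cover (such as query-box text). The collector host and path, the cookie id and the parameter name `X.search_box` are constructed for illustration.

```javascript
// Added example: sort the parameters of a WebTrends-style beacon URL into the
// groups described in the message. The grouping itself is this example's choice.
const GROUPS = {
  page: ["dcssip", "dcsuri", "dcsref", "WT.ti", "WT.es", "WT.ssl"],
  identifier: ["WT.co_f", "WT.vtid"],
  timing: ["WT.vtvs", "WT.tz", "WT.bh", "WT.vt_f_tlh"],
  browser: ["WT.ul", "WT.cd", "WT.sr", "WT.jo", "WT.js", "WT.jv", "WT.ct",
            "WT.bs", "WT.fv", "WT.slv"],
  constant: ["dcscfg", "WT.tv", "WT.dl"],
};
// Values the message reports as fixed.
const FIXED = { dcscfg: "1", "WT.tv": "8.6.0", "WT.dl": "0" };

function auditBeacon(beaconUrl) {
  const params = new URL(beaconUrl).searchParams; // percent-decoding handled here
  const groupOf = new Map();
  for (const [group, names] of Object.entries(GROUPS)) {
    for (const name of names) groupOf.set(name, group);
  }
  const report = { undocumented: {}, notes: [] };
  for (const group of Object.keys(GROUPS)) report[group] = {};
  for (const [name, value] of params) {
    // Anything not in the message's list (e.g. query-box text) is surfaced separately.
    report[groupOf.get(name) || "undocumented"][name] = value;
  }
  for (const [name, expected] of Object.entries(FIXED)) {
    if (params.has(name) && params.get(name) !== expected) {
      report.notes.push(`${name}=${params.get(name)}, message says ${expected}`);
    }
  }
  // The message describes WT.es as dcssip + dcsuri; flag a beacon where it is not.
  const joined = (params.get("dcssip") || "") + (params.get("dcsuri") || "");
  if (params.has("WT.es") && params.get("WT.es") !== joined) {
    report.notes.push(`WT.es=${params.get("WT.es")} differs from dcssip+dcsuri`);
  }
  return report;
}

// Constructed sample: host, path, cookie id and "X.search_box" are made up.
const SAMPLE = "https://collector.example/dcs.gif?" + new URLSearchParams({
  dcssip: "www.whitehouse.gov", dcsuri: "/briefing_room/",
  dcsref: "http://www.example.org/links.html", dcscfg: "1",
  "WT.co_f": "constructed-id", "WT.vtid": "constructed-id", "WT.tz": "-5",
  "WT.sr": "1280x1024", "WT.tv": "8.6.0", "WT.dl": "0",
  "WT.es": "www.whitehouse.gov/briefing_room/",
  "X.search_box": "constructed search text",
}).toString();
console.log(JSON.stringify(auditBeacon(SAMPLE), null, 2));
```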



