HyperText Transmission Protocol

World Wide Web Consortum: The maintainers of the HTTP standard

Back to catalog

HTTP is a protocol usually used for transferring HyperText Markup Language documents accross the internet.

Spyware Level: Medium

HTTP is a protocol that is not designed with the privacy of its users in mind. The language used in the HTTP specification explicitly says that the protocol was designed with enabling the datamining of its users in mind, and contains features that are not absolutely necessary for the purpose of the protocol, but allow the protocol compromise user privacy.

"User-Agent" Datamining feature

Section 14.43[1] of the HTTP specification details the "User-Agent" spyware feature of the protocol that, when implemented, will attach information about your computing enviroment that can be used to track you. The biggest danger of the User-Agent spyware is that there is no way to anonymously opt-out of this- even if you do not provide a user-agent, because almost everyone else does, you will be tracked by the fact that you do not provide that information. There are many strategies to mitigate this spyware, with only varying levels of success, but the problem is that this is the acceptable standard of how HTTP is used- and not the forgotten feature that it should be. Not only does the User-Agent feature collect this unncessary information, its purpose is explicitly stated in the protocol specifications to aid in datamining.

"The User-Agent request-header field contains information about the user agent originating the request. This is for statistical purposes, the tracing of protocol violations, and automated recognition of user agents for the sake of tailoring responses to avoid particular user agent limitations. User agents SHOULD include this field with requests. "

Acknowledgement of HTTP's privacy problem

In the HTTP specification, the W3C explicitly acknowledges the serious privacy violations that implementations of this protocol are capable of comitting. Section 15.1[2] of the HTTP specification has a very detailed analysis of the implications of the comprimization of privacy that the User-Agent spyware allows to happen and suggests how to use the User-Agent feature: as an opt-in feature where the privacy concerns of using such a feature are properly explained to the user. Even though this is a good section, it shows a very naieve viewpoint from the W3C- the expectation that this feature would not be abused, and the expectation that implementers of this standard would respect the privacy of their users and would not use these features of the protocol to datamine users.

At best, you could call this mindset naieve. Or, you could call it negligent. If you want to hold the W3C in contempt, you could call it malicious. It's easy to write in your standard that while you could use this protocol to monitor the behavior of users, you should ask for their permission. But once that standard is widely implemented, and is widely used for the exact malicious purpose that was acknowledged in its specification, who's fault is that?


1. Section 14 of the HTTP/1.1 Specification [webarchive.loc.gov] [web.archive.org] [archive.is] [webarchive.nrscotland.gov.uk] [www.webcitation.org] [arquivo.pt] [veebiarhiiv.digar.ee] [webarchive.proni.gov.uk]
2. Section 15 of the HTTP/1.1 Specification [webarchive.loc.gov] [web.archive.org] [archive.is] [webarchive.nrscotland.gov.uk] [arquivo.pt]

This article was last edited on 5/14/2018

If you want to edit this article, or contribute your own article(s), email me at spyware@aaathats3as.com. All contributions must be liscenced under the CC0 liscence to be accepted.

CC0 Liscence