Mozilla to Modify How CSS :visited Works

If you know CSS, then you know that the :visited pseudo-class is a method to determine if a user has already been to the link it targets. For example, you may have styles for a:link and a:visited in your CSS file to help users see a difference between links they've clicked and links they haven't. Combine this with the getComputerStyle method in JavaScript and an author can conceivably figure out all the sites you've visited. This issue has prompted Mozilla to announce changes to how the :visited selector will work.

The Mozilla Hacks blog outlines how these changes will affect web sites and web developers. At the high level:

• getComputedStyle (and similar functions like querySelector) will lie. They will always return values as if a user has never visited a site.
• You will still be able to visually style visited links, but you're severely limited in what you can use. Mozilla is limiting the CSS properties that can be used to style visited links to color, background-color, border-*-color, and outline-color and the color parts of the fill and stroke properties. For any other parts of the style for visited links, the style for unvisited links is used instead. In addition, for the list of properties you can change above, you won't be able to set rgba() or hsla() colors or transparent on them.

They also note some subtle changes to how selectors will work. Mozilla acknowledges that these two items might be confusing and has promised some examples in the near future.

• If you use a sibling selector (combinator) like :visited + span then the span will be styled as if the link were unvisited.
• If you're using nested link elements (rare) and the element being matched is different than the link whose presence in history is being tested, then the element will be drawn as if the link were unvisited as well.

The blog post points out a couple of areas that will probably require changes to existing sites:

• If you're using background images to style links and indicate if they are visited, that will no longer work.
• Mozilla won't support CSS Transitions that related to visitedness (I think they made that word up). There isn't that much CSS Transition content on the web, so this is unlikely to affect very many people.

Right now Mozilla cannot say what version of Firefox will get this change, but the post is intended to get us all ready for the impact in advance of that release.

Mozilla does admit that this won't fix all the potential security leaks of your browsing history (see the bug report). They do offer an option for minimizing your exposure to the other leaks, or to minimize yourself in your current release of Firefox until they get the fixes out:

...[V]ersion 3.5 and newer versions of Firefox already allow you to disable all visited styling (immediately stops this attack) by setting the layout.css.visited_links_enabled option in about:config to false. While this will plug the history leak, you'll no longer see any visited styling anywhere.

Read more:

• privacy-related changes coming to CSS :vistited
• Plugging the CSS History Leak
• Preventing attacks on a user's history through CSS :visited selectors
• Bug 147777 - :visited support allows queries into global history
• What the Internet knows about you. This page checks your browser history and determines which of the 5000 most popular Internet websites you've recently visited.

Read More

Google to Let Users Opt Out of Analytics Tracking

Given all the flak Google has taken recently (see my post yesterday, More Social Media Privacy News), I wasn't too surprised to see this headline come through from ReadWriteWeb: Google Will Soon Allow You to Opt Out of Google Analytics Tracking.

In a blog post from yesterday (More choice for users: browser-based opt-out for Google Analytics on the way), Google announced that it will be offering a browser plug-in to opt out of having their data tracked by Google Analytics. From the blog post:

...[W]e have been exploring ways to offer users more choice on how their data is collected by Google Analytics. We concluded that the best approach would be to develop a global browser based plug-in to allow users to opt out of being tracked by Google Analytics. Our engineers are now hard at work finalizing and testing this opt-out functionality.

I suspect this is more of a PR move than anything. Google Analytics is really just a method to track how anonymous users access your site — from what search terms or related site they came, what pages they visited, how long they spent, their click path, etc. None of this information exposes personal details and is even forbidden by their privacy policies. Check out the Google Analytics product tour for a quick overview.

What Google Analytics offers is not much different than what you get from a WebTrends report. And that data already exists in your own web server logs. In fact, Google Analytics cannot track anything if you don't have JavaScript enabled on your browser, making it impossible to track many mobile devices. Granted, you can get an overlay view of a page showing where users clicked in Google Analytics, which you cannot get in products that rely solely on the web server logs, but that isn't necessarily the key selling point. The fact that it is free is its strongest point. It also has swell reports.

The user who cares enough to download and install the plug-in may come from one of two camps:

1. He/she is already concerned about privacy and may even use anonymous proxy services to surf with an alternate IP address;
2. He/she has been told that Google is tracking his/her every move (again, recent press) and perhaps grabs this as a response (or has it installed by a friend or family member).

These users make up such a small portion of the surfing world that it probably won't impact the typical site. I doubt there will be a noticeable drop in data points in the Analytics reports of many sites. Others have posited that this move might make it easier to block internal users data from a company site (which can skew results) as opposed to blocking the IP range in the Analytics configuration screen. They fail to take into account how unpleasant it will be to administer (install and support) all those random plug-ins. No IT guy should be interested in that model at all.

The paranoid out there may feel that Google is tracking enough information about everybody, and while I don't disagree, trusting Google to release a plug-in to stop Google in Google's tracks seems like a flawed and circular argument. The truly paranoid shouldn't trust the plug-in to do what it says. I genuinely hope those conspiracy theorists aren't running Google Chrome, because the same argument applies.

If you really want to surf anonymously, run Netscape Navigator 2 or version 3 with JavaScript disabled through an anonymous proxy. From a cave. Perhaps Google will release a plug-in for those browsers?

ReadWriteWeb included this Onion parody in their story, and I just had to steal it to post here. It's too good to pass up (sorry about the scaling).

Google Opt Out Feature Lets Users Protect Privacy By Moving To Remote Village

Read More

More Social Media Privacy News

Yesterday the Wall Street Journal technology blog posted an article titled Google Buzz Exemplifies Privacy Problems, FTC Commissioner Says. The outgoing FTC Commissioner said that technology companies, specifically Google, are being too cavalier with the personal data of consumers. While qualifying her remarks as not official FTC comments, she said that the launch of Google Buzz was irresponsible conduct on the part of Google.

If you don't know to what she is referring, here's the greatly simplified breakdown. When Buzz launched, Google wanted to get people into it quickly and get them connected to their friends. To do this, Google essentially scoured your Gmail contacts and set them up as "friends" in this new service, allowing them to be seen as such by the general public. The awkward social case where this is a problem is when you use your Gmail account to court someone who isn't your spouse or significant other. In the professional world, reporters could instantly have their connections to otherwise anonymous sources or informants exposed. There was a firestorm of anger from users and Google quickly scrambled to close that gaping hole, as well as some others.

That the FTC commissioner specifically calls out Google, so recently in the news for this fiasco, doesn't let others off the hook. Facebook has been through its share of privacy dust-ups with users as it keeps pushing to make everything public.

Google Buzz also got its share of abuse at the SXSWi keynote speech by Danah Boyd, a Social Media Researcher at Microsoft Research New England and Fellow at Harvard University's Berkman Center for Internet and Society. SXSW is precisely the event where a product/service like Buzz should be shining, as was the case for Foursquare last year, and not getting panned. Facebook got its share of a thumping in her speech, too, as she cited users who inadvertently adopted more public settings.

Meanwhile, in the world of sharing too much for robbers and stalkers, the world of geo-tagged and location-aware services saw a bit of a jump. Mashable reports that Foursquare Adds Almost 100,000 Users in 10 Days. To be clear, there weren't 100,000 people at SXSW, and many of those people already had Foursquare accounts anyway.

Apparently people have no problem sharing personal, potentially risky, bits about their lives. Just as long as they pick and choose what to share, that is. The FTC cannot regulate poor decision making skills by consumers, but it can at least step in when a company goes too far and just burps out lots of private data. For everyone else, I recommend you read the safety tips in my post Don't Let Social Media Get You Robbed (or Stalked) from earlier this month.

Related news bits:

• Google Buzz: Privacy nightmare at Cnet on February 10, 2010.
• WARNING: Google Buzz Has A Huge Privacy Flaw at Silicon Alley Insider on February 10, 2010.
• Facebook's Privacy Changes Draw More Scrutiny at the New York Times technology blog on December 10, 2009.
• Facebook Privacy Complaint Ignites War of Words at PCWorld on December 17, 2009.
• Google Buzz Gets Some Serious Privacy Tweaks at Mashable.
• FTC on Google Buzz: Consumer Privacy Cannot Be Run in Beta at Mashable.
• SXSW 2010: Google and Facebook failed on privacy, says Danah Boyd at the Telegraph blogs on March 14, 2010.
• Facebook To Pay $9.5 Million in Privacy Settlement at ReadWriteWeb on March 18, 2010.

Read More

Bar Codes as Web Portals

The same night my article about QR codes (Real World Hyperlinks) goes up on evolt.org, TechCrunch posts an article about a company using bar codes in a novel way — The Secret Lives Of Objects: StickyBits Turn Barcodes Into Personal Message Boards.

StickyBits, the name of the company and product, is based on the ubiquity of bar codes in everyday life. If you have an iPhone or Android phone, you'll be able to download an app that reads bar codes off anything and allows you to attach notes (comments, videos, URLs, etc.) to that bar code. If you are the first person to scan that code, then all new scans can only add to that, allowing for some interesting community discourse. This is a different implementation than a QR code, which doesn't come on every item on earth and must be generated and printed with a certain value (such as a URL) already embedded.

In the TechCrunch article, the author gives an example of scanning a bar code off a greeting card and attaching a note for the recipient to find. What the example doesn't mention is what happens when you have millions of cards using the same code and a few people trying to post his/her own message "on" one particular card.

Each scan is also geo-tagged, which means the location where you scanned the code will be tracked. You can track the movement of an item, if not the people who held on to it. Think Where's George?, but easier to implement (since currency doesn't come with bar codes).

StickyBits also sells packs of vinyl bar code stickers so that you can tag things in the real world, too. The advantage to using them is that people will likely understand that there is a reason someone posted one, and will hopefully scan it to check it out.

In my article on QR codes I talked about the Google Favorite Places stickers and how those would be a great way to hook into Foursquare and other geolocation social media applications. The StickyBits app will give you the option to check into the place where you are standing (or sitting) by scanning the bar code. This assumes there is a place in Foursquare and the bar code is also checked in there. StickyBits also supports broadcast to Twitter and Facebook.

I'll reserve comments about how the StickyBits web site has very little plain-text content on it, violating lots of accessibility rules, along with other best practices in web development failures...

Read More

FourWhere: The Spawn of Google Maps and Foursquare

Both ReadWriteWeb (FourWhere Mashes Up Foursquare and Google Maps) and Mashable (Foursquare + Google Maps = FourWhere) are covering the emergence of a new service/site/product called FourWhere. The concept here is very simple — take Foursquare locations and feed them into Google Maps, providing a simple view of all the venues in an area.

Click for a larger view.

FourWhere takes it a little further, however, and allows you to filter venues so that you only see venues with tips. This is particularly handy to help filter out all the gas stations and office locations that I just don't care about. In addition, I can click on a venue to see all the tips/comments associated with it, making it much easier to make a decision about where I might want to go (or avoid).

Click for a larger view.

The site launched today and is running slowly, probably owing to a spike in traffic from the press it received and/or my browser's distaste for Java.

If you read my post Don't Let Social Media Get You Robbed (or Stalked), then now might be a great time to make sure people aren't submitting your home address to Foursquare and leaving tips about your nice new TV.

Read More

"Real World Hyperlinks" Article at evolt.org

You may be wondering what this graphic means. Perhaps it's your first time seeing it, but perhaps you've seen it here and there and not understood its significance. It is called a Quick Response Code, or QR code. If you've got a cell phone camera and a reader (many already do), then you can use this little guy as a hyperlink in the real world.

I've got more history, examples, suggestions, and even a glimpse at the competing code Microsoft is pushing all in my new article over at evolt.org: Real World Hyperlinks

Read More

YouTube Opens Auto-Captioning to All

Image of the captions in use on President Obama's speech about the Chile earthquake.

If you've been reading my blog for a while now then you may have noticed my post back in November titled YouTube Will Automatically Caption Your Video. In that post I talked about YouTube leveraging Google Voice and its speech recognition features to automatically generate video captions. That feature was only available to a subset of all YouTube users, a "small, select group of partners."

On Thursday YouTube announced it will open that feature to all YouTube users (The Future Will Be Captioned: Improving Accessibility on YouTube). In reading the post on the YouTube blog, it looks like they will be working through all the videos on YouTube. Video owners who want to speed up the availability of auto-captions on their videos can click a "request processing" button, hopefully dropping it into a queue. However, since it's a free service, I wouldn't expect them to set a deadline with you.

The blog post lists a few things to keep in mind:

• While we plan to broaden the feature to include more languages in the months to come, currently, auto-captioning is only for videos where English is spoken.
• Just like any speech recognition application, auto-captions require a clearly spoken audio track. Videos with background noise or a muffled voice can't be auto-captioned. President Obama's speech on the recent Chilean Earthquake is a good example of the kind of audio that works for auto-captions.
• Auto-captions aren't perfect and just like any other transcription, the owner of the video needs to check to make sure they're accurate. In other cases, the audio file may not be good enough to generate auto-captions. But please be patient — our speech recognition technology gets better every day.
• Auto-captions should be available to everyone who's interested in using them. We're also working to provide auto-captions for all past user uploads that fit the above mentioned requirements. If you're having trouble enabling them for your video, please visit our Help Center: this article is for uploaders and this article is for viewers.

The obvious benefit here is the ability to satisfy accessibility requirements and open your content to a broader audience. This also can help in your ability to search for videos with appropriate content since the captions live in a separate text file that is pulled into the video, all powered by Google. In addition, with Google's free translation services, it will be far easier to translate videos into multiple languages, reaching an even larger audience.

Read More

W3C Releases 7 HTML-related Documents

The W3C has announced today that it has published seven documents related to HTML. I'm going to cheat and just bring in their description:

• HTML 5 and HTML5 differences from HTML4. In addition, some content that was part of the HTML 5 specification has been published in two new standalone drafts: HTML Canvas 2D Context and HTML Microdata.
• HTML: The Markup Language, a first draft. This document describes the HTML markup language and provides details necessary for producers of HTML content to create documents that conform to the language. By design, it does not define related APIs, nor attempt to specify how consumers of HTML content are meant to process documents, nor attempt to be a tutorial or "how to" authoring guide.
• HTML+RDFa, which defines rules and guidelines for adapting the RDF in XHTML: Syntax and Processing (RDFa) specification for use in the HTML5 and XHTML5 members of the HTML family.
• Additional Requirements for Bidi in HTML, a first draft. Authoring a web app that needs to support both right-to-left and left-to-right interfaces, or to take as input and display both left-to-right and right-to-left data, usually presents a number of challenges that make it an especially laborious and bug-prone task. Some of these are due to browser bugs, but some can be traced to a gap in the specification of the bidirectional aspects of a given HTML feature. And some of these challenges could be greatly simplified by adding a few strategically placed new HTML features. This document proposes fixes for some of the most repetitive pain points.

Don't let this trick you into thinking that HTML5 is official. It's not. HTML5 is still a draft. Let me repeat. HTML5 is still a draft. However, knowing the direction of HTML5 will make it easier for you to implement it, convert sites, and ultimately convert your existing skills. If you are already building sites using this draft of HTML5 for a browser market that doesn't yet support it, then good for you. Regardless, the two documents that you should pay attention to as you go down this path are HTML5 differences from HTML4 (W3C Working Draft 04 March 2010) and HTML: The Markup Language (W3C Working Draft 4 March 2010).

Related post:

• Too Soon to Advocate HTML5?, posted on this very blog.

Read More

RIP IE6 (Not Really, But Here's to Hoping)

CNN is reporting on a funeral today for Microsoft Internet Explorer 6. The funeral is in Denver, Colorado, so I will not be attending.

That the mainstream press is covering this is good news — somebody out there in the non-tech world understands that is newsworthy, even if only to a niche audience. Not that the funeral is newsworthy, but that causes pushing for the demise of IE6 is newsworthy. Granted, this is not tied to any official campaign to kill off IE6, but it is a fun way to draw attention to an annoyance many of us face.

Many people (web sites, developers, forums, etc.) have been calling for the demise of IE6 in some way for quite a while now. Google joined the fray (Modern browsers for modern applications, from the Google blog) when they announced that they would phase out support for IE6 in Google Docs and Google Sites as of March 1 (just a few days ago, the date on the grave stone). You can see other sites (far smaller, for the most part) who are trying to push IE6 out to pasture, just visit ie6nomore.com. Whether or not this will speed the end of IE6's reign is to be seen. Catch up on some anti-IE6 articles at Mashable using their IE6 Must Die tag. My post showing January 2010 browser stats broke down the IE versions thusly (what a fun and odd word):

Internet Explorer is the troubling one in the mix. IE8 is now up to 22.31% of the market, but IE6 still beats out IE7 (20.07% and 14.58%, respectively). That equates to 1 in 5 users is still surfing on IE6, known for its security holes and buggy rendering.

That I haven't seen this event fly through my regular flurry of tweets and RSS updates from web developers and developer sites is a bit startling, but this is a small, very local affair after all.

If you are interested in attending (and are in Denver), or just want to enjoy the humor, go visit the IE6 Funeral site. There is a Twitter feed (@ie6funeral) in case you are interested what I can only hope are live tweets throughout.

Read More

Don't Let Social Media Get You Robbed (or Stalked)

If you are one of the millions of people using social media to report where you are, you may have been tuned in to all the buzz lately about the site Please Rob Me. The concept is very simple, when you use applications like Gowalla, Foursquare, Brighkite, Loopt or anything else that broadcasts your location, you run the risk of telling the world that you aren't at home and it's ripe for the picking. You can compound it by advertising to potential stalkers (not much of an issue for me, but certainly if you're popular).

The geolocation features built into these applications not only tell people where you are, but if they have any familiarity with you, the area, or just spend a few minutes reading your history, they can pretty quickly posit for how long you will be away. This isn't limited to just geolocation-broadcasting services — you can just as easily use Twitter or Facebook (among others) to inadvertently tell people you are away from home or at a particular place.

That it took all the press around the Please Rob Me site to cause people to consider this is almost laughable. Granted, the site is pretty overt in how it conveniently aggregates all the data for visitors, but it's not doing anything that an interested party couldn't do on his or her own in a few minutes. All the site does is show all the Tweets from Foursquare users as they check in — not very complex. To quote from its Why page:

The danger is publicly telling people where you are. This is because it leaves one place you're definitely not... home. So here we are; on one end we're leaving lights on when we're going on a holiday, and on the other we're telling everybody on the internet we're not home.

So how can you enjoy social media with geolocation features and still minimize your risk?

Techniques for Safe Check-ins

These are just three options. I employ each of these and find them fairly easy to follow. None of these will stop the old fashioned thief (who doesn't use social media), but they can make it a little harder for those casing you online.

Time Shift

Remember, you don't have to check in to a location as soon as you get there.

Let that sink in for a moment. I see people check in to locations as soon as they walk in the door, but they don't need to. Sure, you may not get the immediate benefit of knowing which of your friends might be nearby, but maybe you should sort that out in advance.

For example, I am known among my friends for posting photos of my meals through Brightkite. What many of them don't realize is that I often check in to a location after I have already left or (if it's near my house) as I am leaving. This has caused a couple awkward moments when a nearby friend is notified of my proximity and comes looking for me.

Hide Your Check-ins

Hide your check-ins from all but your trusted friends. And I don't mean those Facebook friends who you met once while in a mosh pit or that you haven't seen since second grade.

You don't need to Tweet to the entire world where you are. Sure, if it's a major event and you want to brag then go for it, but understand the risk. If you Tweet or check in for every morning visit to the local coffee hut, not only will people know where you are right now, you will be telling them where you are tomorrow or next week. Establishing a pattern of behavior makes it easy for someone to predict your moves.

Consider hiding your Foursquare check-ins and not Tweeting every one; you can still participate in the overall game. Lock down your Facebook profile from the general public. Consider disabling the geotagging from third-party applications that feed to Twitter.

Get a House Sitter

Some of you may be aware that I was just in Houston speaking at a conference. I was more than happy to post my progress via Foursquare check-ins, Brightkite photos, and an assault of Tweets. Anybody could have wandered over to my house for some pillaging, but would have been surprised to find that someone was already there. In fact, I was able to split the duties across two people, so it was better populated than when I am in town.

If you have the luxury of a roommate, house sitter, guard dog, militia, etc., then you may be in good shape already. But consider whether that person at your house is someone you want to put at risk (granted a rather remote risk), or if that person is comfortable with being on watch.

Related articles:

Continue to read up, you may come up with some ideas that work better for you than my suggestions.

• The dark side of geo: PleaseRobMe.com at CNET.
• Are We All Asking to Be Robbed? at Mashable.
• Google Buzz: Privacy nightmare at CNET.
• Facebook Privacy Complaint Ignites War of Words at PCWorld.
• Twitter Your Way to Getting Robbed at Mashable.
• HOW TO: Make Your Small Business Geolocation-Ready at Mashable.
• How Robbers Did Their Dirty Deeds Before Foursquare at Mashable.
• Friday Poll: Do Location Check-In Services Freak You Out? at Mashable.

Read More