#whatwg
2011-06-03
plaintext logs
prev next
source on github
00:58
<Hixie>
foolip: yt?
00:58
<Hixie>
or anyone who has opinions on video really
00:58
<Hixie>
consider a video that has one frame per minute
00:58
<Hixie>
with lots of audio
00:59
<Hixie>
the UA manages to download half of this file, but stops exactly on the boundary between two frames
00:59
<Hixie>
so it has frames 1 and 2, say, along with their audio, but doesn't have frame 3 or any of its audio
00:59
<Hixie>
where should playback stop? as frame 3 starts, or as frame 2 starts?
01:00
<Hixie>
i presume "as frame 3 starts"
01:00
<Hixie>
hmm
01:07
<nessy>
yes, I think so
01:07
<nessy>
what's the consequence? where are you changing things?
01:07
<zewt>
Hixie: you should print all of your batch emails and sell the Hixie-opedia
01:09
<Hixie>
nessy: just trying to clean up a mess i did a few months ago
01:09
<Hixie>
zewt: he
01:09
<Hixie>
h
01:09
<nessy>
yeah, your batch emails are epic :-)
01:10
<Yuhong>
I posted a bit about the history of presentational markup on Slashdot:
01:10
<Yuhong>
http://slashdot.org/comments.pl?sid=2201100&cid=36304692
01:17
<zewt>
quote on the left page, hixie response on the right; flip through and see how many pages just say "indeed" :)
01:20
<Yuhong>
zewt: What are you referring to?
01:20
<zewt>
just the hixie-indeed :P
01:21
<nessy>
Hixie: as you just looked at chapters/captions etc - I just noticed in http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#sourcing-out-of-band-text-tracks a weird action
01:21
<nessy>
where chapters are turned on, it says:
01:21
<nessy>
"If there is a http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#text-track in the http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#media-element's http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#list-of-text-tracks whose http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#text-track-mode is http://www.whatwg.o
01:22
<Hixie>
um
01:22
<Hixie>
can you paste that without hte urls? :-)
01:22
<nessy>
ah damned Adium
01:22
<nessy>
If there is a text track in the media element's list of text tracks whose text track mode is showing by default, the user agent must furthermore change that text track's text track mode to hidden.
01:23
<nessy>
I read that as: when a chapter track is turned on it turns off all other tracks
01:23
<nessy>
no matter what kind they are
01:23
<nessy>
is that intended?
01:23
<Yuhong>
zewt: I mean, what page are you referring to?
01:24
<zewt>
err, any of hixie's Big Emails
01:24
<zewt>
(it was just a random comment as I'm reading through one of said Emails, there was no deeper meaning, heh)
01:25
<Hixie>
nessy: looking
01:26
<Hixie>
nessy: hm yeah that's bogus. will fix.
01:26
<nessy>
ta
01:28
<Hixie>
fixed.
01:30
<nessy>
also a question: what happens when there are more than one chapter track - is none of them enabled or the first one?
01:38
<Yuhong>
". They seem to work with HTML, because text/html user agents are lenient and try to cope with broken HTML. The most common mistakes involve not escaping markup-significant characters or escaping them twice."
01:39
<Yuhong>
What do you think most XSS attacks come from?
01:39
<Hixie>
nessy: that seems to be defined by those steps already
01:39
<Hixie>
nessy: is it not clear?
01:40
<nessy>
Hixie: I assume when there are more then one, none is active - that's how I read it
01:40
<Yuhong>
Of course, there is also the U+FFFF problem in XML.
01:40
<nessy>
Hixie: but I think if we turn one on when there is only one, we should also turn one on when there are several
01:41
<nessy>
Hixie: or we should allow the default attribute on them to choose it, in addition to a subtitle/caption track
01:41
<Hixie>
nessy: i don't understand how you read the current text to mean what you describe
01:42
<Yuhong>
hsivonen: I think you should mention U+FFFF in http://hsivonen.iki.fi/producing-xml/
01:42
<nessy>
Hixie: I'm also taking in the information from the bug 11842 that you posted: "For "chapters", one chapter track is always enabled regardless of the "default"
01:42
<nessy>
> attribute, so adding this doesn't seem useful."
01:43
<nessy>
Hixie: I read this to mean that one chapter track is always showing
01:43
<Yuhong>
considering it is common even in application/xhtml+xml
01:43
<nessy>
Hixie: maybe I am misreading - what is your intention?
01:43
<Hixie>
nessy: the spec is all that matters, don't listen to what i say :-)
01:43
<nessy>
lol
01:44
<nessy>
Hixie: so I cannot turn a chapter track on by default as well as a subtitle track using the default attribute?
01:44
<Hixie>
"default" can only be set on one text track at a time
01:44
<Hixie>
but there's no need to set a chapter track to be the default track
01:45
<nessy>
why not?
01:45
<nessy>
if I want one of a set of chapter tracks to be on as well as one of a set of subtitles?
01:46
<Hixie>
it'll be one anyway
01:46
<Hixie>
s/one/on/
01:51
<nessy>
Hixie: and what will be on when there are several chapter tracks?
01:52
<Hixie>
whichever is the most appropriate one for the user
01:52
<Hixie>
is the spec really not clear about this?
01:52
<Hixie>
i don't understand what is confusing about the spec text
01:55
<nessy>
Hixie: it's when you have multiple tracks of the same language and the UA cannot decide which one is most appropriate for the user that it becomes a random decision and incompatible between browsers, IIUC
01:55
<nessy>
(possibly incompatible)
01:56
<nessy>
I assumed it meant that none is active
01:57
<Hixie>
it wouldn't be random
01:57
<Hixie>
why would it be random?
01:57
<Hixie>
the spec is completely deterministic here
01:58
<nessy>
re-reading… : the first one of the appropriate language?
01:58
<Hixie>
right
01:58
<nessy>
OK, my bad :-) thanks
04:59
<eboyjr|mobile>
Does anyone know what software is used to create this? http://hixie.ch/specs/html/server-sent-events/server-sent-events
04:59
<eboyjr|mobile>
Just like the w3c specs
05:00
<eboyjr|mobile>
Hixie: hello :)
05:15
<heycam>
eboyjr|mobile, http://anolis.gsnedders.com/ I believe
05:17
<eboyjr|mobile>
heycam: yeah that looks like that's it, thanks for finding it
08:21
<MikeSmith>
so the new Google +1 button relies on an "g:plusone" element?
08:48
<hober>
yeah, groan
08:54
<nessy>
does somebody here have access to the whatwg mailing lists and can make sure the "video feedback" email from Hixie is archived?
08:54
<nessy>
I can only find Glenn's answer in the archives, but not Hixies original one on that thread: http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2011-June/031898.html
08:54
<nessy>
I think it may be stuck in moderation because it's very long
08:58
Ms2ger
sets mode: +b webben!~benjamin⊙1scc
09:00
<foolip>
Hixie, I think it should stop on the (time of) last frame it actually has, otherwise it doesn't make sense to display that last frame, which we certainly want to
09:20
<zewt>
i'd expect playback to stop as soon as something is needed for playback that isn't there
09:21
<zewt>
which would be when frame 3 starts
13:11
<smaug____>
Hixie: ping
13:22
<smaug____>
Hixie: just curious why any other interface than Function uses FunctionOnly.
13:44
<hsivonen>
why did Google switch from hyphened-words to camelCase for Rich Snippets?
13:46
Ms2ger
sets mode: -b webben!~benjamin⊙1scc
15:10
<hsivonen>
does anyone know if rel=pgpkey is supported by anything other than Jacques Distler's blog?
15:18
<matjas>
hsivonen: Thanks for your comment. I simply forgot to register apple-touch-icon-precomposed as well; my bad. Registering now.
15:20
<matjas>
hsivonen: Oh and since you asked, -precomposed actually works. Android doesn’t fully support that one though. Read http://mathiasbynens.be/notes/touch-icons#effects if you’re interested.
15:20
<hsivonen>
matjas: ok.
15:21
<hsivonen>
so which UAs actually implement rel processing per spec?
15:21
<matjas>
hsivonen: just edited http://microformats.org/wiki/existing-rel-values#HTML5_link_type_extensions
15:21
<hsivonen>
if IE and Mobile Safari don't
15:21
<hsivonen>
is correct processing a Gecko & Opera thing or something?
15:21
<matjas>
That’s a good question.
15:23
<hsivonen>
matjas: the validator will be aware of -precomposed once it finishes its deployment dance
15:24
<matjas>
hsivonen: yay!
15:24
<matjas>
I’ve also added openid.delegate and openid.server; have you added those as well?
15:24
<hsivonen>
matjas: yes. I also added the openid2 thingis
15:24
<hsivonen>
*thingies
15:25
<hsivonen>
even though it's not a good sign that a group (OpenID) is so quick to push an incompatible version of their initially successful protocol
16:23
<MikeSmith>
hsivonen: the openoffice user experience is so painful that I find a hard time caring who's in charge of it
16:48
<sephr>
Hixie: why do some events use detail:any and some use data:any? e.g. MessageEvent.data:any vs CustomEvent.detail:any
16:50
<smaug____>
sephr: in that particular case, .detail makes IMO more sense for CustomEvent since it is "detail" of that event. Messages need some data, so .data
16:50
<smaug____>
sephr: also, in practice CustomEvent interface is really old
16:50
<sephr>
yeah, but why was detail chosen to begin with?
16:50
<sephr>
because MessageEvent.data is "detail" of message events too
16:50
<sephr>
but it's data, not detail
16:51
<smaug____>
sephr: ask someone who edited DOM 3 Events 10 years ago
16:51
<sephr>
heh
16:52
<smaug____>
.detail feels quite natural in DOM 3 Events, since also UIEvents have .detail
16:52
<sephr>
yeah
16:52
<sephr>
maybe it's messageevent that is "wrong"
16:52
<smaug____>
.data sounds right in message events
16:52
<smaug____>
message events are containers for some data
16:53
<sephr>
smaug____: then .message would make the most sense
16:53
<sephr>
with customevents you don't know anything about what they will contain, so data seems more generic
16:54
<Ms2ger>
Meh, names
16:54
<smaug____>
anyway, these interfaces are something which probably can't be changed anymore
16:54
<smaug____>
at least their .data/.detail attributes
16:56
<MikeSmith>
earthquake
16:56
<MikeSmith>
5.
16:57
<MikeSmith>
5.9 u Fukushima
16:59
<karlcow>
hmm
17:05
<karlcow>
http://www.jma.go.jp/en/quake/2/20110604010419391-040100.html
17:07
<Philip`>
Their colours for "4" and "1" look almost identical to me :-(
17:14
<karlcow>
ah interesting
17:14
<karlcow>
I would have thought 3 and 2
18:19
AryehGregor
notes that Gecko and WebKit accept {delete: 1} as a valid object initializer, but IE and Opera throw a syntax error
18:20
<AryehGregor>
I'm pretty sure ES5 supports Gecko and WebKit.
18:20
<AryehGregor>
Actually, almost totally sure.
18:21
<AryehGregor>
No, wait, my bad, IE supports it.
18:22
<AryehGregor>
Only Opera doesn't.
18:23
<AryehGregor>
Opera also seems to not like x.delete.
18:25
AryehGregor
would file a bug at this point if he were able to track its progress, since it seems like something that would be relatively likely to get fixed soon if reported, but . . .
18:29
<Philip`>
AryehGregor: The likelihood of it getting fixed is probably independent of your ability to track its progress, if it's something simple like that, and merely satiating your personal curiosity over progress seems less important than leading the web to its full potential by getting such bugs fixed
18:31
<AryehGregor>
Philip`, getting such a bug fixed is a sufficiently small contribution toward leading the web to its full potential that I have no qualms about not doing it if I don't have a more personal stake in the matter. Particularly since a) I would have to interrupt work I'm being paid for on an hourly basis to file the bug; and b) I mentioned it in a channel where lots of Opera employees hang out, and they would in fact be able to file it on paid ti
18:31
<AryehGregor>
me.
18:34
<othermaciej>
AryehGregor: ES5 has the concept of contextual keywords
18:35
<othermaciej>
AryehGregor: ones that are not treated as keywords when they appear in a position like a property name in an object initializer
18:35
<AryehGregor>
othermaciej, really? Where does it say that? As far as I can see, it's more like *nothing* is a keyword when used as a property name in an object initializer, because it's an IdentifierName instead of an Identifier.
18:35
<othermaciej>
that might be true
18:36
<AryehGregor>
Actually, if I read the spec correctly, {null: "a"} is the same as {"null": "a"}. Which is slightly confusing.
18:36
othermaciej
has no idea
18:36
<othermaciej>
why is that confuing?
18:36
<othermaciej>
property names are always strings, so obj[null] is by definition the same as obj["null"]
18:36
<AryehGregor>
Because I'd expect that {null: "a"} means "use the special value null as a key", not "use the string 'null' as a key and just don't bother with the quotes".
18:36
<AryehGregor>
Oh, I see.
18:37
<othermaciej>
it would only be confusing maybe if there was a keyword that has a different value than its own stringification
18:37
<AryehGregor>
So it's like PHP, foo[1] is the same as foo["1"].
18:37
<othermaciej>
yes
18:37
<AryehGregor>
That's not confusing, then, no.
18:37
<othermaciej>
though of course implementations optimize the heck out of numeric property names, at least for arrays
18:37
<AryehGregor>
Well, that's not like PHP, then. ;)
18:38
AryehGregor
has not noticed anything optimized the heck out of in PHP
18:38
<AryehGregor>
Tim Starling is MediaWiki's resident PHP performance guru, and he tells everyone not to use objects, strings, numbers, arrays, or booleans, because all of them are horribly inefficient.
18:39
<AryehGregor>
Instead, we should use MySQL result resources, because those are actually efficient.
18:39
<zewt>
(i just threw up a little in my mouth)
18:39
<AryehGregor>
(this is taken slightly out of context and may be overgeneralized compared to his original statement)
18:39
<AryehGregor>
(but MediaWiki does try to use MySQL result resources whenever possible instead of converting them to arrays, because they use ridiculously less memory than any built-in type)
18:40
<AryehGregor>
(e.g., we have Title objects to represent page titles, and instead of keeping arrays of Titles, we have a TitleArray class which just keeps a MySQL result resource you feed it and generates the Title objects on the fly as you request them)
18:40
<AryehGregor>
(I think I remember hearing that minimum size of an array in PHP is something like 80 bytes per item)
18:41
AryehGregor
gets curious, tests
18:43
<AryehGregor>
http://pastebin.com/2WwB83k2
18:44
<AryehGregor>
This outputs 103.5 on my 32-bit desktop, and 199 on my 64-bit server.
18:45
<AryehGregor>
That's the number of megabytes PHP uses when I create a million-element array whose keys are the integers from 0 to 999999 and whose values are all 0.
18:45
AryehGregor
tries something like that in JS
18:47
<AryehGregor>
A similar-ish test in Chrome suggests around 4.5 MB, although it's not really an apples-to-apples comparison.
18:47
<AryehGregor>
But 4.5 MB is only slightly more than you'd get in C, so pretty good.
18:47
AryehGregor
gets back to work
19:07
<rudak>
http://d-cent.org/fsw2011/
19:36
<Hixie>
foolip: yt?
19:46
<AryehGregor>
Does Opera not yet support SVG in <img>?
19:47
<AryehGregor>
It seems like it does, but it's not working on this page, hmm.
19:48
<AryehGregor>
Oh, it seems to not like it if I set width/height on it.
19:48
<AryehGregor>
No, that's not it . . .
19:49
<AryehGregor>
Oh, now it's working. Oh well.
20:31
<AryehGregor>
Opera also doesn't let var parent shadow window.parent, which all other browsers do.
20:33
<Hixie>
there's some bug on exactly how to specify that
20:35
<Hixie>
AryehGregor: see bug 12100 for a question (at the bottom)
20:38
<AryehGregor>
Hixie, I don't see where you changed atob()/btoa().
20:39
<AryehGregor>
Basically DOMStrings are arrays of 16-bit integers, and btoa()/atob() should work fine as long as you don't do anything silly like assume DOMStrings have anything to do with UTF-16.
20:39
<AryehGregor>
Probably everything that references to characters and code points should be ripped out of all DOM-related specs.
20:40
<AryehGregor>
s/references/refers/
20:40
<AryehGregor>
(except where the string actually needs to be displayed, then you need to convert it to Unicode somehow for display)
20:40
<AryehGregor>
(also maybe during parsing or something)
20:41
<AryehGregor>
(but not regular old DOM methods, those don't deal with Unicode at all in practice)
20:41
<Hixie>
what i did was remove the stuff that said to "convert DOMString to unicode"
20:42
<AryehGregor>
That should make everything correct, except maybe for stuff that actually displays things on the screen.
20:42
<AryehGregor>
Like alert(). Although I don't know if that uses the spec's algorithm or some other algorithm.
20:42
<Hixie>
yeah i don't know what to do about that
20:42
<AryehGregor>
When you parse a document, does all the text wind up being valid Unicode in the DOM?
20:43
<Hixie>
what do you mean by "valid unicode"?
20:43
<AryehGregor>
It doesn't matter, you can always get a DOM that contains invalid UTF-16 by setting it programmatically.
20:43
<Hixie>
what do you mean by "UTF-16"?
20:44
<AryehGregor>
I mean you can set a text node's content to contain arbitrary DOMStrings, including unpaired surrogates.
20:44
<AryehGregor>
And browsers have to deal with that anyway.
20:44
<Hixie>
yes
20:44
<AryehGregor>
So presumably, however they deal with it, they deal with alert() the same way.
20:44
<AryehGregor>
I imagine alert() is actually displayed using the DOM in at least some browsers.
20:44
<AryehGregor>
Not if they use OS modal pop-ups, I guess.
20:45
<AryehGregor>
But it seems fair to say that unpaired surrogates in alert() get handled the same as unpaired surrogates in text nodes, as Henri says.
20:45
<AryehGregor>
Is behavior defined for the latter?
20:45
<Hixie>
not as far as i can tell
20:46
<The_8472>
utf-16 strikes me as an odd choice considering that it's 32bit wide now. you have no character-counting benefits or anything from wasting those bytes. might as well use utf-8...
20:46
<AryehGregor>
So then we're probably fine, unless we want to define that behavior.
20:46
<AryehGregor>
Which is low-priority at best, since it only matters in weird situations and the effects are only visual.
20:47
<AryehGregor>
As long as browsers don't do something stupid like throw an exception or refuse to display anything at all, interop is unlikely to be essential here.
20:47
<AryehGregor>
The_8472, yeah, we'd all love it if JavaScript used UTF-8, but it's way way way too late to change, so here we are.
20:47
<Hixie>
what is 32 bit wide?
20:47
<The_8472>
the unicode planes
20:47
<Hixie>
unicode is 21 bit wide
20:48
<Hixie>
(with holes)
20:49
<The_8472>
well, the point is that with utf-32 you at least have 1 word per character, which makes some calculations easier. utf16 doesn't have that benefit
20:50
<AryehGregor>
Yes, UTF-16 was a terrible mistake and should never have existed. UTF-8 is superior in essentially all respects.
20:50
<Hixie>
yeah, utf-16 is pretty much pointless. but we're like 15 years too late to fix that.
20:50
<The_8472>
yeah :/
20:50
<AryehGregor>
So everything new uses UTF-8 only.
20:50
<Hixie>
(for the web)
20:50
<AryehGregor>
Like WebSockets, right?
20:50
<AryehGregor>
But old stuff is stuck.
20:50
<Hixie>
websockets is complicated in all manner of ways but i'll let the hybi people deal with that
20:50
<Hixie>
their encoding issues are Not My Problem
20:51
<The_8472>
websockets are crazy anyway. using http means you can't just implement old protocols in javascript... they should have specified a proper socket API, including listening ports
20:51
<The_8472>
then we could run IRC in javascript or fun things like that
20:52
<AryehGregor>
Um, WebSockets doesn't use HTTP.
20:52
<The_8472>
really? maybe i was thinking of the wrong standard then
20:52
<AryehGregor>
At least last I checked.
20:52
<Hixie>
arbitrary sockets in JS would be such a security disaster
20:53
<Hixie>
websockets can be viewed as using http and viewed as not using http
20:53
<Hixie>
if you're an ietf person, you will view it as using http
20:53
<The_8472>
http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-07 <- sure looks like HTTP to me
20:53
<Hixie>
in reality it's just a lie though
20:54
<Hixie>
it's really just doing stuff that vaguely looks like http
20:54
<The_8472>
same difference
20:54
<The_8472>
the point is that you have to deal with those pre-defined headers
20:56
<Hixie>
if you mean "there's a handshake", then yeah, there'd better be
20:56
<Hixie>
otherwise like i said, security dis-as-ter
20:56
<The_8472>
i don't see how
20:57
<Hixie>
say you're in an intranet environment
20:57
<The_8472>
unless someone would be so silly and would automatically let all sites use sockets. operating systems don't do that either (anymore)
20:57
<Hixie>
and you go to hostile.com
20:57
<Hixie>
now hostile.com can read your intranet
20:57
<The_8472>
well, i didn't allow hostile.com to make any connections
20:57
<Hixie>
how do you propose to prevent it?
20:57
<The_8472>
just like i didn't allow gimmickyprogramijustdownloaded.exe to go through my firewall
20:57
<zewt>
your mom probably does
20:58
<The_8472>
my mom doesn't sit in my company's network
20:58
<zewt>
so?
20:58
<Hixie>
no but she sits on her network and it's just as bad, because now any website can use your computer to launch a worm against any vulnerable services on your network
20:58
<Hixie>
s/your/her/
20:58
<The_8472>
again, this is a solved problem
20:59
<The_8472>
just like we have software firewalls in the operating system you can have the same type of whitelisting in the browser
20:59
<AryehGregor>
The_8472, we're talking about letting any website you visit open a connection.
20:59
<The_8472>
add a blacklist for the local network to protect yourself
20:59
<The_8472>
AryehGregor, no we aren't
20:59
<AryehGregor>
We are. Maybe you aren't.
20:59
<AryehGregor>
Any website can use WebSockets.
20:59
<The_8472>
some people here don't seem to understand the concept of "opt-in"
21:00
<AryehGregor>
That's not what WebSockets is designed for.
21:00
<AryehGregor>
If you want that, write a browser extension and use real sockets.
21:00
<AryehGregor>
Or just write a real program.
21:00
<The_8472>
designing web APIs on an opt-out basis have lead to such things as ever-lasting tracking cookies. someone should have realized by now that that's a bad idea
21:01
<zewt>
having the user decide whether to allow a site/program to open a socket to a particular host is guaranteed not to work; users don't know what sockets are
21:01
<AryehGregor>
The entire point of WebSockets is that any website can use them. Thus they have to be safe.
21:01
<Hixie>
software firewalls whitelisting apps is _not_ a solved problem
21:01
<Hixie>
it's a huge problem
21:01
<zewt>
you can do that for some things (users understand "let this website know where I am" for geoip), but for network communications? not a chance
21:01
<Hixie>
users do not understand the prompts and allow everything
21:01
<AryehGregor>
What alternative do you propose to allowing tracking cookies, asking the user whether they want to accept every single cookie that a site tries to set?
21:01
<zewt>
(geolocation, rather)
21:01
<The_8472>
well, then they shot themselves in the foot
21:01
<AryehGregor>
That's just not sane as default behavior. You can configure your browser that way if you want.
21:01
<The_8472>
their own problem
21:01
<zewt>
asking the user permission for everything is the worst last-ditch almost guaranteed-failure security mechanism
21:01
<AryehGregor>
No, not their own problem, it's everyone's problem.
21:01
<Hixie>
The_8472: it's OUR problem
21:02
<zewt>
no, having a platform where every user is expected to be a network security expert would not be their problem
21:02
<AryehGregor>
Our goal is to design standards that make the web better and safer, not push all responsibility off to the user.
21:02
<Hixie>
The_8472: being responsible stewarts is what makes it our problem
21:02
<zewt>
the web is not only for programmers and netadmins
21:02
<The_8472>
well, you failed. *points at tracking cookies*
21:02
<zewt>
...
21:02
<Hixie>
The_8472: having their networks become spam sources makes it our problem
21:02
<zewt>
(troll?)
21:02
<AryehGregor>
What alternative do you propose to allowing tracking cookies?
21:02
<The_8472>
no, i'm serious
21:02
<Hixie>
The_8472: having their networks become sources for DOS attacks makes it our problem
21:02
<AryehGregor>
Sites need a way to track the user so that they can, e.g., remember that the user is logged in.
21:03
<AryehGregor>
Any such mechanism can necessarily be used for tracking too.
21:03
<Hixie>
you don't need cookies for tracking
21:03
<The_8472>
AryehGregor, the problem is that this feature is always on and not just when you actually need it
21:03
<AryehGregor>
That too, you can use all sorts of fingerprinting.
21:03
<The_8472>
so even sites where you don't want to log in can use it
21:03
<AryehGregor>
You can track just fine without cookies, cookies just make it easier (but they're not as reliable as other methods).
21:03
<The_8472>
just more things to fix
21:03
<AryehGregor>
The_8472, https://panopticlick.eff.org/
21:04
<AryehGregor>
No cookies needed.
21:04
<AryehGregor>
What do you propose, the browser provide a prompt every time a site tries to set a cookie?
21:04
<AryehGregor>
Prompts are annoying, users don't want them. Also, most users won't understand and will make a more or less random choice.
21:04
<AryehGregor>
After they figure out that sites break if they say no, they'll just say yes all the time.
21:05
<The_8472>
AryehGregor, it could do something smart. maybe only store cookies for sites that you also store passwords for or something like that
21:05
<AryehGregor>
"Do something smart" is not a particularly useful suggestion.
21:05
<The_8472>
just a "remember me on this site" button going along with logins
21:05
<Hixie>
it's trivial to make the browser store a password for a site
21:05
<AryehGregor>
Sites need to legitimately store info about you even if you don't enter a password or such.
21:05
<The_8472>
i have cookies off by default
21:05
<AryehGregor>
For instance, say you rearranged some things on the site without logging in.
21:06
<The_8472>
you can use sessions for that
21:06
<AryehGregor>
vBulletin's forum home page lets you collapse sections of forums, and remembers what you collapsed using cookies.
21:06
<AryehGregor>
Um, sessions use cookies.
21:06
<The_8472>
or session IDs
21:06
<AryehGregor>
Which are stored in cookies.
21:06
<The_8472>
or in the url
21:06
<AryehGregor>
Unless you mean appending to the query string?
21:06
<AryehGregor>
Then it only works until you leave the site and come back again.
21:07
<AryehGregor>
Tons of sites allow non-logged-in users to save some types of preferences using cookies.
21:07
<The_8472>
that's the idea
21:07
<zewt>
(not to mention all the other horrible problems of storing session IDs in the URL; go back a decade or so and see how bad it was)
21:07
<Hixie>
turning off cookies is just silly, it doesn't help anything and it just breaks sites
21:07
<The_8472>
i have them off and most things work just fine
21:07
<AryehGregor>
Great, so you're saying websites should not be able to store info for non-logged-in users beyond one session, and should only be able to store the info within a session by appending query strings everywhere?
21:08
<AryehGregor>
Hixie, it does stop tracking if sites assume that cookie-based tracking works and don't bother with more sophisticated methods, which is doubtless the case.
21:08
<The_8472>
AryehGregor, some properly managed session cookies might be ok too
21:08
<Hixie>
specifically, sites that want to track you against your will still can, and sites that want to provide you with personalisation will break
21:08
<AryehGregor>
The_8472, what's "properly managed"?
21:08
<Hixie>
AryehGregor: hostile sites don't just use cookies
21:08
<Hixie>
AryehGregor: only benign sites rely on cookies for tracking
21:08
<The_8472>
i have flash, local storage and cross-domain requests off too
21:08
<AryehGregor>
Hixie, some users don't want to be tracked even by "benign" sites.
21:08
<AryehGregor>
Cross-domain requests? Like all cross-domain loads?
21:09
<AryehGregor>
Doesn't that break any site that uses a CDN?
21:09
<The_8472>
it does
21:09
<Hixie>
e.g. if you turn off cookies, your google results will get measurably worse
21:09
<AryehGregor>
Okay, so do you see why this is totally not a viable solution for the average web user?
21:09
<Hixie>
AryehGregor: that's silly
21:09
<Hixie>
AryehGregor: if they're benign then by definition it doesn't matter if you're tracked by them
21:09
<AryehGregor>
Hixie, that's why I said "benign".
21:09
<AryehGregor>
I agree that there's no reason to worry about tracking, but not everyone agrees.
21:10
<Hixie>
there's plenty of reasons to worry about tracking
21:10
<AryehGregor>
Some people would view any statistics-gathering as non-benign.
21:10
<Hixie>
i'm just saying that turning off cookies doesn't help
21:10
<The_8472>
AryehGregor, if it were the default the CDNs would just run on the sub-domain and you could easily use the same-domain policy instead of a same-host policy
21:10
<The_8472>
anyway, i know i'm slightly paranoid
21:10
<AryehGregor>
The_8472, yes, and all the tracking stuff would just run on a subdomain too, so you've made things harder for authors and gained nothing.
21:10
<The_8472>
but most things still work. maybe with 1-2 extra clicks
21:10
<The_8472>
AryehGregor, it wouldn't work across domains
21:11
<AryehGregor>
Why would it have to?
21:11
<The_8472>
e.g. i have zero google analytics, anywhere
21:11
<zewt>
... 1-2 extra clicks adds up to a lot of pointless UI noise
21:11
<AryehGregor>
Things like Analytics would just tell you make a CNAME pointing to their domain, and load Analytics off a subdomain of your own site (which actually points to Google's servers).
21:11
<AryehGregor>
So if cross-domain loads didn't work at all by default, everything would just be "same-domain".
21:12
<AryehGregor>
It would only stop you from including content from parties that didn't cooperate, which isn't the use-case you're worried about at all.
21:12
<AryehGregor>
And again, normal users don't have any idea what a "domain" is and don't want to, and the web is not meant to be something only nerds can use correctly.
21:12
<Hixie>
The_8472: how do you have zero analytics?
21:13
<AryehGregor>
We can't dictate what the web looks like, we're limited to what browsers can feasibly implement, and they're restricted by user demand.
21:13
<The_8472>
yeah, they want their data harvested and sold by facebook and google instead.
21:13
<AryehGregor>
Correctg.
21:13
<AryehGregor>
Correct.
21:13
<Hixie>
The_8472: (and what harm does google analytics do to you? just curious)
21:13
<AryehGregor>
The large majority of users would prefer that data about them be collected and sold, than that they have to put up with extra hassle or confusing dialogs.
21:13
<Hixie>
or having to pay to view the sites :-)
21:13
<AryehGregor>
That too.
21:13
<The_8472>
i don't know. that's the issue. maybe it's completely harmless. maybe they sell that information to advertisers... maybe they use it to create personalized profiles. who knows.
21:14
<AryehGregor>
They do have a privacy policy, you know.
21:14
<AryehGregor>
You can read it.
21:14
<Hixie>
The_8472: i don't understand (a) how you prevent it and (b) what the harm is in having more targetted ads
21:14
<The_8472>
as if companies ever adhere to their own privacy policies
21:14
<AryehGregor>
Perhaps they don't follow it, but that's pretty unlikely, given the liability it would expose them to.
21:14
<AryehGregor>
Large companies do, because otherwise they'll get sued and take a huge PR hit.
21:14
<AryehGregor>
Small companies, yeah, probably they aren't so careful.
21:15
<zewt>
(or they just follow the Dropbox model, and quietly change their privacy policy when it's inconvenient)
21:15
<AryehGregor>
But if Google were flagrantly ignoring its own privacy policy, all it would take is one employee to anonymously leak the story to the media.
21:15
<AryehGregor>
Then of course people would sue them and find out the truth during discovery.
21:15
<The_8472>
or someone to lift the database and dump it on bittorrent *cough*sony*cough*
21:15
<AryehGregor>
Sure.
21:16
<The_8472>
data avoidance helps with that
21:16
<AryehGregor>
But that hasn't happened, and Google has very good reason to not to want it to happen, so it's pretty safe to assume they're following their privacy policy.
21:16
<AryehGregor>
Which you might not like, of course.
21:16
<The_8472>
Hixie, by blocking cross domain requests.
21:16
<AryehGregor>
I'm pretty sure it says they can release data to other parties as long as those parties also agree to keep it secret, or something to that effect.
21:17
<The_8472>
AryehGregor, also. google has handed over search records to the govt several times. they fought to anonymize them, but other search companies just caved in.
21:17
<AryehGregor>
But anyway, there's no way we can prevent tracking by default. If you care about being tracked, you should prefer the status quo, because it makes it much easier for you not to be tracked.
21:17
<AryehGregor>
Well, yeah, any data is going to be subject to subpoena.
21:17
<Hixie>
The_8472: you block cross-domain requests? how?
21:17
<The_8472>
and considering that the US has a court that can hand out such orders *in secret* i have no certainty that they aren't forced to do so without disclosing it.
21:18
<The_8472>
Hixie, request policy addon for firefox.
21:18
<AryehGregor>
Entirely possible.
21:18
<AryehGregor>
If you never learn about it, though, it's kind of unlikely you were materially harmed by the disclosure. Possible, but quite unlikely.
21:18
<The_8472>
so why let google track me if all that could possibly happen is that data somehow getting in the wrong hands.
21:18
<Hixie>
The_8472: either your addon is broken, or you must have a pretty warped experience browsing the web, because pretty much EVERYTHING on the web uses cross-domain requests
21:19
<The_8472>
or you must have a pretty warped experience browsing the web <- that
21:19
<AryehGregor>
Hixie, these things typically prompt you when you load the page.
21:19
<AryehGregor>
At least NoScript does.
21:19
<AryehGregor>
Or can be configured to.
21:19
<The_8472>
it's in the addon bar, so i can manually allow requests
21:19
<AryehGregor>
So you use a whitelist.
21:19
<AryehGregor>
Which you build over time.
21:19
<The_8472>
yeah, like amazon -> amazon-images
21:19
<AryehGregor>
Analytics and ads and so on get knocked out very early, others get permanently whitelisted if they look reasonable.
21:19
<The_8472>
yep
21:20
<AryehGregor>
For random sites you might have to click a few times, but they'll work.
21:20
<AryehGregor>
Just a bit of extra inconvenience.
21:20
<The_8472>
and it also has a "add exception temporarily" thing
21:20
<The_8472>
i have the same for cookies, flash, etc.
21:20
<AryehGregor>
The_8472, anyway, I hope you realize that most people are not interested in going to all this effort to avoid tracking, and it doesn't make sense to try setting up the web to work like this by default.
21:20
<AryehGregor>
And also that it only works so well for you because it's *not* set to work like this by default.
21:20
<AryehGregor>
Because if most users did it, sites would work around it.
21:21
<AryehGregor>
Like by putting Analytics on subdomains that point to Google's servers, etc.
21:21
<Hixie>
given how much more pleasant the web is with well targetted ads than with untargetted ads, that seems like a whole lot of pain for nothing
21:21
<AryehGregor>
Hixie, um, I assume he blocks all ads.
21:21
<The_8472>
what ads?
21:21
<AryehGregor>
Those are generally cross-site.
21:21
<_bga>
gsnedders http://www.dark-masters.tk/index.php/articles/8-fulldisclosure/15-stealing-files-using-a-malicious-html-file
21:22
<AryehGregor>
Also, I find that targeted ads tend to be more amusing than actually helpful, like ads for Microsoft SQL Server training and things like that in my case.
21:22
<Hixie>
well let's hope you stay in the minority, otherwise the web will become economically unsustainable :-/
21:22
<AryehGregor>
Technically it's *close* to appropriate, but in fact it's about as useful to me as ads for 18,000-square-foot mansions in Madagascar.
21:22
<AryehGregor>
I.e., it's not.
21:22
<The_8472>
most ads i've seen are completely pointless. advertising stuff sold on the wrong continent.
21:23
<Hixie>
The_8472: not surprised, if you block tracking!
21:23
<AryehGregor>
You don't need tracking to do geolocation.
21:23
<Hixie>
AryehGregor: then it's not a well targetted ad
21:24
<The_8472>
for ads to be well-targeted they'd need a personal profile of me. and i don't see why whole ad-networks supplying thousands of companies worldwide should know about me.
21:24
<AryehGregor>
Hixie, sure. But almost none of the ads I see are well-targeted. Google isn't smart enough yet to distinguish essential subtleties like "Windows sysadmin" and "Linux sysadmin".
21:24
<AryehGregor>
That's not quite true -- I see Linux ads too, probably disproportionately.
21:24
<AryehGregor>
But most of those are useless to me too, like ads for IDEs, or . . .
21:24
AryehGregor
looks at Gmail
21:24
<AryehGregor>
"Server Protocols - License Our IP - Make Your Software Work with Microsoft Protocols! - www.Microsoft.com/Protocols";
21:24
<AryehGregor>
That's just *so* ironic.
21:24
<The_8472>
well... gmail... i don't use that. that's like handing google the key to the town
21:25
<AryehGregor>
"GoDaddy #1 domain names - $7.99 .COM Domains - Save Today Free Hosting, Blogcast, Email, More - GoDaddy.com" Like I wouldn't know where to go if I wanted domain names.
21:25
<Hixie>
AryehGregor: yeah. it's early days yet.
21:25
<AryehGregor>
"Google NY is Looking For - Software Engineers with great aspirations. Send your resume now! - www.google.com/jobs"; Definitely close to the mark, but not usefully so in my case. :)
21:25
<The_8472>
for targeted advertising to work they basically have to strip you naked
21:26
<Hixie>
AryehGregor: that seems pretty perfect to me :-)
21:26
<AryehGregor>
"Compare to GMC Sierra - Compare the GMC Sierra to the Competition. Get Details. - www.GMC.com/Sierra"; Don't have a driver's license.
21:26
<AryehGregor>
Etc.
21:26
<Hixie>
early days
21:26
<Hixie>
it'll get better
21:26
<AryehGregor>
Yep.
21:26
<AryehGregor>
As long as they can build up sufficiently detailed profiles.
21:26
<AryehGregor>
Which, fortunately, the large majority of people will let them do.
21:26
<AryehGregor>
While people like The_8472 will just freeload.
21:27
<The_8472>
but hey, people are getting conditioned. feeling your crotch at airports? no problem. having your boss see your party pictures on facebook? every weekend...
21:27
<AryehGregor>
Well, this is unless data tracking laws get out of hand.
21:27
<zewt>
well, the basic problem is that's such a blatant violation of privacy
21:27
<AryehGregor>
Assuming you think privacy is worth caring about, which I don't.
21:27
<AryehGregor>
Lots of people do, so we'll have to see how it goes.
21:27
<The_8472>
mind if i film you with your girlfriend?
21:27
<Hixie>
The_8472: i have a huge problem with the airport "security" stuff, and don't have a facebook account. But I don't think those even compare to analytics.
21:28
<AryehGregor>
Sigh.
21:28
<The_8472>
Hixie, the difference is not so big. the latter just requires more data mining
21:28
<jgraham>
AryehGregor: Should be a known bug. At least I ran into it in the past so I guess I reported it
21:28
<Hixie>
The_8472: i don't even see any similarity
21:28
<jgraham>
Maybe I should just try and fix it sometime :)
21:29
<The_8472>
Hixie, i think a sufficiently intelligent GA could learn more about me than an airport screener could
21:29
<The_8472>
especially if i were one of the unwashed masses
21:29
<jgraham>
Is there some Godwins law equivalent for privacy discussions involving the person who brings up cameras in the bedroom forfeiting the argument?
21:30
<jgraham>
Because if not I propose such
21:30
<zewt>
unless it's backdooring my phone it's not likely to get nude photos of me standing in a demeaning pose, as is standard practice in airports now, heh
21:30
<AryehGregor>
I don't care about privacy violations unless they stand some chance of materially harming me, which includes being embarrassed.
21:30
<AryehGregor>
But not things that I won't know about, or things like targeted ads that don't actually harm me.
21:30
<Hixie>
The_8472: why is learning about you a problem?
21:30
<zewt>
(and while my phone might manage to get a picture, I'm probably not going to be in the Airport Backscatter Pose, either)
21:30
<Hixie>
The_8472: my problem with airport security isn't that they learn about me
21:30
<The_8472>
jgraham, if people say "i don't care about privacy" then this argument is simply used to show them that their statement is not correct. they DO care about privacy, they just don't know when they have implcit privacy expectations
21:31
<Hixie>
The_8472: my problem with it is that they touch me, or x-ray me, and make me queue for no benefit.
21:31
<AryehGregor>
Put another way: I don't care about privacy. I care about embarrassment and other forms of harm.
21:31
<The_8472>
Hixie, privacy.
21:31
<AryehGregor>
The_8472, I don't care about the privacy, I care about the embarrassment.
21:31
<The_8472>
well, then just get used to it. after a while you'll stop being embarrassed
21:31
<Hixie>
The_8472: privacy?
21:32
<zewt>
i do care about privacy, but comparing "tracking your amazon searches" to airport security is just overstating the case by orders of magnitude
21:32
<The_8472>
you know that concept, right?
21:32
<AryehGregor>
Maybe so, but until then I'm still going to be embarrassed.
21:32
<AryehGregor>
So I'm still going to have a problem with that.
21:32
<Hixie>
The_8472: sure, what's it got to do with either case here?
21:32
<Hixie>
The_8472: what do _you_ mean by it?
21:32
<AryehGregor>
In some hypothetical future where there are ubiquitous video cameras that post their data publicly to the Internet in real time and everyone can see anything that anyone else does, then maybe I won't be embarrassed and won't care.
21:33
<AryehGregor>
But that's not the world we live in, so it's not relevant to my preferences right now.
21:33
<The_8472>
that my life is my own business and nobody should amass data about me.
21:33
<Hixie>
The_8472: do you have a credit card?
21:33
<AryehGregor>
Right, see, you value privacy per se.
21:33
<The_8472>
i pay cash
21:33
<AryehGregor>
You pay cash online?
21:33
<jgraham>
The_8472: It always struck me that the point of that argument was to derail the conversation by targetting (sterotypically) American prudishness
21:33
<AryehGregor>
Or don't buy things online?
21:33
<The_8472>
AryehGregor, i can pay on delivery
21:33
<AryehGregor>
jgraham, no, it's just an argumentum ad absurdum.
21:33
<Hixie>
The_8472: i don't understand why you care about people amassing data about you
21:34
<AryehGregor>
The_8472, what online merchants let you pay on delivery?
21:34
<The_8472>
amazon does
21:34
<jgraham>
AryehGregor: Yeah, but the absurdity is carefully chosen
21:34
<AryehGregor>
Really? Never knew.
21:34
<The_8472>
well, the delivery service they use in germany does
21:34
<AryehGregor>
Hixie, it's terminal utility, not instrumental utility. He wants privacy for its own sake, not because of any other benefits that accrue from it.
21:34
<jgraham>
It's the privacy equivalent of "won't somebody think of the children"
21:34
<jgraham>
AryehGregor: Also, the bug is already filed
21:35
<AryehGregor>
Most people feel that way to some degree.
21:35
<Hixie>
AryehGregor: apparently
21:35
<zewt>
... i want privacy because it's something that rarely comes back when it's lost, heh
21:35
<AryehGregor>
jgraham, yeah, but any argumentum ad absurdum is going to be chosen to have maximum impact. That doesn't mean it's invalid.
21:35
<The_8472>
<AryehGregor> jgraham, no, it's just an argumentum ad absurdum. <- i'm not the person making the absurd statement. someone claiming "i don't need privacy" is
21:35
<AryehGregor>
zewt, that's not a reason to want privacy by itself. Ignorance also doesn't come back so easily when it's lost, but that's not an argument in favor of ignorance.
21:35
<Hixie>
personally i'm more than happy to trade personal information for making my life better
21:36
<Hixie>
i care about liberty, happiness, being productive
21:36
<AryehGregor>
At least not by itself.
21:36
<Hixie>
privacy is a tool to achieve these things
21:36
<Hixie>
it's not a goal in and of itself
21:36
<zewt>
Hixie: as am I, sometimes, but if I don't have a choice in the matter, it's harder to see it as an even exchange
21:36
<AryehGregor>
The_8472, um, right, that's what "argumentum ad absurdum" means.
21:36
<AryehGregor>
"ad" means something like "to", not "of" or anything.
21:36
<The_8472>
AryehGregor, ah... i was thinking of reductio ad absurdum
21:36
<AryehGregor>
It's the same thing.
21:37
<zewt>
and, unless I'm going to tin-foil-hat like 8472 here, I really don't have a choice
21:37
<AryehGregor>
Probably the latter is a more common name.
21:37
<The_8472>
but i didn't perform any reduction
21:37
<The_8472>
i just provided an extreme case
21:37
<The_8472>
that's a difference
21:37
<jgraham>
AryehGregor: "Invalid" isn't the point. It's generally doesn't move the conversation forward
21:37
<AryehGregor>
Well, that's basically what a reductio ad absurdum means.
21:37
<jgraham>
Everyone cares somewhat about privacy
21:37
<The_8472>
reducing it would mean following down a slippery slope from the original statement
21:38
<AryehGregor>
That you show that if you hold X, then it implies you hold Y, and you clearly don't hold Y, so you can't hold X.
21:38
<AryehGregor>
No, slippery slopes are a different story. They're fallacious.
21:38
<AryehGregor>
Reductio ad absurdum is not.
21:38
<AryehGregor>
Mathematicians usually call the latter an argument by contradiction.
21:38
<The_8472>
well, then i mixed those two up
21:38
<AryehGregor>
It's a perfectly valid type of argument.
21:38
<The_8472>
now we're talking
21:39
<AryehGregor>
Slippery slopes are sometimes valid, sometimes not.
21:39
<AryehGregor>
jgraham, in this case it did move the conversation forward. I clarified what I meant.
21:39
<zewt>
Hixie: and your "early days" only made me think: "we can do better! all we need is even more information about you"--sorry if I'm skeptical :)
21:40
<The_8472>
and that's exactly what i wanted to achieve. for you to step away from such a silly, absolute statement.
21:40
<AryehGregor>
As I said, I do not care about privacy. I only care about privacy violations insofar as they're likely to entail other types of harm, like embarrassment or monetary loss.
21:40
<AryehGregor>
The_8472, it's not silly at all. I stand by it: I don't care about privacy.
21:40
<jgraham>
AryehGregor: If we are going to be technical about it, I think the problem with the statement is that it suffers from the fallacy of the excluded middle
21:40
<AryehGregor>
jgraham, how so?
21:40
<Hixie>
zewt: not necessarily more information
21:40
<The_8472>
AryehGregor, but you can't know in advance what total transparency would entail. so it's saner to default to privacy if in doubt.
21:40
<zewt>
not necessarily, but likely
21:41
<Hixie>
zewt: i'm sure that targetting can be made massively better without increasing the amount of data collected already
21:41
<The_8472>
imagine if everyone had preconceived opinions of you because they know your personal tastes, hobbies, etc.
21:41
<AryehGregor>
The_8472, no, it's just something I have to take into my cost-benefit analysis. There's some chance that using Gmail will cause harm to me down the road, via letting Google have lots of info about me, but I deem that the benefits outweigh the risk.
21:41
<The_8472>
what benefits?
21:42
<jgraham>
Because it is an example of what most people would consider an extreme privacy violation. Using it to argue against lesser violations ignores all the middle ground between the two things
21:42
<The_8472>
i have a mail server, it works just fine.
21:42
<Hixie>
the gmail priority inbox is a huge benefit already
21:42
<Hixie>
man i wish pine had that
21:42
<AryehGregor>
That it's a good e-mail client? And that it's the one I use, and switching is a hassle? And that to get any privacy I'd really have to host my own e-mail, which is much more hassle/less reliable/fewer features/etc.?
21:42
<AryehGregor>
On the other hand, I see extremely little chance of harm from using it.
21:42
<Hixie>
gmail has all kinds of crazy cool features no other mail client does
21:42
<AryehGregor>
Yeah, priority inbox is *awesome*.
21:42
<The_8472>
that's just a reverse spamfilter
21:43
<zewt>
i turned priority inbox on for a minute; it decided that the "WELCOME TO PRIORITY INBOX" mail was "high priority", which I took as ludicrous enough that I turned it off again, heh
21:43
<AryehGregor>
jgraham, but that's fair in this case, because I made a very absolute statement: that I don't care about privacy at all. It's fair to call me out on that and challenge me to back down to a more moderate statement if I didn't mean it.
21:43
<AryehGregor>
zewt, you have to train it.
21:43
<zewt>
(presumably hixie receives ... somewhat more email than I do, however)
21:43
<AryehGregor>
Give it a few weeks of training and it's very reliable.
21:44
<AryehGregor>
The_8472, as for everyone having preconceived notions about me: that would be a cost I'd take into consideration if it were relevant. For instance, I'm careful what I post on the public Internet about myself under names that are traceable to me.
21:44
<The_8472>
see, most people don't even think about that
21:44
<jgraham>
AryehGregor: Fair enough. In most contexts where I see the bedroom example used no one has made such an unreasonable statement
21:44
<zewt>
AryehGregor: yeah, but it was just a really bad first impression that they didn't set it up to not decide that an automated welcome mail was "important", heh (eg. train it against its own automatic mails to start)
21:44
<AryehGregor>
It's not relevant to using Gmail except in the case where Gmail's mail databases get posted publicly somehow, which is possible but exceptionally unlikely, and probably less likely than the database of my own mail server getting hacked.
21:44
<AryehGregor>
jgraham, I don't think the statement is unreasonable, though. :)
21:44
<The_8472>
jgraham, the "i don't have anything to hide" statement comes up pretty often in discussions about privacy
21:44
<AryehGregor>
zewt, it's more or less random at the start, IIRC.
21:45
<Hixie>
i agree with AryehGregor here. I care about privacy only to the extent that it affects my personal liberty, happiness, and productivity (and that of people I care about). I definitely don't care about it as a goal in and of itself.
21:45
<zewt>
someone who has nothing to hide is probably a rather boring individual :P
21:45
<AryehGregor>
Hixie, but we're weird. Most people care about privacy per se at least to some extent.
21:45
<Hixie>
i think it depends on the culture
21:46
<jgraham>
AryehGregor: I expect it is unreasonable because I expect if you talk to some psycologists/anthropologists/whatever they will tell you than some degree of privacy is needed to maintain human social interactions
21:46
<Hixie>
in germany clearly more people care than in america, for example
21:46
<jgraham>
s/whatever/biologists/ I guess
21:46
<zewt>
but if I can't decide what parts of "privacy" are important for what my "personal liberty"--if that decision is taken out of my hands and put in the hands of advertisers and websites--then it's not going to be made in my interests
21:46
<AryehGregor>
zewt, I have nothing to hide in the sense that I would have no problem if all information about me were made available to, say, computer programs run by the government or Google or whatever, if I had good assurance that the information would go no further (which might not be the case in real life). Of course, I have lots of things I'd like to hide *from the general public*.
21:46
<The_8472>
we have some history with intrusive, orwellian govts....
21:47
<The_8472>
now the large corps do the data harvesting and the govt just accesses the data when it seems fit, thus side-stepping laws that forbid the govt to collect unnecessary data.
21:47
<AryehGregor>
jgraham, as soon as we're talking about people I know, embarrassment and similar things immediately mean that I care a lot about what they know about me. Not because of the privacy, but because of the practical implications it would have if people I knew knew all this stuff about me.
21:48
<AryehGregor>
The_8472, ah, you're German?
21:48
<The_8472>
and it's even worse... the US govt could get my data from google despite not being an american citizen
21:48
<Hixie>
zewt: information that could impact my personal liberty would be things like my passwords and bank account details
21:48
<The_8472>
i am
21:48
<AryehGregor>
Makes sense.
21:48
<AryehGregor>
Germans are crazy strict about privacy (understandably . . .).
21:48
<Hixie>
zewt: and i don't give those to advertisers and websites other than those who already have them (e.g. my bank) or who can give me serious benefits from having them (e.g. mint.com)
21:49
<AryehGregor>
Hixie, I bet in the Far East people care less about privacy than in the West.
21:50
<The_8472>
AryehGregor, actually, they're very afraid about "losing face". So they act very strict in public and only "free" at home
21:50
<AryehGregor>
Interesting.
21:50
<The_8472>
so privacy is quite important to them
21:51
<The_8472>
they're coming more from your embarrassment angle
21:51
AryehGregor
solicits MikeSmith 's opinion on whether he thinks privacy is valued more or less in Japan than, say, America
21:54
<The_8472>
anyway. the more "the web" knows about you the more likely it becomes that that information will harm you some day. by accident, due to shady agreements, due to policy changes... whatever. something always happens
21:54
<AryehGregor>
Sure. But I also get benefit from it.
21:54
<AryehGregor>
And the harm is unlikely to be terribly large, in my case.
21:54
jgraham
notes that googling for interesting articles about privacy in primate social structures is hindered by all the sites having privacy policies
21:54
<AryehGregor>
So I'm not going to trade away clear-cut benefit for the sake of long-term hypothetical risk that doesn't seem very large.
21:55
<The_8472>
people have been fired over some information on facebook. what if some embarassing data becomes visible because facebook changes their policies once again? or because someone crawls semi-public and dumps it in a way for google to index?
21:56
<AryehGregor>
I don't use Facebook, and if I did I'd be smart enough not to post anything I didn't want my boss to know.
21:56
<The_8472>
AryehGregor, and they know that and exploit it. they start to make an interesting/beneficial service and then look how much you're willing to put up with to get as much data as they can
21:56
<AryehGregor>
Sure. I'm not claiming there's no risk.
21:57
<Hixie>
privacy is not all or nothing. You have to weigh the risks. In my case, I don't think Facebook's benefits outweigh its risks.
21:57
<Hixie>
In GMail's case, I think they do.
21:57
<The_8472>
and i'm tech-savy enough that the supposed benefits aren't really that big to me
21:57
<Hixie>
In the case of better ads, I think they do.
21:57
<Hixie>
In the case of buying things by credit card on amazon or iTunes, I think they do.
21:58
<The_8472>
ads are totally useless. i want to make informed opinions, not to be manipulated into buying things on a subconscious level
21:58
<The_8472>
*informed decisions
21:58
<AryehGregor>
Incidentally, I find it unlikely that anything I've told people privately would get me fired. People getting fired or otherwise harmed due to what they posted on Facebook is mostly when they do things that are illegal or immoral or reflect very badly on them in others' eyes.
21:58
<AryehGregor>
I'm sure there are exceptions.
21:58
<The_8472>
and as for amazon, like i said... i can pay on delivery
21:58
jgraham
might be prepared to trade cameraa in the bedroom for open-access science journals for everyone :(
21:59
<jgraham>
s/aa/as/
21:59
<AryehGregor>
But I don't do anything I think of that anyone I care about would find really objectionable.
21:59
<AryehGregor>
But I don't do anything I can think of that anyone I care about would find really objectionable.
21:59
<The_8472>
jgraham, open access would be even better
21:59
<AryehGregor>
Of course, people who regularly do things that others would find highly objectionable have a greater need for privacy.
21:59
<AryehGregor>
Like people who lose custody of their children in divorce cases because they posted pictures on Facebook of themselves smoking weed or whatever.
21:59
<The_8472>
well, i do have voiced opinions that i don't want to be associated with my person
22:00
<AryehGregor>
I have too, because some people would find them extremely offensive. Particularly political and religious opinions. But they're mainstream enough that I don't foresee that I'd come to any actual harm if they were known.
22:01
<Hixie>
The_8472: ads don't have to manipulate you into buying things at a subconscious level. The best ones don't.
22:01
<Hixie>
The_8472: useful ads are those that give you information you wanted, when you wanted it, and that you didn't previously have.
22:01
<gsnedders>
AryehGregor: People who post pictures of FB of stuff that's illegal are just stupid.
22:01
<The_8472>
i call that "searching for something"
22:01
<Hixie>
The_8472: some of the best ads around are the ones that appear in response to a search, yes
22:02
<AryehGregor>
The_8472, example of ads that are often useful: Amazon recommendations. Often they're useless, but sometimes I've browsed through my recommendations and found things like that an author I like published a new book in a series I've read, that I didn't know about.
22:02
<The_8472>
well, those don't need profiling, since they have the information right from the search
22:02
<jgraham>
It does sound a bit like Hixie is drinking deeply from the Google koolaid
22:02
<jgraham>
:)
22:02
<AryehGregor>
I wouldn't have searched for it, it wouldn't have occurred to me.
22:02
<The_8472>
i was talking about Hixie's case
22:02
<jgraham>
But Amazon recommendations are a good example
22:02
<AryehGregor>
But Amazon was clever enough to suggest it proactively.
22:02
<AryehGregor>
Google ads are almost never that useful.
22:02
<AryehGregor>
Because they don't have info on what you've bought.
22:02
<Hixie>
The_8472: yeah, i pointed out earlier that improving ads doesn't necessarily mean getting more user data
22:03
<jgraham>
Although I really wish they would stop recommending things I *just bought*
22:03
<Hixie>
The_8472: note though that giving better search results _does_ require user tracking to a large extent
22:03
<AryehGregor>
Google's trying to make them more useful. I don't know how well they'll succeed.
22:03
<Hixie>
The_8472: google results are measurably better if you're logged in with a history than if you are not logged in without a history
22:03
<zewt>
i don't foresee stock google ads ever being useful; if google knows something I want, they'll presumably show it to me when I make a search--there's nothing gained by it being shown by www.randomsite.com as well
22:03
<AryehGregor>
But I think it's safe to say that what Google really *wants* is to show you one ad a week for something you really want but never would have thought to search for, then you buy it and Google gets a $5 commission and everyone wins.
22:03
<zewt>
(google ads on other sites, I mean)
22:04
<AryehGregor>
To do that, though, they need way more info than they have.
22:05
<AryehGregor>
If the ads become useful enough, you won't have to show them to people when they're viewing other sites at all. People will want to view them of their own accord.
22:05
<zewt>
the cases where sites can actually show an ad to me that I'd ever actually find interesting, which I'd actually need to go to that site to see, is exceptionally rare--and in practice almost exclusively tied to searches (again, Amazon)
22:05
<AryehGregor>
Just like I've sometimes read through my Amazon recommendations voluntarily.
22:05
<smaug____>
Google is sure trying to get more data
22:05
<AryehGregor>
Amazon is mostly tied to purchase history, not searches. That's why it's so effective.
22:05
<AryehGregor>
Purchases predict purchases way better than searches predict purchases.
22:06
<AryehGregor>
Plus, ads in search often just suggest the thing you're searching for, which you'd find anyway in the first result or two.
22:06
<smaug____>
I wonder if Google already changes ads if you use speech recognizer. Google could recognize gender etc.
22:06
<karlcow>
if you are logged in, Google will give more expected results, which is entirely different than better results… though we would have to define what we consider better. etc etc etc. yadayada
22:07
<zewt>
the vast majority of sites aren't selling you anything, though--after all, that's usually the point of ads
22:07
<The_8472>
well, yeah. i make a new login every time i buy at amazon. if i could i'd have it delivered to a different address too. but moving for every amazon purchase is quite inconvenient
22:07
<Hixie>
as i understand it you can see exactly what google knows about you for ads by looking at http://www.google.com/ads/preferences/view
22:07
<The_8472>
and i can't use the packet station if i want to pay in cash
22:07
<zewt>
(that is, ad revenue for sites that don't have an end-user-buys-something-from-them business model)
22:08
<zewt>
8472: heh I'm sorry, but you're pretty hard to take seriously :)
22:08
<The_8472>
disposable paypal accounts would be great
22:08
<Hixie>
karlcow: do you have any data to back that up?
22:08
<smaug____>
Google sure knows more than that
22:08
<karlcow>
Hixie: to back up what ?
22:08
<The_8472>
zewt, i am aware that i'm acting quite paranoid
22:08
<zewt>
i just expect the next thing you'll say is "every time I make a purchase I put on a disguise and make the purchase from a randomly-selected internet cafe"
22:08
<Hixie>
karlcow: your last statement
22:09
<karlcow>
Hixie: what have you understood of my last statement?
22:09
<Hixie>
karlcow: did you not mean what you wrote?
22:09
<The_8472>
zewt, it's the least i would do if i were trading illegal goods.
22:09
<zewt>
on amazon? heh
22:09
<The_8472>
not amazon, lol
22:10
<zewt>
their new service, Amazon Controlled Substances
22:10
<The_8472>
well, i guess in some countries you could get arrested for buy stuff from amazon
22:10
<karlcow>
*I* meant what I wrote, which might be different of what *you* think I meant.
22:10
<AryehGregor>
Hixie, if that's *all* the data Google knows about me, I've really lost a lot of respect for them. :)
22:10
<The_8472>
order porn to saudi arabia or something ^^
22:10
<Hixie>
karlcow: if you meant what you wrote, then i am just curious as to whether you have any data to support your statement or not
22:11
<karlcow>
Basically, experiment take two persons with a long history of searches and let them do the same query. Do you get the same results or not.
22:11
<AryehGregor>
It thinks I'm 25-34. I guess I'll take that as a compliment on my maturity. :)
22:11
<Hixie>
AryehGregor: yeah, people don't realise that google doesn't associate the data collected via one's google login with one's activity on the web and thus what google uses for ads on the web
22:12
<Hixie>
AryehGregor: but as far as i am aware, that page lists everything google knows with respect to the showing of ads
22:12
<AryehGregor>
That's silly of them. But I guess they're forced to cripple themselves like that because people are so worried about privacy.
22:12
<Hixie>
karlcow: how would that affect your statement?
22:13
<zewt>
Hixie: fyi, that page just says "click here to opt in" with no info
22:13
<zewt>
for me
22:13
<karlcow>
That Google return results which are targeted to your profile instead of just results.
22:13
<karlcow>
what I call expected results
22:13
<Hixie>
zewt: i guess that means you're not getting any targetted ads :-(
22:14
<Hixie>
karlcow: that statement seems entirely vacuous
22:14
<zewt>
whereas google does seem to have some data; when I disable abp and load a random mail in gmail, it's showing Java ads (and I've been doing a lot of Java searches lately; that language is just as horrible as I remember)
22:14
<karlcow>
do the experiment same IP, same place, different profiles.
22:14
<karlcow>
or Google is delivering a random results page :)
22:15
<karlcow>
based on coriolis movement
22:15
<zewt>
karlcow: the strange thing is when I do a search, some mailing list post by me three years earlier pops up on top, I think "must be targetted", and ... it's not :o
22:15
<Hixie>
karlcow: if a biologist looking for animals searches for "lion", and a mac developer looking for OS X information searches for "lion", then returning big cats for the former and operating systems for the latter is obviously "better"
22:15
<karlcow>
for you
22:15
<Hixie>
karlcow: for them
22:16
<karlcow>
cf my comment of definition of better
22:16
<Hixie>
karlcow: i don't understand what point you were trying to make then
22:16
<karlcow>
as usual
22:16
<Hixie>
karlcow: you might want to consider being clearer :-)
22:16
<karlcow>
I'm clear
22:16
<Hixie>
no, uou're not
22:16
<karlcow>
different wired brain
22:16
<Hixie>
you, even
22:16
<karlcow>
well I'm not clear to you
22:17
<karlcow>
that is obvious
22:17
<karlcow>
but as usual
22:17
<Hixie>
"if you are logged in, Google will give more expected results, which is entirely different than better results [but we don't define better]" is completely vacuous
22:17
<Hixie>
it is an illogical, trollish statement
22:17
<Hixie>
"in condition A, B will occur, and B != C, but we don't define C"
22:17
<The_8472>
but what do you do if you're a mac os developer but are looking for the big cats?
22:18
<karlcow>
it is not trollish, you confirmed it
22:18
<karlcow>
[17:20] <Hixie> karlcow: if a biologist looking for animals searches for "lion", and a mac developer looking for OS X information searches for "lion", then returning big cats for the former and operating systems for the latter is obviously "better"
22:18
<Hixie>
karlcow: it's unconfirmible, since you confirmed it didn't mean anything!
22:18
<Hixie>
karlcow: you specifically said you didn't define the term that you were comparing to
22:18
<AryehGregor>
The_8472, adjust the query so that it clarifies your intent.
22:18
<AryehGregor>
I do that all the time, Google handles it very well.
22:19
<karlcow>
I will use the word that I didn't want to use initially. "Serendipidity".
22:19
<Hixie>
would you like to use that word in a sentence? :-)
22:19
<karlcow>
Discovering, being surprised, etc.
22:19
<Hixie>
i know what it means
22:20
<The_8472>
well, i guess you could do -"os x"
22:20
<karlcow>
basically getting results which are not necessary the ones you were expecting.
22:20
<Hixie>
karlcow: yes, we know what it means
22:20
<The_8472>
i think his issue is akin to groupthink, google being the rest of the group, sortof.
22:21
<Philip`>
Hmm, Google says I like "Beauty & Fitness - Fashion & Style - Fashion Designers & Collections"
22:21
<Hixie>
The_8472: if he has an issue, i'm sure he'll get around to telling us :-)
22:21
<karlcow>
Philip`: which sites did you read lately? :)
22:22
The_8472
hands Philip` a shake-weight
22:22
<Philip`>
Surely Google can't be wrong, so I'll have to start caring slightly more about fashion now
22:22
<karlcow>
ahah
22:23
<karlcow>
The_8472: "his issue" <- me?
22:23
<The_8472>
yes
22:23
<karlcow>
aaaah
22:23
The_8472
assumed context-inference capability
22:23
<Hixie>
The_8472: that isn't a given with karl :-(
22:23
<karlcow>
hmmm it is somehow, on the philosophical level it is about us becoming our own robots.
22:24
<karlcow>
beasically by getting more and more things which are closer to our own initial thinking, we are reducing the accidents
22:24
<karlcow>
and then we answer to our own program
22:24
<karlcow>
we become robots.
22:25
<Philip`>
It's lucky that this unwanted cookie tracking thing has already been solved by new laws as per http://blog.silktide.com/2011/05/cookie-law-makes-most-uk-websites-illegal-what-you-need-to-know/ so we just need to get the rest of the world to adopt a similar approach
22:25
<karlcow>
it works also with maps and direction
22:25
<The_8472>
karlcow, if google becomes sufficiently intelligent it's no different from teaching your own children!
22:25
<The_8472>
until they know more than you do and you're an old man shaking his stick "get off my search results"
22:25
<karlcow>
not exactly the same thing.
22:26
<karlcow>
Usually you should be teaching to a child how to tell you "NO".
22:26
<karlcow>
(gross summary)
22:26
<Hixie>
karlcow: this concept of "filter bubble" as it is more commonly known is pretty widely discussed, but so far i've never seen any evidence that it's a real risk. In particular, I have not seen any evidence that Google's personalisation of search results is resulting in any kind of loss of serendipity, if anything I'd say it was quite the opposite.
22:26
<Philip`>
If Google's algorithms become indistinguishable from our own thoughts, that doesn't mean we're robots, it means Google has become alive
22:27
<The_8472>
karlcow, instead of "no!" it is just more polite and says "didn't you mean to ..."
22:27
<Hixie>
hear hear
22:28
<Philip`>
(Once Google has emulated your brain patterns it will presumably then destroy the more inefficient of the redundant copies, i.e. you, to optimise the world's resource usage)
22:28
<Hixie>
Philip`: surely having lots of redundant copies is better for making money from ads :-P
22:29
<karlcow>
Philip`: heh. (apart of the nice dark side of the fiction) there is a bit of that.
22:29
<The_8472>
Philip`, that would mean a more efficient copy of my brain patterns would run on google. i don't see the problem there
22:29
<karlcow>
I like Wall-E for this. the part where humans had forgotten they had a pool
22:29
<The_8472>
unless they can search through your brain
22:29
<The_8472>
which they probably could...
22:29
<The_8472>
damn
22:29
<Hixie>
lol
22:30
<karlcow>
ah another notion
22:30
<karlcow>
more efficient.
22:30
<karlcow>
I do not always wish to be more efficient.
22:30
<The_8472>
efficiency is important considering limited resources
22:30
<karlcow>
not really
22:30
<The_8472>
just kill another human and you can afford to be inefficient
22:31
<The_8472>
in the grand scheme of things it is important
22:31
<karlcow>
You have to believe in grand schemes :)
22:32
<The_8472>
most ecological issues are essentially caused by human inventions being significantly less efficient than their natural equivalents (just exceling in one aspect) and due to externalized costs
22:33
<The_8472>
so increasing efficiency decreases costs, even if they're "just" external ones
22:33
<Philip`>
Hixie: Google can make money by getting its cloned people to buy things from ads, and those cloned people can get money by doing the same kind of work as their inferior template organisms did but much more efficiently, so it's better to allocate all finite resources to the clones (given that it's trivial to duplicate a clone so you'll never run out and you can easily replace an organism with multiple clones)
22:33
<karlcow>
definitely but humans are basically killing the biodiversity that makes them alive. They will not kill earth (there is still a possibility of major catastrophe)
22:34
<karlcow>
so the risk is that humans might disappeared or reduced a lot at a point. That might happen indeed.
22:34
<The_8472>
of course not, the ecosphere is pretty resilient and will probably survive us. so protecting it in its current state is also a self-interest
22:34
<karlcow>
But not sure I want to be efficient as a program to achieve equilibrium and peace
22:35
<The_8472>
well, that's science fiction at the moment. for now we can concentrate on more mundane efficiency increases
22:36
<karlcow>
R.U.R. (Rossum's Universal Robots)
22:36
<The_8472>
Philip`, i think a human-usefulness-index based on the contribution to civilisational progress would be a crueld and yet very interesting measure.
22:37
<karlcow>
yirk
22:39
<The_8472>
we need some backup-planets so we can experiment more
22:39
<gsnedders>
_bga: https://bugs.opera.com/wizard/ is where you should report security issues in future
22:39
<The_8472>
see what works and what doesn't
22:39
<_bga>
ok
22:41
<karlcow>
The_8472: too far so far
22:41
<The_8472>
sorry, now i'm the one missing context
22:42
<karlcow>
backup planets are too far, so far with our technologies
22:43
<The_8472>
oh. yes
22:43
<The_8472>
before that we need sustainable energy and a space elevator or equivalent technology.
22:43
<The_8472>
almost all problems can be solved by throwing more energy at them
22:44
<karlcow>
I would prefer to grow peas going very high in the sky and so high that they would reach another planet.
22:44
<The_8472>
that has been tried, it didn't seem to work
22:45
<karlcow>
let's try harder ;)
22:45
<The_8472>
maybe if we anchor the beanstalk to an asteroid in GEO and replace the cellulose with carbon nanotubes....
22:58
<Hixie>
anyone remember why i removed "In any case, events targeted at form controls (or other interactive elements, e.g. links) within a label must not be handled by the label itself." from the spec?
23:20
<Dashiva>
Hixie: Wouldn't that lead to double processing otherwise?