Private Enough

I recently attended a discussion of The Smart Enough City, which got me thinking about what "private enough" online services might mean to people. Privacy is an admittedly slippery concept and your idea of privacy may differ dramatically from mine. Privacy as "contextual integrity" is one concept that helps address the definitional inconsistencies by focusing on information transfer. However, the scholarly literature which I have great respect for won't be particularly useful in explaining what I'm working on to my relatives at Thanksgiving dinner. A look at some everyday online activities will demonstrate how the battle to make the Internet private enough is coming from many directions.

The first elephant in the room is online advertising, which is something I'm not entirely opposed to. It's just the undisclosed third party data sharing without anything that feels like meaningful opt out that’s too invasive. My views lean towards those articulated by David Heinemeier Hansson of Rails fame recently, where he notes the acceptance (or even desirability) of contextual ads and wonders how things went so horribly wrong with behavioral profiling (for individual privacy and the web ecosystem overall).

I've long been a user of various ad- and content-blocking extensions, or sometimes putting in place network level blockers, primarily because ads destroy my ability to actually read or focus. ("Reader View" is another great help in this respect.) Preventing data about my browsing activity from going to unknown places is a very close second though. Would you walk into a physical store or news stand knowing dozens of barely disclosed parties were tracking your every move, classifying your emotional state, bidding on you in real time? So there's one thing for me, the web as it currently sits on a bed of undisclosed advertising and nonconsensual data aggregation obviously isn't private enough.

While quality content is hard to come by and should be supported whether via subscriptions, donations, or even a little bit of advertising, the current user data tradeoff for browsing the web isn't nearly private enough. Despite past attempts like DNT that never materialized, there's great progress being made in browsers to move us toward an opt-in world too. With Firefox's built in protections, WebKit's Intelligent Tracking Prevention and even moves by Google (discussed in detail here), plus an ad blocker here and there, you can do a decent job of cutting down the number of stray requests to sites you've never heard of while cleaning up your viewing experience. Brave is also pioneering a new model that aims to be private enough by default and the results are promising, a good non-technical write up is here. Whether Brave's model of revenue sharing or WebKit's Ad Click Attribution take off is yet to be seen.

As the browsers change, many sites are also doing a better job of disclosing which third parties data is shared with, either as part of cookie preference management options or in privacy policies. In some ways this might be driven by vendors moving aggressively into the space, which isn't necessarily a bad thing. For example, if you visit and click on Manage Cookies, you'll see a OneTrust modal to manage cookies which lays things out much more clearly than the banner notices we commonly see. (Don't forget to scroll through the list of Targeting Cookies. Gross.) At the same time, there are still far too many vague, "we may share your data with our third party partners for marketing and/or other purposes" clauses out there. These privacy policies definitely aren't private enough. Fortunately it seems like we're on the edge of laws like GDPR and CCPA forming enough common ground that it's becoming easier to broadly comply than try and parse out regulations per consumer, per transaction, per jurisdiction, etc. That's a good step.

Beyond browsewrap disclosures with some preference toggles, some sites that require registration still don’t feel private enough. For example, I subscribe to some news sites' "ad-free" options. While this prevents ads from displaying and cuts down on the number of scripts loaded onto the page, there are still a bunch of trackers and constant pings monitoring my behavior on the site. In the examples I've looked at, there's no separate privacy policy prohibiting that info from being used for advertising purposes, i.e. a third party company compiling it into a behavioral profile that follows me around elsewhere. (Looking at you, Wired.) Sure, I might be one of the few people who actually read the policies, but the connection between the way services are marketed and run still isn't private enough. It'll be interesting to see how companies present the CCPA's notice requirements will be presented to explain things like "ad-free but we still track you a little bit." 

Zooming back out to the network, ISP data collection definitely isn't private enough. While Maine has a law prohibiting ISPs from selling consumer data without consent, and California's law will apply to ISPs, other states should step up here. Then again, would this be something tucked into a national privacy law? There have been plenty of those proposed recently. I found this list of topics from the EFF to be a reasonable wish list, though I'm not sure a lack of federal preemption would bring the certainty businesses are looking for. Then again, considering the difficulty in futureproofing any federal language, it might be necessary to let states keep experimenting on top of a federal baseline. A couple of the recently proposed federal bills are discussed here and here, it seems a new one pops up every few days!

So there's some holiday food for thought on privacy. This year, try asking some family members about the privacy tradeoffs made while browsing or conducting other online activities. Or maybe ask if they've noticed anything changing about disclosures. If you’re of my distinguished generation and have some Boomers or even Greatest Generation members at your meal, ask them about how marketing has changed over the years, you might be surprised by what you hear. Some eyes will roll or be too focused on the stuffing to care, others might be shocked to know how much of their info is given up. Many might not have even realized there are other options or choices. Most will have too little time or too much FOMO to opt out across the board. All should agree things still aren’t private enough.

As usual, the views expressed here are strictly personal and don't reflect the views of any past or present employers or clients.

Popular posts from this blog

Thinking About BIPA and Machine Learning

Changing PDF Metadata with Python

A New Serverless Look