Me – The intersection of Privacy, Security and Identity on the Web – Part II
In this post we’ll take a look at how the current Do Not Track standard compares to the viable solution list from the last post.
To recap. First and foremost the solution will have four key attributes that promote the following: Confidence, Privacy, Choice and Innovation. In addition it must support the following features. Please note that I added two more, unambiguous and transparent.
- It will be privacy enhancing and voluntary
- It will be cost effective and easy to use
- It will be secure and resilient
- It will be unambiguous
- It will be interoperable
- It will be transparent
So lets go down the list:
Wow, that’s pretty bad. So what if I’m wrong (I can imagine the DNT advocates are shouting at me now). Well how wrong can I be?
- For something to have value you have to believe that it works. If you read the “proposed standard” you’ll see that it has been “engineered” to allow for the status quo to continue. There’s no enforcement – it’s just a recommended practice. Think of it in terms of going through Airport Security – that’s mandatory vs… recommended
- Show me in the spec where it protects my data. In essence it shares all of my data with the content provider and then I have to trust they don’t share that with a 3rd party. So my data is still out there and I cannot verify that it hasn’t been shared
- The default is ??? well I’m not sure because they haven’t decided yet. It should be “On” so that it benefits the consumer, but what are the financial incentives for that to happen. The best bet would be “No Preference” which means in the USA – tracking is allowed and in the EU – tracking is not allowed. Of course you just have to figure out where the Mobile user is so you can make the appropriate response. But that’s tracking right?
- Nothing here. I cannot change anything in the browser. In fact I “may” have to make a lot of changes to all my server scripts. That’s expensive and time consuming. Remember every script or Web page “should” be modified to exclude 3rd party cookies and content if the header is set
- Privacy enhancing
- Again it hasn’t enhanced my privacy, it has enhanced my ability to not have my data shared. For large content aggregators this means nothing as they never share the data anyway with a 3rd party (just themselves)
- This gets a tick box but is actually a fail. Again this is a recommended practice not a mandatory practice. If it was a lot of content providers would go out of business because the ONLY way they can make money is to scrape Web sites looking for personal data that can be shared with 3rd party vendors
- Cost effective
- Only for sites with good data privacy policies. However because there’s no legal compliance here there’s no need to rush to support a recommended practice. For those sites that do have to change the costs can be enormous. Every script has to be updated to support new information arriving at the server
- Easy to use
- Only for the consumer. For the content provider there’s a big cost involved in programming time, server loads, and increased bandwidth
- There is no security involved in this standard
- I think of this as adaptable or extensible. As I can’t innovate around it I don’t see it surviving. How would I differentiate my Web service by improving this standard. You can’t.
- Well for this one I give it full marks – but not for awhile because every browser will have to be updated to support this spec. Currently no browser is capable of sending the required data (e.g. 1, 0 “Null”)
For something to be worthwhile, the general rule of thumb is that you must give more value than you extract. As long as consumers believe that DNT offers more value than it extracts then they’ll be willing to go along with it. However the second they discover that selecting the check box offers no value, then the standard collapses.
DNT is not about privacy – that’s just the magicians illusion – it’s really about Do Not Share my data with 3rd parties – unless I give my permission (which in its self opens up another huge can of worms. Think about the User Interface issues). And that’s something completely different.
So it also fails the tests of being unambiguous and transparent. The good news is that it opens up the chance for new innovation to succeed because believe it or not people really care about their privacy and they want a choice in that process and we’ll talk about that in the next post.