Privacy on the Internet is NOT binary – But what if it was?
by Peter
Back at the end of October last year I wrote a blog post on why Privacy on the Internet is NOT “binary”. So I thought I would follow up with another blog post discussing the alternative viewpoint – What if it was binary?
Well first we need a little context about the Internet and how it works. At it’s core it’s basically two cans and a piece of string. The can (client) on one end talks to the other can (server) on the other end. The string acts as the communication layer (protocol) between the two cans. The protocol that runs across the string is “stateless”.
In short that means that there is no means of storing a users data between requests. The work around for this is…. Cookies which allows the server to track requests from the originating client (can). So how we do we stop one of the cans tracking the other one?
Obviously we cannot get rid of cookies otherwise the Web is going to grind to a halt. So what we need is another “binary” method of allowing me to control my privacy.
Enter the “Do Not Track” option. This is a browser setting that tells the first can (client) to send a message to the second can (server) that it doesn’t want to be tracked. (We’ll discuss how you enforce this in a later blog). Great – I now have a method of communicating with a Web server telling it that I want to remain Private.
Well here’s where it gets interesting or should I say “binary”. Most people think of binary as either a Zero or a One (0,1) however there is actually a third state in the case of the Do Not Track header and it’s called “not set”. So in essence the absence of a Zero or a One is another “state”.
So what does this mean. Actually quite a lot. If the user turns on his Do Not Track option then the answer is obvious. The server MUST not track him/her. If the Do Not Track option is turned off then the server can track away. However if the option is NOT set at all what is the server to do?
Here comes the really big problem – what if the Web service providers are forced either by legislation or by the W3 standards group to start honoring the Do Not Track option? It’s really easy to spot a Zero or a One as part of the communication request. But what if you don’t see anything? Well it means that you have “insufficient data” to make a decision. Which in turn means that you have to send another message back to the client (can) and ask it for more data.
So how does this all work? Well I have to figure out how to send a pop up message to that device and ask the user if they want to be tracked. Well you can guess what the answer will be – no thanks! So in essence we’ve wasted bandwidth, processing cycles, battery life (on a Mobile phone). And at the same time we’re ruining the users experience. The only thing this third “binary state” (which actually doesn’t exist) has done is draw attention to the problem. Think of all the code that is going to be written to solve this problem. What a waste of resources!
Everybody is trying to solve this “Do Not Track” problem through the lens of the “Web server”. (Because it’s where all the content is stored). What no one is thinking about is solving it through the lens of the Browser user i.e. ME. It’s pretty clear that Privacy cannot be binary – there’s simply not enough information to make real decisions which effect my rights.
By making it binary the Web is risking billions and billions in revenue. Why? Because people want a Choice – if forced to pick between Privacy and NO Privacy which one would you pick.
Pretty obvious really.