The Third Party Privacy Problem
by Peter
In my last post How your privacy leaks out on the Internet I discussed the third party problem. It’s really a difficult problem to solve – especially when you’re not sure who the 3rd parties are. In this example above lets assume for arguments sake that the content provider is ONLY using those companies shown as icons above, as 3rd party advertisers. There are still issues to deal with – but it’s bracketed.
The next situation is more complex. What if there are other 3rd parties on that Web page, or one of the above icons refers to yet another party who in return shares your information. That’s really a tough problem to solve.
Interesting enough there’s a post about this problem up on the Public Do Not Track Mailing list – the title is “tracking-ISSUE-129: Site-specific Exceptions a) Blanket Exceptions (mysite, any-third party) [refining ISSUE-111] [Tracking Preference Expression (DNT)]
Quite a mouthful for sure… however this is a really important topic so lets dig in. Here’s the scenario/use case
SCENARIO/use case:
- User visits a site with DNT;1; by default, third parties fall under the constraints for third parties
- Site needs certain (maybe unknown) list of its third parties to function properly
- Site asks user to provide a site-specific exception to allow all (aka “*”) used third parties to be exempted from the constraints for third parties
So let’s break it down:
- You’re using your standard browser and have set the preference so that you are not to be tracked – as far as you’re concerned that’s it.
Now we switch to the content providers site. They’ve been operating for years and have integrated calls to send data to 3rd parties. Without those calls either their Web site doesn’t work or they don’t get paid. So what happens now? They get a request from a browser that indicates that the user does not want to be tracked – however the Web site cannot return a response to them without tracking them.
So they need an “exemption” – they have to message the user that in order to see this Web site they have to be tracked and need them to agree to it. Well basically there’s only ONE way to solve this problem – you have to send down a page with some JavaScript in it which pops up a dialog box with this request in. The user then has to agree – but now comes the next thorny issue – how long do they agree for? And exactly what are they agreeing to? Does the content provider have to list all the third parties (some of which are unknown to them). What data are you exactly sharing with these unknown 3rd parties. Are those cookies going to remain on my device for others to see and use?
In a previous blog post: Me – The intersection of Privacy, Security and Identity on the Web – Part II I used the following graphic to illustrate the issues with DNT.
The issue we’re discussing in this post “Site-specific Exceptions a) Blanket Exceptions (mysite, any-third party)” hits right in the “Innovation” category.
In an attempt to make Privacy binary (0,1, Null) we’ve made it very easy for a user to send his Privacy status. What we haven’t done is make it easy for the content providers to comply. Think about the above issue for a moment. Think of it in man hours, lines of code, regression testing, and most importantly “expectation setting”.
There’s simply a ton of work to do to make this right. The user has a very clear expectation – anything that changes that expectation must be transparently and unambiguously conveyed to the user. This is NOT trivial – because you have to get it right immediately, and it must be right all the time. DNT is not cost effective for sites that have “unknown 3rd parties who they share data with.
Of course fixing that will affect your revenue numbers.