Why is Privacy such a hard problem to solve?
by Peter
Back in October I wrote a blog post titled “Privacy on the Internet is NOT “binary” Since then i’ve been giving Privacy a lot more thought. And so it seems has the IETF (The Internet Engineering Task Force)
From the IETF draft document published, November 14, 2011… (link)
[snip]
The goal ( of this protocol ) is to allow a user to express their personal preference regarding cross-site tracking ( using an HTTP X request header ) to each server and web application that they communicate with via HTTP, thereby allowing each server to either adjust their behavior to meet the user’s expectations or reach a separate agreement with the userto satisfy both parties. Key to that notion of expression is that it MUST reflect the user’s preference, not the preference of some institutional or network-imposed mechanism outside the user’s control.
[/snip]
In short they want the browser to send a message to the server that says don’t track me. So I thought I would check back in to see how much progress they are making? It’s a little techie but worth a read.
Privacy is a really tough problem to solve. My personal opinion is that the W3C is on the right track, however without the ability to influence to the Browser manufacturers there is little chance for implementation. It’s going to require changes to the browser and to the Web server. Changing the HTTP protocol doesn’t solve anything – as it’s just a communication mechanism. What you have to change is both end of the pipe – and that is going to take some real innovation. (hint www.3pmobile.com)
Here’s the closed issues with some notes to follow along with.
ISSUE-2: What is the meaning of DNT (Do Not Track) header?
[CLOSED] “Does the presence of a DNT header field on requests always indicate an explicit choice”.
The answer we agreed upon is “yes”.
[Peter notes]… means that if the Web server sees this header in the browser requesting the page then the user has said explicitly that they do not wished to be tracked.
ISSUE-50: Are DNT headers sent to first parties? Yes
ISSUE-70: Does a past HTTP request with DNT set affect future HTTP requests? No
ISSUE-40: Enable Do Not Track just for a session, rather than being stored
[CLOSED] Resolved in DNT Call 2011-10-26: The user agents are free to send different DNT values for different sessions. We agreed that this is a user-interface issue and out of scope on its own.
[Peter notes…] this means that the browser can send a do not track header for one session but then change to another value in another session – obviously the hard part is figuring out how to implement this. Think of a whitelist (which would need to be added to the browser) so that the user can select which Web sites that can track them. This is beyond the scope of the W3C to implement – the browser OEM’s will have to do it.
ISSUE-68: Should there be functionality for syncing preferences about tracking across different browsers?
[CLOSED] Resolved in DNT Call 2011-10-26: The user agents may or may not sync. However, this is out of scope for this spec.
[Peter notes…] this is a big problem – what happens if I switch browsers? How does it remember my privacy settings?
ISSUE-42: Feedback to the user from the browser when Do Not Track is turned on
C. Postponed Issues
ISSUE-44: Ability to measure/detect who is honoring Do Not Track at a technical level
[POSTPONED] The info at the well-known URI declares whether a server promises to follow DNT. Whether it actually does (or just pretends to do so) is hard to determine and should be addressed later.
[Peter notes…] This one is really difficult. How do you know at the technical level if some is really honoring your request for privacy or is just pretending?
ISSUE-64: How does site preference management work with DNT
[POSTPONED] To what extent cookies can be used for preference management (such as storing a language preference) will be resolved later.
[Peter notes…] This is another tough one. On Mobile cookies do not work very well. And the problem then becomes how do it store privacy data in them for a later use?
Posted in: Enterprise Mobility, Privacy