Since the advent of the first banner ads, web tracking has gradually developed practices that are intrinsically based on a disrespect for peoples privacy, DNT and the EU GDPR will disrupt those practices.

It seems fitting that I write this article on #HumanRightsDay

Privacy is a fundamental human right. It is the right to control to whom and to what information is shared with others. Privacy protects the criteria used to determine how information is deemed private. Simply put, it’s ones right to keep or share information they themselves deem as private; something is private when one deems it thus.

Since the advent of the first banner-ads on the web, advertising has grown to become the most popular business model, and with the growth of advertising there has been an equal expansion of tracking techniques. These techniques include tracking users clicks, the duration of site visits, metrics about device capabilities, the variety of sites visited, and the frequency of these visits are only the bare-minimum for todaysʼ tracking analytics. What is considered “business as usual” today includes a plethora of intrusive techniques that were previously considered to be spyware. This includes techniques such as mouse movement recording, keylogging, geolocation tracking, and even video recording of what the user does on every web site they visit.

Current tracking practices are intrinsically based on a disrespect of peoplesʼ personal and private data. Tracking companies business models are based on the presumption that 1. You forfeits your right to privacy in exchange for ad-subsidized content, and 2. Your personal data belongs to them. These conditions are not sustainable in the long-term if we wish to maintain the right to privacy in the future. Privacy will continue to be erroded for all classes of society, but will especially impact the poor, who cannot afford to opt-out of ads in exchange for a subscription.

Overview of Web Advertising

Tracking practices arose from the last twenty five years of the web, during a time when the vast majority of web content was subsidized by banner ad-based business models. These models naively depended on the collection of increasingly intrusive metrics in order to precisely target consumers. As ad markets became more efficient over time, metrics needed to become more precise in order to keep advertising conversion results positive. Itʼs an arms race between the ad-networks competing to deliver ads with better and better conversion rates. This model of increased tracking and surveillance in exchange for optimized return on investment has been called “Surveillance Capitalism”.

Ad-networks are middlemen who facilitate a “triangle trade” between content-providers, advertisers, and users. In this system, a content provider (e.g. The Wall Street Journal) wishes to publish a news story to their readers. Their costs include paying reporters, hosting the website, and they wish to be paid by an advertiser. The advertiser (e.g. Chase Bank) wishes to get attention to their product (e.g. a new savings account), by placing an ad in front of users likely to open a savings account. The advertisers costs include designing an ad, and paying the ad-network to place the ad on sites within the ad-network (i.e. ad-networks have many sites, one of which is wsj.com). The user wishes to read the latest news (preferably for free). The ad-network is a match-making company, they (via tracking analytics) are able to see which users visit the sites in their network of content-providers, and are able to instantly place an ad for the Chase savings account to the user of the Wall Street Journal who has a metrics profile most similar to other users who have opened a new savings account recently. The ad-network matches advertisers to the users most likely to buy something from the advertiser. When the ad is placed, the user sees the ad, the ad-network is able to inform both Chase bank and the Wall Street Journal that the ad was seen. Finally, the ad-network is paid by Chase, and the Wall Street Journal is paid by the ad-network for hosting the ad.

Users “pay” for the websites they visit in hidden ways. They pay by implicitly allowing ad-networks to build a marketing profile about themselves. Their browser automatically sends information to the ad-networks about their browsing behaviors. This happens without users consent or knowledge. This data is shared between the ad-networks, then aggregated and combined to create detailed profiles containing lists of sites users have visited over time, including what theyʼve done on those sites. This profile is then used to efficiently advertise products and services to the user.

Users also pay for the amount of data ads consume on their smartphone data plans. For example, on TMZ.com[1] there are 47 different trackers, 42 different cookies, and a single page request to the homepage takes 10.02 megabytes of data across 262 requests. This request averages 52 seconds to load. The user-experience is slow, and the homepage doesn’t allow the user to read a single article. With an ad-blocker installed, the site payload was only 3.87 megabytes of data across 104 HTTP requests, averaging 9.76 seconds to load. This is a significant speed and data improvement, and showcases the reduced data savings. Up to 50% of a users mobile-phone data plan is used for serving ads, each ad taking ~5 seconds to load, and decreasing overall phone battery life by ~20%. The top 1-million sites use an average of 25-30 trackers.

Users “pay” for content with their security as well. In 2016 malware being served via ad-networks was up 132%[2].

The problem with current tracking practices is that users are not empowered to make consensual decisions around how their online behavior is collected and aggregated. Users are unaware of the sacrifices they’re making to view content online.

Do Not Track (DNT)

Do Not Track is a technology and legal framework that enables users to opt out of tracking by ad-networks, analytics services, and social platforms. DNT empowers users with a choice they currently don’t have. It’s a feature in web browsers that allows users to express their preference for not being tracked to the web sites and services they use every day. A new set of laws including the EU GDPR and California AB 370 provide a legal regime to enforce the respect of this new browser preference. Combined, the technology and law provide a viable path forward to reclaim the right to privacy on the web.

DNT is a user making an explicit feature request, I do not want to be tracked. It is a better version of the Do Not Call registry. DNT is a user preference that forces the browser to send an HTTP request to the server explicitly telling that server not to track user behaviors.

Privacy is a Feature

People (generally) don’t care about privacy until they’re affected by its’ loss. A few examples; people provide their email addresses to get a receipt at a brick-and-mortar store after a transaction, but hate when they receive spam. People use credit cards on sketchy websites, but hate when they see fraudulent charges. People reuse the same weak passwords on multiple websites, but hate when they get hacked. The problem is an expectation of privacy when they’ve taken actions that undermine their privacy.

DNT and the laws that enforce respect for DNT enable users to take action to express their right to privacy. Web companies and services that respect it have an opportunity to benefit. Companies like Apple are setting a good example of this mindset towards privacy by building pro-privacy features and services.

Privacy marketing will be an important value-add for Internet commerce. It will be a terrific way to gain market share at the expense of the competition – or to lose much of your market share, if you find yourself on the wrong end of a privacy campaign —Nick Szabo

Organizations that respect and offer a straightforward choice around tracking to their customers will earn their trust and loyalty.

“great experiences don’t have to come at the expense of your privacy and security. Instead, they can support them.” —Apple

Apple seems to have wised-up to selling privacy as a component of a luxury product. They have marketed features like TouchID, ApplePay, encryption and differential privacy as privacy-securing features. At the same time they have undermined privacy in numerous ways.

The EU GDPR and AB 370

Browsers and servers today can implement technological support for DNT, but until recently, ad-networks had no incentives to honor DNT. The ad-networks continue to ignore the DNT request, and continue tracking users either explicitly or implicitly. They had clear disincentives to ignore the user-preference.

California law AB 370 makes it more difficult to continue to ignore DNT without explicitly excluding Californian residents. The law, (regardless of where the website is hosted) modifies the California Online Privacy Act. Under SECTION 1, Section 22575 requires a site to disclose how it responds to the Do Not Track preference.

SECTION 1. Section 22575 (5) Disclose how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection. (6) Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service (7) An operator may satisfy the requirement of paragraph (5) by providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.

This means sites need to explicitly say whether they honor or do not honor the user expression of DNT. This doesn’t go far enough to incentivize companies to actually honor DNT, it merely incentivizes them to disclose how they address the preference. Ultimately this will not empower users in any practical way.

EU General Data Protection Regulation (GDPR) was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy. It was approved by the EU Parliament on April 14, 2016 and entered in force on May 25, 2018 - at which time those organizations in non-compliance could face heavy fines.

You may have already seen the preemptive effects of the EU GDPR in the wild, such as the “cookie disclosure” notice on many sites in the EU and UK: “Yes, I accept cookies”.

The EU GDPR law goes much farther in that it gives users actual choice rather than just disclosure. To summarize the law, it applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location. It also applies to a controller or processor not established in the EU, where the activities relate to: offering goods or services or monitoring of behavior of EU citizens. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.

Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater) of the previous year. Most serious infringements are not having sufficient customer consent to process data, or violating the core of Privacy by Design concepts. Companies will no longer be able to use legalese terms and conditions, that is to say, request for consent must be in plain language. Any data collection and processing must be directly attached to the point where consent is given. Companies can’t just collect information for any purpose, the purpose must be clearly limited and stated. Finally it must be as easy for consumers to withdraw consent as it is to give it.

The GDPR includes the “Right to be Forgotten”, also known as “Data Erasure”. It entitles the user to have the data controller erase personal data upon demand as well as cease further dissemination of the data. It also forces third parties to halt processing of the data.

“Data Portability” is the right for a user to receive the personal data concerning them, which they have previously provided. It must be in a “commonly used and machine readable format”. The user has the right to transmit that data to another controller of their choosing.

A major component of the GDPR is companies can no longer “Collect it all now, use it later”. Under Recital 39, it notes that “specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection…” Recital 32 notes that “When the processing has multiple purposes, consent should be given for all of them…” If the data is later to be used outside the scope of original purpose, user must receive an explicit opt-out opportunity accoding to GDPR, Article 6, paragraph 4, Recital 50. The language of the original purpose must be in clear, plain language (not legalese) according to GDPR, Article 13, paragraph 1, c.

These regulations together provide a much more user-centric set of rights that were previously impossible for users to exert over data collectors. Together with the DNT feature, users can finally push back against online tracking.

Technology Pushes Back Against Tracking

DNT and anti-tracking technologies are making the previously hidden practices of web tracking visible to the end-users. This technology will (hopefully) help shine light on the seedy underbelly of intrusive advertising. It’ll make the invisible visible. These changes will empower users to make informed decisions that were either technically difficult, or outright hidden.

Safari web browser has a new feature called “Intelligent Tracking Protection” or ITP, which purges third-party cookies that are determined to be able to track users across sites. After 24 hours, the third-party cookies can only be used for log-in purposes if the user visits that site as a top-level domain. All cookies are purged after 30 days. The software utilizes a machine learning model to classify which top privately-controlled domains have the ability to track the user cross-site, and those determined to be trackers will be deleted from the browser.

Firefox will soon allow users to prevent tracking cookies in the “Tracking Protection” feature. Eventually, cookies set without explicit DNT consent will be blocked if the user has enabled Tracking Protection. It remains to be seen if this feature will be enabled by default. Firefox 57 introduced a change to how the browser loads scripts matching domains in their Tracking Protection database. This has the effect of reducing the perceptual page load time for the 1st-party site, and making tracking ads load more slowly.

Google Chrome will begin filtering obtrusive ads by default in early 2018.

Chrome filtering will work by the Google search engine conducting an “ad experience review”. Reviews are periodic, and result in a “passing”, “warning” or “failing” grade for the site under review. The ad review engine crawls a subset of site pages, conducts “user-like” interactions, and compares ad experiences to their “better ads standards”. If the site detects violations of the standard, the report will result in a “failure”. Sites with ads with a failing Ad Experience Report will have their ads filtered in Chrome. It remains to be seen if this feature will be enabled by default.

Chrome ad filtering is controversial because Google has a direct conflict of interest in that its ad filtering will punish the ad-networks that are in direct competition to the Google-owned Doubleclick ad-network. It is in Googles’ best interests to filter ads from their competition, such that it incentivizes advertisers to use the Doubleclick network since Chrome would be filtering ads outside the Doubleclick network. This could result in monopolistic behavior on the part of Google.

A new player in the browser market is the Brave Browser. Brave is founded by Mozilla founder and creator of JavaScript Brendan Eich. Brave provides an “ad-less” web experience. It enables a direct monetary relationship between the content-provider, advertisers, and their user audience (replacing existing ad-networks). Brave browser will include a new cryptocurrency called the Basic Attention Token (BAT) that facilitates a marketplace directly connecting content-providers, advertisers and users. Users can opt to directly pay the content-provider for content using the BAT token. Alternatively, users can be paid BAT tokens in exchange for seeing ads placed by the advertisers participating in the Brave ad-network. These BAT tokens can be used to pay for content created by content-providers. Brave has been tight-lipped about how exactly users privacy will be better protected on their ad-network compared to existing ad-networks.

Another recent entrant into the browser space is Better, a browser built according to Ethical Design concepts. This browser eschews “better ads” standards that companies like Google, Brave, Ghostery, and AdBlock Plus are promoting. Instead, it offers a product thats’ interests are aligned directly with consumer interests because they are paid directly by its’ users, and the business model doesnʼt rely on surveillance capitalism in order to make money.

Preparing for the Future

There is potential for the changes described above to have wide impacts on the advertising industry, and I have some recommendations for organizations that wish to get ahead of these changes in order to reduce risk and lower the force of the impact.

Design with privacy as a guiding principal. It’s far easier to handle privacy considerations in the design phase rather than having to backtrack a product once built. Design humane technology that respects users privacy. Consider where users privacy is placed at risk. Design features that achieve a goal with a smaller or no privacy impact. Design data collection features that ask for informed, explicit consent.

Differentiate your organization by highlighting a privacy-respecting approach to data collection.

Be a good corporate citizen by empowering your users with choice around how their data is collected.

Allow users to both export their data, and delete their accounts from the product.

Honor the DNT browser setting according to the EFF DNT Guide.

Describe in plain language how users data is collected and used.

Reduce the amount of metrics stored internally to the minimum possible, and purging that data whenever possible.

With technology and law moving forward in lockstep, I see a positive path forward for the protection of the right to privacy online.

This article is adapted from a series of talks given at Nara Logics in 2015, and later at Cinch Financial in 2017. 0xADADA (name redacted) is a software engineer and consultant. He speaks about the intersection of technology, privacy, law, and cryptocurrencies. You can find him online by the pseudonym “0xADADA”.

References