The Calmer Seas of Privacy

A new tide for privacy rights

By no means are we there yet. Facebook is still a tracking company at which some engineers maintain a social network in their 20% time. Google can still track your navigation across an estimated 80% of the Web. And, perhaps more worrying, any number of smaller companies are not household names but know far, far more than the names in any given household — and what they know they will sell. There is still a long way to go for online privacy to meet reasonable expectations.

However, it does feel like we are sailing through a sea-change. Ten years ago privacy suffered from a blistering case of Borg Complex. Even when we organised events to try to lay some groundwork on improving privacy amid revelations from projects like Panopticlick there was a sense that at best only a few of us, probably a set of people strongly overlapping with the fast dying group that still recalled how to properly trim and quote an email, might survive the impending Aprivapocacylypse. (No, we didn't really call it that.) You could go full survivalist and hope you could shoot down Google's drones before they reached your hut or you could surrender your right to define your own personality.

That is the case no more. There is hope. Extreme positions remain, but interesting middle-grounds have been cleared. Part of that stems from the excellent work carried out in the EU crafting the GDPR. For all that some may be fear-moungering around it, the GDPR is nothing more than a sound foundation of good data housekeeping and transparency. Regulatory intervention was both necessary and treacherous, and the GDPR has stricken a balance of rare sanity.

But it is not just that. One of the nasty side-effects of Borg Complexes everywhere they appear is that they polarise the community in ways that prevent progress — essentially guaranteeing their own fulfilment. They engender despair, and with it desperate positions. For the longest time the privacy discussion had radical "Let Publishers Eat Cake" ad-blockers on one side and surveillance capitalists promising World Peace through better targeting on the other just lobbing diagonally opposite dystopian predications at one another.

This too has changed. A more peaceable approach to privacy has led browsers to experiment with more subtle ways of protecting privacy. Safari blazed the trail there with Intelligent Tracking Protection. ITP works by allowing some degree of third-party tracking, notably within the first 24h which should prove amply enough for most retargeting (showing you ads related to, say, a product you were looking at), and the duration of which could be tuned based on experience. In other words it very measurably improves privacy while allowing "reasonable" tracking and, unlike ad-blocking that immediately puts an end to the conversation, it leaves the door open for the ad universe to reinvent itself within red lines it can no longer cross. (Readers of Tim Wu's "The Attention Merchants" will recognise this pattern and know that the ad industry will not die, no matter how loud it screams wolf.) In the same vein, Firefox Tracking Protection (sadly only active by default in Private Browser — turn it on, it just works) will block third parties by default but enable those that respect DNT or that are transparent to their users about opting-in.

Some find these browser moves unilateral, but after twenty years of empty promises to self-regulate, I think advertisers should welcome this mild and nuanced path forward away from blockers. It certainly is an opportunity for reinvention. Both of these approaches are conversation-starters far more than shots across the bow, and I have no doubt that the great teams behind both of these browsers would be open to discussing proposals to improve — and perhaps eventually align — their respective approaches.

There is much work left on the table. Fingerprinting needs to be eliminated (and here too resistance is not futile). Ads need a better way to be distributed than code injection, or at the very least the means to much more strongly sandbox said code. We wait to see what the equally excellent teams behind Edge and Chrome plan to do when they decide to bring their privacy game up to speed and put their innovative power to use in service of their users' rights.

It's still a long road ahead, but no one will get to add my biological and technical distinctiveness to their own.