Security news that informs and inspires

Better Privacy Through Collaboration

SAN FRANCISCO--As useful as it is, the web also can be a manifestly frustrating and unsafe place for many people. While the last 10 years have seen significant improvements in online security, the privacy side of things has not caught up yet, and changing that requires the attention of not just technology companies and browser makers, but also of policymakers and regulators.

“We’ve dug a pretty deep privacy hole on the Internet and we’re trying to dig out of it. But we can’t do it alone. Browser vendors need to work together, and legislators and regulators need to step up as well,” Tanvi Vyas, principal engineer at Mozilla, said during a panel on browser privacy at the Enigma conference here Tuesday.

“For us, our highest priority is privacy. We need a combination of technology and policy to protect privacy on the web.”

The concept of online privacy has always been an amorphous one, and different people have different definitions for it, depending upon their vantage point, background, and threat model. For some it may mean the freedom to move around the web unobserved by their government, while for others it may mean the ability to protect themselves from unwanted tracking by advertisers, platform providers, and other parties. It’s a broad spectrum and it’s not easy for even the most sophisticated users to navigate.

For browser vendors, privacy is an especially difficult challenge that requires careful thought about not just users, but also state and federal laws and technical considerations. Most of the major providers have made broad improvements to their browsers in recent years to give people more privacy protections by default, such as blocking third-party cookies and other trackers, or making HTTPS the default mode of transport.

But those changes only go so far, as ad tech companies constantly adapt and shift tactics, too. Advertisers want the user data they’re paying for, and it is still quite difficult to prevent or even minimize web-scale tracking for most people.

“For all of the good that the web has brought, it’s also come at a significant cost. Too much data is being exchanged and it isn’t a good thing. Today it’s happening at a scope and scale that nobody could ever predict,” said Justin Schuh, engineering director on the Chrome trust and safety team at Google.

“The rise of covert tracking is about connecting your data across devices and platforms. But it’s also about bypassing anti-tracking mechanisms.”

For meaningful improvements to privacy to take hold, the burden must be shared among the technology providers, policymakers, and legislators, a mix that hasn’t always gone well in the past. The United States currently doesn’t have a broad data privacy law akin to the General Data Protection Regulation (GDPR) in Europe, so individual states have had to take up the slack. That’s worked to a point, but developing and implementing legislation and regulation are long processes that don’t work at the speed of technological change.

“If you build a technical mechanism that relies on the law to enforce, it’s going to take a long time to have an effect. We need a hybrid approach,” said Eric Lawrence, a program manager on the Edge team at Microsoft. “We need collaboration among the browsers, because if we don’t have that, we have outliers.”

“If you build a technical mechanism that relies on the law to enforce, it’s going to take a long time to have an effect."

This becomes even more challenging in an environment where many people are moving to mobile devices as their primary computing platforms. Mobile platforms are much less open and transparent than the web is at the moment, making it more difficult for the browser makers and users alike to understand what’s going on in terms of privacy.

“The web doesn’t exist in a vacuum. People have choices for what platform they target. If we do things in privacy that hurt the open web, we could push ppl to less privacy preserving ecosystems. Mobile platforms are more opaque than web platforms. If we drive people in the wrong direction, bad things may happen,” Lawrence said.

Finding the right mix of technical and policy to improve privacy is no mean feat, and Google’s Schuh said it’s important that the technical community not simply rely on Washington to deal with privacy problems.

“What concerns me is when we have the opportunity to build strong technical measures and instead we choose to build soft ones because of legislation or regulation. I want us to build robust technical measures. I’m very much worried when I hear something that sounds like pushing a problem off to regulators,” he said.