
Contract for Web Can’t Fix Privacy Problems If Security Isn’t Included


The inventor of the World Wide Web wants the Contract for the Web to be a first step towards addressing problems such as misinformation, mass surveillance and censorship online, but the list is not a realistic blueprint for action.

Tim Berners-Lee's Contract for the Web outlines nine high-level principles for governments, tech companies, and individuals. The contract—which is non-binding—calls on companies to respect consumer data privacy and governments to ensure everyone has access to the internet. The high-level principles were announced last November, and over the past year, the World Wide Web Foundation, a non-profit campaign group set up by Berners-Lee, worked with partners to expand the principles into a framework of 76 detailed clauses.

One of the things the contract calls for is clearly defined national laws that give individuals greater control over the data collected about them, and for countries to establish independent, well-resourced regulators that offer the public effective means of redress. That maps onto Europe, with its General Data Protection Regulation (GDPR), but not onto the United States, which has no comprehensive federal privacy law and where individual states have enacted their own versions of privacy legislation.

The contract also says governments should make sure everyone has access to the internet and that the internet should be available all the time. This is not as straightforward as it sounds, as countries such as China, Iran, and Russia, have taken steps recently to tighten their control over domestic networks. By restricting all communications leaving and entering the country, these governments can increase censorship and surveillance.

"There are a few incentives built into this, but not enough for the vast majority of the world’s governments or corporations to change their behavior or beliefs," said Jason Kent, the hacker-in-residence at Cequence Security. "This is a nice-to-have list of things that would make the Internet a better place for us all, but it isn’t enforceable."

What Does Agreeing Mean?

For the contract to be useful, tech companies, governments, and other groups have to sign up and agree to follow those rules. After signing up, these organizations are expected to show progress towards meeting those principles through regular reports. For example, tech companies that have agreed to the contract would have to show they have created the control panels for consumers to see what data has been collected and is stored about them.

The Contract for the Web is already supported by 160 organizations, including the governments of France, Germany, and Ghana; technology companies such as DuckDuckGo, Facebook, GitHub, Google, and Reddit; and other organizations such as the Electronic Frontier Foundation, Public Knowledge, Ranking Digital Rights, and Reporters Without Borders.

The fact that Facebook and Google signed on and took part in the discussions that shaped the clauses for the nine principles suggests the companies are thinking about ways to give control of data back to the individual consumer. On the other hand, their presence could just be virtue signaling, as these are the companies whose business models depend on data-hungry algorithms, Kent said.

“This is just another way for them to say 'See, we care about privacy,' when in fact they benefit more when people give up their privacy,” said Kent.

For the most part, though, the Contract is very broad and avoids elements that might deter acceptance among different groups. As SecurityWeek noted, there is nothing to prohibit governments from stockpiling zero-day vulnerabilities for offensive or defensive campaigns. A prohibition of that kind is "probably the main reason" Microsoft's Digital Geneva Convention has not gained a lot of traction, SecurityWeek's Kevin Townsend wrote.

Where Is Security?

The problems Berners-Lee wants to fix are serious. The Web Foundation published statistics noting that a false story reaches 1,500 people six times faster, on average, than a true story, and that online scams cost 20 countries around the world an estimated $172 billion in 2017. And the never-ending list of data breaches and data exposures means consumers have lost control of their information.

However, there is nothing in the Contract about information security. If security isn't part of the discussion, then even the organizations focused on privacy will still end up leaking information they didn’t intend to, Kent said. If the Contract is going to talk about improving privacy online (and two of the nine principles are specifically about privacy rights), then there needs to be some discussion of what security looks like.

"It won’t be possible to create better internet privacy without security," Kent said.