JONATHAN MAYER: I hope the group will come to some kind of a consensus, but I’m not very optimistic that’s going to happen. The leverage used to be on the advertising industry’s side, but it has become clear by virtue of the technologies at the browsers’ disposal that the leverage is now on the consumer’s side.
The advertising side would be expected to reevaluate their hardline “We’re not going to negotiate” stance and rethink their strategy. Unfortunately, that hasn’t happened. So I’m not too optimistic on negotiated terms for Do Not Track, but I’m increasingly optimistic that by virtue of the browsers’ efforts, consumers will get the choices they want. It looks like consumers will get some pretty good privacy in the near term. If the W3C’s process is unsuccessful in developing a consensus on what the standards are, companies could be in a difficult spot, but consumers may be okay because of the technical countermeasures that are starting to be drawn over browsers.
What will it take for the W3C to come to an agreement on the Do Not Track standards?
One thing advocates long stood by is if a user says "Do not track me," that should mean you’ll get rid of the unique ID identifier cookie if you’re a third party in the business of advertising or collecting user data. The advertising industry has said no, we need to keep these cookies for certain users like market research, product improvement, etc. It’s hard to come up with something that doesn’t count as market research or product improvement.
So you get one part of the group saying "We can’t live with X" and another group saying "We can’t live without it." It’s unclear, after a few years of those positions remaining where they are, how in the span of just a few short days things will be resolved.
What would be the ideal solution?
Consumers don’t have a great handle on what’s going on in terms of how their data is being collected and what it is being used for. Therefore it makes sense to shift the burden of explaining to the user what is going on to those who are in the best position to do it. Advertising companies have an incentive to convince users that they’re trustworthy and that users should allow them to collect data.
By setting those default settings to Do Not Track, we give interested parties the incentive to educate consumers about the impacts of those choices. We allocate to them [those parties] the responsibility of getting consumers to give them access.
What are your thoughts on technology that uses data like IP addresses, timestamps and geo-location information to target ads, which is supposedly less invasive?
I have no objection to privacy-preserving advertising. I have done research in this topic and have designed systems that will enable privacy-preserving advertising. The concern isn’t that websites are ad-supported or many forms of ad targeting – like we see you seem to be coming from the New York area, so we’ll show you an ad for events in New York, or we see you’re on a site for fancy wristwatches so we’ll show you an ad for fancy cars. All of that is very much welcome.
The ads depend on relevant browsing history that draw the most privacy concerns. It’s fair to say that advocates differ on how to handle this. Personally I don’t have a lot of trouble seeing ads based on my browsing history; I actually prefer to see relevant ads. My objection is that my data is being seen by companies I’ve never heard of. Privacy-preserving advertising, I think, would be great. Many forms of it are to be welcomed.
What projects are you working on now?
I’m finishing up some research and countermeasures [for consumer privacy], but it’s very difficult to see a long-term consensus approach. Personally, I’m starting to shift away from privacy. Part of it is because I’ve grown frustrated with the space. A lot of what there was to be said has been said. We now have a pretty good understanding of what consumers expect and want, and an okay understanding of the economics of the space. Compound that with years of negotiation and unfortunate episodes of vitriol, and so I’m ready to move on.
This is partly why I started focusing on technical solutions, like working on the Firefox cookie-blocking feature. Here’s something we can use that doesn’t require everyone to agree on it. It doesn’t have the same negotiating flip-flops of Do Not Track that have gone on for years. And hopefully it’s good for consumers.
My personal research has started to move into the Computer Fraud and Abuse Act, which is a federal hacking statute that is quite overrun. In essence, using a computer in a clever way that someone doesn’t like is a federal crime. That seems excessive. I’ve been working on understanding what can be done about it, doing more law-oriented research. On the technical side, I’ve been doing some work on browser security but still casting around for the next issue I’d like to work on.
Privacy was tantalizing a few years back because it was clear there was a lot of interest on the horizon and an opportunity to provide input. I hope I’ve done some measure of good, but at this point it seems stuck. The space is sufficiently crowded with enough vested interests that make it difficult for one grad student to make a difference.
I think the group would be responsible to set some firm deadlines, in particular to say if we can’t agree on X by Y time, let’s agree that we can at least disagree and move on. The group leadership has resisted that approach so far. The path of least resistance is to say "Let’s have another conversation," and it’s a lot harder to say goodbye but that may be what’s necessary.