Doc Searls Proposes We Set Our Own Terms and Policies for Web Site Tracking (searls.com) 33
Today long-time open source advocate/journalist Doc Searls revealed that years of work by consumer privacy groups has culminated in a proposed standard "that can vastly expand our agency in the digital world" — especially in a future world where agents surf the web on our behalf:
Meet IEEE P7012 , which "identifies/addresses the manner in which personal privacy terms are proffered and how they can be read and agreed to by machines." It has been in the works since 2017, and should be ready later this year. (I say this as chair of the standard's working group.) The nickname for P7012 is MyTerms (much as the nickname for the IEEE's 802.11 standard is Wi-Fi).
The idea behind MyTerms is that the sites and services of the world should agree to your terms, rather than the other way around.
Basically your web browser proffers whatever agreement you've chosen (from a canonical list hosted at Customer Commons) to the web sites and other online services that you're visiting.
"Browser makers can build something into their product, or any developer can make a browser add-on or extension..." Searls writes. "On the site's side — the second-party side — CMS makers can build something in, or any developer can make a plug-in (WordPress) or a module (Drupal). Mobile app toolmakers can also come up with something (or many things)..." MyTerms creates a new regime for privacy: one based on contract. With each MyTerm you are the first party. Not the website, the service, or the app maker. They are the second party. And terms can be friendly. For example, a prototype term called NoStalking says "Just show me ads not based on tracking me." This is good for you, because you don't get tracked, and good for the site because it leaves open the advertising option. NoStalking lives at Customer Commons, much as personal copyrights live at Creative Commons. (Yes, the former is modeled on the latter.)
"[L]et's make this happen and show the world what agency really means," Searls concludes.
Another way to say it is they've created "a draft standard for machine-readable personal privacy terms." But Searl's article used a grander metaphor to explain its significance: When Archimedes said 'Give me a place to stand and I can move the world,' he was talking about agency. You have no agency on the Web if you are always the second party, agreeing to terms and policies set by websites.
You are Archimedes if you are the first party, setting your own terms and policies. The scale you get with those is One 2 World. The place you stand is on the Web itself — and the Internet below it.
Both were designed to make each of us an Archimedes.
The idea behind MyTerms is that the sites and services of the world should agree to your terms, rather than the other way around.
Basically your web browser proffers whatever agreement you've chosen (from a canonical list hosted at Customer Commons) to the web sites and other online services that you're visiting.
"Browser makers can build something into their product, or any developer can make a browser add-on or extension..." Searls writes. "On the site's side — the second-party side — CMS makers can build something in, or any developer can make a plug-in (WordPress) or a module (Drupal). Mobile app toolmakers can also come up with something (or many things)..." MyTerms creates a new regime for privacy: one based on contract. With each MyTerm you are the first party. Not the website, the service, or the app maker. They are the second party. And terms can be friendly. For example, a prototype term called NoStalking says "Just show me ads not based on tracking me." This is good for you, because you don't get tracked, and good for the site because it leaves open the advertising option. NoStalking lives at Customer Commons, much as personal copyrights live at Creative Commons. (Yes, the former is modeled on the latter.)
"[L]et's make this happen and show the world what agency really means," Searls concludes.
Another way to say it is they've created "a draft standard for machine-readable personal privacy terms." But Searl's article used a grander metaphor to explain its significance: When Archimedes said 'Give me a place to stand and I can move the world,' he was talking about agency. You have no agency on the Web if you are always the second party, agreeing to terms and policies set by websites.
You are Archimedes if you are the first party, setting your own terms and policies. The scale you get with those is One 2 World. The place you stand is on the Web itself — and the Internet below it.
Both were designed to make each of us an Archimedes.
DNT v2.0 (Score:2)
Do Not Track did not work (Score:1)
Re:Do Not Track did not work (Score:4, Interesting)
Do Not Track did not work
On the contrary, DNT worked perfectly for the purpose it was intended: to sabotage alternative solutions to the privacy issue. At the time, privacy and tracking were becoming a concern and there were efforts to fix the problem in ways benefiting the consumer - for example, a proposal sent to the W3C was to standardize ad blocker functionality directly in the browser. Google realized the danger, and, together with their lapdog Mozilla and their other accomplices from the Digital Advertising Alliance [wikipedia.org], forced the DNT proposal through the W3C with great fanfare. This blocked other initiatives and killed any attempt to standardize on a customer-facing privacy solution.
Google knew very well it's a non-workable design, but they didn't care. They didn't want a working mechanism anyway. As another proof of cynicism, even though it was their own proposal, Google never honored the DNT flag anyway.
Is it the first of april yet? (Score:5, Insightful)
I can tell you what happens. If your browser tells the site "You must agree to my terms", the site will tell you "Set your terms to 'nothing' to see the content".
There are also a number of legal obstacles. For example, it's already questionable how much effect typical forms of agreeing to terms on a website really have (since you don't sign anything and your identity is not verified, so anyone could have clicked the "I agree" button), but at least some human being is clicking the "I agree to the ToS" checkbox. This proposal assumes that an automated system on the website is able to review and agree to the terms. If you really want the site to agree to your terms, you'll have to wait after requesting a page for a human responsible for the site to review your terms and agree to them. Any automated response won't be legally valid.
The sensible way to do this is for governments to address these issues one by one, rather than expecting sites to comply with a user's terms and possibly just denying access because it becomes too complicated to assess whether the site can comply with the terms, or because the site owner simply does not want to comply with user's ToS. A simple one would be, for example, to make Do-Not-Track a law and require sites to provide access even if you don't allow tracking.
Pay or consent (Score:2)
If your browser tells the site "You must agree to my terms", the site will tell you "Set your terms to 'nothing' to see the content".
To be closely followed by something like "This website is not directed toward persons in member states of the European Union."
A simple one would be, for example, to make Do-Not-Track a law and require sites to provide access even if you don't allow tracking.
Which would probably lead to a rise in pay-or-consent schemes, in which the website presents a paywall to a user agent that presents DNT or son-of-DNT.
Re: (Score:3)
The point is, that GDPR forbids pay-or-consent schemes.
"When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract."
and
"Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being a
Re: (Score:2)
And the robots.txt file is supposed to stanch AI crawlers.
I have a bridge in NYC for you that goes to Brooklyn for sale. Crypto.
Doc is altruistic, and I love his motives, but this isn't going to work. Sorry. Even litigation with the GDPR won't stop it, as the collection of judgments will soon be impossible as countries ignore international law, international courts, and generally flip the bird across jurisdictions.
It's an ugly situation that only ends when you dismantle the panopticon, a seemingly impossib
Re: (Score:2)
There is one thing that can stop most of it.
Ban personalized ads.
If you can't personalise ads, you have no incentive to buy user data. If you don't buy user data, others have no incentive to collect it. The whole tracking economy will collapse if, say, the US and EU ban the use of tracking data for personalisation. The few parts of the market that could still legally use the data will die off because it's no longer financially profitable to collect it, if the main market for it disappears.
This will not happ
Re: (Score:2)
And therein lays the biggest problem: We have no right to be left alone.
How to replace consent with contract (Score:2)
When assessing whether consent is freely given
No consent (in the GDPR sense) is needed. So-called pay-or-"consent" can run on contract basis with three entities: the viewer, the publisher, and the sponsor. Each viewer pays tokens to the publisher for website access, and tokens can be either purchased with real money or earned through a sponsor. The viewer enters into a separate contract with this sponsor to receive tokens in exchange for advertisement display space within the publisher's site and inference of the viewer's interests from web browsing hi
Re: (Score:2)
While in the EU there are court rulings that the site simply wanting to make more money through tracking is not "essential" to providing the service (they can shown generic ads to cover their costs), unfortunately the UK regulator seems to have gone the other way. It appears that the regulator has been captured by businesses that want to force "pay or okay" here.
Re: (Score:2)
It's really baffling how some sites actually show people in the EU a "disable spying" option that's not available in the rest of the world. You can't say you're not evil and then only offer the privacy option in countries that enforce it. But I guess some of the companies also look the other way when some of their workers in poor countries are not treated as well as workers in countries where there are labor unions.
Re:Is it the first of april yet? (Score:5, Interesting)
I just have my browser lie. I have one extension that auto clicks through cookie banners (if they don't get blocked anyway). It tries to opt out, but if it's "pay or be tracked" it just allows the tracking... Except that my browser blocks all their ads, and discards all the tracking data they try to save, and gives them ever-changing random noise when they try to fingerprint.
It's not that I object to any form of monetization for content, it's that I can't trust the advertisers so they all get nuked.
Re: (Score:2)
If you choose (automated or not) to accept, they have the *right* to track you. If any of your cookie eating plugins fails, they can use the data. And maybe you should read the banner in detail (even when they make it more steps to inform yourself than to accept it blindly), they do not only talk about storages but also about fingerprinting. And you can never be sure if you know about the latest fingerprinting methods and if your browser is vulnerable. You may also have agreed that they may use your login e
Re: (Score:2)
Enforcement. (Score:2)
Re: (Score:2)
Re: (Score:3)
Remember there is no death penalty for corporations.
What is needed is liability of the top executives for breaking the law. Once CEOs see that other CEO's daughters can no longer go to pony club as their fathers have been sued for malfeasance they might start to behave.
Doubtless someone will claim that a Limited Company [wikipedia.org] exists to stop liability of executives -- I am OK with that if through error something goes wrong but NOT where they deliberately break the law.
Re: (Score:2)
A fully loaded GDPR fine could well be the end of some corporations, if it were levelled against them. In fairness, they'd have to be proper idiots for letting it escalate that far, but the point is, whilst not an immediate death penalty, it's pretty much "have a look at the bright white light for a few years and see if you can make it back to the living".
Sadly, GDPR wouldn't apply in these sorts of circumstances as it was designed for the Internet as it is now, not how this might one day make it. Personall
Fuck Zuck (Score:1)
The actual quote was more useful i think (Score:2)
The lever is just as important as the place to stand in this context.
As a website host (Score:2)
Why would I spend any effort to implement this?
Re: (Score:2)
My own website doesn't have any cookies, doesn't use JavaScript, doesn't serve any advertisements, doesn't collect any user information other than the IP address recorded by the hosting server that delivers my pages, and doesn't collect any other information except what the user might enter on the "contact me" page (if they use it).
So what is there to implement??
Re: (Score:2)
And it only serves public domain information?
Is any one free to use anything on your website for any purpose?
Or do you actually have some kind of implicit or explicit terms of use?
Re: (Score:2)
Given there is a law that the information provided by the client has a legal meaning, not implementing it would probably mean you can be sued by not following the terms your site did not parse.
As long as there is no such law, I wonder why any site should follow the terms. Currently the sites pressure the users to accept their terms and suddenly they should just accept the user's terms? Without any law requiring them to do so, they most certainly won't.
I have a different request (Score:2)
Targeted ads are great if they meet my needs
If I'm in the market for a product or service, I want to request all suppliers to send me their pitches
Once I buy, or decide not to buy, the pitches stop, all of them
Also, unless I indicate that I'm in the market for something, I see no ads
I understand that this is a fantasy, and that advertisers will still spam me with incredibly stupid "targeted ads", but if it worked, it would be great for advertisers, since their ads would not be wasted on someone with no inte
Re: (Score:2)
What about a marketplace for showing ads that pays you credits you can distribute?
You say "I need a new PC", visit a site and get all the PC ads. You actually click one and buy the PC. Afterward you get to choose to spend the provision for some website, e.g., to support the journalism of your favorite news site that now doesn't need to show you ads.
They can't exploit you in every way possible? (Score:2)
It's never going to work because Google (Score:1)
Place to Stand (Score:2)
Nothing learned (Score:2)
This only provides sites with more unique bits for fingerprinting while expanding number of meaningless privacy settings that don't do anything.