For as long as the internet has existed, there have been well-founded concerns about its threats to privacy. Though largely brushed aside historically, when innovation and monetization took priority, during this fourth decade of life with the web concerns about privacy rights have been taken up in every corner of our digital society.
We can distill the essence of the privacy concern to the questions:
- Who is allowed to recognize the devices you use, and by extension, you?
- Under what circumstances — and with what limits — can recognizable data generated by your devices be captured, stored, and shared?
The causes for concern are readily apparent: people don’t want to be surreptitiously tracked or have profiles they have no control over created from their online activity by unknown parties. They don’t want their information bundled up and shared with vast networks of potential buyers with whom they have no direct relationship, without their knowledge, much less consent, for unlimited, unspecified purposes. They don’t want to have the phone and computer that have become keystones of their lives spying on them.
But each negative sits beside a positive. Tracking users’ online behavior allows us to learn what is normal, making it possible to better support them and identify abnormalities that point to a host of problems, from breakage to fraud to misappropriation and attack. Building profiles allows us to personalize experiences and provide relevant recommendations. Being able to positively identify devices and verify users allows us to be confident in the trustworthiness of an interaction. Knowing you’re the same person using different services allows for more useful constellations and configurations of applications and, for many enterprise applications, is a requirement.
To say it more simply: what is known about you can be used both to diminish and enhance your online experience, which is what makes the changes to enhance privacy so tricky.
We have all opened our homes, our businesses, and the majority of the relationships that make up our daily lives, to the Internet. For the most part, those with access to the data generated by these online interactions have used it appropriately, or at least non-destructively. But some haven’t, and the threat posed by the minority which misuses our data is great enough that we all must take very seriously the question of how we safeguard personal data and the effort to find answers that carefully and appropriately balance utility and privacy.
If we are not careful about how we reform things, we risk sacrificing much of the transcendent value of the Internet in our quest to protect privacy. The “We” identified here includes browser vendors and the larger community of volunteers working with them in many different venues to manage the transition to a more privacy, and user, respecting internet. If you have use cases that depend upon the web, hopefully, “we” also includes you.
The implications and impact of privacy-focused changes are increasingly far-reaching and profound. These changes push platforms and providers to demand of users ever more onerous terms of service. They push regulators and legislatures increasingly to pursue the imposition of restrictions on behalf of users. They encourage tech behemoths to stake claims in the privacy frontier that prioritize corporate agendas and lock in relationships.
However, almost all of the impacts to date have been a relatively quiet prelude to the storm of transformation and disruption that our digital world will experience when Google fully transitions to the privacy updates that are being developed for Chrome, the world’s most popular web browser. These include tracking prevention technologies and the promised end of support for third-party cookies in the second half of 2024.
One privacy-motivated impact that was decidedly not quiet, and which may give us some foreshadowing of the impacts of the Chrome updates, was the release of Apple’s App Tracking Transparency (ATT) in iOS. Finally turned on in iOS 14.5 in the spring of 2021, after being postponed from the fall of 2020 due to an outcry from app developers, it had an immediate, negative impact on the iPhone advertising ecosystem. Despite the long-delayed release, app developers saw revenues drop by as much as 40% or more overnight.
The negative impacts persisted through the end of the 2021, resulting in significant drops in user acquisition spend, app installs and in-app purchases on iOS. During this period, Android experienced significant increases in the same KPIs. The magnitude of the impact was underscored when Meta identified ATT as a principal reason for the quarterly revenue miss that triggered the biggest loss of value by a US company in history.
Though ATT is perhaps the most dramatic of Apple’s efforts to promote privacy, it is by no means the first: WebKit (Safari’s browser engine) first implemented tracking prevention in 2003 with Safari 1.0. There is much to appreciate in Apple’s commitment to its ideals, but in some areas, the focus on privacy and doing things “the Apple way” has done as much to discourage success as it has to ensure it; Safari being a case in point.
Since its inception, Safari has struggled to gain traction, never achieving more than 10% market share for desktop browsers even though it has been bundled with the Mac OS since launch and was available for Windows from 2007 to 2012. This is also despite being launched within a year of Firefox, which managed to achieve greater than 30% market share before being usurped by Chrome.
Released in 2008, Chrome’s popularity surpassed Safari’s within a year and Firefox’s within 3.5 years. Within four years, Chrome had taken the top spot from the most popular browser from 1999 through the first decade of the century, Internet Explorer, which many had considered irreplaceable.
There are many reasons why Chome found success while Safari did not. The most important was that the team behind Chrome prioritized replicating IE’s functionality and assuring it was compatible with the majority of websites of the day, going to great lengths to work with site developers and incorporate their feedback. In contrast, the Safari team chose to do things their way, emphasizing design, security, and user experience over site compatibility.
As a result, Chrome worked everywhere from the start, while Safari constantly had problems on all but the simplest of sites. This led to the general belief that Safari was passable for basic browsing, but to get things done, you had to use IE or Chrome and eventually just the latter.
Safari has always strived to support web standards and actively participate in their development, and today it works more reliably across the web than it has historically. This is due to efforts by both the Webkit team and website developers, with both having benefited from active engagement in the broader community to create standards and encourage their adoption.
However, even today, after almost two decades of updates and improvements, Safari continues to support only a subset of common functionality and lacks compatibility with sites in many areas where standards are lacking. A big reason for this continued lag is that Chrome works with the vast majority of websites and use-cases, is available on every major platform and so there just hasn’t been a need to put the effort into improving compatibility with Safari. A developer of enterprise applications put it very succinctly recently when asked about support for Safari: “We just tell people: use Chrome.”
With ATT we have seen the potential for disruption that unilateral changes by a platform in how end-user relationships are mediated can have. With Safari we’ve seen the results of failing to engage deeply in the community process and provide site developers adequate support for their critical use-cases.
Chrome is taking a different approach as it seeks to increase user privacy by founding its efforts on a broad invitation to participate and public outreach efforts aimed at users, developers, and business communities. They have spun up groups in various public standards bodies through which they have sought to understand use-case requirements, presented proposals, and solicited and incorporated feedback as they search for ways to support a more private web. But, the results will be no different with Chrome than they were with ATT and Safari if we do not collectively step forward and engage.
Google, Apple, and other browser vendors are offering all who are willing to engage an opportunity to work with some of the most capable product and engineering teams on the planet, asking only that we own the role of business stakeholder the web has cast us in. They have teams working on the future who are ready, willing, and able to find privacy-friendly solutions for our business problems. They’re asking us to describe our use cases, review proposals and offer alternatives, for collaboration in testing, for feedback. More simply, they are asking for our participation, and for our help in defining the standards for the next iteration of the web.
Second (And Third) Chances
In response to the broader community’s concerns and well-founded claims of unpreparedness, we’ve had a couple of reprieves: Apple’s delay of the ATT release from fall 2020 to spring 2021 and Google’s delay of cookie deprecation from early 2022 to late 2023 and more recently to the second half of 2024.
In the case of ATT, despite the postponement, not enough was done to stave off a withering shock to the ecosystem. We’re now midway into our third chance from Google, with potentially much greater disruption and orders of magnitude more at stake. We can’t afford to be complacent and go back to business as usual, but that’s exactly what many have done in the wake of Google’s postponements.
If we work on this together, we will collectively build a future that works for most of us. It will never work for us all, but at least for those whom it can’t support, there will be the opportunity to make their case and hopefully an understanding of why they can’t be supported, what the alternatives are and how to break things gracefully.
It isn’t perfect; it will never be that: perfection squanders too many possibilities. What it will be is the best new start we can muster, and that is by far a better alternative than having well-intentioned but poorly informed efforts creating chaos in our digital lives.
I’m confident that we can no more remove the Internet from our lives than we can any other public utility, but we can diminish the Internet’s promise and value to each and all of us. Let’s work together and actively take up the challenge of assuring the Internet supports the vast majority of us, the vast majority of the time, and offers alternatives we can all live with in those cases where it doesn’t.
Various groups have been organized to collaborate on improving privacy online, and several of them are focused specifically on solving for a future in which ad-tech fulfills its promise while also being privacy-preserving.
IAB Tech Lab seeks to bring member companies from the ads business community, including advertisers, publishers, and their technology providers, together to develop standards to support the digital advertising ecosystem in the transition to a more privacy-focused web.
W3C Improving Web Advertising Business Group seeks to bring together ad-tech, the web development community, and browser vendors to collaborate on refactoring online advertising to remove dependencies on privacy-invasive technologies.
W3C Private Advertising Technology Community Group is a technology and solutions-focused group representing interests from across the web that seeks to be the home for ad-tech-related proposals within the W3C, an open web technology standards body.
Web Platform Incubator Community Group (WICG) offers members a venue to propose, discuss, test and generally incubate new web platform features with the potential for adoption by a W3C Working Group for standardization.