"We live in an age of digital feudalism in terms of who owns our data and online identities....less like 2011 and more like 1111."
- Marc Davis, formerly founding director of Yahoo! Research and now Architect at Microsoft Online Services
"Who owns the Digital You?" and "Who should?" were the main questions asked in the previous two articles in this series. And - spoiler alert! - the answers were "Right now, not you," and "Nobody but you."
In this Part three, we focus on a more direct question: "How?" How can we mere mortals manage something as complex and unwieldy as privacy and online identity?
Since this three part series started, plenty has occurred on the privacy front, some far less than encouraging:
- Facebook has announced plans to share your personal phone number and name with third-party Facebook developers.
- Google has just settled with the FTC, admitting it broke its own privacy rules severely enough to warrant a privacy audit by the government for the next 20 years.
- Apple has still hasn't changed their policy that buying a track of music from your phone or iPad requires you to let them track and share your device's precise physical location 24/7.
In light of all of the above, you'd be forgiven for feeling less than optimistic. But other recent events can give us reasons for hope.
Four crucial elements that can give us more control over our personal privacy are starting to fall into place, like giant puzzle pieces -- and with more pressure from end-users there is ground for hope.
PUZZLE PIECE ONE: We need a new kind of privacy policy that humans can understand in three seconds and that a computer can understand in an instant.
You might ask: "But didn't Facebook update its privacy policy into something more understandable?" Yes they did. They are replacing their privacy policy with a new Orwellian-named "Data Use Policy." And while it's better than it was before, it really only makes them, as Jon Stewart might say, "the thinnest kid in fat camp." The reaction of writer Tom Clayburn at Information Week was spot-on: "Complexity is not just a matter of words per page. It's a matter of time to comprehension." In short: if my 67-year-old dad can't accurately 'get it' at a glance, then it's too hard.
But there is positive motion here: in December, the Mozilla Foundation debuted its alpha early draft of "privacy icons"-- a set of easy-to-understand icons that can tell you at a glance what a given site will do with your personal information.
They were inspired by the folks at the Creative Commons, who found a way to boil down one of the most complex and arcane areas of the law, copyright policy, into a few easily understood icons.
A number of smart people saw this and thought: "Let's do that again, but this time for privacy."
This particular effort was spearheaded by Aza Raskin, who, although he has since left Mozilla for his own health-related start up, will continue to lead the Privacy Icons effort.
A key aspect of the icons, though, is that they aren't just designed to be read by human beings--though that is incredibly important -- but also to be read by software. I'll get into why that's so important later on.
PUZZLE PIECE TWO: Managing your privacy needs to become as easy as clicking one setting in your browser's control panel.
Today, the average web browser is being tracked by hundreds of third party ad services, many of which issue browser tracking cookies with virtually no warning -- and there are few good ways of asking them not to track you. But first remember a similar annoyance from Internet advertisers a few years ago. Do you remember when web advertisers appeared to compete to see who could deploy the most annoying pop-up ad? What tamed that trend the most was incorporating pop-up blocker management where it belonged -- a simple setting in everyone's web browser.
Smart people in different browser development teams thought, "Let's do that again, but this time for privacy."
And the good news is that there's significant motion here. New versions of two of the world's most popular web browsers launched last week -- Internet Explorer 9 and Firefox 4.
Both browsers offer smart and easy "Do Not Track" settings built in. Once you've checked off one box, the browser from then on broadcasts your request to not be tracked to all the web sites you visit. There are some differing techniques as to how they send your preferences to advertisers, but even those de facto standards are coming together.
So as of this writing -- about two weeks after these two new browser launches -- there are already more than roughly 100 million new browsers in use are sending out their users' privacy preferences to all the websites they visit.
How can we ensure that advertisers listen to and honor those requests? That's the third puzzle piece.
PUZZLE PIECE THREE: Advertisers Need to Get their Act Together or the Feds Will do So For Them.
Do you remember being called, typically right at dinnertime, with automated sales messages? Remember the creativity and persistence that marketers, political organizations, and salesmen used in trying to get you to listen to their messages? Those calls have largely been curtailed by the National "Do Not Call" Registry, one of the most popular federal laws of all time, which puts the force of law behind consumers' request not to get calls from telemarketers. And advertisers have, by and large, complied with the law.
Some smart policy makers and legislators thought: "Let's do that again, but this time for privacy."
And in short from various policy makers and lawmakers, there are many "Do Not Track" proposals being proposed in Congress, in regulatory commissions, and some similar efforts in the tech industry itself. Some specific implementations and proposals are gaining critical mass, and advertisers who had been leery of the idea are increasingly seeing the handwriting on the wall. But the bottom line is this: either on their own if they can or compelled via the law if they must (or by some mix of the two), advertisers will need to get on board. And there are early signs that they are.
Smart advertisers will see things as Mike Zaneis does: "As long as the advertising industry is transparent with the data they collect, it won't harm the marketplace. Fear-mongering and theoreticals will drive people to opt out, because they're scared of something that's not happening."
This leads to the last and perhaps most ambitious new "puzzle piece" we need:
PUZZLE PIECE FOUR: Managing Identity, not just Privacy, Needs to Move to the Browser.
We've talked about how privacy is amazingly important, but privacy is a subset overall of your online identity.
Of the four puzzle pieces, this is the easiest one to get discouraged about; it's easy to think that all open solutions have failed, and that it's too late, and that sites like Facebook have won this battle already. It's hard to argue against Johannes Ernst (one of the early advocates of open identity efforts) who in a recent article lamented that all the open identity solutions from the last few years are all dead or on life support. He ends with: "It was fun while the ride lasted."
But that's not quite his final verdict: "It will come back up for sure, with new visions by (likely) new visionaries. Decentralization, user-centricity, like democracy, does not ever die, it just disappears from sight for a while."
I think that this form of user-centric identity is about to reappear. The clearest way I see to that goal is to have the management of your identity reside in your browser -- just as browsers and utilities already today do their best to help you remember, and manage, your multiple passwords. After integrating privacy controls into the browser, integrating control of your identity into the browser is next.
And there is new motion here as well:
The Mozilla team has laid out an aggressive vision of what identity built into the browser could look like; early test code has been written and released. And though this feature almost made it into Firefox 4, it's a key aspect of their 2011 Firefox plans.
Just this last week, some of the early conceptual designs for upcoming Firefox account manager features built into the browser were made public.
Once a robust identity management feature is written into the browser, it can do things like read those software-readable Privacy Icons mentioned earlier, and clearly and prominently inform you about how a particular site will treat your personal data -- much as browsers now warn you about spyware, phishing attempts, or other potentially harmful browser code.
And as one browser innovates successfully, it will spread almost immediately to others.
If end-users like you and me put pressure on browser providers, a key area of competition will be which software company can simply, gracefully and powerfully integrate "privacy by design" into their next browsers.
PUTTING THE PUZZLE TOGETHER: So what now?
Help support and push these puzzle pieces into place:
1. The Privacy Icons effort is managed in an open group you can join and give notes and help push forward the Privacy Icons Project.
2. Vote with your choice of a new web browser: download one of the browsers with one-click privacy features, and immediately turn on your choice's "Do Not Track" features. You can also manually opt out of tracking cookies for many major advertisers.
3. As we await identity being managed in the browser, take advantage of one of many great browser plug-ins for managing privacy settings, such as blocking Facebook, Google Connect, or other tracking scripts from tracking your browsing without your permission. Any one of these is a ten minute install, and then runs in your browser's background after that. We need to put pressure on browser providers so that these are eventually integrated into our browsers -- but for now, the plug-ins work fine.
4. Do not trust your single sign-on to Facebook, Google or anyone else, unless you are getting concrete value in exchange for doing so. For sites that don't bring you specific worthwhile benefit for using some large corporate single sign on, then use OpenID or individual sign-ups, and take advantage of one of many browser plug-ins to take the pain out of managing them all while we wait for the browser vendors catch up and integrate these features.
These are good provisional things to do to cover your identity and privacy; they're only stop-gaps until the four puzzle pieces I wrote about above are in place. But you can help the puzzle pieces land in the right place more quickly.
Let this be our simple demand: Taking control of our own online identities should never require more than a few mouse-clicks. Each and every one of us has the right to decide for ourselves exactly when, where, how, and with whom our digital identity can be shared. We are, I believe, at a key fulcrum point where if we make good choices as consumers, as users, and as Internet users, we can push this moment into a fundamentally new system.
The next 24 months are a crucial window for this space. If these four puzzle pieces come together (or even ones substantially similar) they could affect the information marketplace for all of us for decades to come, or more.
We can all help steer our Internet experience back to the way it should be: where each and every one of us owns our own digital selves.