A coalition of technology companies, publishers, academics and advocacy groups this week proposed a web specification to allow internet users to declare whether they agree to have their personal data shared or sold.
It’s not called Do Not Track (DNT), a web specification that took shape in 2011 after percolating for several years, and allows internet users to declare whether they agree to third-party web tracking.
Instead, it’s called Global Privacy Control (GPC) and its backers believe this time will be different.
The project was spearheaded by Ashkan Soltani, a privacy researcher who helped develop Do Not Track and who served at America’s Federal Trade Commission, and Sebastian Zimmeck, a computer scientist at Wesleyan University.
GPC has attracted the support of the usual privacy-aligned suspects – Abine, DuckDuckGo, Brave Software, Disconnect, Mozilla, and the Electronic Frontier Foundation, among others – as well as various publishers like The Financial Times, The New York Times and The Washington Post.
DNT and GPC don’t look very different. Each is expressed as a binary digit in an HTTP header or as an HTTP DOM property, where the value 1 represents the user’s preference not to be tracked or not to have data shared or sold.
As conveyed by a user-agent (web browser), DNT involves setting a DNT header field:
GET /something/here HTTP/1.1 Host: example.com DNT: 1
And here’s the GPC specification, which entails setting a Sec-GPC header field:
GET /something/here HTTP/1.1 Host: example.com Sec-GPC: 1
But Soltani believes GPC can succeed where DNT failed thanks to changes in the regulatory landscape.
“There’s definitely legal support,” said Soltani in a phone interview with The Register.
California’s Attorney General Xavier Becerra has suggested as much.
This proposed standard is a first step towards a meaningful global privacy control that will make it simple and easy for consumers to exercise their privacy rights online.
#DataPrivacy is the future, and I am heartened to see a wave of innovation in this space.
— Xavier Becerra (@AGBecerra) October 7, 2020
That wasn’t the case with DNT, he explained.
While the Federal Trade Commission supported DNT when it took shape a decade ago, there was no enforcement mechanism and thus no reason for companies to respect DNT signaling. The spec went to internet standards body W3C and proceeded to be put through a standards process dominated by industry lobbyists.
As Soltani tells it, DNT got co-opted and stalled. Ultimately, the FTC backed away from the project. “So it just sort of flopped,” he said.
The 2003 California Online Privacy Protection Act was amended in 2013 to include a requirement that online services disclose how they respond to the DNT signal. However, the state law didn’t require anyone to obey the DNT signal. And so they didn’t.
Do Not Track is back in the US Senate. And this time it means business. As in, fining businesses that stalk you online
Zimmeck,in a phone interview with The Register, cited this as an example of why self-regulation doesn’t work.
“For some things, there’s a right time and a wrong time to do it,” he said. “I think DNT was just a little bit too early. Since then the times have changed a bit.”
The California Consumer Privacy Act (CCPA), which took effect at the beginning of this year, and the General Data Protection Regulation (GDPR), which took effect for EU citizens in 2018, have altered the privacy landscape.
The CCPA established a right to opt-out of having one’s data shared or sold (§ 999.315. Requests to Opt-Out) and establishes “user-enabled global privacy controls, such as a browser plug-in or privacy setting” as a mechanism that’s acceptable to do so.
DNT is not an option because it deals with tracking, not the sale and sharing of personal data. Becerra has said DNT doesn’t clearly signal the intent to opt out of data sharing and selling. GPC has been set up to do just that.
And Soltani suggests GPC has the potential to change privacy dynamics from an opt-out default to opt-in, something advertisers have long opposed. That’s because once a GPC declaration has been made, any company seeking to sell or share data will need to obtain user permission to flip the consent switch off. And companies doing business in California, even those outside the state, will be motivated to comply because of CCPA.
“Opt-out with Global Privacy Control is essentially opt-in,” said Soltani.
Soltani and Zimmeck also expect GPC will dovetail nicely with the requirements of GDPR.
“The system was left extensible so it could be applicable to GDPR,’ said Soltani.
Presently, GPC has been implemented in the Brave browser, the DuckDuckGo Privacy Browser and DuckDuckGo extensions, and browser extensions like Abine Blur, Disconnect, OptMeowt, and the EFF’s Privacy Badger. And project participants hope to see support expand to other browsers and to mobile operating systems.
For developers interested in testing the presence of the GPC header, there are code samples available.
Zimmeck argues there’s a growing momentum to improve privacy online.
“When I talk to people at tech companies, it seems they understand that privacy is an important part of their business,” said Zimmeck. “And even if they don’t believe they should offer privacy from a moral or ethical standpoint, it’s a valuable business proposition at this point.” ®