As Legislators Debate Ad Tech, Browsers and Operating Systems Announce New Technical Controls
Congress continues to hold data privacy hearings, including yesterday’s Understanding the Digital Advertising Ecosystem and the Impact of Data Privacy and Competition Policy. The continued debate over adtech practices is reaching a crescendo, making the case for quick action on a comprehensive federal privacy law that can set parameters for how personal data is collected, used, and shared, for adtech and for the many ways data is used by companies of every sort. But any law would do well to incentivize technical solutions to privacy challenges, rather than rely solely on legal commitments, as FPF CEO Jules Polonetsky argued in his recent testimony at the Senate Commerce Committee. There is no question that well-crafted laws and rules can give consumers important rights and provide companies with clarity about their obligations. It is also important to recognize that technical solutions continue to play an integral role in improving consumers’ privacy. As policymakers craft new privacy protections in law, they should be mindful that both legal and technical safeguards are necessary to ensure strong consumer protections.
We have seen many examples of technological solutions bolstering or otherwise supplementing legal protections.
- In 2003, Congress passed CAN-SPAM – a law designed to combat unsolicited junk email. Although CAN-SPAM established important legal obligations for bulk email senders (e.g., requiring email marketers to offer recipients a clear and conspicuous means to opt out), unsolicited and fraudulent marketing remained common. Consumers remained frustrated, and many inboxes continued to be flooded with spam. Only when major email providers managed to increase the effectiveness of a range of technical solutions for accurate and pervasive anti-spam filtering did the battle against spam make major advances.
- The Telephone Consumer Protection Act (TCPA) was enacted in 1991 – the law imposes legal obligations regarding unsolicited phone calls, faxes, and text messages. But TCPA did not eliminate unsolicited calls, junk faxes, or spam text messages. In fact, consumers are increasingly targeted with fraudulent robocalls executed by automated dialers. The proliferation of robocalls has resulted in the development and adoption of new technologies to identify and prevent intrusive marketing behavior. Mobile carriers and other communications providers offer technical solutions to combat such calls (including AT&T’s Call Protect, T-Mobile’s Scam Block, and Verizon’s Call Filter). There is real progress on an industry-developed standard to combat unlawful communications that rely on caller ID spoofing. TCPA is a useful tool for enforcement, but until the technology is perfected, we won’t have the win needed to stop intrusive robocalls. Similarly, to make progress online, we will need strong federal legislation and continued progress by companies in advancing the effectiveness of current privacy tools as well as developing new ones.
Recent developments in this direction by leading companies are a welcome step in this direction. Some of the most recently announced privacy updates from Google, Apple, and Mozilla include:
Google Privacy Updates
At Google’s annual I/O developer conference, the company announced updates to its products and services, including changes to the Chrome browser, that will provide users with enhanced privacy controls.
- Modified Cookie Controls. At I/O, Google announced upcoming changes to the way cookies are handled in the Chrome browser. Rather than only having binary controls that depend on the user to clear cookies, the updates will require web developers to specify when cookies are allowed to work across websites. This will allow Chrome to automatically determine the appropriate treatment for each cookie consistent with users’ browser settings. These changes are designed to allow sites to retain personalized settings, such as login information and site preferences, while preventing cross-site tracking of users who explicitly opt out.
- Reducing Device Fingerprinting. Device fingerprinting is the process of gathering data about device characteristics in order to generate a unique “fingerprint,” allowing websites to repeatedly recognize that device over time even when a site is prevented from setting cookies. In part because browsers are increasingly blocking third-party cookies, fingerprinting is becoming more common, even though fingerprinting methods typically lack transparency and adequate user controls. According to Google, forthcoming updates to the Chrome browser are intended to “aggressively restrict fingerprinting” on the web. This follows similar updates to Mozilla’s Firefox and Apple’s Safari announced in 2018.
- Auto-Delete Options for Location History and Search. Google Location History is an account-level setting that maintains a history of a user’s location – data that is typically generated by the user’s mobile device. When enabled by the user, this information may be used to provide personalized maps, recommendations, real-time traffic updates, and behavioral advertising. Google Web & App Activity is an account-level setting that saves users’ searches and activities within Google products and services, and may be used to give users more personalized search results and content recommendations. Google plans to expand the existing deletion controls for these settings. Currently, users have the option to turn off Location History and Web & App Activity altogether, and can choose to either bulk delete their entire histories, or manually delete individual data points. According to Google, forthcoming updates will allow users to exercise more nuanced control, allowing users to configure their account activity settings to auto-delete search and location data on an ongoing basis, every 3 or 18 months.
- Incognito Mode Expansion. The Chrome browser’s Incognito Mode employs technical safeguards to ensure that the browser does not save browsing history, cookies, information entered in web site forms, or related data. Incognito Mode limits the risk that other users who share a device might be able to access an individual’s browsing history. In 2019, this feature will be available in a broader range of Google services (now available in YouTube, and soon to come to Google Search and Google Maps). Although Incognito Mode does not address all privacy concerns, it allows users to browse the web and interact with Google services without their data being linked to activities performed outside of the Incognito Mode experience or their Google accounts. (Google Safety and Security Blog).
Apple Privacy Updates
Apple recently announced updates to its Intelligent Tracking Prevention (ITP) feature and proposed a new privacy-conscious technological solution to allow for ad click attribution.
- Limiting Workarounds. While Safari blocks third-party cookies by default, ITP goes a step further by limiting a workaround called link decoration – a technique involving web sites that insert user attributes into the URL of a clicked link, allowing third-parties to track users across sites using cookies set in a first-party context. A previous version of ITP automatically capped the expiration of such cookies at 7 days and the ITP 2.2 update will change this default to one day. This update coincides with the release of iOS 12.3 (and Safari macOS).
- Privacy Preserving Ad Click Attribution for the Web. In order to facilitate ad click reporting, a process that has traditionally relied on third-party cookies which are increasingly affected by cookie blocking technologies, Apple has proposed a browser-based technology solution that will enable ad click attribution in a manner that offers greater privacy protections to users than traditional methods. This solution is currently available as an experimental feature in Safari Technology Preview and is being proposed as a W3C standard that would be available in other browsers.
We anticipate additional privacy announcements at Apple’s upcoming WWDC conference in early June.
Mozilla Privacy Updates
Mozilla has long been a leader in developing and implementing technical privacy solutions. Mozilla’s Firefox was the first browser to implement Do Not Track and one of the first browsers to block third-party cookies by default. Mozilla has released several technologies and policies this year to strengthen user privacy protections.
- Firefox Anti-Tracking Policy. Mozilla’s Security/Anti-Tracking Policy defines tracking techniques Mozilla believes should be blocked by browsers by default (e.g., tracking cookies, URL-based tracking, and device fingerprinting). In their newest Firefox Quantum browser, Mozilla released a capability that allows users to specifically block Fingerprinters and Cryptominers for improved privacy, security, and performance.
- Firefox Add-On Policy (Effective June 10, 2019). Browser add-ons enable users to modify and personalize their web experience. Mozilla’s new policies for add-ons includes disclosure requirements for data collection, storage, and user data sharing. For example, companies must disclose when and why cookies are used, as well as provide an opportunity for users to refuse them. Violations of the updated add-on policy may result in the rejection of add-ons and/or the block or deletion of developers’ accounts.
- Funding Research for Super Privacy Browsing Mode. Mozilla issued a call for research proposals that would develop additional privacy safeguards for the Firefox browser. Mozilla will fund research to solve “inefficiencies currently present in Tor so as to make the protocol optimal to deploy at scale” and technologies that might support “a Super Private Browsing (SPB) mode” for users.
Conclusion
It will take a combination of solutions to address consumer privacy issues. As Congress debates federal privacy legislation, policymakers should bear in mind the importance of technical safeguards in protecting consumers’ data. Lawmakers should consider ways that a baseline, comprehensive privacy law could create incentives for organizations to develop and implement technical safeguards that align with consumers’ privacy expectations.
