The GDPR’s “sunrise day” — when the EU can start laying fines on companies for violations of it — is May 25th. We want to be ready for that: with a cookie of our own baking that will get us past the “gauntlet walls” of consent requirements that are already appearing on the world’s commercial websites—especially the ad-supported ones.
Most of the results in that search are about what companies can do (or actually what companies can do for companies, since most results are for companies doing SEO to sell their GDPR prep services).
We propose a simpler approach: do what the user wants. That’s why the EU created the GDPR in the first place. Only in our case, we can start solving in code what regulation alone can’t do:
Un-complicate things (for example, relieving sites of the need to put up a wall of permissions, some of which are sure to obtain grudging “consent” to the same awful data harvesting practices that caused the GDPR in the first place).
Give people a good way to start signaling their intentions to websites—especially business-friendly ones
Give advertisers a safe way to keep doing what they are doing, without unwelcome tracking
Open countless new markets by giving individuals better ways of signaling what they want from business, starting with good manners (which went out the window when all the tracking and profiling started)
What we propose is a friendly way to turn off third party tracking at all the websites where a browser encounters requests for permission to track, starting with a cookie that will tell the site, in effect, that first party tracking for site purposes is okay, but third party tracking is not.
If all works according to plan, that cookie will persist from site to site, getting the browser past many gauntlet walls. It will also give all those sites and their techies a clear signal of intention from the user’s side. (All this is subject to revision and improvement as we hack this thing out.)
This photo of the whiteboard at our GDPR session at IIW on April 5th shows how wide ranging and open our thinking was at the time:
Photos from the session start here. Click on your keyboard’s right (>) arrow to move through them. Session notes are on the IIW wiki here.
Here is the whiteboard in outline form:
Possible Delivery Paths
Browser add-on to rewrite the cookie. Discussed were:
Ads.txt replaced by a more secure system + faster page serving
Ad blocking decreases
Sponsorship becomes more attractive
Branding—the real kind, where pubs are sponsored directly—can come back
Clearly stated permissions from “data subjects” for “data processors” and “data controllers” (those are GDPR labels)
Will permit direct ads (programmatic placement is okay; just not based on surveillance)
Puts direct intentcasting from data subject (users) on the table, replacing adtech’s spying and guesswork with actual customer-driven leads and perhaps eventually a shopping cart customers take from site to site
Liability reduction or elimination
SSI (self-sovereign identity) / VC (verified credential) approach —> makes demonstration of compliance automatable (for publishers and ad creative)
Complying with a visitor’s cookie is a lot easier than hiring expensive lawyers and consultants to write gauntlet walls that violate the spirit of the GDPR while obtaining grudging compliance from users with the letter of it
The GDPR, with ePrivacy right behind it, and big fines that are sure to come down
A privacy manager or privacy dashboard on the user’s side, with real scale across multiple sites, is inevitable. This will help bring one into the world, and sites should be ready for it.
Since ample research (University of Pennsylvania, Annenberg, PageFair) has made clear that most users do not want to be tracked, browser makers will be siding eventually, inevitably, with those users by amplifying tracking protections. The work we’re doing here will help guide that work—for all browser makers and add-on developers
Participating organizations (some onboard, some partially through individuals)
That’s what will happen when sites and services click “accept” to your terms, rather than the reverse.
The role you play here is what lawyers call the first party. Sites and services that agree to your terms are second parties.
As a first party, you get scale across all the sites and services that agree to your terms:
This is the exact reverse of what we’ve had in mass markets ever since industry won the industrial revolution. But we can get that scale now, because we have the Internet, which was designed to support it. (Details here and here.)
And now is the time, for two reasons:
We can make our leadership pay off for sites and services; and
Agreeing with us can make sites and services compliant with tough new privacy laws.
This does a bunch of good things for advertising supported sites:
1. It relieves them of the need to track us like animals everywhere we go, and harvest personal data we’d rather not give anybody without our permission.
2. Because of #1, it gives them compliance with the EU’s General Data Protection Regulation (aka GDPR), which allows fines of “up to 10,000,000 EUR or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater (Article 83, Paragraph 4),” or “a fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater (Article 83, Paragraph 5 & 6).”
3. It provides simple and straightforward “brand safety” directly from human beings, rather than relying on an industry granfalloon to do the same.
Try to guess how many times, in the course of your life in the digital world, you have “agreed” to terms like these:
Hundreds? Thousands? (Feels like) millions?
Look at the number of login/password combinations remembered by your browser. That’ll be a fraction of the true total.
Now think about what might happen if we could turn these things around. How about if sites and services could agree to our terms and conditions, and our privacy policies?
We’d have real agreements, and real relationships, freely established, between parties of equal power who both have an interest in each other’s success.
We’d have genuine (or at least better) trust, and better signaling of intentions between both parties. We’d have better exchanges of information and better control over what gets done with that information. And the information would be better too, because we wouldn’t have to lie or hide to protect our identities or our data.
Think about it. None of those work unless individuals are in charge of themselves and their relationships in the digital world. And they can’t as long as only one side is in charge. What we have instead are opposites: limited control and coerced consent, maximum disclosure for unconstrained use, unjustified parties, misdirected identity, silo’d operators and technologies, inhuman integration, and inconsistent experiences across contexts of all kinds. (I’ll add links for all of those later when I have time.)
Can we fix this problem, eleven years after Kim came down from the mountain (well, Canada) with those laws?
No, we can’t. Not without leverage.
The sad fact is that we’ve been at a disadvantage since geeks based the Web on an architecture called “client-server.” I’ve been told that term was chosen because “slave-master” didn’t sound so good. Personally, I prefer calf-cow:
As long as we’re the calves coming to the cows for the milk of “content” (plus unwanted cookies), we’re not equals.
But once we become independent, and can assert enough power to piss off the cows that most want to take advantage of us, the story changes.
Good news: we are independent now, and controlling our own lives online is pissing off the right cows.
We’re gaining that independence through ad and tracking blockers. There are also a lot of us now. And a lot more jumping on the bandwagon.
According to PageFair and Adobe, the number of people running ad blockers alone passed 200 million last May, with annual growth rates of 41% in the world, 48% in the U.S. and 82% in the U.K. alone.
Of course the “interactive” ad industry (the one that likes to track you) considers this a problem only they can solve. And, naturally, the disconnect between their urge to track and spam us, and our decision to stop all of it, is being called a “war.”
But it doesn’t have to be.
Out in the offline world, we were never at war with advertising. Sure, there’s too much of it, and a lot of it we don’t like. But we also know we wouldn’t have sports broadcasts (or sports talk radio) without it. We know how much advertising contributes to the value of the magazines and newspapers we read. (Which is worth more: a thick or a thin Vogue, Sports Illustrated, Bride’s or New York Times?) And to some degree we actually value what old fashioned Mad Men type advertising brings to the market’s table.
On the other hand, we have always been at war with the interactive form of advertising we call junk mail. Look up unwanted+mail, click on “images,” and you’ll get something like this:
What’s happened online is that the advertising business has turned into the “interactive” junk message business. Only now you can’t tell the difference between an ad that’s there for everybody and one that’s aimed by crosshairs at your eyeballs.
Today’s ad and tracking blockers are primitive prophylactics: ways to protect our eyeballs from advertising and tracking. But how about if we turn these into instruments of agreement? We could agree to allow the kind of ads that pay the publisher and aren’t aimed at us by tracking.
Here at Customer Commons we’ve been working on those kinds of terms for the last several years. Helping us have been law school students and teachers, geeks and ordinary folks. Last we published a straw man version of those terms, they looked like this:
What those say (in the green circles) is “You (the second party) alone can use data you get from me, for as long as you want, just for your site or app, and will obey the Do Not Track request from my browser.”
This can be read easily by lawyers, ordinary folks and machines on both sides, just the way the graphic at the top of this post, borrowed from Creative Commons (our model for this), describes.
Many people from those groups (including Kim Cameron himself) will be at IIW, the Internet Identity Workshop, at the Computer History Museum in Silicon Valley, on the last week of next month, April 26-28. It’s an unconference. No panels, no keynotes, no plenaries. It’s all breakouts, on topics chosen by participants.
The day before, at the same location, will be VRM Day. The main topic there will be terms, and how we plan to get working versions of them in the next three days at IIW.
This is a huge opportunity. I am sure we have enough code, and enough done work on standards and the rest of it, to put up exactly the terms we can offer and publishers online can accept, and will start to end the war (that really isn’t) between publishers and their readers.
Once we have those terms in place, others can follow, opening up to much better signaling between supply and demand, because both sides are equals.
So this is an open invitation to everybody already working in this space, especially browser makers (and not just Mozilla) and the ad and tracking blockers. IIW is a perfect place to show what we’ve got, to work together, and to move things forward.
As a new digital age unfolds, brands have a make-or-break strategic opportunity to place their customer relationships on a powerful new footing.
The opportunity: to work with customers to create new ‘Me2B’ services that empower them with data and help them use this data to meet previously unmet needs, such as making better decisions and organising and managing their lives better.
Brands that enable these new relationships and services are sustaining and deepening customer trust, growing revenue streams and profits, differentiating themselves in crowded markets, and positioning themselves strategically at the forefront of the digital economy.
Personal Information Economy 2015: Growth Through Trust
The rise of Me2B commerce
Event Venue: Kings Place, 90 York Way, London, N1 9AG
Event Date: Tuesday, December 8th 2015 from 09:00 to 19:00 (GMT)
More information here.
Join us for a joint PDEC and Customer Commons salon dinner April 6th, Monday night, 6-9pm in Mountain View. This is the night before IIW, and at the end of the VRM day, where we will have an opportunity to talk about Banking, Credit and Personal Data with LaVonne Reimer. Sign up at Eventbrite for the Salon Dinner.
About LaVonne: She is a lawyer-turned-entrepreneur with over 15 years experience deploying technologies in markets with data privacy and regulatory sensitivities. Most recently, she engaged an expert user community to streamline ethical data-sharing practices in the commercial credit ecosystem.
The PDEC / Customer Commons Salon dinner is 6-9pm at Fu Lam Mum in Mountain View.
NOTE: Those who want to arrive earlier than 6pm for socializing, please do; we have a no-host bar at Fu Lam Mum. For those coming at 6pm, we’ll start dinner about 6:30pm, and for those just coming for discussion, that will start about 7:30pm. However, discussion people are welcome earlier for socializing too.
Thanks to everyone who attended the Customer Commons Salon last night. It was a nice night to socialize, and talk. Doc Searls gave us a quick report on Omie, the Customer Commons project that will be made for Android, and later, we hope, other platforms. Omie is meant to make the device yours, instead of having you captive to all those taking your data and experience.
We had a great night at MINGs in Palo Alto, and want to thank them for the delicious food and accommodations!
We look forward to our next salon, the Monday night before IIW, as always!
Customer Commons is supporting, and board member Mary Hodder is hosting, the Bay Area event. Additionally, there are NYC and London locations. Please join us if you are interested:
This is an unprecedented year documenting our loss of Privacy. Never before have we needed to stand up and team up to do something about it. In honour of Privacy Day, the Legal Hackers are leading the charge to do something about it, inspiring a two-day international Data Privacy Legal Hackathon. This is no ordinary event. Instead of talking about creating privacy tools in theory, the Data Privacy Legal Hackathon is about action! A call to action for tech & legal innovators who want to make a difference!
We are happy to announce a Data Privacy Legal Hackathon and invite the Kantara Community to get involved and participate. We are involved in not only hosting a Pre-Hackathon Project to create a Legal Map for consent laws across jurisdictions, but the CISWG will also be posting a project for the Consent Receipt Scenario that is posted on the ISWG wiki.
The intention is to hack Open Notice with a Common Legal Map to create consent receipts that enable ‘customisers’ to control personal information. If you would like to get involved in the hackathon, show your support, or help build the consent receipt infrastructure, please get involved right away — you can get in touch with Mark (dot) Lizar (at) gmail (dot) com, Hodder (at) gmail (dot) com, or join the group pages that are in links below.
Across three locations on February 8th & 9th, 2014, get your Eventbrite Tickets Here:
This two-day event aims to mix the tech and legal scenes with people and companies that want to champion personal data privacy. Connecting entrepreneurs, developers, product makers, legal scholars, lawyers, and investors.
Each location will host a two-day “judged” hacking competition with a prize awarding finale, followed by an after-party to celebrate the event.
NOTE: The venue is now at Stanford University, in conjunction with the United Nations Association Film Festival, and will be followed by a panel discussion on the “Future of Online Privacy.” Cullen will be there as well.