Privacy architectural changes in the web are coming
In 2019 I argued and explained that we are in the midst of a perfect storm that the privacy debate has caused. I predicted the impact on the web architecture, and the web platform. The thing that billions of people use every day, that is. These very basic building fabrics of our connected societies were to undergo fundamental changes and shifts. This is happening.
The web ecosystem is undergoing unprecedented changes. Those changes are motivated by privacy.
The core reason for this is to some degree privacy activism/advocacy, fuelled by the previous decade of flourishing privacy research. Some of this research is becoming very important in the multi-billion dollar industries that embrace some of such proposals. However, while many individuals seemed to jump on the privacy bandwagon, this area is not at all simple. Even detecting, at first sight, who has the insight and who has not may not be simple. On the contrary, the turf is becoming very complex. This is because of the need to consider such aspects as business, policy (even politics), regulations, recently also competition. This of course demands being well versed in technology, the web, understanding the risks, threats, strategy, knowledge of policies, law, etc. Few people are apt to actually navigate/understand the full picture. It does not mean that there are no such people. And some of such people happen to be involved in some of the places where it counts, which is fortunate. Why such a focus on “people”? Well, these architectural changes are up for debate, still.
What is privacy here?
To simplify the matter a bit, one of the biggest challenges of privacy is managing information flows. Making sure that information is not leaking, that it is not indiscriminately “hijacked”. That the user’s point of view is appreciated, considered, and respected. This is a nice shortcut for the technical handling of viewing privacy (which is, of course, a much broader issue).
Web Privacy Architecture
As mentioned in my 2019 analysis, Web architecture is being rearchitected. But how? The Internet and the web were never built with security or privacy in mind. This is, simply speaking, changing. Security received a big boost (this process is ongoing). Now it is privacy's turn (this process is around 5-15 years behind the security process, the distance keeps shrinking). The fundamental changes can be viewed and appreciated in two general and broad technical changes.
We cannot avoid mentioning big names like Google or Apple. It’s also them who exert influence on the current debate about the future of privacy in terms of the future web ecosystem. There are many more players involved, but in this analysis, I accept that it’s desktop/mobile OS and web browser vendors that have a privileged position. Accepting this fact should not be difficult, because, well, it’s a fact. We could discuss obscure and useless conceptions which existed only because someone managed to get national/EU funding to develop them, but since these are artificial and useless, what’s the point of discussing something meaningless? I could discuss other firms’ ideas, the involvement of regulators, etc., but doing so would further lengthen the post.
Instead, let’s discuss ecosystem evolution.
The ecosystem changes
Mobiles.
In the case of mobiles, the changes are driven by Apple’s strategy, Android, and others adopting some of these, and putting forward their own. In the case of mobiles, the changes are aplenty. Many of these happen under the hood, invisible to the user (but they can still feel the effects). Users experience user interface changes, or the occasional/frequent permission prompts (“this app wants to access THIS OR THAT… Do you allow…”). Can you believe today that a few years ago Android did not even have the means to grant/refuse access to some sensitive components like cameras, internet, sensors, and so on? Today we take it for granted. You’re also probably unaware that some information collection happens in ways not revealing data from particular users thanks to differential privacy. That’s the deployment of privacy engineering, first announced by Apple (then adopted by some others).
There’s still much to do; the most important next step seems to be curbing the abuse of in-app web browsers (IAB; when a website opens not in a native web browser, but in a "facade", such as in apps like TikTok, Instagram, Facebook, or Android/Google Search) that can decrease security and invade user privacy, also in practice.
The web
For a few years, Apple has been putting forward proposals for new web features/APIs, to tighten some information flows. For example, the Storage Access API to access cookies overtly. There’s of course also cross-pollination between mobile and web technologies, but I will not go into discussing this aspect. Google-proposed changes are more exciting since they go deeper into how the web fabric works.
Now, Google largely motivated this big shift by staking a big decision: phasing out third-party cookies provided (IF) some web changes are agreed upon and deployed; originally planned for 2022, postponed twice, now to 2024. This is called “Privacy Sandbox”, a stack of proposals that would shift how some web elements work. Some information flows would be sealed/secured/tightened. Others would be dis/allowed only in a strictly defined manner.
Those proposed features may have various uses. From making sure that single sign-on works and that embedded videos can know/learn of the user’s choices, to serving ‘relevant’ ads in privacy-improved ways.
As an example, consider the current industrial-scale user data processing during the targeting of ads. It would be changed. It is to work differently, in more privacy-respecting ways. Following the changes, ads would be targeted based on algorithms/logic that would supposedly remain in the user’s devices. Same for the discovery about the success of ad campaigns (Apple’s proposal here, Google’s there).
Those proposals are still in motion, subject to change, which happens often. In 2022, these features are not yet stable. Changes may happen until 2025, even.
Very important web architectural changes happen here, and they follow a W3C-standardisation logic. Let’s discuss some important milestones.
Stuff is shelved
In 2020, Google rescinded its PIGIN proposal and replaced it with Turtledove. Probably nobody remembers that.
In 2019, Google proposed a way to inform websites about users’ interests, Federated Learning of Cohorts (my takes here and here), which worked based on the inspection of users’ web browsing history. After backlash, in 2022 Google rescinded the proposal, replacing it with something simpler (Topics).
In 2022, too, Google rescinded another proposal, SameParty cookies, which were supposed to allow the use of some information from cookies in “validated” ways. There’s no sense in going into more detail: it’s canceled. In other words: three proposals were shelved, two of them already somewhat being implemented in Chrome (for tests).
This shows that the debate over privacy now happens in the context of discussing web architecture. Stuff is proposed. Stuff is changed. Other stuff is canceled. Many actors were involved (much more than just Google/Apple). It’s complex. You can’t know for sure what the picture will look like in 2025.
So: fascinating, too.
Regulatory-like venues perhaps no longer drive this practical debate. These are in the background, with EU data protection authorities rightly not participating in the process, and not taking a position (still: competition authorities… do! Google had to accept some commitments, and they also set up an “independent” trustee, tasked with the inspection of the fulfillment of the commitments, an actor which unfortunately lacks the credentials to actually observe the complex web ecosystem evolution process in any meaningful way - and is therefore quite useless). Instead, privacy regulations will perhaps have to be adapted to the new ways of how the technologies work.
In summary, the effects of the privacy debate surrounding the web architecture changes resulted in putting forward 10-20 ideas for new features or amending how existing features work. Some moved forward. Others were rescinded, others are missing the point or are unsatisfactory. Others, still, are being implemented in web browsers like Apple Safari, Mozilla Firefox, or Google Chrome. Expect more changes to happen until 2025 (this is an informed assessment by someone who knows how technology/web standardisation, and feature development, work in practice).
There may also be the next step when those changes would start driving the potential evolution of the law, technology policies, and data protection legislation. Although this evolution is difficult to predict today, I would not be surprised if this was the case in 2025–2030 (while today, reinterpretations/re-adaptations of existing frameworks to the new technical status quo will be needed).
Please note that currently a lot of people are struggling with those changes relating to web features evolution alone, which are still in motion. And it is not at all easy to find good people for the task (even Google apparently had/has problems with communicating their own choices). Those changes impact a huge ecosystem: the web, and also mobiles. Transforming big ecosystems is hard. Adopting the changes and adapting to them are the last miles.
Since it impacts many realms: security, user experience, marketing, ads; and many brands or fields (IT, news sites, e-commerce), imagining the constraints is tricky. Meanwhile, you may find some more-or-less arbitrary people wanting to pose “advice”, or consult in these matters... But this is extremely complex and requires careful consideration.
My advice
What to do then, if it concerns you? You should have started inspecting those changes around 2020. But it’s still not too late (i.e. see the timelines indicated above). How to prioritise things? Understand what’s happening, and how it may impact you, and adopt internally, accordingly. Those changes aren’t only on paper. They will require actual technical changes.
Much is at stake here (with Google's ad revenue, and Apple's planned construction of ad infrastructure). And recently more and more is being said about competition aspects. The technical notion of privacy is quite well understood (though still not perfectly). But the technical meaning of “competition” is also fuzzy.
To appreciate this asymmetry, know that while the several W3C documents on privacy run to well over 20000 words, the single competition document has only around... 180 words.
That speaks of the difference.
Is competition a misnomer, or an artificial obstacle to privacy-proof things? Well, it depends on a perspective. What is a fact is that we live in societies where competition is guarded by devoted institutions, regulators. All around the world. Ignoring such constraints is probably unwise.
Summary
Putting privacy-vetted features through an interoperability forum like that is great. It makes sure that the technical changes get adopted broadly. Privacy is changing. Things today look completely different than in 2011. They will look different in 2025, still. Let's hope that these changes will be well adapted for the long run.
Did you like the assessment and analysis? Any questions, comments, complaints, or offers of engagement? Feel free to contact: me@lukaszolejnik.com.