At the beginning of this year EFF identified a dozen important trends in law, technology and business that we thought would play a significant role in shaping digital rights in 2010, with a promise to revisit our predictions at the end of the year. Now, as 2010 comes to a close, we're going through each of our predictions one by one to see how accurate we were in our trend-spotting. Today, we're looking back on Trend #12, Web Browser Privacy, where we predicted the following:
In the late 1990s, when the conventions for the modern web browser were being determined, certain expectations were established for web browser privacy. Users who wished to take extra measures to protect their privacy could simply choose to de-activate or limit their browser's use of cookies. This would protect them from most of the worst online tracking practices.
And that's how it remained for some time. Or so most web users thought.
As it turns out, corporations seeking to track individuals' use of the web were hard at work developing new and unexpected methods of profiling. For a long time, many of these methods either remained unexamined or were simply performed covertly and hidden from the public. But as we enter 2010, awareness and scrutiny of them is on the rise.
Try browsing the web while using a tool like the Firefox add-on RequestPolicy, and you'll see that many major sites share your web activity with dozens of advertisers and advertising networks. With few technical or legal restrictions on the ability to track you around the web, companies you may never have heard of may have profiles of you which include things about your web use that you don't even remember.
This year the Federal Trade Commission is taking a fresh look at privacy and the use of profiles to target ads based on individuals' behavior on the web. We'll be participating in the process by providing testimony to the FTC, as well as launching our own study of just how easy individual browsers are to track, and how they can be made more privacy-protective.
During 2010, a clearer picture emerged of just how sophisticated and hard-to-defend-against modern browser tracking technologies have become. There are many dimensions to this problem.
One is the sheer number of supercookie technologies that persist even if users limit or delete their regular cookies. This was a previously known problem, and some companies were already receiving scrutiny for using supercookies to record people's online reading habits. But the Evercookie project underscored just how many types of supercookie there are, how easy they are to deploy, and how hard they are to delete.
Another is browser fingerprinting. Early in 2010, we ran the Panopticlick browser fingerprinting experiment, which showed that the vast majority of web browsers can be tracked even without IP addresses, cookies or supercookies. Subsequently, the Wall Street Journal reported that firms had already been using these methods to track huge numbers of people.
We will continue to promote the development of privacy technologies to defend against these tracking methods, and encourage browser developers to include them in their mainline releases. But as things stand, we do not believe there are any options that offer web users the option to read in private without the use of tools that are impractically slow and inconvenient for continual use. As a result, we are interested in the emerging proposal for a browser header-based Do Not Track convention, and are encouraged by the FTC's interest in the proposal. Perhaps 2011 can finally be a year when Web users get more, rather than less, privacy.