Opinion article: It is (already) time to improve the web privacy standard

A series of high-profile data and privacy breaches in Australia has people once again questioning the amount and nature of data being collected about them.

The series of incidents has resurfaced and revitalized the conversation about online privacy. Privacy means freedom from observation and nowhere is this more important than on the Internet, where we must trust others to carry our traffic.

The Internet is an unprecedented place to connect with others, transact business, learn and express ourselves.

However, some of the fundamental mechanisms of the web lend themselves to surveillance technologies that track our behavior, interests, and even personal relationships without our consent.

Deloitte Australia research found that “Most brands appear to engage in some form of online tracking and monitoring, although most consumers are uncomfortable with this.”

The same survey found “Only 2 percent of brands disclose possible data sharing, online tracking, or other specific uses of data during the customer experience upon registration, outside of the privacy policy.”

There is a general trend to give Internet users more power to decide how much of their traffic is observed by third parties. Likewise, there are efforts to make more systems, applications, and other points of user interaction privacy-preserving by design.

It is worth highlighting some of the work that is currently being done to innovate and improve the web privacy standard.

Protect user metadata on the Internet

Part of making the Internet the best it can be is ensuring that all users have control over who sees their information when they use the Internet.

Today, it is more difficult than ever for users to preserve their privacy with modern communication tools, but that reality only increases the urgency of this work. Indeed, the entire Internet needs to be updated to make it safer and easier to use for everyone.

One area of work to highlight is that both major mobile platforms, iOS and Android, now have crucial Internet privacy protection: Apple iCloud Private Relay is part of the Apple platform, and INVISV is available for Android devices. Both are powered by Fastly’s global privacy proxy infrastructure.

Apple and tens of millions of iCloud customers now rely on Private Relay every day. To put this power in the hands of more people, it was necessary to focus on replicating it effectively for Android.

To connect to the Internet, devices use IP addresses. All communications contain both your IP address and the name or IP address of the site you are visiting. However, these identifiers are clearly visible to many network entities, such as your network provider, the site you are connecting to, and any third-party sites that are integrated into the site you are visiting. This allows the network operator, the main site and third-party sites to know both your identity and the sites you are visiting, which has fueled a booming data brokering industry.

Relay services provide users with privacy protection when they use their mobile devices to access the Internet, making previously clearly visible information unavailable to anyone other than the user. The underlying technology makes it impossible for anyone to independently know this private information.

Limit what websites “need to know”

Another important advance is that of an authorization protocol known as private access tokens (PAT).

Internet users frequently encounter CAPTCHAs on their travels: tests that ask you to prove that you are a human being. They are widely used to protect payment flows, login pages, and other sensitive forms from automated abuse.

But there are problems with the model. CAPTCHA providers (and other bot mitigation providers) collect browser data to make human-bot classification decisions, but they generally don’t share what data they collect or how they use it, as it’s part of their secret sauce. CAPTCHAs can also be bypassed by CAPTCHA farming services, where low-paid humans solve the puzzles, and they are a friction point in the online experience. Not all users pass a CAPTCHA test on their first attempt.

PATs address the fundamental problem with CAPTCHA and other bot mitigation techniques available today, which treat all traffic as suspicious and rely on user action and browser data to assess risk.

They use careful application of cryptography and requirements to ensure that a website learns exactly what it needs to know about a user to provide access to a resource. No human interaction is required and there is no leakage of non-essential data.

The main limitation of PATs today is related to their novelty. Currently, only Apple devices running iOS 16 or macOS Ventura (currently in beta) support PAT challenges. Until the ecosystem improves, an alternative system will continue to be necessary. However, given the obvious benefit of this protocol and the excitement that already exists in the space, it seems to be only a matter of time until other big-name device vendors, browsers, and operating systems start supporting PAT.

Relay services and PATs are just two initiatives underway that will help preserve privacy on the Internet. They bring us all closer to the Internet we all want, one that supports privacy while being fast and responsive.


Guy Brown is a Senior Security Strategist at Fastly.
