WSJ: Cookies-förfrågningar är inte lösningen på nätintegritet

I ett försök att skydda internetanvändarnas integritet krävde lagstiftare att webbsajter skulle redovisa och begära tillåtelse från besökarna att spåra och lagra deras trafik. Resultatet blev ett dagligen irriterande moment som inte heller lyckades revolutionera nätintegriteten, skriver Wall Street Journal.

Men det finns en lösning. Om man fick svara en gång på vilka sätt man är villig att bli spårad på nätet via sin webbläsare kunde denna sedan kommunicera det till alla sajter som man besöker. Det skulle både öka integriteten på nätet och ta bort störande cookies-förfrågningar.

De digitala lösningarna är på väg men för att fungera helt krävs hjälp från lagstiftarna, skriver tidningen.

How Everyone Can Get the Online Privacy They Want

Most people rarely read the privacy-consent requests they approve. There’s a better way.

By Lorrie Faith Cranor, The Wall Street Journal, 7 June 2022

Go to almost any website these days and odds are a notice will pop up explaining how the site uses cookies and asking you to “accept” or “manage” them based on your preferences. Odds are also that you click “accept” without even thinking about it.

And that’s a problem.

These “cookie banners” became ubiquitous when regulators, worried about privacy, started requiring websites to post their data-collection policies and get consent to gather cookies—those bits of information that websites send to your browser to track your online activities, as well as identifiers that can be used to recognize you when you return.

While the banners were supposed to give people more control over their personal data, in practice they have become an annoyance and generally do little to protect privacy. Part of the problem is that few people ever click on the links that allow them to manage how cookies are used, according to my research at Carnegie Mellon University’s CyLab Security and Privacy Institute. And there is growing recognition that asking consumers to make data decisions every time they visit a new website is unwieldy and ineffective.

Is there a better way to help consumers gain control of their data, one that actually works?

The good news is that researchers, standards organizations and privacy experts are working on technology that would make it easier for people to signal how they want to be tracked online. Some of the digital tools being developed are so-called personal privacy assistants that would ask consumers to make a few decisions upfront about how they want their data used, and then communicate those preferences to websites and apps behind the scenes, without the individual having to do anything more.

Problematic cookies

Most people have no problem with cookies when they are used to make online shopping carts and other website features work, or when they help websites remember their personal settings. But websites also use cookies to build profiles of users that they then share with advertising networks and other third parties. While my research has found that some users like receiving ads for exactly that thing they were shopping for online, others find it creepy and aren’t too pleased when ads for lingerie or incontinence products fill their computer screen at work.

Even worse, cookies have been used to send personal health information and other sensitive data to websites without users’ permission, and data brokers sell users’ profiles for purposes beyond advertising, such as deciding whether to offer credit or whether to charge higher or lower interest rates.

The idea behind cookie banners was that websites should tell people upfront what kind of cookies they use and why, and give users the option of accepting or rejecting them. However, cookie banners have become problematic for several reasons.

First, most cookie banners are set up so the fastest way to make them go away and get on with your web browsing is to accept all the cookies. To reject cookies, you generally have to click through to a preferences screen and then figure out what to do. Second, if you do decide to review your options, you will often find them written in a way that makes it hard to know which cookies might be helpful to you and which might invade your privacy. Furthermore, not all the options are clearly labeled: If you click an X to close a cookie banner it isn’t at all clear what will happen. Finally, even if we solved these problems, most users still have too many cookie decisions to make because most users visit a lot of websites and most websites use cookies.

Now, imagine a future where, with a click of a button, you could automatically get rid of the cookies you don’t like and keep the ones you do at every website you visit. If you appreciate targeted ads, for example, you might configure your browser to accept the types of ads you would like to see and reject those you don’t. Your web browser would act as your virtual agent, automatically accepting only those cookies that match the preferences you specified and shooing away all the others. It would take care of everything seamlessly and even use artificial intelligence to adjust over time as your preferences evolve.

This isn’t science fiction. I’ve been working with researchers and practitioners on ideas like these since the 1990s, and a number of systems and standards have been proposed that would allow software acting on behalf of internet users to read privacy policies automatically and make privacy decisions in accordance with each person’s preferences. Such tools would go beyond the cookie controls most web browsers have today and allow for more fine-grained decisions about what personal information people want to share and with which websites.

We can use a similar approach to help people configure data permissions for mobile apps, such as deciding whether to grant them access to location data. My colleagues at Carnegie Mellon have tested an AI-driven privacy assistant that, based on your answers to just a few questions, can predict with a fair amount of accuracy many of the privacy settings you would want for any app you download in the future.

Recently, a handful of internet browsers and plugins—including those offered by Mozilla Corp.s Firefox and DuckDuckGo—began offering a privacy option called Global Privacy Control that allows users with a click of a button to opt out of the sale of their personal information at every website they visit. The California Attorney General announced in 2021 that websites must comply with the request. This is a first step toward building a more robust system of computer-readable privacy signals.

What about IoT devices?

Websites and mobile apps aren’t the only data collectors that consumers encounter these days. Smart doorbells, smart appliances, a variety of Internet of Things (IoT) devices and even cars have sensors that collect data, including information about users’ location, audio and video. If you think it’s hard dealing with consent banners on websites, imagine if every smart lightbulb you walked by blinked at you until you confirmed you were aware that it collects data.

Once again, research suggests a better way. My colleagues at Carnegie Mellon are working on an IoT personal privacy assistant app for smartphones and smartwatches that would notify consumers of any sensors in their vicinity and let them know what information is being collected and how it is being used. The app would then help consumers configure privacy settings for those IoT devices. I might tell such an agent that I’m OK with smart lightbulbs detecting my anonymous presence and turning themselves on and off accordingly, but I want to be informed when I enter a space where microphones might record my conversations. I also might tell it to stop informing me about sensors I already know about in spaces I visit frequently.

While personal privacy assistants offer the opportunity to actually protect privacy without burdening users, making this vision a reality will require buy-in from websites, mobile-app platforms and IoT device manufacturers, which will have to build the technology into their systems. That is unlikely to happen on a wide scale without laws that not only require companies to provide information about their data practices in plain English and in standardized forms, but also in a standardized computer-readable form so that personal privacy assistants can read them automatically.

If we can move forward on all these fronts, then consumers will no longer have to blindly accept the privacy settings they don’t understand. They can get the privacy they want, with little of the angst they have today.