"The problem with losing your anonymity is that you can never go back." --Marla Maples
There's anonymity, and then there's being anonymous.
Oddly enough the line is a lot more difficult to understand then one may wish. Anonymity is a tricky thing because on one end of the argument you must concede that in order to have an acceptable user experience in the modern web world you must be tracked to some acceptable extent, while the other end of the argument would say that we don't want web sites, vendors and nation-states/organizations tracking us and our browsing habits.
Throwing into this the complexity of free content (what's really "free" today, really?) like Facebook and other types of free-for-a-fee sites and you have yourself an ugly little mess.
So what are the issues?
The issues with truly anonymous web browsing look something like this -
- Can making anonymous surfing still sustain the "free web" concept? - Much of the content you surf today is free, meaning, you don't pay to go to the site and access it. Many of these sites offer feature-rich experiences, and lots of content, information and require lots of work and upkeep. It's no secret that these sites rely on advertising revenue at least partly (which relies on tracking you) to survive ...if this model goes away what happens to these types of sites? Does the idea of free Internet content go away? What would that model evolve to?
- Is a user willing to pay for content on sites in exchange for their "privacy" (not being tracked)? - In line with the above point, would you be willing to pay $50/month for Facebook? How about $10/month for to look up your local weather, or $25/month to look up the sports scores or $75/month to read the online news or ...you get the idea. Many of these sites are free right now because they rely on alternative means (which rely on knowing who you are and your browsing habits) to make their revenue.
- Can we effectively de-couple "session management" from "user tracking"? - While this may seem like a simple question, it's a lot more complex politically then technically. Managing a user's session means knowing what places on your site they visit, and while this isn't that big of a deal if you operate a single-site organization it becomes a lot more complex if you're managing an authentication mechanism for an organization that owns dozens or hundreds of sites worth of content. At that point you have to be careful to not give into the temptation of tracking the user not just across your own site(s) but then across your partner sites, etc. Managing a session can be as simple as answering the question of whether the user is authenticated or not - but then why not take advantage of all the other available information?
- How does the industry draw the line between "enriching the user experience" and "tracking the user" - Where does the online industry draw the line between enhancing the user experience and just outright tracking the user? Does anyone remember how everyone was up in arms over Facebook's tracking capabilities across multiple sites, such as news sites, retail shopping, etc? As an industry there needs to be clearly defined regulations and rules around what can be considered managing the user's session and enhancing their experience - and "tracking" the user; creating a legitimate opt-in system where a user must consent to being tracked first - then having that respected by the technology and code that they utilize. I fear we're very far from this type of environment today.
In the end, though, we're left with the trust we place in our web applications... so we're left with the intersection of privacy and software security assurance. Answering the basic question again - can the user trust the software?
Take the Internet Explorer 9 no-tracking option... and a great way to understand the technical calamity of it all -
"The site must request permission, the user must consent, the browser must respect user's decision ...and an XSS flaw invalidates the whole thing. Lovely."
This is pretty serious stuff - so over a few posts in the future I'll go over each of the bullets above in more detail, with a guest-post and discussion on each ...stay tuned! If you'd like to contribute, or have something to say as always - please chime in by leaving a comment, or hit me on Twitter/Skype/email and I'll get back to you quickly.
Thanks for reading ...I look forward to continuing this thought.
Cross-posted from Following the White Rabbit