Skip to Content

Cybersecurity & Standards, Privacy & Data

Competing and Collaborating for Better Web Privacy

And the need for civil society voices in standard-setting

In setting up a new work laptop, I installed some key software: web browsers. So much online activity is on the Web now, and it’s fortunate that we have several choices of browsers, and that you can easily use one browser to find others and download them to your device.

The marketing messages these competing browsers use to advertise their essential features are striking:

Screenshot of Mozilla's Firefox marketing webpage, as of August 4, 2022. Source: https://www.mozilla.org/en-US/firefox/browsers/.

Screenshot of Mozilla’s Firefox marketing webpage, as of August 4, 2022. Source: https://www.mozilla.org/en-US/firefox/browsers/.
Screenshot of Brave's marketing webpage, as of August 4, 2022. Source: https://brave.com/.

Screenshot of Brave’s marketing webpage, as of August 4, 2022. Source: https://brave.com/.
Screenshot of Vivaldi's marketing webpage, as of August 4, 2022. Source: https://vivaldi.com/features/.

Screenshot of Vivaldi’s marketing webpage, as of August 4, 2022. Source: https://vivaldi.com/features/.
Screenshot of Apple's Safari marketing webpage, as of August 4, 2022. Source: https://www.apple.com/safari/.

Screenshot of Apple’s Safari marketing webpage, as of August 4, 2022. Source: https://www.apple.com/safari/.

Browsers distinguish themselves by emphasizing different features: a sign of a competitive marketplace and one significant value of an interoperable Web. These marketing materials highlight many features, including performance (“blazing fast”) and tab management. But most prominent are claims about protecting your privacy while browsing the web: “incredibly private”, “the best privacy online”, “put your privacy first”. Browser vendors recognize a genuine consumer desire and appeal directly to it. And competition for privacy in user-controlled software is especially important because legal protections are lacking, inconsistent or out-of-date and because online interactions are often complex and opaque.

Whether you’re using Chrome, Edge, Firefox, Safari, or some other application to read this, the browser is just one piece of software that you interact with while using the Internet, but it plays a key role as the user agent. Your browser interacts with web servers operated by the publishers of websites (maybe you visit google.com to search the web or read an article at theguardian.com), but also network providers (including your ISP at home or work, say) and typically many other services provided by other organizations through the website you’re visiting: content delivery networks that cache data, ad networks and advertisers bidding for your attention, analytics services measuring traffic, media embedded from other sites, and more.

Keeping track of every piece of software and every company you interact with while browsing the Web (much less what they might be learning about you or what privacy practices they commit to) is essentially impossible. But your browser, your user agent, can and should help navigate those interactions and the potential impacts to your privacy. [1]

Some have criticized browser-centric efforts to protect online privacy, claiming that privacy is no longer important to users or that technical measures implemented by browser vendors are only a pretense for another business aim — like gaining power in the market for online advertising by collecting more data for targeting ads or decreasing the amount of data collected by competitors. 

But, are relatively small competitors to the most dominant browser (Google’s Chrome) all loudly advocating for user privacy protection in order to help their competitor consolidate its position in the advertising market? Are browser vendors marketing themselves based on privacy protection even though it’s not a factor for their users? That is unlikely. Instead, privacy is both important and typically well-aligned with competition, and we should work for both competitive marketplaces and privacy protections. It’s great to see browser vendors competing for users by providing better privacy online, even as we also advocate for more comprehensive legal protections.

The particular framing of the marketing of online privacy protections may also indicate how dire the situation has become. Confidence in online privacy is so weak that there is an assumption that the Web is “creepy.” My friends and family believe their devices are listening to their conversations and that everything they do online is being watched. What a failure on our part — the industry, the technical community,  and the Web — that the situation has gotten so out of hand. That lack of control and trust is bad for the marketplace: it inhibits adoption of promising new technology and requires constant defensive work. But, more fundamentally, surveillance is bad for human values – it chills speech, facilitates manipulation, and erodes the rights of everyone, particularly the most vulnerable.

Regulators across the country and the globe have recognized these problems and made it clear that changes are necessary and imminent. Policymakers in both the U.S. and EU are currently considering – and in some cases enacting – both competition and privacy bills that could substantially change practices for online advertising and data processing. Likewise, tech companies and the online advertising industry increasingly recognize the need to limit how data about users’ online activity is collected, distributed and used. We have made this point directly to industry in public events, including with the IAB Tech Lab, the International Association of Privacy Professionals and the European Policy Centre. A substantial shift is necessary in order to provide people with meaningful privacy online; pretending that nothing will ever break or change is only doing a disservice to the larger Web ecosystem.

One place we see the conversation over how to shift towards a more privacy-protective Web is in technical standard-setting bodies, including the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF). [2] A plethora of technical proposals include new designs for online advertising and measurement. The details of Google’s Privacy Sandbox features are debated at W3C and IETF, alongside alternatives from, for example, Apple, Facebook, Microsoft, Mozilla, ad tech firms and online publishers for targeting, serving and measuring advertising in ways that may be less intrusive.

Beyond advertising topics, there is an ever-present push for new features, greater performance and richer communication on the Internet and the Web. At upcoming standards meetings we’ll be considering: making end-to-end encrypted messaging work between different providers; improving online audio and video conferencing; fighting fraud without endless captchas; and building augmented and virtual reality worlds. [3] The protocols to make that new functionality interoperable among Web browsers and other Internet-connected software are designed and debated by engineers in a collaborative, consensus-based process in these standard-setting bodies.

While civil society voices are present in these protocol design debates, they are not nearly as numerous as they need to be — due to the combined barriers of direct costs, the need for expertise on both technical and policy details, intensive time investments and exclusionary working environments. Our small Internet Architecture team at CDT is busily engaging in these technical and policy discussions. We are chairing groups: I co-chair W3C’s PING — the Privacy Interest Group, while Mallory Knodel chairs, among others, the IRTF Human Rights Protocol Consideration group and sits on the Internet Architecture Board. We are reviewing proposals for their impacts to privacy, security and human rights, and doing so in more systematic ways. And in order to support growth in public interest voices, we are advocating for access, inclusion and diversity of participation.

We want to help our civil society colleagues who are participating already or want to be more involved: we will provide regular updates on activity in these standard-setting organizations; help navigate processes for contributing; highlight ongoing work to the press and public; and coordinate responses where public interest engagement is especially needed.

If you’re interested in getting involved, please reach out to me directly or see the Public Interest Technology Group discussion list.


[1] Some have described this role as a “privacy butler”, e.g. Geoffrey Fowler, describing the failures of privacy policies and highlighting the work of Lorrie Cranor. https://www.washingtonpost.com/technology/2022/05/31/abolish-privacy-policies/.

[2] There aren’t precise boundaries here, but in general, W3C groups work on Web technology – like the functionality of web pages and browsers – and IETF groups work on the underlying Internet, networking technology but also cryptography and other non-Web applications. Other standards bodies are created all the time, sometimes for very specific new technologies, and can compete in what their forum allows or supports. And Internet-related standards can also be developed by national standards bodies, who also send representatives to ISO, or by multilateral bodies such as the ITU, part of a United Nations agency.

[3] For a quick summary of some of the privacy and human rights-related discussions at last week’s Internet Engineering Task Force meeting, see these threads from Nick Sullivan and Mallory Knodel:
* https://twitter.com/grittygrease/status/1552391305405386752
* https://twitter.com/MalloryKnodel/status/1553096277843496960