Privacy Alert: Business Strategy drives Internet Architecture with HTTP/2 and HTML5



From the film “Jerry Maguire” came those now immortal words – “Show me the money,” and it is within the context of those words that we look at HTTP/2 and HTML5 and their effect on your privacy.

First, let me say that within a business context, I believe that IT architecture should support business strategy. It drives efficiency, enables new products and services, and supports healthy margins. But what about when it comes to the Web – a networked infrastructure that belongs to no one person, organization or country? Does this approach support the best interests of all the stakeholders?

The Internet has changed dramatically in the last 10 years. It is fueled by free, ad-supported services and it has gone mobile. That means for the first time ever, I use multiple devices to connect and interact with it. What is immediately apparent to the advertising industry, which fuels these free services, is the real-time need to offer more personalized ads wherever I am, and to whatever device I am using.

Enter two improved specifications that power the Web: HTTP/2 (device agnostic) and HTML5.

First we will look at HTTP/2. If you read Section 10.8 carefully, you will see that it has serious privacy issues. It fundamentally changes the Web’s default ‘privacy settings’. While positioned to provide more security around your communications (TLS 1.2) in the ‘name’ of privacy, the actual impact of the change is about tracking you across ‘origins’.

The definition of origin is the point or place where something begins, arises, or is derived – in other words, you and your device. Nothing is more important to the advertising industry than the personalization of ads that are useful to me. They will pay a premium to track me as I move from device to device, from location to location. A consolidated profile that follows me where I go is far more valuable than multiple profiles tied to a desktop, laptop or phone.

HTTP/2 makes that a reality — but at what cost? There is nothing in it so far that makes it more efficient or will result in a better experience on mobile. The security capability of TLS 1.2 is a “nice-to-have” feature, making it harder for hackers to perpetrate a man-in-the-middle attack. Now, let us couple the advances of HTTP/2 with those of the latest HTML update, HTML5. Sadly, Section 1.8 uncovers more privacy concerns. The first sentence reveals the issue: “Some features of HTML trade user convenience for a measure of user privacy.”

In general, due to the Internet’s architecture, one user can be distinguished from another by IP address. However, IP addresses do not map perfectly to a user; as a user moves from device to device, or from network to network, their IP address will change. Other steps, like browser fingerprinting, help remove that ambiguity, thereby targeting the individual as they move from device to device.

As a consumer, I will have no idea that these changes are taking place. They’re designed to be seamless and require no behavioral changes on my part. I simply continue under the guise that my communications are more secure and yet my privacy is clearly at risk. So why are these changes even being contemplated if there is no measurable benefit to the consumer’s experience?

Firstly, we’re close to the end of phase one of Digital Advertising (The End of Digital Advertising as We Know It). The balance between usability and advertising has been lost, so only the very largest advertising engines on the Internet will survive. Only they have the resources to enable something like HTTP/2 and HTML5, due to the complexity.

Secondly, there’s a new privacy policy called the General Data Protection Regulation that will go into effect on May 25th, 2018. The new regulation establishes a chain of responsibility for consumers’ data and how that data may be used. The only way to obtain the necessary consent from consumers is to have a direct relationship with them. For the likes of Google and Facebook this will be easy, as consumers come to those sites for multiple services. Once consent is obtained, ads can follow me across devices.

Trading convenience for privacy is now a familiar refrain. The average Internet user was not asked to weigh in on their preferences relative to privacy vs. convenience. With no mobile user experience gains, this reinforces the argument that business strategy drove Internet architecture changes. (Europe’s new privacy regime will disrupt the adtech Lumascape)

If you combine the privacy concerns of HTML5 with HTTP/2 you have the perfect solution for Wall Street, but at what cost to the Internet user? It was never about mobile or a better experience – it was all about tracking me across devices, in support of a business strategy that gives me no choice on the tradeoff.

How inconvenient for me.

Posted in: GDPR, Privacy by Design
