From the film “Jerry Maguire” came those now immortal words: “Show me the money,” and it is within the context of those words that we look at HTTP/2 and HTML5 and its effect on privacy. 

Image provided by author

First, let me say that within a business context, I believe that IT architecture should support business strategy. It drives efficiency, enables new products and services, and supports healthy margins. But what about the web — a networked infrastructure that belongs to no one person, organization or country? Does this approach support the best interests of all the stakeholders?

The internet has changed dramatically in the last 10 years. It is fueled by free, ad-supported services, and it has gone mobile. That means for the first time ever, I use multiple devices to connect and interact with it. What is immediately apparent to the advertising industry, which fuels these free services, is the real-time need to offer more personalized ads wherever I am, and to whatever device I am using.

Enter two improved specifications that power the Web: HTTP/2 (device agnostic) and HTML5

First, let's look at HTTP/2. If you read Section 10.8 carefully, you will see that it has serious privacy issues. It fundamentally changes the web’s default "privacy settings." While positioned to provide more security around your communications (TLS 1.2) in the name of privacy, the actual impact of the change is about tracking you across "origins."

The definition of origin is the point or place where something begins, arises, or is derived — in other words, the end user's device. Nothing is more important to the advertising industry than the personalization of ads that are useful to me. They will pay a premium to track me as I move from device to device, from location to location. A consolidated profile that follows me where I go is far more valuable than multiple profiles tied to a desktop, laptop or phone.

HTTP/2 makes that a reality — but at what cost?

There is nothing in it so far that makes it more efficient or will result in a better experience on mobile. The security capability of TLS 1.2 is a “nice-to-have” feature, making it harder for hackers to perpetrate a man-in-the-middle attack.

Now, let us couple the advances of HTTP/2 with those of the latest HTML update, HTML5. Sadly, Section 1.8 uncovers more privacy concerns. The first sentence reveals the issues: Some features of HTML trade user convenience for a measure of user privacy.

In general, due to the internet's architecture, a user can be distinguished from another by the user's IP address. However, IP addresses do not perfectly match to a user; as a user moves from device to device, or from network to network, their IP address will change. Other steps like browser fingerprinting help remove that ambiguity, thereby targeting the individual as they move from device to device.

As a consumer, I will have no idea that these changes are taking place. They’re designed to be seamless and require no behavioral changes on my part. I simply continue under the guise that my communications are more secure and yet my privacy is clearly at risk. So why are these changes even being contemplated if there is no measureable benefit to the consumer’s experience?

Firstly, we’re close to the end of phase one of digital advertising. The balance between usability and advertising has been lost so only the very largest advertising engines on the internet will survive. Only they have the resources to enable something like HTTP/2 and HTML5 due to their complexity.

Secondly, the EU's General Data Protection Regulation will go into effect on May 25, 2018. The new regulation establishes a chain of responsibility for consumer’s data and how that data may be used. The only way to obtain the necessary consent from consumers is to have a direct relationship with them. For well-established tech companies and social networks like Google and Facebook, this will be easy as consumers come to those sites for multiple services. Once consent is obtained, ads can now follow me across devices.

Trading convenience for privacy is now a familiar refrain. The average internet user was not asked to weigh in on their preferences relative to privacy versus convenience. With no mobile user experience gains, this reinforces the argument that business strategy drove internet architecture changes. 

If one combines the privacy concerns of HTML5 with HTTP/2, you have the perfect solution for Wall Street, but at what cost to the internet user? It was never about mobile or a better experience — it was all about tracking me across devices, in support of a business strategy that gives me no choice on the tradeoff.

How inconvenient for us me.

photo credit: tokyoform Tokyo 3921 via photopin (license)