How everyone can get the privacy they want online | Media Pyro

These “cookie banners” became ubiquitous when privacy-concerned regulators began requiring websites to publish their data collection policies and obtain consent to collect cookies—those pieces of information that websites send to your browser to track your online activity, and identifiers that can identify you when you return.

Although banners were supposed to give people more control over their personal data, in practice they became annoying and generally did little to protect privacy. Part of the problem is that few people ever click on the links that allow them to manage their use of cookies, according to my research at Carnegie Mellon University’s CyLab Institute for Security and Privacy. And there is growing recognition that asking consumers to make data decisions every time they visit a new website is cumbersome and inefficient.

Is there a better way to help consumers gain control over their data that actually works?

The good news is that researchers, standards organizations, and privacy experts are working on technology that will make it easier for people to say how they want to be tracked online. Some of the digital tools being developed are so-called personal privacy assistants, which ask consumers to make a few decisions in advance about how they want their data to be used, then communicate those preferences to websites and apps behind the scenes, without the need for a single human. . do something more

Problem cookies

Most people do not have a problem with cookies when they are used to provide online shopping carts and other website functions or when they help websites remember their personal preferences. But websites also use cookies to create user profiles, which they then share with ad networks and other third parties. While my research found that some users enjoy receiving ads for items they’ve purchased online, others find it creepy and uncomfortable when ads for underwear or incontinence products fill their desktop.

How the Privacy Assistant works

AI-powered tools can learn users’ privacy settings and help them manage app permissions and cookies. Here’s how one of these systems might work.

Information about how a user uses their mobile device is recorded to help determine the user’s privacy settings.

The app asks a few preliminary questions about the user’s privacy settings to improve accuracy.

Periodic user requests to grant certain permissions or share certain information

The assistant can automatically grant permissions on behalf of the user or operate in a mode where the assistant prompts the user for confirmation, always or in certain cases.

Worse, cookies are used to send personal health information and other sensitive data to websites without users’ permission, and data brokers sell user profiles for purposes other than advertising, such as deciding whether to offer credit , whether to charge higher or lower interest. rates

The idea behind cookie banners was that websites should tell people in advance what cookies they are using and why, and give users the option to accept or reject them. However, cookie banners have become problematic for several reasons.

First, most cookie banners are set in such a way that the quickest way to make them disappear and continue browsing the web is to accept all cookies. To decline cookies, you usually need to go to the settings screen and then decide what to do. Second, if you choose to review your options, you’ll often find that they’re written in a way that makes it difficult to determine which cookies may be useful to you and which may violate your privacy. Also, not all options are clearly labeled: if you click the X to close the cookie banner, it’s not at all clear what happens. Finally, even if we solved these problems, most users would still have to make too many decisions about cookies because most users visit many websites and most websites use cookies.

Now imagine a future where, with the click of a button, you can automatically get rid of the cookies you don’t like and keep the ones you do, on every website you visit. For example, if you value targeted advertising, you can configure your web browser to accept the types of ads you would like to see and reject the types of ads you do not want to see. Your web browser will act as your virtual agent, automatically accepting only those cookies that match the settings you specify and rejecting all others. It will take care of everything seamlessly and even use artificial intelligence to adjust your preferences over time.

This is not science fiction. I have been working with researchers and practitioners on similar ideas since the 1990s, and a number of systems and standards have been proposed that would allow software acting on behalf of Internet users to automatically read privacy policies and make privacy decisions based on each individual’s preferences. Such tools would go beyond the cookie controls that most web browsers have today and allow for more granular decisions about what personal information people want to share and with which websites.

We can use a similar approach to help people adjust data permissions for mobile apps, such as deciding whether to allow them access to location data. My colleagues at Carnegie Mellon tested an AI-powered privacy assistant that, based on your answers to just a few questions, can predict with reasonable accuracy many of the privacy settings you’ll need for any app you download in the future.

Recently, several Internet browsers and plug-ins, including Firefox and Mozilla Corp.’s DuckDuckGo, began offering a privacy option called Global Privacy Control that allows users to opt out of the sale of their personal information with the click of a button. on every website they visit. In 2021, the California Attorney General announced that websites must comply with this request. This is the first step towards creating a more robust system of computer-readable privacy signals.

What about IoT devices?

Websites and mobile apps aren’t the only data collectors consumers encounter these days. Smart doorbells, smart appliances, various Internet of Things (IoT) devices, and even cars have sensors that collect data, including user location information, audio, and video. If you think it’s hard to deal with consent banners on websites, imagine every smart light bulb you pass flashing at you until you confirm that you know it’s collecting data.

And again, research shows a better way. My colleagues at Carnegie Mellon are working on an IoT personal privacy assistant app for smartphones and smartwatches that will notify consumers of any nearby sensors and tell them what information is being collected and how it is being used. The app will then help consumers configure privacy settings for these IoT devices. I could tell such an agent that I’m fine with smart lights detecting my anonymous presence and turning on and off accordingly, but I want to be informed when I enter a space where microphones can record my conversations. I can also tell it to stop informing me about sensors I already know about in places I frequent.

While personal privacy assistants offer the ability to actually protect privacy without burdening users, making this idea a reality will require support from websites, mobile app platforms, and IoT device manufacturers who will need to build this technology into their systems . This is unlikely to happen on a large scale without laws requiring companies not only to provide information about their data practices in plain English and in standardized forms, but also in a standardized, computer-readable form that personal privacy assistants can read them automatically.

If we can move forward on all these fronts, then consumers will no longer have to blindly accept privacy settings they don’t understand. They can get the privacy they want with little of the anxiety they have today.

Dr. Kreinor is a professor of computer science, engineering, and public policy and director of the CyLab Security and Privacy Institute at Carnegie Mellon University in Pittsburgh. She can be reached at reports@wsj.com.