Privacy on the web - How did it all start?

Privacy, Browsers, Karl Mattson, 03. December 2020

Part 1 of 2: ‘End of the year’ blog series on Privacy

For better or for worse - we think better - this might be aptly labeled as the year of online privacy. Never before was privacy such a hot and evolving topic. So, to wrap up the year, we at eyeo have asked Senior Business Development Director and browser expert Karl Mattson, who has been involved with the consumer web and online privacy since its very beginning, to write a two-part series. In this first part, the focus will be on the history of privacy.

When we talk about web privacy, it’s important to understand its foundational beginnings. A good place to start is 1995 when Netscape launched Netscape Navigator – the first browser that was targeted at and used by regular consumers. Netscape had a graphical interface and rendering ability that made it by far the easiest browser for the masses to use. The impact of that can’t be overstated. Netscape turned the open web which, prior to that, was used only by academics and very technical people, into something easy to navigate. This turned the web from a largely limited channel into the beginnings of a mass medium. From that point on the big question became: how would this new medium pay for itself? How would it be monetized to fund the content and experiences that were sprouting up all over it? The first means of monetization looked at was advertising.

And with that the issue of privacy came up right away, because the act of using the web ties an individual to a device that is trackable. We know this almost intuitively now but back in 1995 this was a new concept. The advent of the web meant content consumers’ choices were trackable, to minute levels of detail, in a way that reading a newspaper or watching a TV show never could be. At the same time that privacy was becoming an issue because of the web’s nascent advertising industry, governments had also awakened to the fact that they now had a new way of monitoring people’s behavior on a massive scale. This all made for some very strange and now, with hindsight, laughable, legislation.

In the United States, the 1996 “Communications Decency Act” was proposed and it contained all kinds of drastic elements designed to make it very easy for the government to track users. Separate legislation was proposed to address specific technology, like encryption. For instance, an early encryption product called PGP – which stood for ‘Pretty Good Privacy’ – became the poster child for inane governmental attempts at regulating privacy on the web. Initially, the US government tried hard to require all encryption products to give the decryption key for *everyone* who used them to the government. That never succeeded because organizations like the EFF fought against such a ridiculous attempt at citizen control. This forced governments into more shadowy, unreported efforts at monitoring web users’ behavior. At the same time it was becoming clearer and clearer that this new medium could support an advertising ecosystem.

Monetization on the web and the appearance of cookie tracking

The issue of tracking user behaviour then shifted away from outright government control and more towards the topic of: “what can we do to make the web monetizable?” 

Right about this time cookies were invented. Lou Montulli invented cookies while working at an early browser called Lynx. He then moved over to Netscape. The term “cookie” comes from a computer science concept called “magic cookie” which describes a piece of software that allows different programs to work together. Cookies are stored in users’ browsers and track how they navigate through a website. Back then they contained individual-specific information and behaviors relating to a specific website. Originally the cookie was used in honest, humble ways. Netscape was among the first to use them to make it easy for users to stay logged in and see personalized content. ‘My AOL’ followed suit. Soon Yahoo, Excite and all other personalized content portals were doing the same thing. But advertisers had bigger plans and the cookie was quickly adopted by early online advertisers, advertising networks and websites. In a short time more than 95% of all websites were using these cookies to track user behavior and make it available to advertisers to serve targeted advertising. Fast forward to now, where websites send an average of 34 cookies each and 70% are what we call “third-party cookies”.

Cookies can be classified into first-, second- and third-party cookies and it’s important to know which class does what. First-party cookies are set by a website and are meant to infer and track your activity on that particular website. They are only relevant to that specific web domain. (This is how My AOL and My Netscape used them back in the day.)

In some instances a website might allow cookie information to be transferred from one company to another company via some sort of data partnership. Those are second-party cookies. Finally we have third-party cookies, which can be set by advertisers or other elements of a website that are *not* necessarily controlled by the website’s owners. These are almost wholly used to generate robust, detailed profiles of you as you go from one website to the next. That makes for highly accurate targeting which, in the realm of advertising, means more effective and hence more expensive advertising. This, more than any one thing, made it possible for advertising to flourish on the web.
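
The cross-site profiling described above, as an added example that is not part of the original post: a constructed simulation in which three made-up sites embed the same hypothetical tracker host, run once with third-party cookies allowed and once with them blocked. The host names, the `siteOf` shortcut and the helper names are assumptions for illustration.

```javascript
// Constructed simulation; every host name is made up and nothing touches the network.
// Assumption: a "site" is the last two labels of a host (browsers use the Public Suffix List).
const siteOf = (host) => host.split('.').slice(-2).join('.');

class Browser {
  constructor(blockThirdParty) {
    this.blockThirdParty = blockThirdParty;
    this.jar = new Map(); // host that set the cookie -> cookie value
  }
  // Load a page plus its embedded resources; each host receives only its own cookie.
  visit(pageHost, embeddedHosts, servers) {
    for (const host of [pageHost, ...embeddedHosts]) {
      const thirdParty = siteOf(host) !== siteOf(pageHost);
      const allowed = !(thirdParty && this.blockThirdParty);
      const cookie = allowed ? this.jar.get(host) : undefined;
      // topSite stands in for what an embedded resource learns from the Referer header.
      const setCookie = servers[host]({ cookie, topSite: siteOf(pageHost) });
      if (allowed) this.jar.set(host, setCookie);
    }
  }
}

// Any server: reuse the identifier in the cookie, or mint one, and log where it was seen.
function makeServer(prefix) {
  const seen = new Map(); // identifier -> set of top-level sites
  let counter = 0;
  const handle = ({ cookie, topSite }) => {
    const id = cookie ?? `${prefix}-${++counter}`;
    if (!seen.has(id)) seen.set(id, new Set());
    seen.get(id).add(topSite);
    return id;
  };
  const profiles = () => [...seen.values()].map((s) => [...s].sort());
  return { handle, profiles };
}

function simulate(blockThirdParty) {
  const pages = ['www.news.example', 'www.shop.example', 'www.health.example'];
  const tracker = makeServer('uid');
  const servers = { 'pixel.adnet.example': tracker.handle };
  const firstParties = pages.map(() => makeServer('sess'));
  pages.forEach((p, i) => { servers[p] = firstParties[i].handle; });
  const browser = new Browser(blockThirdParty);
  for (const page of pages) browser.visit(page, ['pixel.adnet.example'], servers);
  return { tracker: tracker.profiles(), firstParty: firstParties.map((s) => s.profiles()) };
}

console.log(JSON.stringify(simulate(false))); // tracker holds one profile spanning all three sites
console.log(JSON.stringify(simulate(true)));  // tracker holds three unlinked single-site profiles
```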

The first issues with cookie tracking

Using third-party cookies to track people across websites quickly became an issue, one that grew as the web advertising industry – particularly ad networks – exploded in the early 2000s. The industry responded by developing several initiatives. The two biggest responses to this increasing alarm and awareness were the “Do not track” initiative and the creation of “private browsing sessions”.

Private browsing sessions are a feature within a web browser and, at first glance, appear to offer the user some decent privacy protection. But it’s not a whole solution. Private browsing sessions seem like they would protect the user, but user behavior can still be inferred from these sessions and a cookie still could be set. So, even if the website doesn’t know your name you still might end up in situations where a website knows what this device is and where this device has been by inferring your behavior. Oftentimes this information is then married with data from external user profiling companies and, boom, there you are, as visible and knowable to strangers as you would have been if you didn’t opt for private browsing.

“Do not track” came around in 2009 as a web browser standard that allowed users to prevent site-to-site tracking, also sometimes known as “advertising beacons”. This was adopted by browsers, with Mozilla Firefox being the first, followed by Internet Explorer, Safari, Opera and Chrome. This was a step forward but arguably more a bandage than a cure. To enable ‘Do Not Track’ users had to dig deep in browser settings, which made it hard to find and implement. ‘Do Not Track’ was never really adopted by users, in part because advertisers were adamant about pressuring the industry, including browsers, to not promote it.

We now have an industry worth 60-70 billion dollars per year, in the US alone, of companies that take third-party cookie data and marry it with other personal data they can get through additional sources to create robust personal profiles to track users.

Where is privacy going next and how are things changing? We will talk about that in our next blog post – stay tuned to find out more about that!