In Privacy versus cross-context aggregation, Wendy Seltzer points to stories by David Weinberger and Ethan Zuckerman about facebook's latest marketing coup: When facebook users shop online (e.g., at Blockbuster), their shopping behavior is pushed to facebook and used for advertising. From Weinberger's description:
The new ad infrastructure enables Facebook to extend their reach onto other companies' sites. For example, if you rent a copy of "Biodome" from Blockbuster.com, Blockbuster will look for a Facebook cookie on your computer. If it finds one, it will send a ping to Facebook. The Blockbuster site will pop up a "toast" (= popup) asking if you want to let your friends at Facebook know that you rented "Biodome." If you say yes, next time you log into Facebook, Facebook will ask you to confirm that you want to let your friends know of your recent rental. If you say yes, that becomes an event that's propagated in the news feed going to your friends.
While, technically, Blockbuster can't read a facebook cookie itself (a cookie is only sent back to the domain that set it), it can give facebook the opportunity to look for the cookie itself, and in the process hand off information about the purchase. That can be done through redirects, frames, or any number of other techniques. Some of these techniques involve JavaScript, some don't. Ultimately, what we have here is the return of the 1990s third-party cookie, but on steroids, and used not just to track users' page views, but to link business information across vendors.
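To make the hand-off concrete, here is an added example; it is not code from the original post, and it is not a claim about how facebook or Blockbuster actually implemented it. A vendor page embeds a one-pixel image whose URL lives on a hypothetical tracker.example origin and carries the purchase as query parameters. The browser attaches the tracker's own cookie (hypothetical name sid) to that request, so the tracker can join "who" (its cookie) with "what" (the vendor's parameters) although neither party ever read the other's data. The last helper lists the foreign origins a page refers to, which is what one would be hunting for with Tamper Data or Firebug.

```javascript
// Added example, not code from the original post: how a vendor page can hand a
// purchase record to a third party without ever reading that party's cookie,
// and how the third party joins the record to its own session cookie. The
// browser does the joining for them. All hosts, cookie and parameter names
// below are hypothetical.

const TRACKER_ORIGIN = "https://tracker.example"; // stands in for the social network
const TRACKER_COOKIE = "sid";                      // hypothetical session cookie name

// Vendor side: build a URL on the tracker's origin that carries the purchase.
// Whether it is loaded via <img>, <script>, <iframe> or a redirect, the browser
// attaches the tracker's cookies, because the request is addressed to the
// tracker's domain. The vendor itself never sees those cookies.
function vendorBeaconUrl(vendor, purchase) {
  const u = new URL("/beacon", TRACKER_ORIGIN);
  u.searchParams.set("vendor", vendor);
  u.searchParams.set("item", purchase.item);
  u.searchParams.set("price", String(purchase.price));
  return u.toString();
}

// The classic web bug: a 1x1 image pointing at the beacon URL. The '&' between
// query parameters is HTML-escaped so it survives inside the attribute.
function vendorBeaconMarkup(vendor, purchase) {
  const url = vendorBeaconUrl(vendor, purchase).replace(/&/g, "&amp;");
  return `<img src="${url}" width="1" height="1" alt="">`;
}

// Tracker side: parse the Cookie header as the browser sends it.
function parseCookies(header) {
  const out = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Join the vendor's query string with the tracker's own session cookie into one
// record. Without the cookie the hit is anonymous and cannot be linked.
function trackerReceive(requestUrl, cookieHeader) {
  const u = new URL(requestUrl);
  const user = parseCookies(cookieHeader || "")[TRACKER_COOKIE];
  if (!user) return null;
  return {
    user,
    vendor: u.searchParams.get("vendor"),
    item: u.searchParams.get("item"),
    price: u.searchParams.get("price"),
  };
}

// What a user with Firebug or Tamper Data is really hunting for: URLs in the
// page that point at origins other than the page's own. Scans src/href/action
// (and ping) attributes and reports the foreign origins, which is where a
// hand-off like the one above has to surface.
function thirdPartyOrigins(html, pageUrl) {
  const own = new URL(pageUrl).origin;
  const found = new Set();
  const re = /\b(?:src|href|action|ping)\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    let target;
    try {
      target = new URL(m[1].replace(/&amp;/g, "&"), pageUrl);
    } catch (e) {
      continue; // not a parseable URL, e.g. "javascript:"-less junk
    }
    if (target.origin !== own) found.add(target.origin);
  }
  return [...found].sort();
}

// Constructed sample: a Blockbuster-like confirmation page and the request the
// browser would then send to the tracker (with the tracker's cookie attached).
const SAMPLE_PURCHASE = { item: "Biodome", price: 3.99 };
const SAMPLE_VENDOR = "blockbuster.example";
const SAMPLE_PAGE =
  "<html><body><p>Thanks for renting!</p>" +
  '<a href="/account">Your account</a>' +
  vendorBeaconMarkup(SAMPLE_VENDOR, SAMPLE_PURCHASE) +
  "</body></html>";

function demo() {
  const request = vendorBeaconUrl(SAMPLE_VENDOR, SAMPLE_PURCHASE);
  return {
    request,
    linked: trackerReceive(request, "sid=user-42; lang=en"),
    anonymous: trackerReceive(request, "lang=en"),
    foreign: thirdPartyOrigins(SAMPLE_PAGE, "https://blockbuster.example/checkout"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with node. The point of the split is that neither side violates the browser's cookie scoping: the vendor only emits a URL, the tracker only reads its own cookie, and the user's browser is the party that carries the identifier across the domain boundary. The origin scan is the cheap first check: any purchase-confirmation page that references a foreign origin is a candidate for exactly this kind of hand-off.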
(Not having either a facebook or a Blockbuster account, I don't know what the precise technique used is; I'd be curious to learn more about that. If anyone feels like drilling down further, tamper data and Firebug are among the tools of choice.)
The more general point, though, is independent of the precise mechanism used to pass on the data: Today's Web is an environment in which applications have lots of opportunities to communicate with each other, to aggregate data, and to mash up information from different sources. What is useful infrastructure in a Web 2.0 application becomes a privacy threat when used maliciously.
Enabling social processes becomes key: How can we make sure that Web applications' data flows become comprehensible to users -- both from an infrastructure and from a usability perspective? And how can we make sure that Web application providers have to state their intentions transparently, providing levers for social and regulatory enforcement? These questions bring us all the way back to P3P; using P3P compact policies as the trigger for IE6's handling of third-party cookies demonstrated how technical capabilities can be used as a lever to enable at least some social transparency of business behavior.
Maybe we need another generation of simple policy languages that enable a similar tie-in, but for a broader set of use cases: Placing cookies in HTTP headers is hardly the main concern any more. Forget cookies if you can get client-side SQL and client-side global data storage. Forget web bugs for data leaks if JavaScript can submit() forms cross-domain (and XForms have the same feature, but declaratively). And forget forms if events can cause the user's every keypress and mouse click to trigger an XMLHttpRequest() object to phone home (soon cross-domain). In today's environment, the ping attribute on links almost comes as a relief, as it makes tracking techniques easier to spot -- along with making tracking easier. If, as a community, we want to use technical levers to entice Web application providers to behave in a socially transparent and responsible way, then we need to take a comprehensive approach, start to understand what technical control points we still have, and work out how we can use them.
Meanwhile, our best chance of holding sites honest is the kind of public shaming that facebook is experiencing, law enforcement, and regulation (where applicable) -- if anybody notices what's going on, that is.