The design flaw that I hinted at was the Internet's (HTTP) reliance on Cookies to add "state" to a user's browser. This is almost in direct conflict with Privacy. And I know the purists are shouting at me now, but think about it: if I don't want to be tracked then I should simply be able to turn off anything and everything that could possibly use my data, and that includes no more cookies. (Of course the Internet would collapse without Cookies.)
So how do we change the current design of the Internet to solve this dilemma?
Before we try and answer that problem, let's revisit another blog post (Privacy: Do Not Track & the real Elephant in the room) where I quoted two Norwegians and their definition of Privacy.
Selmer and Blekeli in 1977: Privacy is the legitimate interest of a person to control the collection and use of information that relates to him/herself. (Source: "Data og personvern" p. 21, Universitetsforlaget, Oslo)
So now we have the underpinnings of the problem we need to solve:
How do you improve the Internet so that I can control the collection and use of information that relates to "Me" - and do so while co-existing with the current Internet.
Now let's double check with the current White House Administration's proposal to ensure that we're still all in agreement. Here's the paper you need to read: "National Strategy For Trusted Identities in CyberSpace". Page 2 is the critical page. And here it is:
Individuals and organizations utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.
The realization of this vision is the user-centric “Identity Ecosystem” described in this Strategy. It is an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities—and the digital identities of devices. The Identity Ecosystem is designed to securely support transactions that range from anonymous to fully-authenticated and from low- to high-value. The Identity Ecosystem, as envisioned here, will increase the following:
- Privacy protections for individuals, who will be able to trust that their personal data is handled fairly and transparently;
- Convenience for individuals, who may choose to manage fewer passwords or accounts than they do today;
- Efficiency for organizations, which will benefit from a reduction in paper-based and account management processes;
- Ease-of-use, by automating identity solutions whenever possible and basing them on technology that is simple to operate;
- Security, by making it more difficult for criminals to compromise online transactions;
- Confidence that digital identities are adequately protected, thereby promoting the use of online services;
- Innovation, by lowering the risk associated with sensitive services and by enabling service providers to develop or expand their online presence;
- Choice, as service providers offer individuals different—yet interoperable—identity credentials and media.
So let's summarize the problem...
The innovator's dilemma is to figure out how to extend the current HTTP protocol so that it can offer Me: Privacy, Convenience, Efficiency, Confidence, Control and a Choice in how my information is collected and used.
Well here's the good news - fortunately we only have a production flaw NOT a design flaw to deal with. Let's head over to read the document that tells us how the Internet works and see if there's anything there that can help solve the problem using a little teamwork e.g. the browser manufacturers, the W3, Web servers and Content providers all working together to give me a Choice.
The document is RFC 2616 and here's the important part that points to the answer:
The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. It is a generic, stateless, protocol which can be used for many tasks beyond its use for hypertext, such as name servers and distributed object management systems, through extension of its request methods, error codes and headers. A feature of HTTP is the typing and negotiation of data representation, allowing systems to be built independently of the data being transferred.
I've highlighted the answer to the Innovator's Dilemma.
HTTP is an "extensible" protocol, which means that we can extend it to support new ways of doing things. And the way to do that is with something called an X header. In technical parlance this "is a standards based method to extend the protocol with non-standard based data". The non-standard data in this case is secure, encrypted information about me that I choose to allow the browser to share with a trusted Web site or 3rd party provider.
Now how do we integrate all of this? Well, we start with the two Norwegians' definition of Privacy and use that to determine the control method. If I have to be in control then there's only one place to add the controls - the Browser. We add a secure database that holds my information - we then allow the user to control every aspect of that database. In essence you can choose to share whatever you want, with whomever you want.
Now let's go to the second part of the problem - the content providers/web servers. Well, there's good news here too. If I trust them, then I can elect to share my data; if they abuse that privilege then I can turn off sharing - I always have control over the process.
So how do they get my data?
They read the incoming X headers (the approved way to transmit non-standard data over a standard protocol). Now again I can hear the purists shouting - "that's going to put a big load on the servers". And to that I say nonsense - servers are incredibly fast these days, and the burden of reading an extra 100 bytes of data on every request, even if it is encrypted, is insignificant. And if it is - then buy a bigger server. Those bytes are the least of your problems.
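To make the browser-side wallet, the per-site sharing control and the server-side header read concrete, here is an added example in Python. It is not code from the original post; the header name `X-Identity`, the wallet API and the shared per-site key are all my assumptions, and the sample data is constructed. The wallet only emits the header for origins the user has approved, and only with the fields approved for that origin; revoking an origin stops the sharing. The server side shows the check a practitioner would want: the header carries a per-site HMAC tag so a site can reject a forged or tampered header instead of trusting whatever arrives. A shipping design would wrap the payload in real authenticated encryption and rely on TLS for confidentiality in transit; that part is deliberately left out here. One further caveat: the `X-` convention the post relies on was later deprecated for new headers by RFC 6648, so a current design would pick a plain header name.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Hypothetical header name; any non-standard header name would do.
HEADER_NAME = "X-Identity"


@dataclass
class IdentityWallet:
    """Browser-side store: the user's data plus a per-origin sharing policy."""
    data: dict
    # origin -> set of field names the user chose to share with that origin
    policy: dict = field(default_factory=dict)
    # origin -> shared secret agreed with that site (assumed to exist;
    # how it is provisioned is out of scope for this example)
    keys: dict = field(default_factory=dict)

    def allow(self, origin, fields, key):
        """User decision: share exactly these fields with this origin."""
        self.policy[origin] = set(fields)
        self.keys[origin] = key

    def revoke(self, origin):
        """User decision: stop sharing anything with this origin."""
        self.policy.pop(origin, None)
        self.keys.pop(origin, None)

    def build_header(self, origin):
        """Return (name, value) to attach to a request, or None if nothing is shared."""
        fields = self.policy.get(origin)
        if not fields:
            return None  # untrusted or revoked origin: no header at all
        payload = {k: v for k, v in self.data.items() if k in fields}
        body = base64.urlsafe_b64encode(
            json.dumps(payload, sort_keys=True).encode()).decode()
        tag = hmac.new(self.keys[origin], body.encode(), hashlib.sha256).hexdigest()
        return HEADER_NAME, f"{body}.{tag}"


def read_identity_header(headers, key):
    """Server side: parse and verify the header; None if absent, malformed or forged."""
    value = headers.get(HEADER_NAME)
    if value is None:
        return None
    if len(value) > 4096:
        return None  # bound the work done on an attacker-supplied header
    try:
        body, tag = value.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # tampered, or sent by someone without the site's key
    try:
        return json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return None


def demo():
    """Walk through allow, share, verify and revoke with constructed sample data."""
    wallet = IdentityWallet(data={
        "name": "Alice Example",            # constructed
        "email": "alice@example.invalid",   # constructed
        "phone": "555-0100",                # constructed, never shared below
    })
    shop_key = b"constructed-demo-key-for-shop"
    wallet.allow("https://shop.example", ["name", "email"], shop_key)

    name, value = wallet.build_header("https://shop.example")
    seen_by_shop = read_identity_header({name: value}, shop_key)
    seen_by_tracker = wallet.build_header("https://tracker.example")

    wallet.revoke("https://shop.example")
    after_revoke = wallet.build_header("https://shop.example")
    return seen_by_shop, seen_by_tracker, after_revoke


if __name__ == "__main__":
    print(demo())
```

The point of the split is that the control lives entirely in the wallet: the server never sees a field the user did not opt in for that origin, and a site that loses the user's trust simply stops receiving the header on the next request.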
So there you have it - the answer to the Innovator's Dilemma on how to improve the Internet: add your identity to the browser, do it in a way that allows you to control that identity, and then share it using current standards with any Web server. It meets all the White House guidelines, and it works with every Web server, firewall, filter and router. It requires zero changes to the current infrastructure other than to ship a new browser with essentially a wallet built in.
In essence this will transform the Internet into something it should have been in the first place - a "contextually aware data communications platform". Only this time I will finally have a Choice in the collection and use of the information that relates to "Me".