Don Marti

Sat 04 Sep 2010 06:42:00 AM PDT

Privacy tweaks for browsers?

I talked with Doc Searls about the issue of cross-site user tracking and how people choose to talk about it (previous post here).

The big question is: can you make a browser's privacy defaults closer to what users expect or want (the way that Mozilla tweaked their CSS implementation to avoid leaking history information) without breaking things that users expect to work?

For example, there's third-party content that users are used to: images from CDNs and "recommend this story" buttons from meta sites such as Digg and Slashdot.

What you really don't want to have happen is endless dialogs: "Do you want to accept a cookie from example.com?" "Do you want to run a script from example.com?" The more questions that you ask, the more that people click the wrong thing just to get the dialogs to go away.

So how about this as a starting point for a privacy rule: Don't store third-party cookies, DOM Storage, or scripts from a domain unless the user has already accepted them for first-party use. So if a user actually goes to example.com, and the site uses JavaScript and cookies, then later on, when another site includes third-party scripts or cookies sourced from example.com, allow them. If the user has never heard of example.com and gets offered their cookies and/or scripts when visiting another site, silently block the third-party stuff, or at least expire the cookies when leaving that site.

That should give the user the expected integration with his or her chosen meta and social sites, without the unsettling mystery tracking.
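The rule above written out as decision logic, added here as an illustration; it is not code from the original post or from any browser. The class and function names are hypothetical, and `siteOf` assumes a site is the last two hostname labels, where a real implementation would consult the Public Suffix List.

```javascript
// Added illustration of the rule above; all names are hypothetical.
// Assumption: "site" = last two hostname labels. A real browser would use
// the Public Suffix List so that e.g. example.co.uk is handled correctly.
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

class FirstPartyGate {
  // mode 'block': silently drop unknown third-party state.
  // mode 'session': keep it only until the user leaves the embedding site.
  constructor(mode = 'block') {
    this.mode = mode;
    this.visited = new Set();   // sites the user navigated to directly
    this.temporary = new Map(); // embedding site -> Set of third-party sites
  }

  // Called on a top-level navigation (the user actually goes to the site).
  // Returns the third-party sites whose stored state should be expired now.
  navigate(url) {
    const site = siteOf(url);
    const expired = [];
    for (const [embedder, thirdParties] of this.temporary) {
      if (embedder !== site) {          // the user has left that site
        expired.push(...thirdParties);
        this.temporary.delete(embedder);
      }
    }
    this.visited.add(site);
    return expired;
  }

  // Called for each cookie, DOM Storage access or script load on a page.
  decide(pageUrl, resourceUrl) {
    const page = siteOf(pageUrl);
    const origin = siteOf(resourceUrl);
    if (origin === page) return 'allow';          // first-party use
    if (this.visited.has(origin)) return 'allow'; // user has been there
    if (this.mode === 'block') return 'block';    // no dialog shown
    if (!this.temporary.has(page)) this.temporary.set(page, new Set());
    this.temporary.get(page).add(origin);
    return 'session-only';
  }
}
```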

Anyway, this is the kind of stuff you can come up with if you think about how HTTP works and try to put the verbs in the right place when describing web tracking and privacy issues. Would it work?

comment 1
It wouldn't work for scripts; too many sites use menus, etc., powered by scripts on third-party sites.
Comment by Polyergic Sat 04 Sep 2010 08:11:38 AM PDT