Privacy is a commodity

“We value your privacy,” begin approximately 187 billion website privacy policies. Then they go on to say how they’ll give away data to any “partner” for any number of vague reasons. Then they make further mockery of that “value” thing by plugging in all manner of user-tracking technology.

Let me put that even more bluntly.

Any website owner that claims to value user privacy and then plugs in a third-party widget is a hypocrite. They don’t value privacy at all. They have, in fact, proven the exact opposite. They’re a willing accomplice, letting that third party track users’ online activities in any way they like.

Back in the distant days of Web 1.0, if you fancied fancy functionality on your website then it was usually provided by code running directly on your web server. The only place user interactions were logged was on that one website. Well, barring the activities of three-letter agencies and their SEKRIT monitoring along the wire.

Now, though, vast numbers of websites provide all manner of functions using widgets supplied by third parties and deployed from those third parties’ servers. And that’s where the problem begins.

Let’s take Disqus as an example, because it’s the tool that set my train of thought in motion.

Disqus is a commenting system for websites based on plug-ins for a wide range of content management systems including WordPress, Joomla, MovableType, Blogger and Tumblr. There’s even a generic “universal code” version, a snippet of JavaScript that’s advertised as working on any website. Look see! Disqus even provides the commenting system here at Technology Spectator.

Disqus provides benefits for both website owner and commenter, sure. But the problem is that if I, as a user, want to comment on a website that uses Disqus, I have no alternative but to have a relationship not only with that website but with Disqus too.

As soon as I log in to post a comment, Disqus is tracking me. Then, thanks to the magic of cookies, they can track me across every other website that uses Disqus, compiling a wonderfully saleable profile of my interests as I go.

Actually, Disqus is tracking me whether I log in or not. Its JavaScript has to be loaded just to display the comments on a website. Logging in just gives Disqus the added bonus of being able to cross-match my browsing habits with the name and email address I provided at registration time. That in turn would allow Disqus to cross-match with any other database they might obtain, by fair means or foul.

In theory I could block Disqus’ cookies to prevent the ongoing tracking, turning access back on only to post comments and then flushing the cache. But that sounds tedious. Besides, it might not work. It’s been shown that for most internet users their specific combination of operating system, web browser and browser plug-in versions, screen dimensions and other JavaScript-accessible facts is usually enough to uniquely identify their computer.

And of course if I disable JavaScript then Disqus won’t work, and I can’t see the comments at all.

I don’t know whether Disqus uses any of these tricks. Chances are they don’t. But that’s irrelevant.

The real issue is the tradeoff that Disqus-using websites have made on my behalf. Rather than paying for web development with their own money, they’re paying for it with my personal data.

Excuse me?

OK, so I’m a hypocrite too. If you visit my website I’ll give tracking power to Google in exchange for Google Analytics, Doppr for a widget that lists my travel dates, Automattic for each commenter’s avatar, Google again to embed a YouTube video, PayPal to include a give-me-money button, Ustream to embed my old live video show… and on and on…

And I don’t even run advertising. Don’t get me started on that!

The currency of Web 2.0 is our own users’ privacy, and we spend it like water.

Looking a little further ahead, what happens when the world is awash with vast databases of personal data? When every pissant little web service is trying to flog its list of 30 million names, addresses and browsing habits? Supply, demand etc.

There’s only so much analytics that advertisers will pay for. The bubble will burst. But personal information can’t be put back into the bottle. Then what?

Stilgherrian is a writer, broadcaster and consultant covering the intersection of technology, politics and the media. He majored in computing science, has used online services heavily since the mid-1980s, and has worked as a network administrator.