Privacy at Swash: As cookies crumble — How Swash is changing the consensus around data, by design
It’s the end of the (AdTech) world as we know it…
With Safari and Firefox already blocking cookies by default, and Google planning to phase out support, the old tools and practices around data are being deprecated and up-ended.
The prolonged death of third party cookies is only the latest development in a process that started 10 years ago with laws adopted by all EU countries giving people the right to refuse tracking tools that reduce their privacy online.
Since then, the banners this law created have grown into cookie monsters, to the point where the newly independent UK has labelled them ‘pointless’ and argues for their replacement by choices at the browser level.
While the UK has its own motives, it does feel time for the digital world to move beyond these most basic tools to manage their use of data and notify the world to see in the form of a privacy policy or banner.
These are now ubiquitous and, in the case of banners, dominate the online user experience, often obscuring the content to the point where they represent a ‘cookie wall’. Like the quickly-spoken small print on car finance ads heard on the radio, hardly anyone is listening or really believes their rights are being respected when they click through.
Advertisers, data scientists and other data consumers are also concerned about using aggregated third-party information with consent obtained through acquiescence, rather than ‘freely given” as GDPR requires.
They worry such consent is not valid, and the new E-Privacy Directive, successor to the Cookie Laws and the subject of four years of deliberations, increases the likelihood insights from such data will be outweighed by risks of regulatory action and class-action lawsuits.
Putting Privacy by Design, into Practice
It’s now clear the ‘sticking plaster’ for data use and abuse represented by cookie banners and privacy notices don’t mitigate the risk faced by the marketing services industry. The solution isn’t more regulation which raises the burden of notification higher, and trains people to further zone out or click “stop bothering me”.
While article 25 of GDPR stresses the use of “state of the art” technology, there’s often a disconnect between top-down, compliance-led processes and the developers building new apps and solutions, and criticism of the ‘utopian’ and ‘academic’ mindset of many privacy activists.
How can we bring these different viewpoints together, and bring the principles of Privacy by Design into practice? I believe the tools already exist, both in terms of technology and process. In particular, the DPIA, or Data Protection Impact Assessment.
Intended as a living document or ‘pre-flight check’ for existing or planned data-intensive activities across an organisation, I’ve found DPIAs an invaluable tool both in my consultancy work with clients and teaching marketing students at the IDM.
The question and role-based approach embedded within DPIAs means they can perform a dual role of reintegrating legal with the ‘engine rooms’ (marketing, sales, operations) of the business and capture the necessary detail to translate into technical deliverables before any code is written.
This can be difficult for established organisations, but such frank analysis brings unexpected benefits in terms of efficiency and making data transparency and security part of ‘business as usual’.
For new projects, there is the benefit of starting with a clean sheet, but it can be intimidating to start and engage with regulator-issued templates for DPIAs. This can put off many smaller projects, and there is very little in terms of a knowledge base for completed DPIAs in the public domain, perhaps due to concerns around commercial information being exposed to competitors.
The Swash approach
How do we deepen the common pool of knowledge around DPIAs and extend its reach? One way is to bring in technical, external and academic stakeholders at the earliest possible stage, as demonstrated by Swash.
As the world’s first Data Union, Swash has built a browser plugin that already enables over 60,000 users to monetise their data from web surfing and exercise a degree of control and choice previously unavailable from banners and preference centres.
Swash made a conscious decision to identify the need for a DPIA at the start of their project, describing the scope and nature of all the processing they would be doing across the entire data lifecycle; capture, usage, transfer, storage and eventual deletion of information.
This was vital not just in getting to grips with the complexities of the relationship between Swash, its users and third parties who purchase and interrogate the data but also to inform the direction and priorities for development, security and support.
In the current climate of concern and distrust around data privacy, particularly in the context of decentralised tech, Swash prioritised the “Consultation” step of the DPIA process, by which the methods and mechanisms to consult with all stakeholders are defined and followed through into action.
When I joined Swash earlier this year as an Advisor I found the DPIA had not been filed away but, instead, treated as a living document subject to regular review. The Swash DPIA had also been analysed and made the subject of an academic case study by the School of Computer Science in Guelph, Canada.
This process was valuable because it validated some of the particular challenges with Swash in terms of building a business model and tech concurrently, but meant these could be added to the general body of knowledge to new students entering the employment market.
If more projects in the crypto space adopt this model, this starts to change the way software is developed in the form of scalable tools, frameworks and design patterns which make it increasingly hard to produce tech which is not privacy-preserving, rather than remedial work on the current ecosystem. This is what we understand by “state of the art”.
Since then, as Swash launches the first wave of solutions to be built on its platform, we have reviewed and updated the DPIA to reflect developments in available tech and changes in what is a fluid regulatory and commercial landscape. We continue to welcome external scrutiny and discussion on this subject, and encourage all to join the debate on our social channels or via contact@swashapp.io
Gilbert Hill is a Privacy Technologist & Entrepreneur. After founding one of the first PrivTech software companies around cookie compliance, he was CEO of a VC-funded blockchain startup building tools to exercise data rights. He now advises companies, public sector organisations and crypto projects on the responsibilities and opportunities around data ethics and monetisation.
About Swash:
Swash is an ecosystem of tools and services that enable people, businesses, and developers to unlock the latent value of data by pooling, securely sharing, and monetising its value.
People share their data to earn while retaining their privacy. Businesses access high-quality, zero-party data in a sustainable and compliant way. Developers set up and build systems within a collaborative development framework with ease.
Swash is reimagining data ownership by enabling all actors of the data economy to earn, access, build and collaborate in a liquid digital ecosystem for data.
Let’s connect: Twitter | Telegram | Reddit | LinkedIn | Website | Newsletter
Originally published at https://swashapp.io on October 2, 2021.
