An interesting technical proposal for the web popped up last month just quietly, prosaically named A File Format to Aid in Consumer Privacy Enforcement, Research and Tools.
It's written by researchers Nick Sullivan, Louise van der Peet and Georgios Smaragdakis at the Delft University of Technology in the Netherlands, and Brien Colwell of encrypted network company BringYour.
What the proposal is about is to help users to actually exercise the extensive rights to privacy they have nowadays, under for example the European Union's General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA).
Legally, users have those extensive privacy rights but nowhere is it specified that it should be easy to exercise them and that is the problem the humble text file seeks to solve.
"Following this file format makes it easier for consumers to take privacy actions, similar to one-click unsubscribe," the researchers suggest; what's not to like about that?
Web developers will be familiar with robots.txt file that tells crawlers how to index sites, which data to access and what to leave alone, that was first mooted in 1994.
That text file is now commonly used, and the proposed privacy.txt file works in a similar fashion, bringing a standardised and machine parseable way to add structured data for a complete privacy policy, what consumers can do to enforce their rights, and those pesky cookie disclosures.
From the proposal:
.. currently the association between a web request and the privacy policy is tenuous, leading to the possibility of incorrect or unverifiable consumer data usage at the very source.
This proposal fills that hole by associating structured privacy data with every web server.
Just like HTTPS security can be technically enforced, this proposal makes it possible to technically enforce privacy by verifying that the structured privacy information exists and is in good standing before sending data to the server.
Apart from linking to a machine-readable privacy policy, the text file provides information about the site owner, including a contact email address.
Privacy.text also includes email addresses or links for people to use, to request their personal data and profiles be deleted under right to be forgotten regulations. The file will also provide resources for users to opt out of data sharing with third parties, and receiving marketing messages.
Disclosure of cookies, the small text files that web servers can set on users' machines, is also included in privacy.txt. Web browsers could use this to refuse any undeclared cookies. Whether or not a universally supported privacy.txt will put an end to the incessant cookie disclosure screens on sites remains to be seen, but here's hoping.
The researchers have submitted the proposed file format to the Internet Engineering Task Force (IETF) standards body for consideration.
We welcome your comments below. If you are not already registered, please register to comment.
Remember we welcome robust, respectful and insightful debate. We don't welcome abusive or defamatory comments and will de-register those repeatedly making such comments. Our current comment policy is here.