WebRTC Use by New York Times Creates Privacy Hubbub
Just in case you missed all of the commotion this week, WebRTC was placed right at the center of an interesting privacy problem as a result of its use by the venerable New York Times (NYT) on its Nytime.com website to track the private IP address of visitors. While NYT apparently is not using the information gathered for nefarious purposes, unless you consider building better visitor profiles for marketing reasons nefarious, there are two obvious problems here.
First, at a high level here in the U.S. NYT is obtaining private information without user consent. They have been able to do so by exploiting the fact that WebRTC enables supported websites to read the private IP addresses of visitors. In fact, this capability in WebRTC allows for circumvention of tools designed to actually block precisely this activity.
Second, as if the first was not bad enough, as numerous comments were quick to point out and post, such practices happen to be a violation of European Union law. Specifically, given how popular WebRTC has become in Europe, the language everyone needs to be aware of is:
“The use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller.”
All of this relates back to the huge raison d'etre for big data and sophisticated analytics. In a world where buyers now have more access to better information and options, sellers want to have as complete a user profile as possible to make their marketing campaigns both more efficient and in theory more effective. After several decades of it first being postulated by famous futurist Alvin Toffler, we are getting ever closer to what he described as the effective targeting of “The Market of One.” And, key to that targeting obviously is IP address information as it is the breadcrumbs we leave that enables sellers to build more context-rich profiles of all of us.
What the NYT revelation shines a light on is where to draw the line on what should be considered the acceptable practices for capturing our information and where should consent play a part. It is understandable that marketers hate the fact that public IP address exposure provides them less than perfect information about us, and that they recognize that asking for consent about exposing private IP addresses might lead to people not being pleased. However, as the release of the rules regarding robocalling in the U.S. by the Federal Communications Commission (FCC) highlights, and which made direct marketers grumpy to say the least, we are heading toward a more permission-based interactive world.
In short, while there is great and growing enthusiasm for WebRTC, applications and service developments using the technology cannot and should not be done with a lack of recognition of their context in real use cases. WebRTC enables a lot of great things, but as with all technologies it also enables activities or capabilities with a dark side. Let the NYT example serve as a warning.
Edited by Dominick Sorrentino