Yesterday I posted about how the current Do Not Track debate is muddling the underlying issues. I got a great reply from Mike Yang on Twitter that rightly pointed out that P3P had been a mess in part because Microsoft jumped the gun on it. That got me thinking about an even broader context here, which is the shift to mobile. A Do Not Track battle fought only on the web is even more absurd in the context of a rapid shift in where people spend their time and where they can be tracked even better (at least in the new iOS).
Mike then pointed out that Android has a pretty good permission system, which I agree with. The system is easy for end users to understand and doesn’t get in the way because you need to approve it once when you start using an application and then only if an upgrade to that application wants more permissions.
So the better idea here might be to start with mobile and then extend that model to the web. When you first visit a site there would be a one-time permission dialog. Websites in the EU already do this with regard to cookies. Now one might think that this becomes very cumbersome. But with a standard, browsers could be configured so that you don’t even see the dialog if a site is only requesting permissions that you are willing to always grant.
Of course websites don’t operate in a sandbox, so there would be some trust involved. But a standard like this would also make it possible to construct automated services that can crawl the web, register for sites and services, monitor marketing systems and see if sites are abiding by their requested permissions.
The permissions themselves should be things that can be worded in relatively plain English (substitute your language here), such as “Permission to send emails to you” or “Permission to share anonymized information with third parties for marketing purposes.” This approach would also make it possible to weave in things that are one off now, such as sites permitting access to location or potentially local storage.
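To make the proposal in the last three paragraphs concrete, here is an added sketch (not from the original post, and not an existing standard) of the browser-side decision logic: a site declares a set of permissions, the browser silently grants the ones the user always allows or previously approved, silently denies the ones the user always refuses, and shows a plain-language dialog only for what is new. The permission ids, manifest shape and policy fields are all hypothetical; the last function is the compliance check a crawler from the previous paragraph would run.

```javascript
// Hypothetical machine-readable permission ids mapped to the plain-English wording
// the post proposes. Both the ids and the mapping are assumptions for this example.
const PERMISSION_LABELS = {
  "email:send": "Permission to send emails to you",
  "share:anonymized-marketing":
    "Permission to share anonymized information with third parties for marketing purposes",
  "geo:location": "Permission to access your location",
  "storage:local": "Permission to store data on this device",
};

// Decide what to do when a site presents its declared permissions.
//   requested  - permission ids from the site's (hypothetical) manifest.
//   userPolicy - { alwaysGrant: [...], alwaysDeny: [...] } configured once in the browser.
//   priorGrant - ids the user already approved for this site; null on first visit.
// Returns { granted, denied, prompt }; only `prompt` needs a dialog, so a site asking
// for nothing beyond the user's always-grant list produces no dialog at all, and an
// "upgrade" that adds permissions prompts only for the additions (the Android model).
function decidePermissions(requested, userPolicy, priorGrant = null) {
  const unknown = requested.filter((p) => !(p in PERMISSION_LABELS));
  if (unknown.length) throw new Error(`Unknown permission id(s): ${unknown.join(", ")}`);

  const alwaysGrant = new Set(userPolicy.alwaysGrant || []);
  const alwaysDeny = new Set(userPolicy.alwaysDeny || []);
  const prior = new Set(priorGrant || []);

  const granted = [], denied = [], prompt = [];
  for (const p of requested) {
    if (alwaysDeny.has(p)) denied.push(p);                           // refused, no dialog
    else if (alwaysGrant.has(p) || prior.has(p)) granted.push(p);    // silent grant
    else prompt.push(p);                                             // genuinely new: ask
  }
  return { granted, denied, prompt };
}

// Dialog text for the permissions that still need a decision; null means "no dialog".
function dialogText(site, prompt) {
  if (prompt.length === 0) return null;
  return [`${site} is requesting:`, ...prompt.map((p) => `  - ${PERMISSION_LABELS[p]}`)].join("\n");
}

// Compliance check for the crawler idea: actions observed from a site (e.g. an email
// it sent, a location read it made) that its declared permission set does not cover.
function undeclaredActions(declared, observed) {
  const allowed = new Set(declared);
  return observed.filter((a) => !allowed.has(a));
}
```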
It will take some work, but I think one could come up with something that works across both mobile and the web with the same language. That would be a real win for consumers and also provide operating clarity for companies.