There have been some requests to require all web browsers to transmit rules that instruct web pages on how long they can hold onto data.  Passing rules along with data is a bad idea because it may be ignored due to existing rules and simply because it is unenforceable.

Suppose that a default rule that a web browser would send is “only keep this data for 2 weeks”.  When a user goes to upload and share a picture with their friends, there are existing terms and conditions in place merely by using the web site which may override this 2 week retention rule.  The website might say plainly that uploaded pictures will be archived forever which is in conflict with the rules that are associated with the picture.  This leads to user confusion as the expectations may differ.

Using the same example as above, there is no way for the browser to verify that the website does honor this retention rule.  After all, what a recipient does with a piece of data is outside the scope of what a browser sees.  Any browser user-interface would not be able to assert any fact regarding these rules.   Thus, the default rules would never be able to be changed by the user.  And because these defaults would never be seen by the user or changed in any way, all will most likely ignore them.

Currently, one of the most sensitive data that people share with a website is their credit card number.  Browsers have never passed rules to a website when an e-commerce transaction occurs.  Yet, sites do not retain credit card numbers without permission.  In this case, there are regional laws governing the usage of credit card numbers.

This approach of putting legal protection around data is best.  If a certain type of data is deemed more sensitive, it should be treated that way legally and outside of the way it is transfer. Credit card numbers can be transferred in any manner – from the browser to a website, or from a postcard to a brick and mortar – both methods are protected.

Update:
Localization to Belorussian by Patricia Clausnitzer. Cool.

The previous day at MetaPlaces, I heard a lot about mobile advertising and the targeting operators can provide. What was most scary for me was the amount of information operators have and their use of this information to place you into a very detailed market segmentation… all of this without your expressed permission…

One company was able to take a two week data drop from an undisclosed operator and tell you the sort of lifestyle, socioeconomic status, age range, and other demographics of the phone owner. The data drop merely consisted of longitudes and latitudes of where the phone was at given times. Following a single phone you are able to known where the person lives, what kind of coffee he drinks, what area the person works, what stores he shops at, what their work hours are like, are they hitting clubs at night or are going home, and do they spend time at the library. And the user is aware that this sort of tracking is happening!

This is wrong. Operators should always be up front about this. The location data is yours. Where you take your phone, like who you call, is personal information.

Recently, a group of privacy advocates are calling on Congress to address some of these concerns. Some of the more interesting requests are:

* Sensitive information should not be collected or used for behavioral tracking or targeting.

* Individuals should be protected even if the information collected about them in behavioral tracking cannot be linked to their names, addresses, or other traditional “personally identifiable information,” as long as they can be distinguished as a particular computer user based on their profile.

* Individuals should have the right to confirm whether a data controller has their personal or behavioral
data, request such data, and delete it.

For more information about this effort, please check out the CDD press release.