• Home
  • Interviews
  • James Rosewell, SWAN : “In practice, no one’s privacy has been improved”

James Rosewell, SWAN : “In practice, no one’s privacy has been improved”

Partager sur facebook
Partager sur twitter
Partager sur linkedin
Partager sur email

This week, we were given the opportunity to meet with James Rosewell, the founder of an innovative alternative solution to the upcoming elimination of third party cookies, SWAN (Secure Web Addressability Network). James is focused on technological innovation and addressing major technological challenges. His mantra : making the complex manageable (and understandable if I may add). True to himself, James developed SWAN with the aim of simplifying and improving the experience of users and publishers. SWAN is founded on strong values and concepts such as user experience, trust, privacy, community and the right to be forgotten. I strongly recommend that you visit the SWAN website (https://swan.community/)  for more information on its philosophy, its functioning (FAQ and detailed explanatory videos) and its commendations. You will also find an Open Web demo and a comparison between SWAN and other solutions to the problems created by the retirement of third-party cookies.

Please find below a transcript of our discussion[1]:

“What led you to create SWAN?

51Degrees, my company, provides information about the devices that are accessing websites. Details include the browsers, the operating systems, the versions, what they’re capable of.

We knew about the privacy sandbox from the August 2019 announcement. We honestly thought it wouldn’t go anywhere, but that changed in January 2020. Google committed to a timeline around the removal of many features of the Web browser, of which there were 23 separate proposals in the privacy sandbox, and they included things that were going to affect our business.

So it led me to ask a lot of questions. What problem is being solved? What problem is the privacy sandbox trying to solve? Improving privacy sounds good, but what does it mean and what are the unintended consequences? It’s a nice aspiration. After talking to a lot of people, I came up with an approach that needed three different prongs.

The first was this matter for regulation. Essentially Big tech companies that control access to digital. Predominantly Google and Apple. If you use the App Store or the Web to deliver your product they are the gatekeepers. They control the rules and that places them in a uniquely powerful position. We see that through the App stores, 30 percent of the financial transactions goes to the gatekeepers. And the web is similar. It is more complicated because it doesn’t get monetized in the same way, but nevertheless, the same dynamic is true. So we need to involve regulators.

The second in relation to the web is the W3C, if that’s the forum that is being chosen for the discussion, then we need to engage there.

And thirdly, we need to create a solution that deals with the problem as we think it is being defined, but in a way that doesn’t have these unintended consequences. So, that takes us to SWAN.

Could you explain SWAN and how it differs from other solutions?

SWAN, unlike, I think, any other proposal, binds the different parties that receive the data to a common contract called the Model Terms. So if I send data to you, you and I have to be bound by those Model Terms and it’s a take it or leave it contract. We can’t say we’re going to negotiate a different contract for the sending of this data, because if we were to do so, we would be in breach of the contract with the party that sent it to me.

We can present a proposition to people where, rather than consenting to a confusing list of unfamiliar companies, that is confusing and difficult for them to understand, they can consent to share pseudo anonymous identifiers and preferences only with parties to a single understandable contract. So it’s very similar to going to buy coffee beans : you can go and buy coffee beans and you don’t know the supply chain of the coffee vendor. You don’t necessarily know which grower grew the beans or who transported the beans from India, or wherever they came from to the country where you’re buying the coffee beans, and you’re not exposed to that supply chain. You don’t have to understand that. But if you care about the supply chain being ethical, you look for the fair trade logo. You know that when you see that logo, the supply chain has been audited. Those Model Terms and the conditions that the Model Terms require become analogous to fair trade coffee, and it’s providing people the trust that they would want to see to confirm that their choice is being respected.

Concretely, what would SWAN’s business model be?

The SWAN ecosystem is made up of two types of entities. A non-profit governance entity that is there to govern the ecosystem, but it doesn’t operate anything. Its primary purpose is to control the Model Terms. We need to have a way of changing these Model Terms so you can say, OK, well, there’s now version 1.0. That would be what the company does. There may also be some logo scheme compliance. You can’t just say pay us ten dollars and you get a logo that kind of doesn’t work. There needs to be some audit and some accountability features there as well. So that’s what that governance organization covers. That would not be for profit. And the key is that that organization is absolutely neutral. That sounds a bit difficult to believe, but I believe that we can create a neutral organization that isn’t aligned to publishers, advertisers, technology or a particular privacy agenda. It can be genuinely neutral.

The second type of entity is the SWAN operators (plural) that must conform to the rules set by the governance organisation. They work together to form the SWAN network and provide the pseudo anonymous identifiers and preferences choices to publishers and advertisers in compliance with the Model Terms.

Have you, or are you currently experiencing any difficulties while developing SWAN?

Broadly the industry has responded in three different ways to SWAN.

One is : it’ll never work and in any case Apple and Google aren’t going to like it even though it complies entirely with their vision of privacy. I think the other part of the skepticism comes from the fact that, in this industry, everyone’s fighting with each other. But the industry is growing up, it’s having its adolescence now and perhaps more rational collaborative heads will prevail.

The second response, particularly from the legal community, has been : will the Model Terms work? Can we define a single contract that will bind an entire industry globally? And again, that’s a big thing, but we already do it in open source software. You have a take it or leave it contractual license for the use of software. And because it’s free, of course, the procurement teams and the legal teams don’t really look at the license agreement. But it works.

Thirdly, we have the privacy community where again, there have been two types of responses within that community. There’s been the group who would say all forms of identifier, no that they’re provided are wrong, bad, evil and shouldn’t exist. I don’t think those people are ever going to be satisfied with Google, Facebook or Apple’s propositions let alone SWAN. The other members of the privacy community who are a little bit more rational and pragmatic about the world see merit in SWAN. In this regard they are aligned to regulators like the UK CMA and ICO.

What I found very interesting in your solution, is the fact that you really want to make it accessible and understandable to everyone, including those that are not introduced to all the data privacy sector, I would say. And this is really appreciable because sometimes it can seem really complex. And I also found interesting the right to be forgotten, which is something that I’ve never really come across on the Internet.

I’m really pleased you picked that up.

Could you expand on this right to be forgotten ?

SWAN only provides pseudo anonymous identifiers. So you’ve got the secure web identifier, which is a random number that’s effectively assigned to the browser. And then you have the signed in identifier which is derived from the email address, but it’s not the email address. It’s the email address that is then hashed. So what that means is we’re not sending out the email address or anything else that directly identifies you as an individual. That makes the right to be forgotten significantly easier, because all you have to do is say stop using those identifiers going forward. When you close that private browser, the data is removed and therefore the right to be forgotten is implemented without you even thinking about it. We have something that is as close to the tightest privacy by design implementation as we can possibly get.

What do you think of the other existing alternatives to third party cookies ?  

I think all of these things have their merits. How does contextual compare well, for certain publishers it makes a lot of sense, but not all. And there’s also a problem of topic. Garrett Johnson from Boston University has a lovely example of where contextual does not work. It’s the sperm whale example. Imagine you are a natural history publisher. You’re writing about natural history and the sperm whale. Well, the word sperm would be on the block list of many organizations. Therefore, you’re going to get stories that are not promoted because of negative connotations of context, for example. So you have problems associated with context.

First party data is another one that gets a lot of attention at the moment. There are publishers scrambling to get first party data. We’ve got to get first party data. We’ve got to have our first party data strategy. And the first party data strategy is to get as much first party data as possible. But what if it annoys the customer? What if they actually leave and don’t want to give you first party data, are you really asking for first party data to support a genuine customer enhancement where they’re going to get better service? Or are you just doing it because you’re not going to have a pseudo anonymous identifier anymore? If I want to get a recipe to make a New York baked cheesecake, why do I need to tell you who I am? I’m quite happy to receive adverts for ingredients associated with New York cheesecake. And I’m sure there’s a good contextual model associated with that. But there’s no attribution. So I think a lot of this first party data, the scramble for first party data for some brands is misguided.

As long as big tech walled gardens can offer features that others can’t, we’re going to have a problem. SWAN provides the most complete and simplest answer.

Thank you for this comprehensive answer. Now, onto broader questions. Do you think that the UK GDPR will stay similar to the EU GDPR, or that it will gradually move away from it, thus risking the adequacy it has been granted?

I think because of Brexit, the UK might end up moving faster than Europe in relation to changes, and therefore the question becomes : does Europe follow? Europe traditionally takes a bit longer. I mean, 27 member states all trying to reach agreement, it takes longer. So I suspect they’ll be some divergence. And I think the question is: is that sensible and will Europe end up mirroring it ? But we’re only seven months into Brexit, so it’s a bit early to say.

One last question which is really broad but great to conclude : what are your general thoughts about the future of privacy online? Are you pessimistic or rather optimistic?

I’m more optimistic than I was a year ago. Did you see the speech from Joe Biden last week about competition in markets? When the president of the United States says sensible things about competition and effectively sets an agenda for the administration in the first six month, I think that’s a good thing. When you see regulators starting to address these problems, then I think that’s a step in the right direction.

The question for me, really, is that no one’s privacy is improved when a small number of trillion-dollar market capitalization companies know everything about you and have permission to use that information for whatever they effectively wish, while being entirely unrestrained. And there’s no effective competition to them because of their size and scale and the way that they have used privacy laws. Google was rubbing their hands with the GDPR. They were like : “This is great, we can comply with the GDPR because we can capture consent when people accept the terms and conditions during the setup of their expensive new phones, when they use our search service or use their email. We provide all the services ourselves so don’t need third-parties”. So it’s easy for Google to comply with the GDPR and have a great smooth user experience. But all the competitors are going to have all these pesky pop-up boxes, and everyone’s going to have to know about everyone else’s supply chain. It really benefits Google in the end.

So in practice, no one’s privacy has been improved. People are more confused than ever. I’m more optimistic than I was but there are some powerful forces at work, and I really think that the next test is going to be the response to SWAN. I’m delighted that the CMA and the ICO are open to SWAN. They want to see it, give it a chance. But ultimately, we need to have a mature debate and stop being lectured to by Apple and Google.”


[1] The transcript is as accurate  as possible to our discussion, but for the sake of clarity and overall consistency, some extracts have been cut, moved or edited.

Évaluez votre niveau
de conformité

En quelques clics,
lancez sans engagement
et en toute conformité un
audit flash !

Pour recevoir votre audit flash gratuit et sans engagement, merci de bien vouloir remplir ce formulaire :