Podcast / Scale / Episode 7

How you can influence online standards by thinking like an end user

Heather Flanagan for Scale podcast episode 6

How can you influence online standards? Heather Flanagan invites us into the world of internet standards, talking us through the realities of cookie changes, data privacy, and how we can influence online standards by thinking like an end user.

About Heather Flanagan

Heather is the Principal and Owner of Spherical Cow Consulting, a firm that helps organisations build a trusted and collaborative internet. She is also the founder of The Writer’s Comfort Zone, a community for people passionate about supporting each other as writers. The easiest and best way to reach Heather is directly via LinkedIn.

Show Notes

Episode Transcript

[00:00:05] Stewart: Hi there and welcome to Scale a podcast for Modern Media. I am your host, Stewart Ritchie, the founder and lead developer at Powered by Coffee. Powered by Coffee is a web and software development team focusing on technology issues facing the media today. Scale is a podcast about how technology impacts the media and how the media impacts technology in return, everything from ad tech and privacy to hosting and content management.

We’re interested in what’s happening today, what’s happening tomorrow, and where we might end up in the future.

[00:00:36] Stewart: Today we have Heather Flanagan, the principal and owner at Spherical Cow Consulting. Spherical Cow kind of puts itself out there with kinda tagline, translating geek into human.

Is that it, Heather? Mm-hmm, translating geek into human. And today specifically, we’re gonna talk about more identity on the web, particularly federated identity, which Heather is somewhat of an expert of. Heather, rather than me try and sum you up early, why don’t you tell us about yourself? Tell us about Spherical Cow and tell us why you’re here today.

[00:01:04] Heather: Sure. So digital identity is, is one of the big things that I, I get to, to work on. And I love it. It’s great. It, it just touches on absolutely everything. And, but it’s not like what I, I thought I was gonna be when I grew up. I thought I was gonna be a librarian. Oh, that’s, that’s actually what my master’s degree in is.

I was I have a, have a master’s in library.

[00:01:27] Stewart: I can’t say library science, but I’m similar. I never thought I would be here. I went through wanting to be a chef working in forensics. My degree is in physiology, so I know well what it is to transition into technology from something very different.

Well, that’s cool. So you mentioned standards there and standards around identity. You know, how did, how did you get into that? How do you go from library sciences into that?

[00:01:51] Heather: Well, the, it, it blamed the glory of the .com era really? In the mid nineties. Sure. You know, it, it was all exploding at the time and there was, it was new, so nobody, you know, very few people actually had a degree in practical computer science, theoretical.

Sure. Lots of those, but practical, no. So when I graduated, I went to work for a local newspaper, which was just spinning up an ISP because everybody was, funny, as you do. Yes you do. And within a few months they’re like, okay, you seem to be reasonably bright. Could you run our bulletin board system? And I said, well, sure, does.

Does it come with the book, a manual? Something to give me some guidance as to what I’m supposed to do? And they said, yep. Hand me the manual to the Galacticon BBS and I became their bulletin board systems operator. And that lasted all of two months. At which point they said, so we have this, this thing called DNS, could you just manage that system for us?

And I’m like, does this come with a book? So they hand me the cricket book from O’Reilly and I’m like, great. One more month passed and they’re like, Hey, sendmail. I said, just gimme the book. Just, just give me the book. And that’s kind of how I ended up like flowing into tech and I’ve never quite made my way back out again.

[00:03:06] Stewart: Is, is there a, a latent desire there to move back, back out? I know there’s a lot of folk dream about starting woodworking or taking up farming.

[00:03:15] Heather: So not, not exactly. I mean, when I first was flowing into tech, I’m like, you know, it won’t be too bad if it, I know everybody gets burned out in this field and if it gets really bad, I can just go back to being a librarian.

And then libraries went high tech, and it’s really no different. So there’s, there’s just kind of no escape. At home. I, I, I once described myself as very Gemini because I travel the world constantly, going to conferences and standards meetings, and meeting with clients. Between now and June, I’m going to Amsterdam, San Francisco, back, Berlin, Atlanta, Las Vegas, Albania, and back to San Francisco.

[00:03:58] Stewart: Oh, wow.

[00:03:58] Heather: Right. It’s, that’s quite the, all the, all the travel, all the tech. At home I have three spinning wheels, a weaving loom, a basement full of fiber, an orchard in the back of 30 trees. So it’s like there’s nothing in the middle.

I’m either the nicest prepper you’re ever gonna meet, or I’m this high tech jet setter and there’s, there’s no middle ground.

[00:04:22] Stewart: That’s awesome. That’s great. So then, I mean, let’s, let’s bring a step back then back into the kind of technology stuff. So obviously team with the BBS, DNS, sendmail, all very foundational pieces, kind of, of our, our modern, and often pieces thing people don’t talk about.

So how do, how do we get from there to identity and standards?

[00:04:42] Heather: From there you get, you get to identity and standards because once you’re actually administering systems and services, you can’t, especially the identity component, you can’t avoid it because the, the, the first single most important thing to do is to control access to the system or to specific, you know, to specific things on the system.

I mean, that’s, that’s foundationally like the entire job of an administrator is to control access. Well, how do you do that? You do that by identity, by figuring out, well, who, who is supposed to be on the system and how are they logging into the system and what do I actually need to know about them? All that, you know, those gory details may change depending on your industry, right?

If you are in finance, you have, you know, the know your customer legal requirements, I think those are pretty common from one country to the next, to the next, to the next. And so they’re going to collect certain kind of information about you, whereas a library will collect different information about you and your scholarly publishers.

You know, they actually don’t want that much information about you. They just wanna know who you’re affiliated with and, and all that changes. But it all comes into the, the complexity of digital.

[00:06:00] Stewart: And then digital identity standards. I, I believe you’re doing some work with W3C to help

[00:06:06] Heather: define, oh, I, I collect standards like Pokemon,

[00:06:10] Stewart: but you have to gen 8 now.

[00:06:12] Heather: I kind of do. So for eight years I was actually the Publisher for the RFC series, which is what the IETF and the IAB and you know, so it’s like the core standards series for the internet. And yeah, I got to, I got to deep dive into exactly how that particular sausage is made. As part of that, I got to experience a lot with the W3C as an invited expert, and today I’m still working with the W3C because I’m a community group chair and the community group is for federated identity.

I actually spun the community group up. I thought they needed it.

[00:06:51] Stewart: Yeah. So federated identity, for those of us that don’t know, what does, what does that mean? How is that different from, you know, just your normal login is like, I am who I say I am with this token? How does federated identity work?

Tell us about that.

[00:07:05] Heather: It’s, it’s a question of is that, is that information local to the thing you’re – we’ll say, we’ll just use logging in as, as the example, you know, is, is does the system hold your record of who you are and your, your password or other authentication credentials, or are they getting that information from a third party?

So you’ll see this if you’re from. Everybody is pretty familiar with the consumer web, which is dominated by Google, Facebook, Twitter logins, where you’ll go to a site like the Times and you wanna log in and you can create a local account. Or you could say, would you like to just log in with your Google id?

[00:07:46] Stewart: Sure

[00:07:47] Heather: That if you would like to log in with this third party thing is, is at its base federated identity.

[00:07:53] Stewart: Okay, great. But I imagine then there are also like other, other takes on that I mean you mentioned universities there. Oh yeah. Universities often will have, and please let me know if I’m completely off on the wrong tangent, but like access to, you know, libraries of journals from particular publishers that you don’t have to log into.

But as long as you’re on that network, it’s still giving you access to those. Is that very much the same, same realm.

[00:08:19] Heather: Yes, yes-ish. Yeah. The, so the consumer web has like the four major iden – they’re called identity providers. But once you get into academia, research and education, every university just about has their own identity provider.

And this. This is like fundamentally necessary because again, what? What the journals want to know when someone logs in, they don’t want to know that you’re Stewart Ritchie they want to know that you are in fact a student at London College. It’s all they actually wanna know about you. They don’t wanna know.

They, the less, the less personal information they can collect, actually the happier they are these days because if they have it, they are responsible for it, and they get in trouble if anything goes wrong. It’s so much better if they can just, collect the minimal information that they, that they have to in order to succeed.

[00:09:12] Stewart: Absolutely. That makes sense.

[00:09:14] Heather: So if you’re on a, on a campus and actually physically in the library and physically touching, you know, their network. Well, physically you can always do wifi, but you get the idea. Yeah. There is a way for people to be able to access the material where they don’t have to log in at all, their identity completely irrelevant.

It’s the, the IP address of your computer, which you’ve now gotten from being on campus. And the system says, oh, you’re from that IP address range. Yeah, we know you, we know you. You’re fine. You’re just, just access. And that’s the, the most seamless way things work. It’s usually problematic, mind you, in many respects because for one thing I’ve actually spoken with the people who developed the IP protocol cause standards.

Right. And yeah, that was one of the, the early standards, like from, I forget, late, late seventies, early eighties, published by the IETF in, in the RFC series. And so I’ve spoken to these people and said, do you realize how this is being used? And they were appalled. This is not what that, that was actually designed for in any way, shape, or form.

So that’s problem number one. Problem number two is just how people are now in terms of where they are in the world when they’re actually trying to access are yet at the local coffee shop, you know how many people actually study in the library. There’s not enough room in the library or on campus to necessarily have everybody study there at one time.

Yeah, so that’s absolutely, that’s problematic too. And there’s, there’s ways around it. You can always, you know, make sure, remember to set up your VPN or make sure you go through the library portal. But even those have some, some flaws to it of, okay, if you’ve gone through the library portal, how do you bookmark, you know what, I wanna come back to this article.

This one’s what’s important to my research. And then you leave campus or something like that. And it’s just, it becomes really untidy.

[00:11:05] Stewart: Yeah, absolutely. I can see that being, I mean, it’s, it’s amazing that it works. It’s one of those kinda like, to me, there are certain things that, like historical things, I’m like, I don’t believe that this still works.

It’s too, mm-hmm. too basic and yet works so well. When it does work.

[00:11:23] Heather: It does. Now it’s also under threat. Now this is gonna transition a little bit into some of what we’re dealing with in the digital identity landscape, especially with federated identity, is looking to change because of what the browser manufacturers are requiring.

[00:11:45] Stewart: Of course

[00:11:45] Heather: Apple has, you know, they, they take the stance of, you know, being one of the more privacy preserving browsers out there and some of their services. They said, you know, all right, how, how are people tracked on the web? Because that’s, that’s bad. We don’t want, we don’t want tracking to happen. How do, how do we avoid that?

Well, one of the ways people are tracked is by their IP address. Especially when you look at the consumer web, which is what drives the, the big decisions for the browsers, cuz it’s the biggest and we’ll call it market. Apple has said, you know what, we don’t like that. That’s a bad model cuz you can track people by their IP address and so they’ve started obfuscating it or, you know, upleveling it or you know, otherwise changing it in ways that now the, oh, we recognize that IP address as being a range for a university doesn’t work as consistently as it used to.

[00:12:38] Stewart: Yeah, of course. That makes sense. So that’s, is it Private Relay is the Apple program in question, where it’s a, you know, effectively a very, I don’t wanna say VPN cause I don’t think that’s quite it, but more of like a, a, a layer that you kind of proxy through from Apple to like, yes.

[00:12:56] Heather: There, now there’s things that university network administrators can do to signal Apple. Please don’t do that to us. Yeah, please, please don’t. But they first, they have to actually know about it, which is challenging because while, you know, we can talk about the university as if it’s one entity, once you actually dive into it, the librarians don’t necessarily know who the network people even are on their campus.

Of course, that’s not a conversation that’s typically gonna happen.

[00:13:22] Stewart: Yeah, I can see that. I can see that being a problem. But I think then let’s maybe move this down a layer away from kind of like institutional identity into kind of consumer identity. Mm-hmm. I mean, we’re starting to talk about consumer browsers anyway, so how – obviously there’s gonna be big changes in how identity is handled, particularly shared identity using these federated services, primarily because of cookie changes and other privacy related changes that are kind of coming with browsers. How do you, how do we feel that is gonna impact online experience?

How do you think we’re gonna get around that, et cetera?

[00:13:56] Heather: I think the, so let’s talk a little bit about what the, what the changes are to make sure everybody’s on the same page with that. So, third party cookies, those are little bits of information stored in the user’s browser memory or local disk, whatever, but stored in the browser.

That gives some information about what the user is doing and it’s third party because it is set by one domain spec, you know, explicitly to be read by anybody in anything. Sure. And so other domains can look at that and, and make a decision, or record a piece of information or whatnot. It’s, it’s traditionally a great way to track people and what they’re doing.

Have, have an ad network drop a little cookie on there, and then they know every site you go to and exactly the path you take to get there and what you’re actually looking at and maybe how much time you’re spending on any one thing. Of course. Well, it’s, that’s, and and that’s generally considered less than ideal from a privacy perspective.

Absolutely. Third party cookies, however, are also used to say something like, yes, this user logged in to this site and for a larger publisher that has multiple related domains, they need to have it as a third party cookie because, you know, that will take, you know, the big, the big, big monster Elsevier.

Elsevier has hundreds of domains of course. Right. And they can’t. They don’t, traditionally, you don’t set a single, you know, you don’t make someone log in for every single domain. You say, yes, this person actually logged into Elsevier. Now that’s valid for all of these journals. That’s under threat. Mm-hmm.

It already doesn’t work particularly well in Safari. And in fact, you know, there’s, there’s lots of pieces of software that don’t work particularly well in Safari anymore, and which the answer had been. Oh yeah. Hmm. Just don’t use Safari. It wasn’t, let’s fix it. It was just, just go to another browser.

We’ll just pretend that never happened.

[00:16:04] Stewart: Fair enough. So then I, yeah, so to, I guess to like, make that a little bit more, just to restate it, so make sure I understand you, someone goes to Elsevier, one of their brands, all of which just gave me at the moment, and they log in and they’re logged into that site.

The ideal user experience would be they go to a second brand, different journals say, and they’re still logged in because it’s, it’s a centralized id. It’s the same login information that they’re gonna use. with a kind of high digital identity with third party cookies would work like great. We have, you know, a generic and read the cookie from that to me and that says, yeah, you are logged in.

Here is the ID and the token that we can check to be like, yeah, you are who you say you are. Mm-hmm . But because those third party cookies are no longer gonna be readable, privacy sake to get away from all the tracking that is done this is going to hugely. Publishers, whether news, media or scholarly ability to say like, this user is definitely this user, definitely who they say they are.

Any, the opposite of that is either bad UX cause you’re not gonna have to log in again, or, you know, just kind of suck it up and find other ways to try and, and deal with that, that don’t involve a third-party cookie. Is that about a summary of it?

[00:17:24] Heather: That’s about, that’s about it. This impacts some of the basic protocols that are used to log in.

OpenID Connect is definitely, has some aspects of, impacted by the, the loss of third party cookies. One of the more, from, from my perspective, one of the more critical things that gets lost is what’s called front channel logout.

[00:17:45] Stewart: Okay. I don’t know what that is.

[00:17:47] Heather: It basically means that when you go to a system and say, okay, I want to log out now, well, it can’t necessarily do. Because of course if it’s a third party, it’s like, well, you can’t just wipe that out. That that’s just, that’s just not gonna work. So there’s, there’s there’s alternatives to how to log out. There’s, there’s the front channels. That’s something the user can see and control.

And there’s back channel where servers are talking to servers. But you can’t use. They’re, they’re two different ones for reasons, and they’re not one-to-one replacements. So the, the issue of things, things like front channel logout and, well, how do you actually still enable that? That’s some of the work that I’m involved in with the W3C and the Federated Identity Community Group where Google has proposed a, an API called FedCM.

That sort of stands for Federated Credential Management, and trying to, all, all the browser really wants to do is say, user, do you, are you really okay with what’s about to happen here? I know you clicked the login button, but are you actually okay for the site that you’re on, the journal, actually going to a, an identity provider?

Are, are you really okay with that? Sure. In the past, the browser didn’t care, right. The brow browser was completely passive to all of this and just let information flow back and forth. It was not an active party in any transaction because the browser vendors are being held accountable to, you know, you, you browser vendor must do something to deal with privacy and the tracking issues and everything you have to, GDPR is like the biggest stick in the, in the house demanding that. So they’re like, all right, well, in order for us to actually do something about it, we actually now have to step up and become an active player in, in the entire workflow.

It’s challenging because the protocols that they are now getting in the middle of, were not designed for. We’re not designed for anything to get in the middle, cuz that’s like security failure. You don’t want a thing in the middle when you’re dealing with secure cookies going back and forth.

[00:20:09] Stewart: Absolutely. It’s hard enough with I, I, to me, I think the closest analogy is something like CORS, C-O-R-S, Cross Origin Resource Security, forgotten what the acronym stands for. This is the browser thing getting in the middle to try and verify like, is this a domain that you should be accessing or has something gone wrong, you know? That’s a very, that’s the closest thing I can think of to it. So if you, few of the standards, you mentioned something, OpenID Connect. Are you able to give us like a quick rundown on that? Just for anyone listening that doesn’t know it?

[00:20:43] Heather: I actually don’t know how to do that.

[00:20:45] Stewart: It’s very complicated

[00:20:46] Heather: because it, it’s actually like, very big, very robust authorization protocol. It’s built on top. It comes out of the Open ID Foundation. And it is one of the most popular protocols out there for this kind of, this kind of thing.

Of course. That’s when, when you’re clicking on the log in with Google or log in with Facebook or login with Apple, you’re basically relying on that protocol to make the login happen. Of course. Now how does it do it? Magic.

[00:21:22] Stewart: Absolutely. That’s fair. It is, it is complicated. I know it involves a lot of, I, I come at it kind of from doing a bit by kind of the OAuth side, so like send office request, that request the token, gets the token back, sends the token.

Again, it’s all kinds of like complicated, but that’s if. And it know the two sides where the the Open Federation, not federation.

[00:21:41] Heather: I have, I have anything a whole, a whole rant that we’re not gonna get into. It’s not the point of this call, about how difficult it is to, you know, I, knowing the standards exist is one thing, but then, you know, when we talk about OpenID Connect as an example, it’s a family of standards.

[00:21:59] Stewart: Sure.

[00:21:59] Heather: With lots of different sub-components, and actually having a roadmap to know what all those components are and when you would want to, that’s not actually something that really exists in the world today. Most standards do have that same problem of, you know, they’re usually families of standards and getting any kind of roadmap is really hard.

[00:22:23] Stewart: So do we want to go back to talk about cookies a little bit? Sure.

[00:22:26] Heather: So the, the, the cookies are, so as they’re going away, some of the things that I’ve heard people say are, you know, when I, when I’ve presented to, you know, an audience of, here are some of the changes that you can expect coming out of browser land. I, I was referred to as the chipper voice of fear, uncertainty, and doubt, because there, there’s all these changes and all these different APIs that are sort of being thrown in the mix.

And executives commonly say, look, this is, this is great. Can you just tell me what we need to do and when we need to do it by? Ultimately that’s, that’s what we need to know. What, what is the change and when does it happen, because then I can allocate my resources to actually do something. I would love to be able to answer that question.

[00:23:11] Stewart: Of course.

[00:23:12] Heather: I can’t, unfortunately from my perspective, I, I look at it from another way. Do you want to be told what to do or would you like to actually have a chance to influence what you’re going to be told to do so that maybe it’s not as burdensome later. Cuz I’m, I’m into standards development.

I think that’s the most sensible thing. But, but executives who are trying to contain research and development to a constrained space and not just pour money into it they struggle with this right now, as to what, what are we supposed to do?

[00:23:47] Stewart: Yeah. Okay. That makes, that makes sense. I think you can even go a step further where you know these, you know, kind of big organizations that are already involved kind of in the standards process.

It’s hard enough for them to, you kind of have to be there day one. But you know, there are a lot of kind of media orgs out there. And there are media orgs, just any SME who has a technology side to it that needs to manage identity. How are they going to be able to, to cope, to know what to do?

Cause like you say, it’s not easy to, to listen, not listen. It’s not easy to find out exactly what’s gonna happen and be prepared. And I think traditionally too, it’s hard for those groups to feel represented in the standards because there’s, it’s so hard to justify the time to contribute to that.

Unless it is something that, that business is like kind of founded around. But it’s still incredibly important work that, that everybody needs to, to chip into. But it’s, yeah, it can be hard to justify.

[00:24:44] Heather: It can, and, and that’s not, you know, that’s not a decision anyone can make for them. Yeah. I mean, it’s, it’s really hard to know, but you have to know, you know, how are you going to be told? Well, it’s not like Google can reach out to every person on the planet. I, if you’re not following Google’s changes, you know, if you’re not aware of the, the Canary program of how they, you know, that’s like their alpha alpha program for Chrome.

You know, then, or if you’re not actually watching their privacy sandbox.com effort, if you’re not, if you’re not actually looking, they can’t reach out to you and tell you they can’t. They, they can’t quite, they’ve been shouting this out to the world for years. But it’s, it’s hard to get the message to the right people at the right.

[00:25:40] Stewart: Of course, makes complete sense. What about, what about user land? So the end users of kind of all the products that this work integrates to. Are we expected to see kind of significant changes for them and how things are approached? Or is it even still too early to tell how this is gonna pan out?

[00:25:56] Heather: Oh, the poor end users, I feel so badly for them because, because of the demands that they, the end user must be, Absolutely.

I agree. Okay. Well then what does that take? It means now that like every single technology partner involved has to take a little bit of ownership and say, I, I’ve asked the user, you know, I’m, I, I care, I’m doing something. Well, suddenly that means it’s, it’s like the, the cookie banners. Now, the end users are just gonna be pummeled.

Everybody’s asking them, are you okay? What about now? Now, now? Is this good? Now is good. What about now? Yeah. You know, it’s, it’s really gonna be annoying . Yeah, because you know, the browsers have to ask, are you okay with this? The service, the, you know, in our case, the publishers have to ask, are you okay with this?

The place where they’re getting the, the identities from? Say, you know, when you’re logging into Google, you’re gonna have a window. Are you okay with this? Click, click, click. Could you just let me get to the thing I’m trying to get?

[00:27:05] Stewart: Oh, it takes a lot of jumping throughs. I think the cookie banners is a good analogy that I hadn’t considered, cuz that is a, that is a thing that needs a better solution. But I mean, and it’s one of these things too are like our traditional markers of like identity of like, this person is who they say is, you get are using password. Fine. And then we move on to like token bases of like, I’ve got a second factor where it’s your device and stuff like, that’s fine for me and you who are kind of probably accustomed to being asked continually for two factor codes and know enough about how it works to not default to the easy SMS and have an authenticator app and stuff like that.

But how, how is it Joe or Jane Doe on the street, just using their, their Chromebook or their Android phone, supposed to have any idea what is happening and why?

[00:28:03] Heather: A few years ago I was, I was having fun with a a little side project that I called Identity Flash Mob, where I was basically going out to social media. I did a lot on Instagram and things like that, trying to just get people aware of different changes and things that were happening. And what I discovered was that people did not want to know you know, they, they, they do not want to have to care about this, and it’s, so we’ve got very competing demands and requirements. There’s what, you know, on the one hand, people, people want to, you know, have their privacy protected. On the other hand, they want the convenience of getting to the thing they need to get to.

And they actually might even have a different perspective as to, well, what does privacy even mean? That’s not a term that actually has a clear definition. It’s, it’s a contextual definition. And the context includes things like, how old are you, what generation are you coming from? Because you probably think of this very differently from your grandparents.

[00:29:14] Stewart: Yeah, that’s an interesting, interesting idea. It was I was listening to something recently as well. It was kinda like, so I’m, I’m a Mac user, I think you are too. You know, like if you log into an Apple service through Safari even, and it sends you a two factor code of like that pops up on your screen and it has always.

Done. My head in, I’m like, I am logging in on this device, but I’m enter browser. Mm-hmm. , why? Why are you showing me this second code that I need to enter? And it only became aware that it’s Apple. Don’t trust their own browser. to be like, this person is who they say they are, it’s that it runs in a separate, separate track to identify.

So even though you could be sat at the same device doing that login, but to an, I’ve had that explained to me and it makes sense to me, to an average person is just like, this is broken, why is, why is this broken? Why is this so much harder now than it used to be? And I also, I can continue to come back.

Like I want my, I want my data protected to not be shared out unless I stipulate who gets that? Most people don’t care. They’re like, why does that matter? I’ve had. Long conversations with people about the presence of microphones in their homes. They’re attached to, you know, various databases of things, and I’m like, if you talk in your home about how you had covid, unless you are intimately aware of the terms and service of that microphone is connected to the internet, where does that information end up?

Is that gonna be purchasable by someone in the future of a profile of you? And that’s like an extreme example.

[00:30:58] Heather: It’s an extreme example, but it’s not an unusual example. And another, another little spin to put on this is, of course, the people who are developing these services and manufacturing these devices and coming up with these protocols, they have a global market. Of course they cannot say, I’m not going to sell in these countries like China, I’ll say it, like China. And there the culture is wildly different in terms of the requirements and the expectations, and so they kind of have to be able to be all things to all people in all the different contexts that privacy is considered in.

It’s an incredibly hard problem to solve, no two ways about it. And the balance of security and convenience, or in this case privacy and convenience, is going to be one where at best, you know, can we get it right enough of the time that even if we’ve irritated users, we’ve actually still protected them.

[00:32:07] Stewart: Do you feel like there’s something else that we need to be aware of? Like with the deprecation of third-party cookies, obviously that impacts identity, that then in turn impacts advertising and, you know, general data collection. Do you feel like there’s more places that that’s gonna impact that we haven’t, that, you know, me as a technical person maybe haven’t thought of yet, not being at the top level of that stack?

[00:32:28] Heather: I would say, anyone that’s running a service that has a lot of different frames in it. So the most common example that many people will be familiar with is like Microsoft Teams. Sure. That’s, you know, the master service, and then lots of different applications underneath. Learning management systems at universities, those are a pretty common example that some will be familiar with. You know, those are gonna struggle when working in a browser, and the people who develop them basically have kind of two choices. They can either turn it into a single-page application, which isn’t necessarily a good decision, cause then it suddenly gets really slow, really clunky. All this stuff has to load in the background. It’s a mess. But it becomes a single domain. Or develop dedicated apps, where you’re not gonna even try it through a browser, you’re gonna try it through the application on your system.

The cookie thing is just the start. It’s actually, as complicated as it is, the most tractable of the problems in the space. Okay. Going forward, you know, over the next several years, cuz this is a multi-year timeframe we’re looking at.

They also have to look at, you know, when you go to your browser, you’ve clicked on a link in an email from a business and it opens up in the browser and it has, you know, domain.com/service/ or service question mark, UTM equals method, blah, blah, blah, blah, blah stuff. That’s... well, that’s not gonna fly for long, is it?

You know, cuz you gotta prevent tracking. Unfortunately, that’s also where you put identity tokens and things like that. That’s gonna be an even bigger impact than third-party cookies. They don’t know how they’re gonna solve for it yet, they being the browser vendors, because from their perspective, they can’t tell the difference.

But they know that that’s another common way to be tracked and they’re gonna have to do something. We’ll see. Yeah, we’ll see how that goes. And there’s a couple of things: if you can think of it as, you know, a thing to be used for tracking, then the browser vendors are going to be considering how can we do something different? How can we make this not usable for tracking while still preserving the functionality of the web?

[00:34:56] Stewart: Of course. And the jumping-off point for that is a technique called fingerprinting, where you’re not identifying the user with a cookie, you are looking at traits that are on that device. Yeah. And then assigning that to, like, this is this user.

And there are terrifying numbers of things that are available to a fingerprinting application to try and work out, yeah, is this the same person that was here a few moments ago? Not so useful for authentication, but certainly still, from identity: this is the person we are tracking,

[00:35:33] Heather: Right? And all that goes into a database, which in turn feeds what ads you see.

And those ads can be ads for shoes. Those ads can be ads for extremist political parties. You know, there’s no, there’s no control over that.

[00:35:49] Stewart: Absolutely. Yeah. It’s crazy. How, how are they gonna block fingerprinting? Cuz it sucks.

[00:35:57] Heather: There are efforts to try and do that.

I don’t remember the particular project that’s trying to minimize the amount of data that’s going across in a fingerprint, cuz right now it’s everything. It’s what fonts do you prefer? What add-ons do you have? What themes are you using? What IP address are you coming from? All those kinds of details.

Yes. All those. There’s a site, I wish I could remember what it is, that you can go to, if you actually start googling browser fingerprinting, and ask, how unique is my browser? And it’ll tell you how uniquely identifiable you are just from the browser you’re using. I know I’m very uniquely identifiable because I’ve got, turn this off, turn that off. I want this particular theme so that I have a little cat eye looking at me. You know, it’s all those things. I’m completely identifiable from my browser.

[00:36:50] Stewart: And there are scary ones. I remember the fonts one now: what fonts you prefer, what fonts you have installed, because there are so many fonts that effectively it is a unique fingerprint in and of itself.

Yeah. And I remember there used to be a very scary technique where the fingerprinting tool would open an HTML canvas element, print out lots and lots and lots of domain names to it, and then use CSS default styling to say, have you been to this link? Because you can’t ask the browser, like, does this exist in history? Have they been here? That’s not an API that exists, at least it wasn’t at the time, but there’ll be different colors. So it would then do color analysis to say, this user has been to this domain and this domain and this domain, and then use that as part of the fingerprint. But it’s, it’s

[00:37:35] Heather: all crazy. So, for things that, if they had to narrow down what they were looking at, publishers probably should pay attention to... there’s a couple of groups within the W3C that, even if you only lurk there, you’ll at least get some sense of what’s happening.

One they’ll probably be very much interested in is the Private Advertising group. There’s actually two: there’s a community group, which is free for anybody to join, and then there’s a Private Advertising working group, which you have to be a member of the W3C to join. There’s also my community group, which is the Federated Identity Community Group, that meets every Monday at 8:00 AM Pacific Time, except for, you know, once a month we try and shift it to be more friendly to Pacific time zones.

[00:38:23] Stewart: Absolutely. And then is there anywhere else people can learn? Obviously the W3C and those working groups and community groups are a great place to start. Anywhere else that would be useful?

[00:38:31] Heather: Honestly, those are the best places I can think of. You can certainly follow me on LinkedIn, because I am regularly speaking about this. I’ve lost track of just how many webinars and conference sessions I’ve presented, and I always announce them on LinkedIn to say, hey, I’m gonna be here, I’m gonna do this.

If there’s a recording, I make the recording available. If people want slides, happy to give them slides. If people would find it useful to have me present in their organization, I do that too. You know, it’s like anything I can do to get the word out.

[00:39:07] Stewart: So LinkedIn. Anywhere else people can follow you, find out more about your work, and, if they wanted you to come talk at their organization, how they could do that?

[00:39:15] Heather: Well, there’s also the website, Spherical Cow Consulting dot... You can see what’s going on. You can see the blog posts that I have; it’s my personal blog of what I see happening in the industry or things that I care about as a freelancer, cuz at the end of the day, I am a freelancer.

And of course I work for many different organizations. But it all comes back to how can I personally make the internet better when I’m basically a librarian. I’m not a tech. I don’t write code, so what can someone like me do? And that’s, that’s like my entire career is built on that question.

[00:39:51] Stewart: It’s a good question. Being a techie is overrated. There are many, many, many, many more ways to contribute, from policy, from an understanding of, like, what is the good this is doing and is this actually a good thing to do, that we have been sorely missing for the last two decades.

[00:40:11] Heather: I wish people understood that.

[00:40:14] Stewart: I’m like, I just, with all the web3 stuff kind of floating around, I just really wish we could go back to the wild, wild west of the web, where everything was open, everything tended to chaos, everything was decentralized by default. There was no sort of idea to build scarcity and have tokens to sell those, like, no, it’s on the web. It is free and open, have at it. But sorry, I’m gonna get off my high horse.

[00:40:38] Heather: The thing is, the internet, the technologies underlying it, you know, they represent everything that humanity represents, all the positives and all the negatives. So when you have a wild, wild west like that, you have the ultimate in innovation and you have also the ultimate in threat.

Unfortunately, just kind of like the rest of my life, there’s nothing in the middle.

[00:41:03] Stewart: Working at the extremes. I like it. One last question. I know you’ve got a lot of speaking events coming up all around the world. Do you have any that are publicly accessible, if anyone wanted to find out more, or anything else you’d like to direct people to?

[00:41:16] Heather: Sure. So, okay. If you’re really interested in the digital identity space, the one conference I’m going to be attending, hopefully I’ll be speaking at, I’ve put in some submissions, we will see, I highly recommend you look at Identiverse. That is like the best identity industry conference in the world, I think.

And this year it’s going to be held in Las Vegas at the end of May. If you can’t make it all the way over to Las Vegas, the European Identity and Cloud Conference is in Berlin the first week of May and might also be something of interest.

[00:41:49] Stewart: Great. Thank you so much for your time. I really enjoyed it.

And speak soon. Have a great day.

[00:41:55] Heather: Great. Thank you.

[00:41:58] Stewart: Thank you for listening. If you enjoyed this episode, please subscribe. Scale is available in all the usual podcast places. Even better, if you could leave us a review, that really helps us.

If you’re interested in finding out more about me or Powered by Coffee, you can find us on social media and, again, in all the usual places; links are in the show notes. Scale is currently gonna kind of come out every two weeks, and we will see you then.


A modern media podcast

hosted by Stewart Ritchie
