Peter Lowe shared his thoughts on the future of data protection and internet tracking on the eye/o blog last week.

Tracking on the internet is something that's very, very hard to avoid, if not completely impossible. It's so common and accepted that even companies claiming to be "privacy preserving" actively implement methods to circumvent attempts to block them. Massive data breaches have shown the type and scale of data that's being kept about us. It's everywhere.

Sometimes it might be tempting to give up and just accept tracking as a fact of life -- and, actually, that's what more than a few people I know have done -- but there's still a lot you can do to minimize the amount of your personal data being kept, shared and sold. And there are countless people working on standards, regulation, tools, services, and methods to help us - so it's not entirely hopeless.

But what does the future look like? I have a few guesses.

Regulation

Regulation has arrived, and is here to stay. More and more places in the world are implementing regulation around data handling to a greater or lesser extent, and companies are having to adjust to take this into account.

You've probably heard of GDPR, and may have heard of the CCPA in California - but did you know that Nevada has its own regulations? And even China is talking about implementing their own laws?

However, each set of rules is slightly different. Some are focused on individual rights, some are more focused on company responsibilities. Some have teeth, some don't. So what I expect to become more common is something along the lines of tax laws: companies will start operating out of regions that are advantageous to what they're trying to do.

We've already seen this to some extent. Quad9, the open public recursive DNS resolver that provides malware protection for free, moved its operational and legal headquarters to Switzerland recently. This ensures that legally it's an EU organization, and subject to GDPR along with all the other regulations. Though on the flip side, it's not uncommon to see error pages saying that a site is no longer operational for visitors in the EU.

So, just like funneling money through tax havens and taking advantage of shell companies, data will be stored in places where the rules don't apply. Legal loopholes will be taken advantage of, allowing data to be abused in ways that the regulation has tried to prevent. And none of this will be visible to anyone except the most determined analysts.

Layered privacy protection

Most people I know use some form of browser addon for content filtering, in particular ad blocking. This is great for browsing, but with the proliferation of chatty IoT devices, services loading in the background, mobile phones, and whatever else, this isn't enough anymore.

This means that people interested in protecting their privacy online need to look at additional methods. DNS filtering, for example, is a great way to protect your whole network against threats and data sharing coming from IoT devices - especially those that can't be upgraded and have no way to configure. For more serious applications and specific uses, VPNs are another way to mask your behaviour online. And simply using privacy focused services is a great thing to do - DuckDuckGo, the Brave Browser (and their new search engine), Apple iOS - these are all using privacy as a selling point.

My prediction on this side of things is: privacy will move from being a unique feature, to becoming something that is actively looked for and more commonly offered. And if you care about your privacy online, then we'll have to use these products all over the place.

New threats

Regulation is coming into place, the ways to protect ourselves are becoming more plentiful, and everything's getting easier to use.

Which means one thing: the people who want to track you are going to try harder.

Browser fingerprinting used to be uncommon; now it's a standard part of how ad networks operate. Server-side data sharing was unusual for most companies; now it's becoming the default. CNAME cloaking was basically just a theory at one point; now academic papers are being published on how widespread it is.

But that's just the start.

Facebook has patented methods for identifying a camera's geolocation based on scratches on the lens, and the people it can identify in the photo. Amazon wants to monitor people's moods based on the sounds an Echo device can hear while you're sleeping. Oculus (well, Facebook) is monitoring what people are looking at and how they're moving, so that it can place ads directly into VR games. Fitness trackers are identifying users with PTSD and targeting ads for antidepressants at them.

One of those is false - but without checking, do you know which one?

So where are new threats going to come from? This is harder to predict, but my guess is that we'll really just see more advanced versions of what's already happening: taking data that doesn't seem useful, and turning it into a way to build up profiles of people and target them. As tracking becomes even more pervasive and precise, unconscious details like eye movements, heart rate, involuntary actions, microexpressions, if they aren't already being factored into targeted ads, will be.

And, of course, SPACE ADS. We're going to see ads from space and privacy threats alongside them. But that's a whole other article.