Change, even planned change, can take you by surprise. When it does, it’s definitely time for some reflection! This is a blog post about what it takes to make change happen. But first, let me provide the background:
In early 2021, I started a conversation with a team at Google about how to build and engage a community to talk about a particular aspect of digital identity. Google and the other big browser vendors, Mozilla and Apple, were (and still are) bound and determined to Do Something about individuals being tracked based on their web browsing. Who doesn’t want their privacy respected when they are online? It’s hard to argue against that goal.
The challenge this team within Google was particularly interested in, however, was the intersection of where the basic building blocks of the web experience were being used for both legitimate and illegitimate reasons. The thing about the basic building blocks in question—third-party cookies, URL link decoration, and redirection—is that there is no way the browsers can tell the difference between appropriate uses, like logging into an online service, and the ways tracking services are using those same features. Those features are a lot like building blocks: you can use them to build a house, or you can use them to smash in a window. What you use them for doesn’t change their nature in any way that can be automatically observed and controlled for at scales the size of the Internet.
The big browser vendors have been ramping up to address this challenge for a few years now. They are on a mission; they have the ‘carrot’ of positive press and doing the right thing by helping individuals and the ‘stick’ of looking at some serious legal and financial trouble (thank you, GDPR!) if they don’t do anything. But what about all those sites and services that are going to break? What about college students being able to log in with their college account to access online material for their studies? What about employees that need to log in with their company account to access enterprise resource systems? What about researchers who come from dozens or even hundreds of institutions around the world that need to collaborate on specific scientific projects?
And that’s where I came in. My mission, if I chose to accept it, was to get those organizations that were dependent on those web building blocks to work together to find a solution that would allow them to continue to log in and out of third-party services with their organizationally provided account. And so I reached out to everyone I know in the digital identity space to organize a virtual, two-day workshop. I kicked off an official community group within the W3C. I’ve lost track of the number of webinars I’ve been involved in to raise awareness and help organizations understand that they will have serious problems if they don’t step up and help figure out a solution. And yet, despite great feedback from all those sessions and recognition that this is leading towards some pretty significant breakage of essential web services, nothing translated into the action I wanted to see.
Then this past week happened. This week was the first time I’ve given my presentation on the subject to an in-person crowd. Several people in the room had already been to one or more of the webinars I’d offered. Some were even members of that community group. My session was the very first session of the conference, and people didn’t stop talking about it for the rest of the week. People met in hallways to discuss how to bring this back to their organizations. People found whiteboards to draw up plans to help test the code coming out of Google with their services. People proposed an additional, sector-specific working group to keep engagement levels high as the privacy-preserving browser changes roll out. People committed to weekly meetings that will lead up to an in-person hackathon in February.
I. Was. Floored. I’ve spent nearly two years raising awareness, knowing that browser changes, as necessary as they are, pose a major threat to many organizations and particularly to the research and education sector. I’ve spent years engaging with anyone willing to listen (and probably some who weren’t willing but couldn’t escape), laying out the path that organizations and developers need to take to be a part of the solution instead of the victim of the changes. To be honest, I’d just about written off any hope of proactive engagement. Instead, I expected this to become an emergency response exercise which would be excruciatingly painful for all involved.
So here’s the million-dollar question: what was so different that the engagement I’d been pushing for finally found traction? Was there something I could have done differently or sooner to get this kind of action? I think this was a convergence of a few things that were necessary to do but not sufficient by themselves.
- Communication: The webinars, blog posts, and status reports were absolutely necessary to ‘seed the ground.’ People may not have been paying close attention, but they had heard that something was going on here such that when they saw the session description, they decided it was important enough to show up.
- Structure: The community group formation as an official place to meet and get the code published was also absolutely necessary. A W3C community group is a recognized place to incubate ideas, and browser vendors are comfortable participating because of the existing framework that protects their Intellectual Property and sets an established pattern for behavior.
- Urgency: The timeline of when things are expected to break completely (because they are demonstrably starting to break in some browsers now) was necessary to move the urgency from “ok, yeah, but that’s years away” to “OMG this is breaking now and my organization is not prepared!”
- Convenience: Last but not least, meeting in person was the last and most necessary straw to break the inertia. Webinars are great, but they don’t support those hallway conversations that happen when 100 people from as many different organizations leave a session and talk. They don’t support the perceived safety of having impromptu, frank discussions during a break, over food, or even in an elevator. In-person meetings provide opportunities that you rarely get any other way.
This past week felt like a boulder I’d been pushing uphill crested a peak and started rolling on its own. Woohoo! I had begun to doubt that peak was even there! But forget rest; now’s when it really gets fun. My job will continue to be community engagement, with a new focus on concrete activity.
The biggest challenge now will be to keep the boulder rolling, because while this peak was overcome, we’re not at the top of the mountain yet. But the combination of communication, structure, urgency, and convenience will make sure we crest that peak, too.
Many thanks to everyone who attended my session at the Internet2 TechEX in Denver, Colorado, and committed to rolling up their sleeves and engaging in the effort. You’re awesome.