Agenda Request - Review Working Group Charter Changes #52
Comments
AramZS
added
the
agenda+
|
I’m unable to attend the meeting today to make the following points under this agenda item. The charter will be reviewed by the W3C membership. What have the group done to verify there is a mandate within the W3C to disintermediate advertising by web browsers as the proposed draft of the charter directs? I don’t think there is one. The W3C membership are not the only consideration. There is the matter of competition law compliance. In PR #18 my lawyer colleagues provided a number of suggestions. These include ensuring all parties to the web are guaranteed access to the source data need for standards developed by the group under Fair, Reasonable, and Non-Discriminatory (FRAND) terms by those that join the group. FRAND is already an accepted principle for the licencing of intellectual property. It can be applied to essential data. Such a change would likely necessitate all the work of the group be implemented using web primitives (aka general purposes APIs). Where new APIs are needed these would need to be general purpose and not specifically for advertising. An example of such an API could be the sharing of state information between multiple data controllers under GDPR laws. Importantly this change will free individual publishers and advertisers to decide which of the groups standards they use. Publishers and advertisers would not be forced to adopt particular standards by browser vendors or the W3C. In the past there have been few lawyers on the call. I suggested some names from Apple, Facebook, Google, and Microsoft. Can the representatives from those companies advise if they have been approached? My company has a number of Formal Objections open in relation to matters related to competition. We have agreed to withdraw those Formal Objections should the W3C Director setup a Legal Advisory Group where only qualified lawyers are eligible to join and this group rule on such matters. The Legal Advisory Group would provide horizontal review on matters such as group charters to ensure any competition issues were resolved prior to the work commencing. This charter should be subject to such a review. @AramZS @seanturner Please could you draw the group attention to this comment during the meeting? |
|
@jwrosewell we'll call attention to this point. Thanks for the comment. |
AramZS
removed
the
agenda+
|
Some notes on this: Again, thank you for this comment, it makes your position here much clearer than it was earlier. I did point folks to it during the meeting as requested, but I wanted to also take a moment to talk to it in more detail.
I agree with this in principle, however, there is currently no legal group that brings forth these concerns in this context. We can only deal with participants and their feedback. That said, as far as I can tell, the main way that we deal with the question of legal concerns in a charter like this is through submission to the AC. If this is the core of your concern, and we acknowledge that we are not lawyers and there are no lawyers in the room willing to contribute directly, I think the only way we can deal with an objection on this basis is submit the charter to the AC for review and let them tell us one way or the other.
Without commenting on your example, which I think is a little too general for me to be sure I agree with, this describes a fundamentally different WG and CG then we are chartering. This CG and the WG proposed is specifically about advertising technology uses. General purpose not specifically advertising APIs are specifically out of scope for this group. Trying to alter the WG mid-stream to alter the entire intent of the group is not going to work. Arguably the place for this type of work is the Privacy CG or perhaps some entirely new charter. As to why it is the mission of the PAT groups: It is inarguable that browsers supply specific APIs for specific purposes, to enable specific purposes. I am not sure a 'general purpose' API actually exists nor could I feel able to define it. What is a 'general purpose' API for location vs one that enables the business of map and navigation services? What is a 'general purpose' API for layout detection vs one that enables the specific business of mobile website design? What is a 'general purpose' API for the purpose of web applications vs a Web Application Manifest API for the business of Web Apps? What is a 'general purpose' API for performance vs one that enables specific business outcomes that have a basis in performance? The division between APIs that are generalized and ones that enable specific business goals and concepts seems to me to be non-existent. Any one of the APIs I just listed (and more) now underlay the livelihoods of thousands of people... if not tens of thousands... and any alteration to them would have substantial and significant impact on their businesses. But these APIs do evolve and change because the world, the users, and the businesses that leverage those APIs, change. We should not freeze changes to the Geolocation API just because a number of companies have been successful in implementing that API. These APIs have no natural state, they were created, the businesses that were created on them did so on one version, and it behooves them to change how they work when it makes sense for the community (with the involvement of these businesses as well!) to change them. None of the APIs currently used by ad tech were created with the intent for them to be used by ad tech. Everything is hacked on to things that are not intended for them. These APIs also do not have a natural state. None of them, the third party cookie, or anything else, were dug up on stone tablets and then dropped whole into the browser standard. But advertising is a core component of the web now, and if we want to evolve the web that means we need to acknowledge advertising, its use cases, and build specific APIs towards its needs.
Existing documented W3C processes handle this and a single WG charter is not the appropriate place to litigate W3C policy. If you feel the existing W3C IPR standards are insufficient, you should be taking it up on a different level then here. However, it is outside of our scope to try and redefine those rules from below, especially when we are dependent on W3C tooling built under and understanding of those guidelines to help enforce them. I believe the now highlighted W3C documents recently added to the WG charter should cover these concerns.
Yes. As I've said, this group is a CG and open to all contributors. I do not have their contact information. Any representative can reach out to me individually to set up a time to speak to the group, publish something on one of our repos, or participate in a call. However, we cannot wait indefinitely for these people to 1. Appear. 2. Speak.
This is fundamentally a matter for the W3C AC and Director. We cannot pause operations to wait on a change in W3C policy that may or may not happen. I assume that should such a group arise, its earliest work would be reviewing standing Working Group and Community Group charters and asking them for changes and should such a group arise I would welcome their feedback and we could, at that time, make changes to the charter based on their feedback regardless of if we are operating or not. As we've seen with the CG, changes to the charter on the basis of in-motion operation are standard. This objection is also best resolved by submission of the charter to those who are at the right level to deal with such questions. |
|
As discussed at the 6/21 telecon, barring additional support for James’s objections/suggestions, we will submit the proposed working group charter, without incorporating those changes, to the W3C process in 72 hours . |
|
For those considering supporting my objections/suggestions please consider the following links for a summary of the outstanding areas for consideration.
|
|
Thanks for being brief and succinct @jwrosewell. I will try to do the same in my response.
There is no mention of first or third party in the charter (the word "party" is not found), so I am guessing that you refer to this minimal definition of privacy:
This was discussed extensively and I believe that there is consensus for this specific language. As you observed yourself, this is useful in ensuring that the working group doesn't undertake work outside of an agreed scope. In this case, it is to ensure that work does not violate some these elementary privacy expectations. I understand that you disagree with this conclusion, but my understanding is that your position is at odds with established consensus. (The chairs may correct me on my understanding of consensus, but I believe that both of the above are well-documented.)
The only reference to the joint PING/TAG work on privacy principles is very narrowly targeted and as it relates to the previous point, I think that it is defensible as it is relying on a narrow definition only. (The charter does not refer to the entirety of the document, nor would it be appropriate to do so until the work achieves broader support.)
This point remains very confused for me. We tried to clarify this on the call, but let me try again. The intellectual property rights necessary to implement specifications (i.e., patents) are, by W3C policy, not FRAND but royalty free. Nothing changes here, nor should it. You seem to be referring to rights over access to information that is not rightly yours, nor is it the property of any other actor in this group. That is, rights over the browsing history of web users. A working group charter cannot grant any rights over that data. That's between individual web users and those entities that might receive that data. There are occasions where private information has been used for research purposes to inform choices made by working groups. The example given was the use of Chrome data to inform decisions about the Topics proposal. Meta might provide some information about how people use their advertising platform. This is very common in standards environments, where data and research is essential for informing choices. We cannot compel entities to share information with others, because it is rarely possible under the terms by which they obtained the information, especially when some of that information is private. Though they might be able to conduct research, they are bound by usage terms and agreements set when the data was collected, as well as the moral obligation to respect the privacy of those who the data relates to. No doubt their lawyers have ensured that their use of that data is defensible. No doubt they also take care to ensure that the use of data is appropriate and moral. In the end, you need to consider contributions that are informed by use of private data no differently from any other contribution made to the group. Treat claims with appropriate skepticism, ask questions about methodology, try to corroborate results using data you might be able to access, find shortcomings or limitations, offer criticism, and ultimately determine whether the decision it informs suits your needs. But do not ask that the information be licensed for your use unless you are prepared for the answer to be "no". Enshrining that request in a charter as a demand or precondition of participation is highly inappropriate.
This is a key scoping provision in the charter. It is in the name of the group even. If you want to pursue non-technical approaches, I suggest that you seek to form a working group for that purpose. |
|
Re: FRAND - The input data must be available to all implementers under the same terms with the same user consent. i.e. browser vendors could not rely on consent captured at installation of the browser for the use of the input data in any specification developed by the group. Developing these details concerning consent is an important next step in the iteration of the charter prior to adoption. By enshrining this in the charter we can ensure all the work of the group meets an agreed requirement just like any other requirement. The fact others find this objectionable is concerning to me. The fact that the charter includes specific proposals to be worked on but no this basic policy principle is equally concerning to me. Re: Non-technical - I wish to establish the best solutions for the 5bn+ users of the web. Establishing a group that consumes the limited resources of the W3C and our collective energies that explicitly excludes professions other than engineering is limiting. Why should engineers and technology monopolise the solutions? We know from regulators other professions have a role. Re: Parties - The charter and debate adopts the direction advocated elsewhere concerning parties. For example; only the browser vendor can process the input data, or the cross-site limitations. There are even issues concerning this here. Therefore the parties issue is present throughout the document. Please see the extensive note I posted after yesterday's meeting for details on why this is problematic. Re: 'Privacy Principles' - Thank you for recognising the state of the document, there should be no issue amending the document o state that the group is not bound by the position of any documents or work that are not explicitly listed in the charter or the W3C Process. Do we agree? |
|
AramZS, As a representative of the Movement for an Open Web MOW I support the request made by James Rosewell. In particular that :
I would suggest that competition law compliance is for all. Advice on the law is for lawyers. I am a lawyer and would support the creation of a legal working group to help develop and advise on these points with representatives of any other organizations who would be willing to participate. I am aware that a number of other organizations involved in this discussion have lawyers who may be available. With kind regards, Tim Cowen Preiskel & Co LLP, 4 King's Bench Walk, Temple, London EC4Y 7DL |
|
"FRAND" and "licensing" terminology is being used here in potentially ambiguous ways. W3C attempts to publish standards under a royalty-free patent policy: In other cases, it seems like "licensing" is being used to refer to data about users. @jwrosewell could you clarify what you mean by "input data"? It's possible that you mean that any data that might be used by some implementer to trigger, for example, sending attribution reports must be sold or shared under fair terms to any other organization that wants that data. I don't think that "licensing" would apply in that case because I think that most of the data isn't copyrightable (or patentable), but is instead facts about users, like their browsing history or when they visited particular websites. Mandatory sale or sharing of browsing history would be deeply concerning to user advocates, and I expect to many people in a group working on private advertising technology. It could also be that "input data" is a reference to the kind of data that is used in discussing standards designs, as @martinthomson referred to above. That data can be important to evaluating the feasibility of different approaches. I would suggest that as a group that works in public, we would typically rely on data that is shared publicly (which may necessarily be limited) in any decision making, rather than licensing or sharing data under some confidentiality terms. And I would agree that because of those limits, we also sometimes have to be skeptical or look for corroboration or additional evidence when we don't have access to private data. |
|
James’ post raises some important issues that might be useful for this smaller group to resolve so as to avoid issues we’ve seen with DID and other topics when the larger W3C community reviews the output of such groups. Criteo agrees that “advertising is a core component of the web now, and if we want to evolve the web that means we need to acknowledge advertising, its use cases, and build specific APIs towards its needs.” The question arises which “needs” we are addressing. The Charter seems to incorporate two assumptions that if left unaddressed could restrict competition for improved digital advertising as we try to improve privacy outcomes for individuals. Digital advertising is paid by a marketer to a media owner, and hence is primarily a business-to-business process. Of course the goals of both marketer and media owners are to attract, engage and achieve positive responses from consumers who are exposed to such paid content. However, if we are to support the needs of responsible advertising, then we might benefit from clarifying some specific principles:
I would hope we can revise the Charter to focus on improving privacy, while also ensuring we do not inadvertently restrict greater competition in digital markets. |
|
@jwrosewell, thanks for being brief. I'll do the same. FRAND: Like Nick, I still don't understand your points. I've made an attempt to clarify, but see no progress on this issue. Non-technical: It's not a monopoly. It is possible to do other work. I see no reason that other approaches will succeed. Convince me otherwise, preferably with action rather than more words. Parties: Your extensive note did little to clarify. Please frame your objection in specifics if you intend to make progress. Principles: We don't agree. We could add many words with contain no information content, but we should not. @joshuakoran, I'm not clear on how we might translate all of that into words in a charter. Or maybe I'm just not sure that we need to litigate this matters at the level of chartering. Let me try to explain more on the general point you make below, which I think is important enough to waste a lot of words on (sorry, it is a little lengthy). Either way, I invite you to suggest concrete changes rather than talking in the abstract. I don't know what you really want the charter to say differently based on this:
Regarding:
Yes, a lot of the information and actions occur between businesses. For starters, the flow of money occurs there almost exclusively. But businesses already have the means to talk to each other. It is the inter-business exchanges that involve users that are in scope for the work. The charter starts with a scope of "[...] specify new web platform features intended to be implemented in browsers or similar user agents." That is, we are looking to support any communication that might need to transit a user agent. To that end, anything that happens outside of that, whether it be the bidding processes or even exchange of user data between servers (inappropriate or not), is simply out of scope. The charter cannot claim exclusivity over interactions between businesses, though any interactions that are mediated by the browser are in scope... for improvement. I recognize that there is a general concern here that browsers are seeking a greater role in intermediating these communications. This only partly true. It is only true to the extent that it is necessary to achieve privacy goals. For example, @jwrosewell's objections seem to be more grounded in objections to those privacy goals than anything this group might do. That is, the objection is to browsers seeking to prevent unsanctioned tracking (as defined in various places). This group is very explicitly NOT about preventing tracking. It does hold a general and non-specific assumption that the work to stop tracking is at least partly successful. After all, if tracking remains viable, then there is far less incentive to adopt the solutions that a group like this might offer. However, this group only seeks to provide the advertising industry means of conducting their business that is not dependent on practices that have - or can have - poor privacy outcomes for web users. Back that general concern again, I appreciate that those who want to preserve the mechanisms that underpin tracking (and a number of less objectionable practices) find themselves with no venue to object to their removal. This is why we are seeing the focus on the topic here. There is no single "end tracking" working group (though Privacy CG comes pretty close; as chair, we'd welcome your contributions there) where concerned citizens might go to say "please stop". Without an obvious venue, this group seems like a nice place to have that discussion. It's not, but I understand the urge. What has happened is that browsers have - for the most part - unilaterally taken actions to stop tracking. Browser vendors will claim - and I agree - that those decisions are entirely within their remit. (We might need to find a different forum to discuss that point, because this isn't necessarily a simple topic either.) This conclusion is something that the browser market has largely vindicated. The quality of anti-tracking measures is now an important point of product differentiation...or at least that is my sense both from reading press and from what our marketing team has reported. The consequence of those changes it that cross-site exchange of information - as it relates to specific users - increasingly is being pushed to channels under the control of user agents. This is, in my opinion, a good thing on balance. It does change the competitive dynamics in markets like digital advertising, sometimes for the worse, but I'll get back to that point. However, the upside is huge. Information about how people use the web that flows between sites without any hope of user intervention - other than whatever the parties involved might deign to offer affected users - has done a lot of harm. These changes are putting user agents in a position to give users real control over those interactions. That will no doubt reduce the efficiency of those systems that depend on those information flows. But it allows us to give users the decision about what is or isn't appropriate rather than leaving it to those nameless entities that exchange that data. ...Mostly. What this group is going to be talking about is narrow carve-outs for things like measurement that won't (necessarily) involve user interaction in quite the same way. Robin's talk a few meetings back outlined the reasons for this (see slide 11 in particular, "PRIVACY CALLS FOR COLLECTIVE GOVERNANCE") where he points at the role of collective governance in handling systemic factors. For this, it is very much necessary for this group to identify the narrow bounds on what is appropriate within a specific context. We do this for a number of reasons, but foremost is that the business of advertising has been important to the web and we would like to avoid unnecessary damage. It is also because we recognize that curtailing cross-site information flow disproportionately advantages those who have less need for it. Those with large or diverse web properties are often able to realize a lot of their advertising goals with just the information they see from their own site. By providing advertising use cases with better options for conducting their business we hope to address some of the imbalance. Some of the things we produce will have a greater degree of user agent involvement. But those will be where there are fewer controls - such as consent dialogs...ugh - in place. In other places, such as FedCM, we will see things that start with far stronger user interaction requirements, but can be used to initiate direct B2B conversations about users without user agent involvement. A short note on the mention here of pseudonymous identifiers. My opinion, and what I understand to be the prevailing view of my peers, is that pseudonymous identifiers are a sham. There is a long and well-documented history of reidentification attacks on "anonymized" data sets that suggests that pseudonyms are ineffectual as a privacy measure. |
|
@seanturner @AramZS - I was not able to attend the meeting today. However I believe the criteria for further review within the group has been met. Please can you confirm the agenda at the next meeting will allow time to answer the points raised? I could start with a presentation explaining the key points. @martinthomson - one initial brief response. You state in relation to my objections.
This is not true and is a deliberate mischaracterisation. My position is that browsers MUST enable lawful data sharing between data controllers and processors and do nothing to prevent it or interfere with it. Anything else is to create quasi-laws that you, me, the W3C and IETF do not have the mandate to define and implement. |
|
@martinthomson one further initial point. Robin, @ekr, and your position is that data controllers and processors can't be trusted.
If you believe that, and feel you must do something about it, then create technologies to identify wrong doing and enable existing justice mechanisms to bring those bad actors to justice. Make the "promises" transparent and verifiable. Don't create technologies and changes to the web that remove free will, stifle innovation, and concentrate power over the web into the hands of a small number of gatekeepers. |
|
Martin, all,
As the newcomer I hope that I have understood things properly and hesitate to offer a perspective from my experience, but thought it might be helpful to clarify a couple of key points on FRAND and Privacy Issues.
FRAND
You raise an issue about what “Fair Reasonable And Non Discriminatory” or FRAND means in this context. It is used as a basis for a remedy to an issue of market power. So, for example, if a company is dominant in the provision of something, such as a telecoms network, the policy position in many countries is to require access to that thing on “fair reasonable and non-discriminatory” terms. Since Patent rights needed for the implementation of standards may enhance and increase, if not confer market power, one frequently used method of avoiding any challenge to agreements for the use of standards that read on patents is to require FRAND access in agreements to the grant of the use of patents that read on standards, (aka Standards Essential Patents). (W3C has such provisions in its basis constitutional agreements to avoid any such issue). So if there is any risk of market power being enhanced or increased as a consequence of standards setting one preventative action would be to require the use of something that risks being controlled by a dominant entity, to licence that thing on FRAND terms. In one case that might be a patent licence on FRAND terms in another the use of data on FRAND terms.
Privacy Issues
I think the current debate is clouded by the fact that “Privacy” is used without definition. Different people may reasonably think that they are protecting privacy by different means and others will disagree and talk past each other by not defining terms. (A lawyer asking for clear definitions is hardly original but is expected!).
Should the W3C discuss privacy or security or leave the parameters to be defined by markets? W3C should be about technical standards that allow things to work better; interoperate faster, improve functionality, speed, latency and increase quality of service and quality of experience. Since privacy and security affect all uses and their online services and experiences then it probably does need to be addressed: but in a technologically neutral way that does not provide a business benefit for one type of function, shape or structure of organisation over another.
Parliaments deal with policy and define norms in laws. Different parliaments define laws which reflect the priorities of different societies. Laws necessarily strike a balance between different policies and rights and freedoms. Personal rights and commercial and economic freedoms can conflict. They also seek to secure public interests such as copyright protections that provide key sources of revenue for news publications and public goods such as freedom of expression and freedom of speech. Reference to one law or another is important if the W3C is to discuss privacy with any certainty. Pragmatically, GDPR probably applies to more commerce and interstate commerce globally and may be familiar to more W3C members than any other law. So as a privacy law that most are familiar with, might we not use that as a basis for privacy definitions that we can work with?
With kind regards
Tim
From: Martin Thomson ***@***.***>
Sent: 23 June 2022 02:30
To: patcg/meetings ***@***.***>
Cc: Timothy Cowen | Preiskel & Co ***@***.***>; Comment ***@***.***>
Subject: Re: [patcg/meetings] Agenda Request - Review Working Group Charter Changes (Issue #52)
@jwrosewell<https://github.com/jwrosewell>, thanks for being brief. I'll do the same.
FRAND: Like Nick, I still don't understand your points. I've made an attempt to clarify, but see no progress on this issue.
Non-technical: It's not a monopoly. It is possible to do other work. I see no reason that other approaches will succeed. Convince me otherwise, preferably with action rather than more words.
Parties: Your extensive note did little to clarify. Please frame your objection in specifics if you intend to make progress.
Principles: We don't agree. We could add many words with contain no information content, but we should not.
@joshuakoran<https://github.com/joshuakoran>, I'm not clear on how we might translate all of that into words in a charter. Or maybe I'm just not sure that we need to litigate this matters at the level of chartering. Let me try to explain more on the general point you make below, which I think is important enough to waste a lot of words on (sorry, it is a little lengthy).
Either way, I invite you to suggest concrete changes rather than talking in the abstract. I don't know what you really want the charter to say differently based on this:
I would hope we can revise the Charter to focus on improving privacy, while also ensuring we do not inadvertently restrict greater competition in digital markets.
…________________________________
Regarding:
ensuring not all B2B processing for digital advertising must be exclusively bundled within user agent consumer software
Yes, a lot of the information and actions occur between businesses. For starters, the flow of money occurs there almost exclusively. But businesses already have the means to talk to each other. It is the inter-business exchanges that involve users that are in scope for the work.
The charter starts with a scope of "[...] specify new web platform features intended to be implemented in browsers or similar user agents." That is, we are looking to support any communication that might need to transit a user agent. To that end, anything that happens outside of that, whether it be the bidding processes or even exchange of user data between servers (inappropriate or not), is simply out of scope. The charter cannot claim exclusivity over interactions between businesses, though any interactions that are mediated by the browser are in scope... for improvement.
I recognize that there is a general concern here that browsers are seeking a greater role in intermediating these communications. This only partly true. It is only true to the extent that it is necessary to achieve privacy goals. For example, @jwrosewell<https://github.com/jwrosewell>'s objections seem to be more grounded in objections to those privacy goals than anything this group might do. That is, the objection is to browsers seeking to prevent unsanctioned tracking (as defined in<https://w3ctag.github.io/privacy-principles/> various<https://privacycg.github.io/nav-tracking-mitigations/> places<https://www.w3.org/2001/tag/doc/unsanctioned-tracking/>).
This group is very explicitly NOT about preventing tracking. It does hold a general and non-specific assumption that the work to stop tracking is at least partly successful. After all, if tracking remains viable, then there is far less incentive to adopt the solutions that a group like this might offer. However, this group only seeks to provide the advertising industry means of conducting their business that is not dependent on practices that have - or can have - poor privacy outcomes for web users.
Back that general concern again, I appreciate that those who want to preserve the mechanisms that underpin tracking (and a number of less objectionable practices) find themselves with no venue to object to their removal. This is why we are seeing the focus on the topic here. There is no single "end tracking" working group (though Privacy CG comes pretty close; as chair, we'd welcome your contributions there) where concerned citizens might go to say "please stop". Without an obvious venue, this group seems like a nice place to have that discussion. It's not, but I understand the urge.
What has happened is that browsers have - for the most part - unilaterally taken actions to stop tracking. Browser vendors will claim - and I agree - that those decisions are entirely within their remit. (We might need to find a different forum to discuss that point, because this isn't necessarily a simple topic either.) This conclusion is something that the browser market has largely vindicated. The quality of anti-tracking measures is now an important point of product differentiation...or at least that is my sense both from reading press and from what our marketing team has reported. The consequence of those changes it that cross-site exchange of information - as it relates to specific users - increasingly is being pushed to channels under the control of user agents.
This is, in my opinion, a good thing on balance. It does change the competitive dynamics in markets like digital advertising, sometimes for the worse, but I'll get back to that point. However, the upside is huge. Information about how people use the web that flows between sites without any hope of user intervention - other than whatever the parties involved might deign to offer affected users - has done a lot of harm. These changes are putting user agents in a position to give users real control over those interactions. That will no doubt reduce the efficiency of those systems that depend on those information flows. But it allows us to give users the decision about what is or isn't appropriate rather than leaving it to those nameless entities that exchange that data.
...Mostly. What this group is going to be talking about is narrow carve-outs for things like measurement that won't (necessarily) involve user interaction in quite the same way. Robin's talk<https://raw.githubusercontent.com/patcg/meetings/main/2022/04/05-telecon/PAT-privacy-principles-202204.pdf> a few meetings back outlined the reasons for this (see slide 11 in particular, "PRIVACY CALLS FOR COLLECTIVE GOVERNANCE") where he points at the role of collective governance in handling systemic factors. For this, it is very much necessary for this group to identify the narrow bounds on what is appropriate within a specific context.
We do this for a number of reasons, but foremost is that the business of advertising has been important to the web and we would like to avoid unnecessary damage. It is also because we recognize that curtailing cross-site information flow disproportionately advantages those who have less need for it. Those with large or diverse web properties are often able to realize a lot of their advertising goals with just the information they see from their own site. By providing advertising use cases with better options for conducting their business we hope to address some of the imbalance.
Some of the things we produce will have a greater degree of user agent involvement. But those will be where there are fewer controls - such as consent dialogs...ugh - in place. In other places, such as FedCM, we will see things that start with far stronger user interaction requirements, but can be used to initiate direct B2B conversations about users without user agent involvement.
________________________________
A short note on the mention here of pseudonymous identifiers. My opinion, and what I understand to be the prevailing view of my peers, is that pseudonymous identifiers are a sham. There is a long and well-documented history of reidentification attacks on "anonymized" data sets that suggests that pseudonyms are ineffectual as a privacy measure.
—
Reply to this email directly, view it on GitHub<#52 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AZYERR6QA6L437J3YR5SNMTVQO4XVANCNFSM5V4IQYHA>.
You are receiving this because you commented.Message ID: ***@***.******@***.***>>
|
|
Since @joshuakoran is a new participant in this thread I wanted to quickly make some comments to focus on his input:
Inappropriate is indeed the focus. I'm unclear on your objection here. This does not require or suggest that there is an exclusive reliance on user agents. That said, this is a W3C group so any standards we write are intended to be implemented by user agents and this limits our capacity to discuss proposals that exist entirely outside of the scope of user agent APIs.
The Charter is intended to establish the work mode, process, and scope of proposals considered. It's not the role of a charter to provide informational instruction on how particular user agents or OSs work, though we would invite fact sheets and documents on those topics in the WG or CG. With these responses in mind, if you agree with my points here, I think that addresses any objections to the charter remaining from Criteo? @joshuakoran please let me know if this has clarified the issue and dealt with the objections you've stated. |
|
First, yes, we see multiple objections to the WG charter here. Let's try and resolve them. We have not submitted the charter. Let's talk about FRAND some more:
If we are going to talk about FRAND, does this approach make sense to people including @timcowen and @jwrosewell?
As Martin has already noted (quoted above) we do not use concepts of first and third party. I'm unclear on what the objections are in that regard, however, as Martin has also noted, we were able to come to consensus on the minimal definition above. This was significantly discussed in a set of PRs concluding in patcg/patwg-charter#23 and then approved by consensus call on that PR and on a call. I do not see grounds at this moment, nor do I see a countering proposal to even discuss such grounds, to reverse that consensus call.
Our only use of the TAG Privacy Principles document is referencing its definitions as follows: Do you have specific objections to those specific definitions and if so on what grounds? Additionally, as I've noted before, the adoption of the TAG/PING privacy principles is a work of the W3C as a larger organization, and relevant to their work as review bodies of proposals within the structure of the W3C. It would be entirely inappropriate and also non-functional to try to include some objection to the Privacy Principles documents in the WG charter, even if consensus could be found to do so.
Because this is a W3C group, we cannot put text in the charter saying we are not bound by the W3C, which would be granting us this charter. This is completely impossible and also irrelevant to the work of the WG. You are trying to legislate the review work done by TAG and PING, and therefore your concerns should either be taken up with those groups, or with the larger W3C organization. I see no one but @jwrosewell attempting to place this type of text and, without any broad support that I can see, I do not intend to address further discussion on this topic.
This is a proposed technical working group that works within the bounds of the W3C to establish technical solutions. While we do not exclude any contributor, regardless of technical or non-technical backgrounds and professions, we are also neither a court or a trade body and have no interest or capacity to either find consensus on solutions that are primarily non-technical in nature nor to bind any particular set of interested parties to non-technical solutions. Binding of parties to non-technical solutions is work that does exist outside of the W3C, the LSPA by the IAB being one excellent example, though even there, signatories that I'd think should be part of the document can be difficult to get to participate, even with trade group membership involved. Since you seem to be describing some sort of other similarly contractually-locked scheme it seems clear to me that if the IAB, a trade org designed for such work, could not get all of its members to sign on to such a document, what hope would a single WG within the W3C have to get contractual agreement in that way, much less have the appropriate resources to enforce such a contract? This is not a criticism of the IAB, just noting that they, a much more appropriate venue for such style of work, have difficulties and it's hard to see how the WG could do better, even if it wanted to.
In response to this point: I agree the W3C does not have the mandate to define and implement laws. Nor does it have the capacity to enforce laws. The W3C is not a law enforcement body. It is not any sort of enforcement body. While it may establish standards, it has been clear historically that while it is advantageous for all user agents to apply those standards, the W3C does not force, nor have a mechanism to force, user agents to actually apply finalized standards. They are voluntary. If your position is
The charter neither requires nor prevents the use of FRAND in any proposal. As you have stated, the W3C has provisions that cover much of these concerns that would be automatically applied when they grant the charter. It seems to me that by stating our adoption of the W3C license and patent terms we have come to an agreement with respect to this charter. Do you agree?
That would be great, please advise here and within a potential working group should one be established. However, that work is for that group and it seems to me that we would both agree that it is inappropriate to somehow be written into the PATWG charter.
I agree that competition law is important and I think we both agree that it is established and successfully addressed by the existing W3C documents that we have adopted. If you feel that the existing W3C documents are somehow insufficient, then the place to address them is not within an individual W3C Working Group, but at the level of the W3C itself, right? Additionally, I did not intend to imply that there are no lawyers willing to contribute in regards to competition law or that the issue is entirely within the hands of lawyers, but that it is covered outside of the scope of the working group and should be addressed there.
This is covered in a variety of ways. First, the charter explicitly states: "Each normative specification should contain separate sections detailing all known security and privacy implications for implementers, Web authors, and end users." This allows each specification to specifically address privacy law or definitions relevant to their context. This is an appropriate place to do so, and for the working group to discuss those concerns. Additionally the charter states: For all specifications, this Working Group will seek <a href="https://www.w3.org/Guide/documentreview/#how_to_get_horizontal_review">horizontal review</a> for
accessibility, internationalization, performance, privacy, and security with the relevant Working and
Interest Groups, and with the <a href="https://www.w3.org/2001/tag/" title="Technical Architecture Group">TAG</a>.
Invitation for review must be issued during each major standards-track document transition, including
<a href="https://www.w3.org/Consortium/Process/#RecsWD" title="First Public Working Draft">FPWD</a>.Should a legal working group be established by the W3C, then it would be included in the "relevant working and interest groups" and would be doing a horizontal review. Should such a group get a charter, though it would not be necessary, we would be glad to add them explicitly, even though they would be included regardless. Finally, on the question of definition, as previously stated Privacy has been minimally defined, and the definition has reached broad consensus, as documented in the Scope section. Specific privacy concerns may arise within other proposals in which case they should be dealt with for that discussion. Does this address your concerns? I would like to move forward with the Working Group Charter being submitted and I will note that we have rough consensus on this charter. Moving forward on wider review would not lock the charter's text at this time so I don't see why the current set of narrow and not broadly supported objections should put a pause on the next step, especially since it seems that these objections are not addressable by this charter. To remind the group of how this process works, I will quote the CG charter on rough consensus:
Are there further objections that should stop wider review? |
|
I support submitting the Working Group Charter in its current form. |
|
The charter is not ready for submissions for at least the following reasons. At the moment one would have to follow WICG, PATCG, Privacy CG, PING, Federated Id, IWA BG, TAG reviews, Privacy Taskforce, and numerous IETF groups to contribute fully to the debate. Those working for large organisations will find this easier than smaller ones. A small number of the more active people in this group are fortunate to be able to have a job that provides them the mandate and therefore time to engage so fully across these groups. However they do not represent the majority of participants at W3C or the wider web community. All W3C members need to be in a position to understand the boundaries of a group. They do fund them via their membership fees after all. If defined well then members can be certain concerning the likely output from the group. However if defined poorly we find problems. Most recently the Decentralized IDentifiers (DID) and Payments groups received Formal Objections to their work. Those familiar with DID will likely agree that the charter was the root cause of the issues. i.e. The Formal Objections should have related to the charter not the eventual output of the group. Over the past 26 months I have observed a repeated problem concerning the definition of 'privacy'. As an example; what constitutes 'inappropriate'? There are many different views. We need to agree one. I have argued that something is either lawful or not. It should be easy to define privacy in relation to GDPR for the reasons that @timcowen points out. Anything that is not required by law is irrelevant and potentially anti competitive. There is then the issue of data sharing. This must be based on the "what" not the "who". Just because the charter does not mention specific words such as 'party', it is clear from the other content in the charter that proposers intend to advance a position where only web browsers can perform certain data processing. I disagree with that position. There are many examples where privacy is achieved without such a restriction. For example; the payments industry. Such a restriction merely serves to concentrate features into the web browser and is thus anti competitive. @timcowen has raised an innovative suggestion concerning FRAND terms for the data needed to implement a standard. There is nothing that would prevent such a clause being part of the charter therefore providing all web participants the certainty that should they wish to implement independently the standards of the group those that worked on them have already agreed to not only licence the intellectual property related to patents but also access to the necessary input data from their products. As a concrete example I would know that if Google and Mozilla joined the Working Group that they would licence me the data needed to implement the standard outside of a web browser and there would be no need to negotiate such an agreement with them in the future. However Apple if they did not join the group would be under no such obligation. This concept is identical to intellectual property associated with patents and seems very important where functionality is desirable to implement outside the web browser to avoid the web browser becoming a chokepoint. Rather than cycling through the minutia of specific text the principles raised need to be dealt with clearly and visibility before this charter goes to the membership. There needs to be a short 200 word set of principles to make it clear to the members the boundaries of the group and how these familiar but yet to be resolved issues will be addressed by the group. Leaving the membership and participants to work these things out from references to cross-site in other documents is not very helpful and likely ambiguous leading to many different understandings of the same document. The minutia can then be added once these principles are clear. |
|
"this is a W3C group, we cannot put text in the charter saying we are not bound by the W3C" Referencing the W3C Process only and not referencing documents that are not part of the Process achieves what we're both requesting. The only exception is the Antitrust Guidelines which for reasons I don't understand are not part of the W3C Process. I'm unsure why you're dismissing this simplification? |
This appears to answer my question above about what was meant by licensing of input data: the mandatory sale or sharing of data about users and their online activities to other organizations. Mandatory sale or sharing of browsing history would be deeply concerning to user advocates, and I expect to many people in a group working on private advertising technology. This proposal seems confused about what it means to implement a standard (do you mean instead: provide similar functionality in a different way from any proposed interoperable interface?), but also who has the right to sell data from a user's device or software. It would not be identical to royalty-free licensing of intellectual property in the design of a standard; it would instead be a novel mandate for organizations that participate in a standard-setting process to proactively sell or share data about users of their products. It also seems extremely unlikely that adding mandatory sale of user data to a charter would be generally acceptable to W3C membership. |
|
@jwrosewell The user agent does not always have the ability to negotiate FRAND terms on which to share its user's personal information. In many places, the user must consent, or has the right to opt out. The user agent can't commit to FRAND terms, or any specific terms. The user agent can only control its own actions. A workable FRAND requirement might be something like, "If the user agent does not have consent to share some piece of user data on FRAND terms, the user agent will not use that data for on-device ad placement or reporting"? @npdoty I agree that a positive data sharing mandate on browsers is unworkable. It might be more workable to limit on-device advertising placement and reporting to only act on FRAND-licensed data. (We still don't know what percentage of users will consent to any of the systems proposed in this CG. Unless users have a high level of math and infosec knowledge, it's unlikely that they will consent substantially more or less to on-device processing compared to multi-party/FRAND processing.) |
|
Nick,
The following is agreed:
“….has raised an innovative suggestion concerning FRAND terms for the data needed to implement a standard. There is nothing that would prevent such a clause being part of the charter therefore providing all web participants the certainty that should they wish to implement independently the standards of the group those that worked on them have already agreed to not only licence the intellectual property related to patents but also access to the necessary input data from their products. As a concrete example I would know that if Google and Mozilla joined the Working Group that they would licence me the data needed to implement the standard outside of a web browser and there would be no need to negotiate such an agreement with them in the future. However Apple if they did not join the group would be under no such obligation. This concept is identical to intellectual property associated with patents and seems very important where functionality is desirable to implement outside the web browser to avoid the web browser becoming a chokepoint.”
The next point but it was not what I was seeking to put forward.
With kind regards,
Tim
Tim Cowen | Chair Antitrust Practice
ddl +44 20 7332 5645<tel:+44%2020%207332%205645> m +44 78 0224 1629<tel:+44%2078%200224%201629>
***@***.***
Preiskel & Co LLP, 4 King's Bench Walk, Temple, London EC4Y 7DL
t +44 20 7332 5640<tel:+44%2020%207332%205640> f +44 20 7332 5641<tel:+44%2020%207332%205641>
www.preiskel.com<http://www.preiskel.com/> personal profile<http://www.preiskel.com/people/tim-cowen/>
Chambers & Partners Competition, IT & Telecoms Leading Firm 2018
Legal 500 Technology, Media and Telecoms Leading Firm 2017
WhosWhoLegal Telecoms Media & Tech Leading Lawyers 2017
Global Law Experts Communications Law Firm of the Year 2016
Preiskel & Co LLP is a law firm authorised and regulated by the Solicitors Regulation Authority and is incorporated in England & Wales with partnership number OC306371 and Registered Office at 4 King's Bench Walk, Temple, London EC4Y 7DL. A list of members is available for inspection at the office. The SRA rules can be found at http://www.sra.org.uk/solicitors/handbook/code/content.page.
Preiskel & Co LLP takes the privacy and security of personal data and confidential information seriously. The content of this e-mail, including any attachments, is intended only for the recipient(s) named above, and may be confidential, privileged or otherwise legally protected against disclosure. If you have received this e-mail in error please notify us ***@***.******@***.***> and delete it from your system.
On 28 Jun 2022, at 16:58, Nick Doty ***@***.***> wrote:
has raised an innovative suggestion concerning FRAND terms for the data needed to implement a standard. There is nothing that would prevent such a clause being part of the charter therefore providing all web participants the certainty that should they wish to implement independently the standards of the group those that worked on them have already agreed to not only licence the intellectual property related to patents but also access to the necessary input data from their products. As a concrete example I would know that if Google and Mozilla joined the Working Group that they would licence me the data needed to implement the standard outside of a web browser and there would be no need to negotiate such an agreement with them in the future. However Apple if they did not join the group would be under no such obligation. This concept is identical to intellectual property associated with patents and seems very important where functionality is desirable to implement outside the web browser to avoid the web browser becoming a chokepoint.
|
|
Hi Tim, I'm not sure what you meant about "the next point" or what you weren't putting forward -- either the paragraph you quoted or my reply. Our mix of Github, email and other tools can at times be confusing, so I thought I should try to clarify. |
|
Nick, I agreed that when James Rosewell summarised my points about FRAND that he was correctly doing so. The subsequent confusion appears to have arisen with your and D Marti’s assumption that end users would have to consent to FRAND, which conflates privacy with competition issues and overlooks the highlighted text in the sentence starting “ @timcowen has raised an innovative suggestion concerning FRAND terms for the data needed to implement a standard. There is nothing that would prevent such a clause being part of the charter therefore providing all web participants the certainty that should they wish to implement independently the standards of the group those that worked on them have already agreed to not only licence the intellectual property related to patents but also access to the necessary input data from their products. [etc] “ FRAND. The FRAND issue is one that arises for those that have market power ( Browsers from Apple and Google – see CMA Mobile Ecosystem Market Study 2022). So, the idea I advanced is that to help W3C (and members) comply with competition law, the Charter should make it clear that FRAND should apply to necessary input data and that discrimination by dominant browsers is not supported or endorsed by W3C. FRAND is a preventative mechanism to help W3C comply and address the economic and market power problem that may arise in developing standards. So, the way it works with relation to Patents (and other IPR) is that when a member of a standards organisation joins that organisation, the organisation requires, in its membership contract, that the IPR owners agree to licence IPRs on FRAND terms. If the implementer of a standard then in its implementation uses and reads on the patent or other IPR, that IPR is licensed on FRAND terms to those that use it. In doing so the standards body avoids the problem that has come up in the past of being complicit in a situation where an IPR holder then seeks to extract a rent from those implementing the standard (this famously happened between Google and Microsoft with relation to IPRs used in X Box). So, to be clear, the point is not about end users licensing anything. It is about ensuring that those that join the group under a Charter and the Charter needs to make it clear that FRAND applies to any essential input data used by browsers. (which may not be clear in the current W3C documents). It was also observed that W3C standards are voluntary. That is not correct as a matter of competition law since they are in effect mandatory being endorsed by dominant browser owners (see further below). Privacy The privacy issue that is raised when data is shared is a different issue from FRAND. The control and use of personal data under privacy laws may be addressed in a number of different ways. Much depends on whether the data is personal data from the perspective of identifying a living individual (“personal” or “identity” data). Then there are the methods that may be adopted to control or mitigate risks to that personal data. In the context of browser input data I don’t know if any data would be personal data or not. You may be able to assess that more closely. If the use of data does not involve the use of personal data then there would not be a personal data protection issue to address. If personal data is being used, then there are mechanisms that address risk to privacy such as how meaningful consent is obtained and how the individual is informed to ensure that there are no dark patterns being used to obtain meaningful consent, and whether the end user is informed properly about the specific use to which the data is being put etc. Each issue should be addressed separately. Conflation of each needs to be avoided if engineering solutions are going to work and comply with the law. Compliance Finally, and hopefully to avoid any residual confusion, as a matter of compliance for all, I have observed that the Charter could be improved if it included an express reference to licencing necessary input data on FRAND terms. That would be the basis on which agreement to the work of the groups would operate. While it has been observed that W3C makes voluntary standards, they are in effect mandatory since they will be endorsed by the dominant browser organisations and become the basis on which all others in their ecosystems then trade. ( see for further information on competition law, FRAND and standards Section 7 in the following: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:52011XC0114(04) I trust that this issue concerning the charter is now clear and we can make the change to the charter as suggested. With kind regards Tim |
A list of the W3C documents we reference in the charter:
As far as I can tell this set of links satisfies your request to have the charter "Referencing the W3C Process only and not referencing documents that are not part of the Process." Am I wrong? Please specify which, if any, of these document references you specifically object to. |
|
Suggest we start new issues as there are too many in this single thread. I've made a start. |
|
Fine by me. Splitting this thread works to make these conversations easier to track. I will close this thread and either add comments to your threads or open responses. |
|
@AramZS, to be clear, is your intention to move the charter forward to wider review now, given that it does not lock the text and the group seems to have rough consensus to do so, while these other issues are addressed? |
|
@eriktaubeneck I understand that only this meeting related issue has been closed so that the specific issues that it highlighted can be addressed individually under the charter. |
|
Looking at the meeting notes which this issue refers to, it seems pretty clear that there was rough consensus (as defined above) to move forward with submitting the charter for wider review, and that @AramZS set a deadline of doing so within 72 hours of that meeting concluding. The time has elapsed, and I don't see any other objections to submitting the charter. As submitting does not preclude continuing addressing issues on the charter repo, I am simply asking if @AramZS intends to submit as stated in the meeting notes. |
Agenda+: Reviewing remaining PRs on the Working Group that are labeled Call for Consensus
Our goal here is to review Calls for Consensus and close PRs on the Working Group charter, with the intent to finalize it.
Links
https://github.com/patcg/patwg-charter/pulls?q=is%3Aopen+is%3Apr+label%3Acall-for-consensus
The text was updated successfully, but these errors were encountered: