[wbs] response to 'Call for Review: Distributed Tracing Working Group Charter' from James Rosewell via WBS Mailer on 2020-06-22 (public-new-work@w3.org from June 2020)

From: James Rosewell via WBS Mailer <sysbot+wbs@w3.org>
Date: Mon, 22 Jun 2020 18:15:02 +0000
To: public-new-work@w3.org
Message-Id: <wbs-2b31ba9b059a33a5f3c73241490eccfc@w3.org>

The following answers have been successfully submitted to 'Call for Review:
Distributed Tracing Working Group Charter' (Advisory Committee) for James
Rosewell.


The reviewer's organization suggests changes to this Charter, but supports
the proposal whether or not the changes are adopted.

Additional comments about the proposal:
   This charter, and all other W3C charters and documents referencing
security and privacy, need to define how the following sentence will be
interpreted.
 
"The revision must define mechanisms that mitigate both fingerprinting and
other privacy risks exposed by Trace Context."
 
The W3C lacks a definition of the threats posed by supposed fingerprinting
in practice and a method of balancing multiple concerns. For example; it is
unclear to me how a fair assessment of a standard that will improve tracing
at a small theoretical risk of increasing entropy for fingerprinting would
be evaluated taking into consideration all the W3C’s values.
 
The W3C appears to have adopted a paternalistic and narrow view of privacy
which ignores factors such as the ability of an individual to choose who
they trust or the wider needs of society. For example; someone visiting a
publisher’s website may trust the publisher AND the publisher’s supply
chain of third parties including third party tracing companies.
 
The focus of security and privacy work seems to have been to remove or
limit standards for interoperability that might be used by bad actors to
perform bad acts without considering good actors and good acts. There has
been very little work done to audit the use of personal data and support
legal frameworks to impose sanctions on bad actors who perform bad acts.
For example; GDPR or TCF.



The reviewer's organization:
   - intends to review drafts as they are published and send comments.


Comments about the deliverables:
   The approach taken to tracing will impact solutions that also involve
identifiers such as improved web advertising. It is important the W3C are
consistent and perhaps a single solution could be found to support multiple
use cases.



General comments:
   Within the W3C Improved Web Advertising Business Group I have been
working with other W3C members and participants to define a set of success
criteria [1] for web advertising considering the needs of society, people,
advertisers, publishers, supply chains and access providers including
browser vendors. These success criteria could easily be adapted to this
group, or even applied cross the W3C to consider a range of stakeholder
requirements on many subjects.
[1] https://github.com/w3c/web-advertising/blob/master/success-criteria.md


Answers to this questionnaire can be set and changed at
https://www.w3.org/2002/09/wbs/33280/dt-2020/ until 2020-06-30.

 Regards,

 The Automatic WBS Mailer

Received on Monday, 22 June 2020 18:15:04 UTC