- From: James Rosewell via WBS Mailer <sysbot+wbs@w3.org>
- Date: Wed, 05 Oct 2022 20:54:02 +0000
- To: public-new-work@w3.org
The following answers have been successfully submitted to 'Call for Review: Private Advertising Technology Working Group Charter' (Advisory Committee) for 51Degrees by James Rosewell. The reviewer's organization suggests changes to this Charter, and only supports the proposal if the changes are adopted [Formal Objection]. Additional comments about the proposal: **51Degrees’ Formal Objection to Proposed Private Advertising Technology Working Group Charter** **05 October 2022** - updated footnote 4, 8, spacing, and section related to W3C due process ***Due Process*** The timeframe for review of this proposed charter was extended because "it did not gather enough reviews." The W3C process only allows for charter review to be extended when a member requests an extension. If the charter did not gain review from 5% of the membership within the alloted timeframe and no member requested an extension then the charter failed to gain sufficient review and the proposers would need to reflect on that before then considering resubmitting. Indeed a proposed chair of the group rejected a [request](https://github.com/patcg/patwg-charter/issues/38) related to the timeframe for review prior to the AC review process commencing stating "I think that [the chartering process timeframe] should allow plenty of time...". For those already skeptical of the W3C's impartiality the failure to follow due process for working group charters and formal objection handling further erodes confidence in the W3C. **Introduction** This note sets out objections from 51Degrees concerning the Proposed Private Advertising Technology Working Group Charter (“the Charter”). 51Degrees is a business-to-business (B2B) data company used in sectors including finance, insurance, travel, publishing, eCommerce, content management, analytics, fraud detection, and advertising. 51Degrees are a founding member of Movement for an Open (MOW)[^1] and are grateful for MOW’s support in preparing this Formal Objection (FO). The Charter seeks to debate and create W3C recommendations for web advertising services that must be implemented to some extent within a web browser and therefore provide web browser vendors significant control over the business of web advertising services in practice. It is a Charter for a working group whose mere existence will impact on competition. Such a charter is very different to one which seeks to debate and create W3C recommendations for general purpose features which are not intended for specific markets and are demonstrably competitively neutral. For example, Cascading Style Sheet (CSS) or accessibility. As such this FO must also encompass the inadequacies associated with W3C processes and practices where they relate to competition and due process. All the issues raised can be addressed via modifications to the Charter text to detail exactly how the inadequacy will be addressed by the group[^2] and also optionally via changes to W3C policies and processes[^3] which would apply to all groups. Further 51Degrees considers the Charter to be part of a mosaic of actions by those seeking to interfere with competition in digital markets via standards bodies. The discussions concerning advertising hosted by the W3C have already had an impact on competition even before a single recommendation has been drafted and passed to the AC for review.[^4] As such the Charter cannot be considered in isolation of these related actions and positions. The objection relates to four issues and includes constrictive proposals to address them: - **Issue 1: Starting assumptions about cross-site and cross-context data handling in relation to privacy.** We live in a data driven economy and while exceptions to the exchange of data that drives the economy are provided for in the law, the general position is that data exchange is permitted. The charter should revisit language that can be taken to read that some helpful data flows will be restricted. - While there are areas where cross-site and cross-context can raise concerns, they are not universal, and there are also instances where handling innocuous data across domains and contexts can be beneficial to users. - Instead of focusing on these data flows, there is a need for a workable definition of “privacy” the Charter must define the actual scope of “private advertising” and “privacy”. The handling of information using appropriate safeguards does not directly raise consumer harms, and can confer benefits, so undue limitation of the scope for use cases in the Charter language is unwelcome. - The UK Competition and Markets Authority (CMA) and Information Commissioner’s Office (ICO) clearly state that there is no distinction between first and third party in their May 2021 joint statement in determining privacy risks.[^5] The Charter must explicitly acknowledge that position if those who accept this regulator’s position are to contribute. - The Charter needs to specify the guidelines the group will use to mitigate risks to individuals from the collection and processing of their personal data regardless of which organisation is collecting and processing Personal Data. - **Issue:** These are inadvertent implications of language choices that need to be clarified at the Charter stage. The Charter most not take the position that all data will be regulated, to avoid pre-empting a debate about which specific data handling practices raise concerns. Explicitly avoiding the use of first and third party and focusing on risk of harm will help this group and the work of the W3C more generally as requested in 51Degrees general communication in June 2022 concerning 1st and 3rd party thinking[^6]. - **Issue 2: Potential commercial sensitivity of some proposed focal areas.** There are issues associated with inadvertently embedding sensitive commercial decisions in the standards layer. This raises questions about the W3C’s antitrust guidelines[^7] and whether taking positions on certain specific functionalities complies with those policies. There is also a need to ensure that any standard, Working Group Charter, or debate, does not unduly restrict competition and that competing access to lawful data flows for responsible uses remains unimpeded. - **Issue:** The Charter should omit references to commercially sensitive matters within standards definition, to be sure proposals discussed will not conflict with the antitrust policy. Alternatively, if sensitive matters are to be discussed, clean team arrangements should be in place to ensure that the commercial impact on participants in the debate is suitably firewalled. - **Issue 3: Scope of success criteria.** Success criteria correctly identify users as a focus but omit other constituencies of direct and indirect system users. - **Issue:** The success criteria should be extended to capture direct and indirect benefits from technology, such as foreseeable impacts on publishers including smaller publishers. - **Issue 4: Due process and potential conflicts of interests.** Inevitably, and appropriately, large technology companies have a major role to play in developing new technological standards. However, there are conflicts of interest if W3C members face financial impacts from system design decisions. At present, these can be objected to under the W3C Process Document, but there is no clear framework for how a commercial conflict of interest should be addressed as part of the group’s design process, especially given the under representation of small businesses in the W3C. There is also a concern that proposed group members have strong views in some of these debates, which may not represent the breadth of views of the membership[^8] or all participants in the web. There is a need for demonstrable neutrality. - Unrestricted participation must be shown to demonstrate neutrality. Further work is needed on how unrestricted participation is assured within W3C. For example, it appears that the current W3C Process Document seeks to assure unrestricted participation by aiming for consensus and hence negotiated input from all where, at Section 5.2.1 it states that consensus is not achieved if anybody registers a Formal Objection. If that Formal Objection is arbitrated by a neutral party on an objective basis, then non-partisan participation can more readily be shown to be taking place. - **Issue:** The charter must articulate a clear framework to address conflicts of interest, particularly in those cases where debate and potential recommendations have a self-preferencing commercial impact. For example, there could be a process for such commercially affected members to stand aside while the matter is referred out to more neutral participants, such as consumers of the systems (e.g., publishers rather than technology vendors). **Assessment** The web is now used by five billion people and powers trillion US dollar markets where individual companies have market capitalizations measured in trillions of US dollars. 51Degrees observe that W3C fail to implement existing guidelines concerning antitrust[^9] and these guidelines are not suitable for a 501(c)(3) legal entity[^10] governing the web. These observations are the subject of separate correspondence from MOW and further examples can be provided. The newly appointed Board of Directors must address these issues before this FO is assessed. Without a process that an objector has confidence will be followed fairly the objector can never be satisfied with the outcome. Recent FO assessment and resolution has not followed due process. The Charter raises issues that are complex involving laws and economics. They are important to the mission of the W3C. If the W3C Team believes that the FO would be more efficiently handled by splitting out the different concerns, then 51Degrees are willing to consider doing so. It is not possible via the submission process for one organization to raise distinct FOs concerning the same charter. 1. **Issue 1: Starting assumptions about cross-domain and cross-context data handling** *Elision of privacy and personal information* The Charter refers to the interrelationship between advertising, privacy, and personal information as the core focus of the Working Group: The purpose of these features is to support web advertising without compromising user privacy. Here “privacy" minimally refers to appropriate processing of personal information. Indeed, “Privacy” within W3C has so far been defined as “Preventing the unintended or unauthorized disclosure of information about a person.”[^11] This definition aligns with applicable data protection regulations that recognize people’s privacy rights relate to information linked to specific consumers, natural persons, or data subjects.[^12] However, it is becoming clear that the relationship between personal data and privacy is more nuanced: - Privacy and personal information are not identical concepts. Sometimes, information that may link to a device, or even to a person, is not private – especially when a user is interacting with other members of society. This would be so with innocuous data. Consider an example like height. Height is visible and allowing advertising to use it *responsibly* may well be helpful in some contexts, even on a tailored basis (e.g., tall people finding tall clothing stores). - As explored below, much marketing data is not linked to specific individuals at all, e.g., through pseudonymisation or other appropriate privacy-by-design measures. But even if it were, substantial amounts of information sharing may be consumer friendly, if it helps people to more easily find products and services of interest. This also helps publishers to generate income, which indirectly helps consumers by funding their access to digital content and services. - In other cases, data which is not about specific individuals might link to data protection or privacy concerns. Even a system that, strictly speaking, is not itself linking to identity could raise a concern if tailored content were to reveal something private, e.g. through shared device use. Privacy concerns could arise if identity can be revealed by someone else (e.g., another system user) and shows that the definition of privacy does not always align with personal data use from the user perspective. - Still other situations involve data handling which is not personal at all (e.g., fully anonymised data) which seems not to raise a privacy concern at all. However, the legal side of the debate has not always taken that position. A reference to protecting “personal information” in all cases could be taken to imply this, limiting beneficial use cases where data should flow given the balance of interests favours the beneficial users over the risks to specific individuals. In summary, because personal data and privacy are not the same thing, it would be mistaken to lay a foundation based on eliding the two. Instead, there should be an investigation to establish what is “private." The statement refers to “appropriate processing of personal information” and it may be that “appropriate” already catches this concern, but it would seem wise, at the Charter stage, to preserve the position as regards the interrelationship between privacy and personal data. Simply omitting the sentence on the relationship between privacy and personal information will allow an open-minded debate on point. *Cross-site and cross-context data handling* The Charter takes a position on the use of data across sites and contexts: “Ways in which new features might enable inappropriate processing include (but are not limited to) enabling of cross-site or cross context recognition of users or enabling same-site or same-context recognition of users across the clearing of state.” There will be circumstances in which cross-site and cross context data handling raises concerns. For example, medical records call for strong protections against out of context use. But as with the link between privacy and personal information, the picture is more nuanced. Some user-friendly data handling happens across different sites and different contexts. Users have a strong interest in accessing free content. Personalised advertising can yield up to 71% more return on investment to a content publisher, indirectly furthering consumer interests. This was seen when Apple’s ITP began to block some of this data on Safari (See e.g., the UK Competition and Markets Authority’s Mobile Ecosystems Market Study Interim Report, p. 249)[^13]. For specialist websites with even more nuanced content, the figure may be even higher. *Conformity with existing W3C approaches* The web standards bodies and W3C members have proposed “origin,” “site” and “context”[^14] as potential boundaries across which user expectations may not align with lawful flows of data sharing. “Context” is frequently not a boundary of an origin (e.g., Wikipedia.org has multiple contexts but one origin per language), yet the ambiguous term of "context” is proposed for use in the Charter itself. The Charter needs to specify what is the touchstone by which this group will work by to mitigates risks to individuals from the collection and processing of their personal data. The current language is not precise enough to provide sufficient guidance on when a proposal is improving privacy versus merely specifying which organizations or category of web participant this group believes ought to collect and process specific individual’s personal data. **Example of helpful cross-site and cross context data handling:** A freelance product review writes a specialist blog for children’s car seats. The reviewer measures how seats fit for relatively rare use cases such as requiring three car seats across a back seat. Some cars are large enough; others are not; and information available to the parents is poor. The reviewer dutifully measures out the cars and provides reviews that save parents hours of time. Using current cookie-based technology, the advertising technology behind the website would be able to provide at least some information on conversion and would allow at least some return on the investment of time via pay-for-performance or affiliate marketing commissions. This funding increases the supply of helpful reviews from smaller blogs. Proposals to stop cross-context or cross-site data handling would limit or even eliminate this use case, replacing it with contextual advertising, or turn it into a monopoly by the largest platforms or internet gatekeepers. In cases where the blog is no longer written, this effectively puts the blog out of business and means that the lost income is 100%. So the 71% average loss for some content producers may, in fact, be a low end estimate. The loss of this added value to content producers harms the user interest: - The user interest is in having the information on the car seat, and provided that privacy-by-design safeguards are used, there is no clear downside to the user from the data flowing, *including across contexts and domains*. - On the contrary, there is an upside. This is especially true for specialist and minority interest which may be poorly catered to on purely contextual approaches, which have a “herd” tendency. - There will be many similar examples where the consumer interest is in having innocuous data flow, provided that the relevant safeguards are in place. Indeed doodle.com[^15], often used by W3C participants to arrange meetings, is funded from advertising that operates as described and which the group intends to create web standards to interfere with. This is a helpful use case, and Charter language should not diminish it at the debate framing stage, to ensure that the next generation of technology can cater to it. *Reference to “users” rather than distinguishing between user identity vs pseudonymous identifiers kept distinct from identity-linked data* There is also the difficulty that the reference to “users” elides the important difference between pseudonymised users and the identity of system users. This may not be intended, but may inadvertently decrease the scope for discussion of the role of privacy-by-design safeguards that have an important role to play in these debates. However, there are also some positive points from 51Degrees’ point of view. For example, the reference to “inappropriate processing … across the clearing of state” seems sensible as a means to focus on what consumers want and to protect their choices (e.g., allowing those users who are concerned about a site or organization recognizing their web-enabled application after they exercise their right to be forgotten, such as by clearing state). There is also much to like, from 51Degrees’ perspective, in the idea that “The Working Group may consider designs that allow user agents for the same user — including non-browser agents, like Operating Systems — to collaborate in providing advertising features.” This seems sensible as it paves the way for focusing on risk management via a range of vendors and technical solutions, rather than isolating all control over data collection and processing to web browser vendors. Indeed, this potentially helps to align with some trends in the wider data policy community with which the proposed standards and Working Group will engage. It may simply be that the language about cross-site and cross domain handling, just like the privacy/personal information language, needs to be clarified in relation to protecting other rights (e.g., freedom of speech/expression, freedom to operate a business or cross-context data portability) to ensure it is not unduly restricting the scope for debate in the context of these developments. **Developments in wider data protection circles regarding cross-site and cross context data use** 51Degrees appreciates that the desire of the Working Group is to focus on technology and not surrounding policy debates of general application. However, to the extent that de facto standards may contrast with the law and may be very widely deployed, it seems helpful to cast an eye on trends in developing data protection regulation. At least one participant, Google, is obliged to use legal definitions of privacy law in its proposals under a regulatory settlement[^16] with the UK Competition and Markets Authority, reflecting concerns that shifting or vague privacy definitions can harm rivals seeking to design systems over time. So, it seems to behove the Working Group at least to be mindful of what these trends are and whether the Charter aligns with them. 51Degrees expects Google to note this issue in their response to the Charter. Data protection regulation has moved on in recent years towards emphasis on risks from data processing, rather than the existence of processing across sites and contexts. A good example is the UK Information Commissioner’s Office’s November 2021 AdTech Opinion, which expressly states that regulators expect emphasis on identifiable risk rather than hypothetical hazards from data transmission. Indeed, Google successfully argued in Lloyd vs Google that the presence of third-party advertising tracking cookies is not unlawful[^17]. Indeed, W3C’s 2015 document Unsanctioned Tracking[^18] is now out of step with this, as it simply asserts some concerning hazards, rather than modelling risk. In its crucial definition of harm at section (3), the document chiefly relies on a relatively vague and unquantified hazard (“undermine user trust”) without information on the context of when this concern does, and does not, arise. The 2015 document does give one very striking example: the revelation of pregnancy via the display of adverts, which would seem to be a core privacy concern. However, it does not engage with a *risk-based* approach to this hazard. Such an approach might consider more tailored responses, such as specifically banning health-related categorization. This would address areas of priority concern and allow a focus on them. It would also have the notable benefit of allowing other data to continue to flow, in cases where risk is low or even zero. By contrast, many recent proposals (e.g., First Party Sets[^19]) seem minded to apply the thinking from before this change in regulation and to implement this through restrictions in the technical standards layer. It is unwise to build an obsolescent approach to these risks into the Working Group Charter as this would cut across the work undertaken by regulators to help prioritise high risk concerns, while allowing the benefits of non-harmful processing to continue. There is scope for the Working Group to help move forward the debate from the 2015 document, and the Charter should take an open-minded approach to the question. *The role of privacy-by-design safeguards* Privacy-by-design safeguards seem to be understated in the current scope definitions. A large part of the debate seems likely to concern how to design technical systems to ensure that privacy concerns do not arise, and the role of privacy-by-design measures to this end (as opposed to simply decreasing data flows) seems helpful to add. In the construction of the Charter draft participants were unwilling to recognise the role of non-engineering professions such as economists and lawyers in privacy-by-design solutions. This is a major concern to 51Degrees who do not believe optimum solutions to complex problems are found in only one profession. The Charter would fully embrace privacy-by-design by replacing the word “Technology” in the title with “Solutions” and removing the words “primarily non-technical” from the text. *Privacy Principles* 51Degrees object to the direction of the work underway by TAG to create a Privacy Principles note[^20]. These objections are articulated by MOW[^21] and are yet to be assessed by TAG or PING. As such a resolution to this concern that 51Degrees would find acceptable cannot be found in the Privacy Principles as currently drafted or under the direction of the current editor. 2. **Issue 2: Potential commercial sensitivity of some proposed focal areas.** The section of the proposed Charter on Private Attribution Measurement raises some concerns about commercial sensitivity in technical design decisions: - **Conversion data definition:** There is a starting assumption that user-level conversion data should not be gathered: “This specification defines how to privately measure advertisement attribution/conversion rates without revealing whether any individual user converts or does not.” This example helpfully illustrates again that some cross-context and cross-organizational data sharing (e.g., in this case attribution matching of user interactions with a marketer’s property to prior exposure to content on media owner properties) is both expected and beneficial. The Charter needs to clarify exactly why specific organizations should collect and process such data for business advertising purposes, and how the risk they pose to individuals is or can be appropriately mitigated such that other organizations and new entrants can follow suit without unreasonable barriers to entry. - Without clarifying such rationales, this type of specification may restrict competition or unfairly discriminate against organizations that operate business-to-business (B2B) advertising solutions, but do not also manufacture business-to-consumer OS or web application software. As there may be no privacy concern (e.g., Random ID 123 bought shoes after seeing Ad ABC), it is unclear why this is ruled out of scope for only organizations that do not manufacture such software at the technical design stage. - As another example, if “first party” were to be used as a criterion for a privacy boundary this would effectively favour larger incumbent content authors and media owners at the expense of smaller rivals whose niche content might appeal to otherwise underserved minority interests. Thus any specification that favours those organizations who already have larger audiences, would be using a technical standard to effectively distort the market away from sites that could otherwise provide the most user-centric ad-funded content and services. - **The list of normative specifications:** Many of the specifications listed are the subject of competition between providers. Each of the three stages concerned raises commercial sensitivities, because different companies are affected by them differently: - **Pre-campaign planning** including critical points on audience definition, context to engage the “right” audience, time of day, day of week by geo-region**;** - **Intra-campaign optimization** including critical points on budget allocation, price, and messaging adjustment; - **Post-campaign reporting and attribution** including critical points on feeding decision making to reduce waste in media spend that drives higher revenues for media owners**;** In all three cases, there is scope for technical standards to cut across commercial business-to-business decision making. The risk is greatest if they were used by large browser vendors to prevent competing B2B data flows and processing which do not themselves raise consumer concerns. So while 51Degrees admires the desire to focus down on technical matters, any standard must ensure it does not restrict competition by focusing on which type of organizations engages in business-to-business processing of non-sensitive or low risk input data. W3C’s existing Antitrust and Competition Guidance[^22] requires that: “**W3C does not** play any role in the competitive decisions of W3C participants nor **in any way restrict competition**…. [P]articipants should not discuss product pricing, methods or channels of product distribution, division of markets, allocation of customers, or any other topic that should not be discussed among competitors.” (emphasis added) An open standard allowing data flows among business-to-business processing required by the digital properties people choose to visit would support competition and hence not violate this W3C antitrust proscription. However, many of the proposed Attribution Measurement proposals seem to restrict which types of organizations are allowed to provide such business-to-business ad solutions, this could amount to transgressing the W3C’s antitrust policy, for example if defining certain audience-related capabilities effectively “allocate[s] customers” (or at least demand) into particular vendors or amounts to a division of markets away from other rival solutions. “Methods or channels of product distribution” also seem to be implicated, because the definitions seem likely to affect how, by whom, and to whom advertising services are sold and provided hence “restrict[ing] competition.” A worst-case scenario is that modelling how well proposals work directly implicates price and performance of products, which is an area where companies are required to compete and accordingly a topic which representatives should not discuss. To the extent that standards framers from affected organisations necessarily must discuss commercially sensitive design decisions, care is needed to employ the antitrust guidelines. It will also be helpful to consider how restrictions on competition resulting from the application of standards, such as restrictions to data flows, could be addressed. A typical means to do so is to apply a Fair Reasonable and Non-Discriminatory (FRAND) licensing policy to any data flows that are brought under control by the standard. In this case, that would mean specifying what the relevant privacy safeguards are and applying the same criteria in a non-discriminatory manner so that other compliant businesses can serve a wide range of use cases. In many cases, closing off access to legally compliant data flows can impede valid use cases, and the requirement to define relevant safeguards for broad application would be a practical means to avoid undue limitations. Participants in the group need to agree to such licensing terms as a condition of membership. Even if one were to believe that consumers should control the business-to-business advertising decisions that marketers make when choosing to subsidize specific publishers, then it would make more sense to enable consumers to choose which advertising vendors they wish to operate advertising solutions for the sites they visit, rather than have this choice removed by bundling business-to-business ad systems into the web browser they select to access various publisher’s digital content and services. **It would be helpful to have some remarks on how this might be done in the Charter** given the sensitivity of a number of the listed topics**.** **Possible practical safeguards: Clean teams and conflict of interest protocols** A practical approach to these risks would be to adopt so-called “clean teams” from organisations affected, who could not see the impact of the standard on their business so as to have clean hands when coming to discussion. This could be done by pseudonymising data input and creating firewalls. Indeed, participants are *already* required for at least one member (Google) under the UK CMA Privacy Sandbox Commitments[^23] (See especially Paragraph 30, requiring non-discriminatory design and implementation decisions). A “trust but verify” approach would require clean team safeguards to avoid risks of this taking place, given the significant potential conflict of interest. As things stand, however, no such safeguards are in place, which seems unnecessarily to engage risk to the W3C and participants in such activity that would restrict competition in violation of the antitrust provisions incorporated into the Working Group Charter (section 10). 3. **Issue 3: Scope of success criteria.** 51Degrees agrees that it is important to consider what success looks like at the start of a project to compare the relative merits of alternate proposals. However, there are significant concerns that the current definition is incomplete: Each normative specification should contain separate sections detailing all known **security and privacy implications** for implementers, Web authors, and end users. There can be no doubt that these are correct criteria, but there are others besides security and privacy[^24]. The most secure web system would simply be to abolish the web, because then no data would flow, and there would be no risks to security or privacy. This is clearly, however, against the user interest and W3C mission. There are unspecified success criteria here, and they should be fleshed out. 51Degrees edited success criteria[^25] within the Improving Web Advertising Business Group which provides guidance on how this can be addressed. The proposers should incorporate and update that document as an appendix to the Charter before progressing. There needs to be focus on other important considerations. The most important relates to how technical standards on advertising have indirect consumer impacts from the way that they can (sometimes inadvertently) alter incentives facing publishers and restrict beneficial access to those serving minority interests. For example, a paywall-led model or a logged-in model of the internet might maximise “security and privacy” but not be in the consumer interest for those who are economically disadvantaged. Issues arise with: - **The user experience,** e.g., unnecessary pop ups to gain consent for business-to-business processing, where properly providing information to consumers makes informed decisions is challenging, even where data handling risks are low or zero. - **Content creation** where this is supported by technologies that are not the *most* secure, but do not pose any meaningful security risk on an evidenced basis (e.g., a blog using an affiliate marketing system that relies on sponsorship payments). - **Incentives towards paywalls** if free content is diminished. Given the likely discrimination against the economically disadvantaged, the user interest would be to ensure continued access of “free” ad-funded content, whereby the marketer subsidizes the consumer’s access, rather than restricting data flows, provided that safeguards are applied. - **By requiring people to log in** to receive services when they would not otherwise need to does not advances people’s privacy online and is not considered privacy-by-design. It is positive that “There should be testing plans for each specification, starting from the earliest drafts,” which addresses concerns about earlier unilateral proposals not showing a clear testing paper trail nor a balance of interests including the indirect interests of individuals alone or society, which represents groups of individuals. This is immensely welcome and helps to implement part of Google’s Commitments to the UK CMA (para 17© on testing). However, for this testing to be meaningful, it will need to define things to test against, beyond just privacy of security, or, by definition, the sole focus on those prioritised variables (however defined) must logically predominate. The Charter authors need to include impacts on publishers and the consumer interest more broadly construed, to avoid testing from becoming too narrow and thus departing from the interest of users, including groups of users and indirect impacts on users. This reflects the fact that the user interest is not only in privacy and security maximisation, but in content creation and ad-funded access as well. Without sufficient competition among the business-to-business processing associated with ad-funded access, then content producers and media owners might pay more than what the competitive market rate would normally be, thus diminishing investments in consumer-facing innovations, content and services they ordinarily would have provided but-for the less. The text of the charter needs to be modified to include an outline test plan and show clearly how a proposal will be tested from the perspective of competition and market impact. There will be no point conducting engineering tests of a proposal if it fails to pass a test of compliance with competition law. 1. **Issue 4: Due process and potential conflicts of interests** 51Degrees notes that the Charter proposes to follow the W3C Process Document[^26], with attention drawn specifically to Section 5, Decisions[^27]. 51Degrees agrees with and supports the desire for consensus expressed in Section 5.2,in particular. However, there are concerns that the sensitivity of the commercial impact of the standards, as well as a number of fundamental points of debate about the role of data handling, mean that consensus building may prove unusually challenging here. For example, one prominent W3C member, Google, expresses a strong view that the “aim” of its Privacy Sandbox proposals is to support key ads use cases without cross-site tracking.” (Google’s Q2 2022 Update Report[^28] to the CMA, p.11, 25 July 2022). This engages fundamental debate of the sort outlined at (I), and it seems likely that disagreement will occur over commercially sensitive matters such as the scope to handle data between sites and contexts in cases where risks are low. Another participant in the envisaged Working Group, endorsed by a proposed chair, has expressed a view that consensus will be used to address some of the issues raised in this FO[^29]. The Charter envisages a majority vote to resolve such an issue: “if a decision is necessary for timely progress and consensus is not achieved after careful consideration of the range of views presented, the Chairs may call for a Working Group vote and record a decision along with any formal objections… A call for consensus (CfC) will be issued for all resolutions (for example, via GitHub issue or web-based survey), with a response period from one week to 10 working days.” This is a good starting point for addressing the need to balance debate and consensus building. However, it contains a number of weaknesses: - **Risk of dominance by a few companies:** A majority can easily be constituted by well-represented members, regardless of the quality of the substance of the objection; even the most principled objection from a smaller company could be ignored on numbers rather than on the merits; - **Delay**: In a case where the majority voting envisages results in overruling a valid substantive concern, there is a risk of a Formal Objection, because the Section 5.2.1 definition of Consensus in the W3C Process Document states that consensus is *not* achieved if anybody “in the set registers a Formal Objection.” Both the Charter and the W3C Process Document contemplate circumstances where it is possible to proceed without Consent: The [Chair](https://www.w3.org/2021/Process-20211102/#GeneralChairs) *may* record a decision where there is [dissent](https://www.w3.org/2021/Process-20211102/#def-Dissent) (i.e., there is at least one [Formal Objection](https://www.w3.org/2021/Process-20211102/#FormalObjection)) so that the group can make progress (for example, to produce a deliverable in a timely manner). Dissenters cannot stop a group’s work simply by saying that they cannot live with a decision. When the Chair believes that the Group has duly considered the legitimate concerns of dissenters as far as is possible and reasonable, the group *should* move on. (5.2.2, Managing Dissent) However, the Formal Objection would remain and has to be identified before Advisory Committee review (5.6, Recording and Reporting Formal Objections). This creates uncertainty and the potential for unnecessary delay during resolution. The most concerning case would be that of a direct conflict of commercial interest, such as a proposal that alters data flows to the commercial benefit of a member. That would seem to be a serious concern, and rather than having a hostage to fortune in the Advisory Committee review, it would seem preferable to address possible conflicts of interest in the Working Group charter. Indeed, this is envisaged by the W3C Process Document: As part of making a decision where there is dissent, the Chair is expected to be aware of which participants work for the same (or related) Member organizations and weigh their input accordingly. (5.2.2) Applying that principle here would require commensurately low weighting to companies affected by commercial decision making. A practical approach would be to give more weight to purchasers of the technologies, such as content producers, and less to companies with a “dog in the race”. User interests could also be employed, provided that user evidence is collected carefully to account for the difficulty in users understanding some of the technological aspects associated with business processing purposes (e.g., surveys would need to explain privacy-by-design safeguards, unlike many existing surveys). The Charter needs to ensure explicitly that content creator, media owner and publisher interests are given greater weight than the interests of user agent implementors. The debate prior to the submission of the proposed Charter agreed such input should come from a Community Group[^30] but this approach has not been included in the Charter text. The use of a Community Group to gain wider input on decision making must be enshrined in the Charter text. We note that the long-standing Priority of Constituencies[^31] referenced from the Private Advertising Community Group Charter[^32] is notably absent from this Charter of this Working Group of the same name. However, what is likely not to work well is for technical specifications to be proposed by those who benefit from other companies receiving less data. Indeed, this would seem likely to contravene the UK CMA Commitments, at least in Google’s case, and could result in protracted uncertainties surrounding work product as those points are resolved. To address the point now, the Charter could helpfully discuss how it proposes to address conflicts of interest, e.g.: - By using clean teams within organisations (see above); - By adopting different voting majority rules (majority of companies rather than voting members); and/or - By altering voting constituencies (e.g., to account for a wider range of technology users, rather than web browser vendors). In summary the process for establishing consensus and decision making that is used widely across the W3C is not appropriate for this Charter given the significance of the decisions and work of the group to competition. This has previously been raised with the Advisory Board[^33] and is likely to form the first order of business for the newly appointed Board of Directors. **U.S. Department of Justice guidance on how to address due process concerns in standard setting bodies** There is helpful guidance on this point from the U.S. Department of Justice: “Standards development organizations (SDOs) use a variety of safeguards to achieve the benefits of standardization while minimizing potential antitrust risks. These safeguards include, as articulated in guidance circulated by OMB, taking steps to ensure that the standards-development process is “open to interested parties,” **balanced, and** **consensus based**, and that SDOs’ procedures provide for due process and appeals.” (Antitrust Division Economics Director of Enforcement Jeffrey Wilder at the IAM and GCR Connect SEP Summit, Sept. 29, 2021) The focus on the W3C documentation on fostering consensus is helpful, but concerns could arise related to: 1. The contemplated scenarios in the Working Group charter which would depart from consensus (e.g. bare majority voting); and 2. Whether the additional requirement for “balance” is addressed. The speech refers out to a memorandum on standard setting by the federal government known as Circular No. A-119 Revised (Feb. 10, 1998). This is designed to stop government standards from unduly restricting purchasing choices. Although this is a slightly different context, to the extent that the proposed standards would de facto alter data handling on a widespread basis, affecting many vendor / purchaser / user relationships, the same safeguards carry over. The suggested safeguards are: “openness, balance of interest, due process, an appeals process, and consensus defined as general agreement, but not necessarily unanimity and includes a **process for attempting to resolve objections by interested parties, as long as all comments have been fairly considered, each objector is advised of the disposition of his or her objection(s) and the reasons why, and the consensus body members are given an opportunity to change their votes after reviewing the comments.”** Circular No. A-119 Revised, at 4.a(1) (emphasis added) Applying these safeguards, it would be helpful for the Charter to: - Identify the process to attempt to resolve objections, including: - Who handles a conflict-of-interest complaint and how this is “fairly considered” including the crucial question of *who* considers the complaint - Identify a timeline for resolution and an appeals process, and how this relates to the work in progress. - Identify how reasons for resolution will be shared, including the power to hold the vote again once these reasons are known. The current proposal to use a simple majority vote on a compressed timeframe (e.g., via online polls of as little as one week) seems very unlikely to meet these requirements. It is unclear how reasons would be articulated and disseminated in time for a meaningful repeat vote after resolution. This seems to be an area in need of some additional specificity to comply with the due process requirements outlined above. [^1]: <https://movementforanopenweb.com/> [^2]: For example, appointing an independent monitor to verify that competition issues are not present and advising the chairs and group participants where there are problems, or establishing clean team arrangements for those that participate in the group from dominant companies. [^3]: For example, amending the W3C antitrust guidelines to align to DoJ and other guidelines and ensuring that they are enforced. [^4]: See for example, UK CMA note that Google's request for market actors to participate in W3C and other forums, and announcements by its senior staff, have had a likely anti-competitive impact on rivals. <https://assets.publishing.service.gov.uk/media/60c21e54d3bf7f4bcc0652cd/Notice_of_intention_to_accept_binding_commitments_offered_by_Google_publication.pdf> | Martin Thomson of Mozilla noting that "After all, if tracking remains viable, then there is far less incentive to adopt the solutions that a group like this might offer" thus acknowledging that in a situation where participants have choice they will not favour the work product of the proposed group. <https://github.com/patcg/meetings/issues/52#issuecomment-1163823743> [^5]: <https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/987358/Joint_CMA_ICO_Public_statement_-_final_V2_180521.pdf> \- “There is no explicit reference to the distinction between first-party and third-party data in data protection law.” [^6]: <https://lists.w3.org/Archives/Public/public-patcg/2022Jun/0074.html> [^7]: <https://www.w3.org/Consortium/Legal/2017/antitrust-guidance> [^8]: Mozilla do not believe privacy-by-design and lawful proposals to improve privacy are legitimate unless they are controlled by web browsers and implemented entirely by the profession of engineering. See analysis of SWAN and UID2 which contains a number of factual errors advised to Mozilla - <https://blog.mozilla.org/mozilla/swan-uid2-privacy/>. Mozilla representatives have sought to restrict the Charter in its development. At least one of the proposed chairs of the group has publicly expressed positions that are concerning to other participants. See the following Tweet in relation to a B2B business called TransUnion <https://twitter.com/Chronotope/status/1564246061773950979?s=20&t=-ecWJdXh5TyvaiyTm_LO6Q>, or the following analysis of another advertising proposal <http://aramzs.github.io/web-standards/2022/08/04/topics-api-review.html>. The employer of one of the proposed chairs is active in the publishing and advertising sectors <https://washingtonmonthly.com/2022/06/20/jeff-bezoss-next-monopoly-the-press/>. [^9]: <https://www.w3.org/Consortium/Legal/2017/antitrust-guidance> [^10]: <https://www.w3.org/2022/06/pressrelease-w3c-le.html.en> [^11]: Composite Capabilities/Preference Profiles: Terminology and Abbreviations, W3C Working Draft (21 July 2000), <https://www.w3.org/TR/CCPP-ta>. *See also* The Platform for Privacy Preferences 1.0 (P3P1.0) Specification, W3C Recommendation 16 April 2002, which was used for 16 years before replacement on obsoleted on the basis of limited adoption, but not on any limitations as to privacy definitions, on 30 August 2018), where in Scenario 3 describing a website vendor’s cookies used in providing frequency capping that “do not reveal information about any individual users.“ - <https://www.w3.org/TR/P3P>. [^12]: *See* GDPR, Art 4: “personal data’ means any information relating to an **identified or identifiable natural person (‘data subject’)**….” versus “‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a **specific data subject** without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are **not attributed to an identified or identifiable natural person**.” CPRA, 1798.140(v)(1) “Personal information” means information that identifies, relates to, describes, is *reasonably* capable of being associated with, or could reasonably be linked, directly or indirectly, with a **particular consumer or household**.” (emphasis added) [^13]: <https://www.gov.uk/cma-cases/mobile-ecosystems-market-study> [^14]: <https://html.spec.whatwg.org/multipage/origin.html> and <https://tess.oconnor.cx/2020/10/parties> [^15]: <https://doodle.com/advertising/> [^16]: <https://assets.publishing.service.gov.uk/media/62052c6a8fa8f510a204374a/100222_Appendix_1A_Google_s_final_commitments.pdf> [^17]: <https://www.pinsentmasons.com/out-law/analysis/lloyd-v-google-supreme-court-representative-action> [^18]: <https://www.w3.org/2001/tag/doc/unsanctioned-tracking/> [^19]: <https://github.com/WICG/first-party-sets/issues/108> [^20]: <https://www.w3.org/TR/privacy-principles/> [^21]: <https://movementforanopenweb.com/mows-in-depth-commentary-on-the-draft-w3c-privacy-principles/> [^22]: <https://www.w3.org/Consortium/Legal/2017/antitrust-guidance> [^23]: <https://assets.publishing.service.gov.uk/media/62052c6a8fa8f510a204374a/100222_Appendix_1A_Google_s_final_commitments.pdf> [^24]: See Ofcom reports <https://www.ofcom.org.uk/__data/assets/pdf_file/0013/220414/online-nation-2021-report.pdf> \|https://www.ofcom.org.uk/research-and-data/internet-and-on-demand-research/online-nation/interactive\|https://www.ofcom.org.uk/research-and-data/media-literacy-research/adults/adults-media-use-and-attitudes/interactive-tool [^25]: <https://github.com/w3c/web-advertising/blob/main/success-criteria.md> [^26]: [https://www.w3.org/Consortium/Process](https://www.w3.org/Consortium/Process/) [^27]: [https://www.w3.org/Consortium/Process/\#decisions](https://www.w3.org/Consortium/Process/#decisions) [^28]: <https://assets.publishing.service.gov.uk/media/62e14c98e90e0766a8081720/_Privacy_Sandbox_Progress_Report_to_the_CMA_2022_Q2_.pdf> [^29]: [https://github.com/patcg/patwg-charter/issues/31\#issuecomment-1170857845](https://github.com/patcg/patwg-charter/issues/31#issuecomment-1170857845) [^30]: <https://github.com/patcg/patwg-charter/issues/13> [^31]: HTML Design Principles, W3C Working Draft (26 November 2007), <https://web.archive.org/web/20071130082925/https://www.w3.org/TR/html-design-principles>: “In case of conflict, consider users over **authors over implementors** over specifiers over theoretical purity. In other words costs or difficulties to the user should be given more weight than **costs to authors; which in turn should be given more weight than costs to implementors**; which should be given more weight than costs to authors of the spec itself, which should be given more weight than those proposing changes for theoretical reasons alone. Of course, it is preferred to make things better for multiple constituencies at once.” Recently updated, but signifying the same order of web stakeholders, Web Platform Design Principles, W3C Group Note, (24 August 2022) [https://www.w3.org/TR/design-principles/\#priority-of-constituencies](https://www.w3.org/TR/design-principles/#priority-of-constituencies): “User needs come before the needs **of web page authors, which come before the needs of user agent implementors**, which come before the needs of specification writers, which come before theoretical purity.” (emphasis added) [^32]: <https://patcg.github.io/charter.html> [^33]: <https://github.com/w3c/AB-memberonly/issues/88> The reviewer's organization intends to participate in these groups: - Private Advertising Technology Working Group The reviewer's organization: - intends to review drafts as they are published and send comments. - intends to develop experimental implementations and send experience reports. - intends to develop products based on this work. - intends to apply this technology in our operations. Comments about the deliverables: The details will depend on the deliverables and process used by the group. However the field of "Private Advertising" is of great importance to our business. We led the creation of Secure Web Addressability Network (SWAN) at https://swan.community. Comments about implementation schedule: Too early to say. General comments: See submission. Answers to this questionnaire can be set and changed at https://www.w3.org/2002/09/wbs/33280/PATWG-charter-2022/ until 2022-10-05. Regards, The Automatic WBS Mailer
Received on Wednesday, 5 October 2022 20:54:07 UTC