- From: James Rosewell via WBS Mailer <sysbot+wbs@w3.org>
- Date: Mon, 12 Sep 2022 14:24:02 +0000
- To: public-new-work@w3.org
The following answers have been successfully submitted to 'Call for Review:
Private Advertising Technology Working Group Charter' (Advisory Committee)
for 51Degrees by James Rosewell.
The reviewer's organization suggests changes to this Charter, and only
supports the proposal if the changes are adopted [Formal Objection].
Additional comments about the proposal:
**51Degrees’ Formal Objection to Proposed Private Advertising
Technology Working
Group Charter**
**12 September 2022**
**Introduction**
This note sets out objections from 51Degrees concerning the Proposed
Private
Advertising Technology Working Group Charter (“the Charter”).
51Degrees is a business-to-business (B2B) data company used in sectors
including
finance, insurance, travel, publishing, eCommerce, content management,
analytics, fraud detection, and advertising. 51Degrees are a founding
member of
Movement for an Open (MOW)[^1] and are grateful for MOW’s support in
preparing
this Formal Objection (FO).
The Charter seeks to debate and create W3C recommendations for web
advertising
services that must be implemented to some extent within a web browser and
therefore provide web browser vendors significant control over the business
of
web advertising services in practice. It is a Charter for a working group
whose
mere existence will impact on competition.
Such a charter is very different to one which seeks to debate and create
W3C
recommendations for general purpose features which are not intended for
specific
markets and are demonstrably competitively neutral. For example, Cascading
Style
Sheet (CSS) or accessibility. As such this FO must also encompass the
inadequacies associated with W3C processes and practices where they relate
to
competition and due process.
All the issues raised can be addressed via modifications to the Charter
text to
detail exactly how the inadequacy will be addressed by the group[^2] and
also
optionally via changes to W3C policies and processes[^3] which would apply
to
all groups.
Further 51Degrees considers the Charter to be part of a mosaic of actions
by
those seeking to interfere with competition in digital markets via
standards
bodies. The discussions concerning advertising hosted by the W3C have
already
had an impact on competition even before a single recommendation has been
drafted and passed to the AC for review.[^4] As such the Charter cannot be
considered in isolation of these related actions and positions.
The objection relates to four issues and includes constrictive proposals
to
address them:
- **Issue 1: Starting assumptions about cross-site and cross-context
data
handling in relation to privacy.** We live in a data driven economy
and
while exceptions to the exchange of data that drives the economy are
provided for in the law, the general position is that data exchange is
permitted. The charter should revisit language that can be taken to
read
that some helpful data flows will be restricted.
- While there are areas where cross-site and cross-context can raise
concerns,
they are not universal, and there are also instances where handling
innocuous data across domains and contexts can be beneficial to users.
- Instead of focusing on these data flows, there is a need for a
workable
definition of “privacy” the Charter must define the actual scope of
“private
advertising” and “privacy”. The handling of information using
appropriate
safeguards does not directly raise consumer harms, and can confer
benefits,
so undue limitation of the scope for use cases in the Charter language
is
unwelcome.
- The UK Competition and Markets Authority (CMA) and Information
Commissioner’s Office (ICO) clearly state that there is no
distinction
between first and third party in their May 2021 joint statement in
determining privacy risks.[^5] The Charter must explicitly acknowledge
that
position if those who accept this regulator’s position are to
contribute.
- The Charter needs to specify the guidelines the group will use to
mitigate
risks to individuals from the collection and processing of their
personal
data regardless of which organisation is collecting and processing
Personal
Data.
- **Issue:** These are inadvertent implications of language choices
that
need to be clarified at the Charter stage. The Charter most not
take the
position that all data will be regulated, to avoid pre-empting a
debate
about which specific data handling practices raise concerns.
Explicitly
avoiding the use of first and third party and focusing on risk of
harm
will help this group and the work of the W3C more generally as
requested
in 51Degrees general communication in June 2022 concerning 1st and
3rd
party thinking[^6].
- **Issue 2: Potential commercial sensitivity of some proposed focal
areas.**
There are issues associated with inadvertently embedding sensitive
commercial decisions in the standards layer. This raises questions
about the
W3C’s antitrust guidelines[^7] and whether taking positions on
certain
specific functionalities complies with those policies. There is also a
need
to ensure that any standard, Working Group Charter, or debate, does
not
unduly restrict competition and that competing access to lawful data
flows
for responsible uses remains unimpeded.
- **Issue:** The Charter should omit references to commercially
sensitive
matters within standards definition, to be sure proposals discussed
will
not conflict with the antitrust policy. Alternatively, if
sensitive
matters are to be discussed, clean team arrangements should be in
place
to ensure that the commercial impact on participants in the debate
is
suitably firewalled.
- **Issue 3: Scope of success criteria.** Success criteria correctly
identify
users as a focus but omit other constituencies of direct and indirect
system
users.
- **Issue:** The success criteria should be extended to capture
direct and
indirect benefits from technology, such as foreseeable impacts on
publishers including smaller publishers.
- **Issue 4: Due process and potential conflicts of interests.**
Inevitably,
and appropriately, large technology companies have a major role to play
in
developing new technological standards. However, there are conflicts
of
interest if W3C members face financial impacts from system design
decisions.
At present, these can be objected to under the W3C Process Document,
but
there is no clear framework for how a commercial conflict of interest
should
be addressed as part of the group’s design process, especially given
the
under representation of small businesses in the W3C. There is also a
concern
that proposed group members have strong views in some of these
debates,
which may not represent the breadth of views of the membership[^8] or
all
participants in the web. There is a need for demonstrable neutrality.
- Unrestricted participation must be shown to demonstrate neutrality.
Further
work is needed on how unrestricted participation is assured within W3C.
For
example, it appears that the current W3C Process Document seeks to
assure
unrestricted participation by aiming for consensus and hence
negotiated
input from all where, at Section 5.2.1 it states that consensus is not
achieved if anybody registers a Formal Objection. If that Formal
Objection
is arbitrated by a neutral party on an objective basis, then
non-partisan
participation can more readily be shown to be taking place.
- **Issue:** The charter must articulate a clear framework to
address
conflicts of interest, particularly in those cases where debate
and
potential recommendations have a self-preferencing commercial
impact.
For example, there could be a process for such commercially
affected
members to stand aside while the matter is referred out to more
neutral
participants, such as consumers of the systems (e.g., publishers
rather
than technology vendors).
**Assessment**
The web is now used by five billion people and powers trillion US dollar
markets
where individual companies have market capitalizations measured in
trillions of
US dollars.
51Degrees observe that W3C fail to implement existing guidelines
concerning
antitrust[^9] and these guidelines are not suitable for a 501(c)(3) legal
entity[^10] governing the web. These observations are the subject of
separate
correspondence from MOW and further examples can be provided.
The newly appointed Board of Directors must address these issues before
this FO
is assessed. Without a process that an objector has confidence will be
followed
fairly the objector can never be satisfied with the outcome. Recent FO
assessment and resolution has not followed due process.
The Charter raises issues that are complex involving laws and economics.
They
are important to the mission of the W3C. If the W3C Team believes that the
FO
would be more efficiently handled by splitting out the different concerns,
then
51Degrees are willing to consider doing so. It is not possible via the
submission process for one organization to raise distinct FOs concerning
the
same charter.
1. **Issue 1: Starting assumptions about cross-domain and cross-context
data
handling**
*Elision of privacy and personal information*
The Charter refers to the interrelationship between advertising, privacy,
and
personal information as the core focus of the Working Group:
The purpose of these features is to support web advertising without
compromising
user privacy. Here “privacy" minimally refers to appropriate processing
of
personal information.
Indeed, “Privacy” within W3C has so far been defined as “Preventing
the
unintended or unauthorized disclosure of information about a
person.”[^11] This
definition aligns with applicable data protection regulations that
recognize
people’s privacy rights relate to information linked to specific
consumers,
natural persons, or data subjects.[^12]
However, it is becoming clear that the relationship between personal data
and
privacy is more nuanced:
- Privacy and personal information are not identical concepts.
Sometimes,
information that may link to a device, or even to a person, is not
private –
especially when a user is interacting with other members of society.
This
would be so with innocuous data. Consider an example like height.
Height is
visible and allowing advertising to use it *responsibly* may well be
helpful
in some contexts, even on a tailored basis (e.g., tall people finding
tall
clothing stores).
- As explored below, much marketing data is not linked to specific
individuals
at all, e.g., through pseudonymisation or other appropriate
privacy-by-design measures. But even if it were, substantial amounts
of
information sharing may be consumer friendly, if it helps people to
more
easily find products and services of interest. This also helps
publishers to
generate income, which indirectly helps consumers by funding their
access to
digital content and services.
- In other cases, data which is not about specific individuals might link
to
data protection or privacy concerns. Even a system that, strictly
speaking,
is not itself linking to identity could raise a concern if tailored
content
were to reveal something private, e.g. through shared device use.
Privacy
concerns could arise if identity can be revealed by someone else
(e.g.,
another system user) and shows that the definition of privacy does not
always align with personal data use from the user perspective.
- Still other situations involve data handling which is not personal at
all
(e.g., fully anonymised data) which seems not to raise a privacy
concern at
all. However, the legal side of the debate has not always taken that
position. A reference to protecting “personal information” in all
cases
could be taken to imply this, limiting beneficial use cases where data
should flow given the balance of interests favours the beneficial users
over
the risks to specific individuals.
In summary, because personal data and privacy are not the same thing, it
would
be mistaken to lay a foundation based on eliding the two. Instead, there
should
be an investigation to establish what is “private." The statement refers
to
“appropriate processing of personal information” and it may be that
“appropriate” already catches this concern, but it would seem wise, at
the
Charter stage, to preserve the position as regards the interrelationship
between
privacy and personal data. Simply omitting the sentence on the
relationship
between privacy and personal information will allow an open-minded debate
on
point.
*Cross-site and cross-context data handling*
The Charter takes a position on the use of data across sites and contexts:
“Ways in which new features might enable inappropriate processing include
(but
are not limited to) enabling of cross-site or cross context recognition of
users
or enabling same-site or same-context recognition of users across the
clearing
of state.”
There will be circumstances in which cross-site and cross context data
handling
raises concerns. For example, medical records call for strong protections
against out of context use. But as with the link between privacy and
personal
information, the picture is more nuanced.
Some user-friendly data handling happens across different sites and
different
contexts. Users have a strong interest in accessing free content.
Personalised
advertising can yield up to 71% more return on investment to a content
publisher, indirectly furthering consumer interests. This was seen when
Apple’s
ITP began to block some of this data on Safari (See e.g., the UK
Competition and
Markets Authority’s Mobile Ecosystems Market Study Interim Report, p.
249)[^13].
For specialist websites with even more nuanced content, the figure may be
even
higher.
*Conformity with existing W3C approaches*
The web standards bodies and W3C members have proposed “origin,”
“site” and
“context”[^14] as potential boundaries across which user expectations
may not
align with lawful flows of data sharing. “Context” is frequently not a
boundary
of an origin (e.g., Wikipedia.org has multiple contexts but one origin per
language), yet the ambiguous term of "context” is proposed for use in
the
Charter itself.
The Charter needs to specify what is the touchstone by which this group
will
work by to mitigates risks to individuals from the collection and
processing of
their personal data. The current language is not precise enough to provide
sufficient guidance on when a proposal is improving privacy versus merely
specifying which organizations or category of web participant this group
believes ought to collect and process specific individual’s personal
data.
**Example of helpful cross-site and cross context data handling:**
A freelance product review writes a specialist blog for children’s car
seats.
The reviewer measures how seats fit for relatively rare use cases such as
requiring three car seats across a back seat. Some cars are large enough;
others
are not; and information available to the parents is poor.
The reviewer dutifully measures out the cars and provides reviews that
save
parents hours of time.
Using current cookie-based technology, the advertising technology behind
the
website would be able to provide at least some information on conversion
and
would allow at least some return on the investment of time via
pay-for-performance or affiliate marketing commissions.
This funding increases the supply of helpful reviews from smaller blogs.
Proposals to stop cross-context or cross-site data handling would limit or
even
eliminate this use case, replacing it with contextual advertising, or turn
it
into a monopoly by the largest platforms or internet gatekeepers. In cases
where
the blog is no longer written, this effectively puts the blog out of
business
and means that the lost income is 100%. So the 71% average loss for some
content
producers may, in fact, be a low end estimate.
The loss of this added value to content producers harms the user interest:
- The user interest is in having the information on the car seat, and
provided
that privacy-by-design safeguards are used, there is no clear downside
to
the user from the data flowing, *including across contexts and
domains*.
- On the contrary, there is an upside. This is especially true for
specialist
and minority interest which may be poorly catered to on purely
contextual
approaches, which have a “herd” tendency.
- There will be many similar examples where the consumer interest is in
having
innocuous data flow, provided that the relevant safeguards are in
place.
Indeed doodle.com[^15], often used by W3C participants to arrange
meetings,
is funded from advertising that operates as described and which the
group
intends to create web standards to interfere with.
This is a helpful use case, and Charter language should not diminish it at
the
debate framing stage, to ensure that the next generation of technology can
cater
to it.
*Reference to “users” rather than distinguishing between user identity
vs
pseudonymous identifiers kept distinct from identity-linked data*
There is also the difficulty that the reference to “users” elides the
important
difference between pseudonymised users and the identity of system users.
This
may not be intended, but may inadvertently decrease the scope for
discussion of
the role of privacy-by-design safeguards that have an important role to
play in
these debates.
However, there are also some positive points from 51Degrees’ point of
view. For
example, the reference to “inappropriate processing … across the
clearing of
state” seems sensible as a means to focus on what consumers want and to
protect
their choices (e.g., allowing those users who are concerned about a site
or
organization recognizing their web-enabled application after they exercise
their
right to be forgotten, such as by clearing state).
There is also much to like, from 51Degrees’ perspective, in the idea that
“The
Working Group may consider designs that allow user agents for the same user
—
including non-browser agents, like Operating Systems — to collaborate in
providing advertising features.” This seems sensible as it paves the way
for
focusing on risk management via a range of vendors and technical
solutions,
rather than isolating all control over data collection and processing to
web
browser vendors.
Indeed, this potentially helps to align with some trends in the wider data
policy community with which the proposed standards and Working Group will
engage.
It may simply be that the language about cross-site and cross domain
handling,
just like the privacy/personal information language, needs to be clarified
in
relation to protecting other rights (e.g., freedom of speech/expression,
freedom
to operate a business or cross-context data portability) to ensure it is
not
unduly restricting the scope for debate in the context of these
developments.
**Developments in wider data protection circles regarding cross-site and
cross
context data use**
51Degrees appreciates that the desire of the Working Group is to focus on
technology and not surrounding policy debates of general application.
However,
to the extent that de facto standards may contrast with the law and may be
very
widely deployed, it seems helpful to cast an eye on trends in developing
data
protection regulation. At least one participant, Google, is obliged to use
legal
definitions of privacy law in its proposals under a regulatory
settlement[^16]
with the UK Competition and Markets Authority, reflecting concerns that
shifting
or vague privacy definitions can harm rivals seeking to design systems
over
time. So, it seems to behove the Working Group at least to be mindful of
what
these trends are and whether the Charter aligns with them. 51Degrees
expects
Google to note this issue in their response to the Charter.
Data protection regulation has moved on in recent years towards emphasis
on
risks from data processing, rather than the existence of processing across
sites
and contexts. A good example is the UK Information Commissioner’s
Office’s
November 2021 AdTech Opinion, which expressly states that regulators
expect
emphasis on identifiable risk rather than hypothetical hazards from data
transmission. Indeed, Google successfully argued in Lloyd vs Google that
the
presence of third-party advertising tracking cookies is not unlawful[^17].
Indeed, W3C’s 2015 document Unsanctioned Tracking[^18] is now out of step
with
this, as it simply asserts some concerning hazards, rather than modelling
risk.
In its crucial definition of harm at section (3), the document chiefly
relies on
a relatively vague and unquantified hazard (“undermine user trust”)
without
information on the context of when this concern does, and does not, arise.
The 2015 document does give one very striking example: the revelation of
pregnancy via the display of adverts, which would seem to be a core
privacy
concern. However, it does not engage with a *risk-based* approach to this
hazard. Such an approach might consider more tailored responses, such as
specifically banning health-related categorization. This would address
areas of
priority concern and allow a focus on them. It would also have the notable
benefit of allowing other data to continue to flow, in cases where risk is
low
or even zero. By contrast, many recent proposals (e.g., First Party
Sets[^19])
seem minded to apply the thinking from before this change in regulation and
to
implement this through restrictions in the technical standards layer.
It is unwise to build an obsolescent approach to these risks into the
Working
Group Charter as this would cut across the work undertaken by regulators to
help
prioritise high risk concerns, while allowing the benefits of non-harmful
processing to continue. There is scope for the Working Group to help move
forward the debate from the 2015 document, and the Charter should take an
open-minded approach to the question.
*The role of privacy-by-design safeguards*
Privacy-by-design safeguards seem to be understated in the current scope
definitions. A large part of the debate seems likely to concern how to
design
technical systems to ensure that privacy concerns do not arise, and the
role of
privacy-by-design measures to this end (as opposed to simply decreasing
data
flows) seems helpful to add. In the construction of the Charter draft
participants were unwilling to recognise the role of non-engineering
professions
such as economists and lawyers in privacy-by-design solutions. This is a
major
concern to 51Degrees who do not believe optimum solutions to complex
problems
are found in only one profession. The Charter would fully embrace
privacy-by-design by replacing the word “Technology” in the title with
“Solutions” and removing the words “primarily non-technical” from
the text.
*Privacy Principles*
51Degrees object to the direction of the work underway by TAG to create a
Privacy Principles note[^20]. These objections are articulated by MOW[^21]
and
are yet to be assessed by TAG or PING. As such a resolution to this concern
that
51Degrees would find acceptable cannot be found in the Privacy Principles
as
currently drafted or under the direction of the current editor.
2. **Issue 2: Potential commercial sensitivity of some proposed focal
areas.**
The section of the proposed Charter on Private Attribution Measurement
raises
some concerns about commercial sensitivity in technical design decisions:
- **Conversion data definition:** There is a starting assumption that
user-level conversion data should not be gathered: “This
specification
defines how to privately measure advertisement attribution/conversion
rates
without revealing whether any individual user converts or does not.”
This
example helpfully illustrates again that some cross-context and
cross-organizational data sharing (e.g., in this case attribution
matching
of user interactions with a marketer’s property to prior exposure to
content
on media owner properties) is both expected and beneficial. The
Charter
needs to clarify exactly why specific organizations should collect and
process such data for business advertising purposes, and how the risk
they
pose to individuals is or can be appropriately mitigated such that
other
organizations and new entrants can follow suit without unreasonable
barriers
to entry.
- Without clarifying such rationales, this type of specification may
restrict
competition or unfairly discriminate against organizations that
operate
business-to-business (B2B) advertising solutions, but do not also
manufacture business-to-consumer OS or web application software. As
there
may be no privacy concern (e.g., Random ID 123 bought shoes after
seeing Ad
ABC), it is unclear why this is ruled out of scope for only
organizations
that do not manufacture such software at the technical design stage.
- As another example, if “first party” were to be used as a criterion
for a
privacy boundary this would effectively favour larger incumbent
content
authors and media owners at the expense of smaller rivals whose niche
content might appeal to otherwise underserved minority interests. Thus
any
specification that favours those organizations who already have larger
audiences, would be using a technical standard to effectively distort
the
market away from sites that could otherwise provide the most
user-centric
ad-funded content and services.
- **The list of normative specifications:** Many of the specifications
listed
are the subject of competition between providers. Each of the three
stages
concerned raises commercial sensitivities, because different companies
are
affected by them differently:
- **Pre-campaign planning** including critical points on audience
definition, context to engage the “right” audience, time of
day, day of
week by geo-region**;**
- **Intra-campaign optimization** including critical points on
budget
allocation, price, and messaging adjustment;
- **Post-campaign reporting and attribution** including critical
points on
feeding decision making to reduce waste in media spend that drives
higher revenues for media owners**;**
In all three cases, there is scope for technical standards to cut
across
commercial business-to-business decision making. The risk is
greatest if
they were used by large browser vendors to prevent competing B2B
data
flows and processing which do not themselves raise consumer
concerns. So
while 51Degrees admires the desire to focus down on technical
matters,
any standard must ensure it does not restrict competition by
focusing on
which type of organizations engages in business-to-business
processing
of non-sensitive or low risk input data.
W3C’s existing Antitrust and Competition Guidance[^22] requires that:
“**W3C does not** play any role in the competitive decisions of W3C
participants
nor **in any way restrict competition**…. [P]articipants should not
discuss
product pricing, methods or channels of product distribution, division of
markets, allocation of customers, or any other topic that should not be
discussed among competitors.” (emphasis added)
An open standard allowing data flows among business-to-business processing
required by the digital properties people choose to visit would support
competition and hence not violate this W3C antitrust proscription. However,
many
of the proposed Attribution Measurement proposals seem to restrict which
types
of organizations are allowed to provide such business-to-business ad
solutions,
this could amount to transgressing the W3C’s antitrust policy, for
example if
defining certain audience-related capabilities effectively “allocate[s]
customers” (or at least demand) into particular vendors or amounts to a
division
of markets away from other rival solutions. “Methods or channels of
product
distribution” also seem to be implicated, because the definitions seem
likely to
affect how, by whom, and to whom advertising services are sold and
provided
hence “restrict[ing] competition.”
A worst-case scenario is that modelling how well proposals work directly
implicates price and performance of products, which is an area where
companies
are required to compete and accordingly a topic which representatives
should not
discuss.
To the extent that standards framers from affected organisations
necessarily
must discuss commercially sensitive design decisions, care is needed to
employ
the antitrust guidelines. It will also be helpful to consider how
restrictions
on competition resulting from the application of standards, such as
restrictions
to data flows, could be addressed.
A typical means to do so is to apply a Fair Reasonable and
Non-Discriminatory
(FRAND) licensing policy to any data flows that are brought under control
by the
standard. In this case, that would mean specifying what the relevant
privacy
safeguards are and applying the same criteria in a non-discriminatory
manner so
that other compliant businesses can serve a wide range of use cases. In
many
cases, closing off access to legally compliant data flows can impede valid
use
cases, and the requirement to define relevant safeguards for broad
application
would be a practical means to avoid undue limitations. Participants in the
group
need to agree to such licensing terms as a condition of membership.
Even if one were to believe that consumers should control the
business-to-business advertising decisions that marketers make when
choosing to
subsidize specific publishers, then it would make more sense to enable
consumers
to choose which advertising vendors they wish to operate advertising
solutions
for the sites they visit, rather than have this choice removed by bundling
business-to-business ad systems into the web browser they select to access
various publisher’s digital content and services.
**It would be helpful to have some remarks on how this might be done in
the
Charter** given the sensitivity of a number of the listed topics**.**
**Possible practical safeguards: Clean teams and conflict of interest
protocols**
A practical approach to these risks would be to adopt so-called “clean
teams”
from organisations affected, who could not see the impact of the standard
on
their business so as to have clean hands when coming to discussion. This
could
be done by pseudonymising data input and creating firewalls.
Indeed, participants are *already* required for at least one member
(Google)
under the UK CMA Privacy Sandbox Commitments[^23] (See especially Paragraph
30,
requiring non-discriminatory design and implementation decisions). A
“trust but
verify” approach would require clean team safeguards to avoid risks of
this
taking place, given the significant potential conflict of interest.
As things stand, however, no such safeguards are in place, which seems
unnecessarily to engage risk to the W3C and participants in such activity
that
would restrict competition in violation of the antitrust provisions
incorporated
into the Working Group Charter (section 10).
3. **Issue 3: Scope of success criteria.**
51Degrees agrees that it is important to consider what success looks like
at the
start of a project to compare the relative merits of alternate proposals.
However, there are significant concerns that the current definition is
incomplete:
Each normative specification should contain separate sections detailing
all
known **security and privacy implications** for implementers, Web authors,
and
end users.
There can be no doubt that these are correct criteria, but there are
others
besides security and privacy[^24]. The most secure web system would simply
be to
abolish the web, because then no data would flow, and there would be no
risks to
security or privacy. This is clearly, however, against the user interest
and W3C
mission. There are unspecified success criteria here, and they should be
fleshed
out. 51Degrees edited success criteria[^25] within the Improving Web
Advertising
Business Group which provides guidance on how this can be addressed. The
proposers should incorporate and update that document as an appendix to
the
Charter before progressing.
There needs to be focus on other important considerations. The most
important
relates to how technical standards on advertising have indirect consumer
impacts
from the way that they can (sometimes inadvertently) alter incentives
facing
publishers and restrict beneficial access to those serving minority
interests.
For example, a paywall-led model or a logged-in model of the internet
might
maximise “security and privacy” but not be in the consumer interest for
those
who are economically disadvantaged. Issues arise with:
- **The user experience,** e.g., unnecessary pop ups to gain consent for
business-to-business processing, where properly providing information
to
consumers makes informed decisions is challenging, even where data
handling
risks are low or zero.
- **Content creation** where this is supported by technologies that are
not
the *most* secure, but do not pose any meaningful security risk on an
evidenced basis (e.g., a blog using an affiliate marketing system that
relies on sponsorship payments).
- **Incentives towards paywalls** if free content is diminished. Given
the
likely discrimination against the economically disadvantaged, the user
interest would be to ensure continued access of “free” ad-funded
content,
whereby the marketer subsidizes the consumer’s access, rather than
restricting data flows, provided that safeguards are applied.
- **By requiring people to log in** to receive services when they would
not
otherwise need to does not advances people’s privacy online and is
not
considered privacy-by-design.
It is positive that “There should be testing plans for each
specification,
starting from the earliest drafts,” which addresses concerns about
earlier
unilateral proposals not showing a clear testing paper trail nor a balance
of
interests including the indirect interests of individuals alone or
society,
which represents groups of individuals. This is immensely welcome and helps
to
implement part of Google’s Commitments to the UK CMA (para 17© on
testing).
However, for this testing to be meaningful, it will need to define things
to
test against, beyond just privacy of security, or, by definition, the sole
focus
on those prioritised variables (however defined) must logically
predominate. The
Charter authors need to include impacts on publishers and the consumer
interest
more broadly construed, to avoid testing from becoming too narrow and thus
departing from the interest of users, including groups of users and
indirect
impacts on users. This reflects the fact that the user interest is not only
in
privacy and security maximisation, but in content creation and ad-funded
access
as well. Without sufficient competition among the business-to-business
processing associated with ad-funded access, then content producers and
media
owners might pay more than what the competitive market rate would normally
be,
thus diminishing investments in consumer-facing innovations, content and
services they ordinarily would have provided but-for the less.
The text of the charter needs to be modified to include an outline test
plan and
show clearly how a proposal will be tested from the perspective of
competition
and market impact. There will be no point conducting engineering tests of
a
proposal if it fails to pass a test of compliance with competition law.
1. **Issue 4: Due process and potential conflicts of interests**
51Degrees notes that the Charter proposes to follow the W3C Process
Document[^26], with attention drawn specifically to Section 5,
Decisions[^27].
51Degrees agrees with and supports the desire for consensus expressed in
Section
5.2,in particular.
However, there are concerns that the sensitivity of the commercial impact
of the
standards, as well as a number of fundamental points of debate about the
role of
data handling, mean that consensus building may prove unusually
challenging
here. For example, one prominent W3C member, Google, expresses a strong
view
that the “aim” of its Privacy Sandbox proposals is to support key ads
use cases
without cross-site tracking.” (Google’s Q2 2022 Update Report[^28] to
the CMA,
p.11, 25 July 2022). This engages fundamental debate of the sort outlined
at
(I), and it seems likely that disagreement will occur over commercially
sensitive matters such as the scope to handle data between sites and
contexts in
cases where risks are low. Another participant in the envisaged Working
Group,
endorsed by a proposed chair, has expressed a view that consensus will be
used
to address some of the issues raised in this FO[^29].
The Charter envisages a majority vote to resolve such an issue:
“if a decision is necessary for timely progress and consensus is not
achieved
after careful consideration of the range of views presented, the Chairs may
call
for a Working Group vote and record a decision along with any formal
objections…
A call for consensus (CfC) will be issued for all resolutions (for example,
via
GitHub issue or web-based survey), with a response period from one week to
10
working days.”
This is a good starting point for addressing the need to balance debate
and
consensus building. However, it contains a number of weaknesses:
- **Risk of dominance by a few companies:** A majority can easily be
constituted by well-represented members, regardless of the quality of
the
substance of the objection; even the most principled objection from a
smaller company could be ignored on numbers rather than on the merits;
- **Delay**: In a case where the majority voting envisages results in
overruling a valid substantive concern, there is a risk of a Formal
Objection, because the Section 5.2.1 definition of Consensus in the
W3C
Process Document states that consensus is *not* achieved if anybody
“in the
set registers a Formal Objection.”
Both the Charter and the W3C Process Document contemplate circumstances
where it
is possible to proceed without Consent:
The [Chair](https://www.w3.org/2021/Process-20211102/#GeneralChairs) *may*
record a decision where there is
[dissent](https://www.w3.org/2021/Process-20211102/#def-Dissent) (i.e.,
there is
at least one [Formal
Objection](https://www.w3.org/2021/Process-20211102/#FormalObjection)) so
that
the group can make progress (for example, to produce a deliverable in a
timely
manner). Dissenters cannot stop a group’s work simply by saying that they
cannot
live with a decision. When the Chair believes that the Group has duly
considered
the legitimate concerns of dissenters as far as is possible and reasonable,
the
group *should* move on.
(5.2.2, Managing Dissent)
However, the Formal Objection would remain and has to be identified before
Advisory Committee review (5.6, Recording and Reporting Formal Objections).
This
creates uncertainty and the potential for unnecessary delay during
resolution.
The most concerning case would be that of a direct conflict of commercial
interest, such as a proposal that alters data flows to the commercial
benefit of
a member. That would seem to be a serious concern, and rather than having
a
hostage to fortune in the Advisory Committee review, it would seem
preferable to
address possible conflicts of interest in the Working Group charter.
Indeed, this is envisaged by the W3C Process Document:
As part of making a decision where there is dissent, the Chair is expected
to be
aware of which participants work for the same (or related) Member
organizations
and weigh their input accordingly.
(5.2.2)
Applying that principle here would require commensurately low weighting to
companies affected by commercial decision making. A practical approach
would be
to give more weight to purchasers of the technologies, such as content
producers, and less to companies with a “dog in the race”. User
interests could
also be employed, provided that user evidence is collected carefully to
account
for the difficulty in users understanding some of the technological
aspects
associated with business processing purposes (e.g., surveys would need to
explain privacy-by-design safeguards, unlike many existing surveys). The
Charter
needs to ensure explicitly that content creator, media owner and publisher
interests are given greater weight than the interests of user agent
implementors. The debate prior to the submission of the proposed Charter
agreed
such input should come from a Community Group[^30] but this approach has
not
been included in the Charter text. The use of a Community Group to gain
wider
input on decision making must be enshrined in the Charter text.
We note that the long-standing Priority of Constituencies[^31] referenced
from
the Private Advertising Community Group Charter[^32] is notably absent from
this
Charter of this Working Group of the same name.
However, what is likely not to work well is for technical specifications to
be
proposed by those who benefit from other companies receiving less data.
Indeed,
this would seem likely to contravene the UK CMA Commitments, at least in
Google’s case, and could result in protracted uncertainties surrounding
work
product as those points are resolved.
To address the point now, the Charter could helpfully discuss how it
proposes to
address conflicts of interest, e.g.:
- By using clean teams within organisations (see above);
- By adopting different voting majority rules (majority of companies
rather
than voting members); and/or
- By altering voting constituencies (e.g., to account for a wider range
of
technology users, rather than web browser vendors).
In summary the process for establishing consensus and decision making that
is
used widely across the W3C is not appropriate for this Charter given the
significance of the decisions and work of the group to competition. This
has
previously been raised with the Advisory Board[^33] and is likely to form
the
first order of business for the newly appointed Board of Directors.
**U.S. Department of Justice guidance on how to address due process
concerns in
standard setting bodies**
There is helpful guidance on this point from the U.S. Department of
Justice:
“Standards development organizations (SDOs) use a variety of safeguards
to
achieve the benefits of standardization while minimizing potential
antitrust
risks. These safeguards include, as articulated in guidance circulated by
OMB,
taking steps to ensure that the standards-development process is “open
to
interested parties,” **balanced, and** **consensus based**, and that
SDOs’
procedures provide for due process and appeals.”
(Antitrust Division Economics Director of Enforcement Jeffrey Wilder at the
IAM
and GCR Connect SEP Summit, Sept. 29, 2021)
The focus on the W3C documentation on fostering consensus is helpful, but
concerns could arise related to:
1. The contemplated scenarios in the Working Group charter which would
depart
from consensus (e.g. bare majority voting); and
2. Whether the additional requirement for “balance” is addressed.
The speech refers out to a memorandum on standard setting by the federal
government known as Circular No. A-119 Revised (Feb. 10, 1998). This is
designed
to stop government standards from unduly restricting purchasing choices.
Although this is a slightly different context, to the extent that the
proposed
standards would de facto alter data handling on a widespread basis,
affecting
many vendor / purchaser / user relationships, the same safeguards carry
over.
The suggested safeguards are:
“openness, balance of interest, due process, an appeals process, and
consensus
defined as general agreement, but not necessarily unanimity and includes a
**process for attempting to resolve objections by interested parties, as
long as
all comments have been fairly considered, each objector is advised of the
disposition of his or her objection(s) and the reasons why, and the
consensus
body members are given an opportunity to change their votes after reviewing
the
comments.”**
Circular No. A-119 Revised, at 4.a(1) (emphasis added)
Applying these safeguards, it would be helpful for the Charter to:
- Identify the process to attempt to resolve objections, including:
- Who handles a conflict-of-interest complaint and how this is
“fairly
considered” including the crucial question of *who* considers
the
complaint
- Identify a timeline for resolution and an appeals process, and how
this
relates to the work in progress.
- Identify how reasons for resolution will be shared, including the
power
to hold the vote again once these reasons are known.
The current proposal to use a simple majority vote on a compressed
timeframe
(e.g., via online polls of as little as one week) seems very unlikely to
meet
these requirements. It is unclear how reasons would be articulated and
disseminated in time for a meaningful repeat vote after resolution. This
seems
to be an area in need of some additional specificity to comply with the
due
process requirements outlined above.
[^1]: <https://movementforanopenweb.com/>
[^2]: For example, appointing an independent monitor to verify that
competition
issues are not present and advising the chairs and group participants
where
there are problems, or establishing clean team arrangements for those
that
participate in the group from dominant companies.
[^3]: For example, amending the W3C antitrust guidelines to align to DoJ
and other
guidelines and ensuring that they are enforced.
[^4]: See for example, UK CMA note that Google's request for market actors
to
participate in W3C and other forums, and announcements by its senior
staff,
have had a likely anti-competitive impact on rivals.
<https://assets.publishing.service.gov.uk/media/60c21e54d3bf7f4bcc0652cd/Notice_of_intention_to_accept_binding_commitments_offered_by_Google_publication.pdf>
[^5]:
<https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/987358/Joint_CMA_ICO_Public_statement_-_final_V2_180521.pdf>
\- “There is no explicit reference to the distinction between
first-party and
third-party data in data protection law.”
[^6]:
<https://lists.w3.org/Archives/Public/public-patcg/2022Jun/0074.html>
[^7]: <https://www.w3.org/Consortium/Legal/2017/antitrust-guidance>
[^8]: Mozilla do not believe privacy-by-design and lawful proposals to
improve
privacy are legitimate unless they are controlled by web browsers and
implemented entirely by the profession of engineering. See analysis of
SWAN
and UID2 which contains a number of factual errors advised to Mozilla
-
<https://blog.mozilla.org/mozilla/swan-uid2-privacy/>. Mozilla
representatives have sought to restrict the Charter in its development.
At
least one of the proposed chairs of the group has publicly expressed
positions that are concerning to other participants. See the following
Tweet
in relation to a B2B business called TransUnion
<https://twitter.com/Chronotope/status/1564246061773950979?s=20&t=-ecWJdXh5TyvaiyTm_LO6Q>.
[^9]: <https://www.w3.org/Consortium/Legal/2017/antitrust-guidance>
[^10]: <https://www.w3.org/2022/06/pressrelease-w3c-le.html.en>
[^11]: Composite Capabilities/Preference Profiles: Terminology and
Abbreviations,
W3C Working Draft (21 July 2000), <https://www.w3.org/TR/CCPP-ta>.
*See
also* The Platform for Privacy Preferences 1.0 (P3P1.0) Specification,
W3C
Recommendation 16 April 2002, which was used for 16 years before
replacement
on obsoleted on the basis of limited adoption, but not on any
limitations as
to privacy definitions, on 30 August 2018), where in Scenario 3
describing a
website vendor’s cookies used in providing frequency capping that
“do not
reveal information about any individual users.“ -
<https://www.w3.org/TR/P3P>.
[^12]: *See* GDPR, Art 4: “personal data’ means any information
relating to an
**identified or identifiable natural person (‘data
subject’)**….” versus
“‘pseudonymisation’ means the processing of personal data in such
a manner
that the personal data can no longer be attributed to a **specific
data
subject** without the use of additional information, provided that
such
additional information is kept separately and is subject to technical
and
organisational measures to ensure that the personal data are **not
attributed to an identified or identifiable natural person**.” CPRA,
1798.140(v)(1) “Personal information” means information that
identifies,
relates to, describes, is *reasonably* capable of being associated
with, or
could reasonably be linked, directly or indirectly, with a
**particular
consumer or household**.” (emphasis added)
[^13]: <https://www.gov.uk/cma-cases/mobile-ecosystems-market-study>
[^14]: <https://html.spec.whatwg.org/multipage/origin.html> and
<https://tess.oconnor.cx/2020/10/parties>
[^15]: <https://doodle.com/advertising/>
[^16]:
<https://assets.publishing.service.gov.uk/media/62052c6a8fa8f510a204374a/100222_Appendix_1A_Google_s_final_commitments.pdf>
[^17]:
<https://www.pinsentmasons.com/out-law/analysis/lloyd-v-google-supreme-court-representative-action>
[^18]: <https://www.w3.org/2001/tag/doc/unsanctioned-tracking/>
[^19]: <https://github.com/WICG/first-party-sets/issues/108>
[^20]: <https://www.w3.org/TR/privacy-principles/>
[^21]:
<https://movementforanopenweb.com/mows-in-depth-commentary-on-the-draft-w3c-privacy-principles/>
[^22]: <https://www.w3.org/Consortium/Legal/2017/antitrust-guidance>
[^23]:
<https://assets.publishing.service.gov.uk/media/62052c6a8fa8f510a204374a/100222_Appendix_1A_Google_s_final_commitments.pdf>
[^24]: See Ofcom reports
<https://www.ofcom.org.uk/__data/assets/pdf_file/0013/220414/online-nation-2021-report.pdf>
\|https://www.ofcom.org.uk/research-and-data/internet-and-on-demand-research/online-nation/interactive\|https://www.ofcom.org.uk/research-and-data/media-literacy-research/adults/adults-media-use-and-attitudes/interactive-tool
[^25]:
<https://github.com/w3c/web-advertising/blob/main/success-criteria.md>
[^26]:
[https://www.w3.org/Consortium/Process](https://www.w3.org/Consortium/Process/)
[^27]:
[https://www.w3.org/Consortium/Process/\#decisions](https://www.w3.org/Consortium/Process/#decisions)
[^28]:
<https://assets.publishing.service.gov.uk/media/62e14c98e90e0766a8081720/_Privacy_Sandbox_Progress_Report_to_the_CMA_2022_Q2_.pdf>
[^29]:
[https://github.com/patcg/patwg-charter/issues/31\#issuecomment-1170857845](https://github.com/patcg/patwg-charter/issues/31#issuecomment-1170857845)
[^30]: <https://github.com/patcg/patwg-charter/issues/13>
[^31]: HTML Design Principles, W3C Working Draft (26 November 2007),
<https://web.archive.org/web/20071130082925/https://www.w3.org/TR/html-design-principles>:
“In case of conflict, consider users over **authors over
implementors** over
specifiers over theoretical purity. In other words costs or
difficulties to
the user should be given more weight than **costs to authors; which in
turn
should be given more weight than costs to implementors**; which should
be
given more weight than costs to authors of the spec itself, which
should be
given more weight than those proposing changes for theoretical reasons
alone. Of course, it is preferred to make things better for multiple
constituencies at once.” Recently updated, but signifying the same
order of
web stakeholders, Web Platform Design Principles, W3C Group Note, (24
August
2022)
[https://www.w3.org/TR/design-principles/\#priority-of-constituencies](https://www.w3.org/TR/design-principles/#priority-of-constituencies):
“User needs come before the needs **of web page authors, which come
before
the needs of user agent implementors**, which come before the needs of
specification writers, which come before theoretical purity.”
(emphasis
added)
[^32]: <https://patcg.github.io/charter.html>
[^33]: <https://github.com/w3c/AB-memberonly/issues/88>
The reviewer's organization intends to participate in these groups:
- Private Advertising Technology Working Group
The reviewer's organization:
- intends to review drafts as they are published and send comments.
- intends to develop experimental implementations and send experience
reports.
- intends to develop products based on this work.
- intends to apply this technology in our operations.
Comments about the deliverables:
The details will depend on the deliverables and process used by the
group.
However the field of "Private Advertising" is of great importance to our
business. We led the creation of Secure Web Addressability Network (SWAN)
at https://swan.community.
Comments about implementation schedule:
Too early to say.
General comments:
See submission.
Answers to this questionnaire can be set and changed at
https://www.w3.org/2002/09/wbs/33280/PATWG-charter-2022/ until 2022-09-21.
Regards,
The Automatic WBS Mailer
Received on Monday, 12 September 2022 14:24:06 UTC