“What” not "who”: the need to amend 1st and 3rd party thinking

Dear PAT CG, PING , Privacy CG, TAG, W3C, and WICG members,

This email seeks to find a way forward that can be supported by the whole of the W3C and wider web participants, at a critical time in our development. I think that we would all agree that we want to promote a private, competitive, and user-friendly online world. We should be free to disagree about how to get there and I defend everyone’s right to freedom of expression.

We know from research, such as that published by Ofcom (the UK telecommunications regulator), that people spend an average of 4 hours a day of their social time online [1]. People are concerned about a wide range of potential harms including, scams, fraud, phishing, unwelcome friend or follow requests, unwelcome messages, content encouraging gambling, misinformation, and trolling [2]. See chart [1].

75% of Ofcom respondents are “Happy for companies to collect and use personal information” [3]. See chart [2].

I write to request you rethink the promotion of “First Party” based proposals justified by a supposed privacy improvement in W3C debates. Standards generated following such conditioning will only serve to offer a benefit to those that can collected and exploit the most “First Party” data. The market should be free to develop without being pre-empted by standards.

We could make more of work going on into these issues elsewhere, especially from privacy regulators. The UK’s Information Commissioner’s Office comes to mind. Its statement from May 2021 [4], about how to approach privacy online, is highly relevant. This document suggests a very limited role, if any, for concepts of “who” handles the data, and puts emphasis instead on “what” data is handled and achieving fair, transparent and legal data handling practices throughout the ecosystem and supply chain, with reference to end user outcomes. We can implement these steers.

In limiting any standard by reference to corporate structure we will undermine the open application of the standard. If we draw the line around technical solutions that can only be adopted by certain entities or groups of entity, then other forms of organization and structure cannot use them.

For example, smaller businesses with few domains that wish to work with other businesses will be adversely affected by First Party Sets (FPS) [5]. The FPS proposal benefits multinationals. If genuine privacy, security, and technical improvements are to apply across the Web, is this really the way forward? I think not and request you consider this.

From recent decisions, we now know that <2% of the Privacy CG participants support FPS. FPS supporters represent mainly entities with multiple branded domains. It would seem preferable to set standards for data handling – what is done with the data – which would allow a wide range of participants to comply while still achieving high quality, privacy-friendly outcomes.

A number of W3C participants are advancing a First Party “Agenda”, sometimes via official documents of the W3C. This can be seen in:

1)      The FPS proposals,
2)      Private Advertising Technologies (PAT) draft charter [6],
3)      The Security and Privacy Questionnaire [7],
4)      The “Privacy Principles” proposals [8].

The American Data Privacy and Protection Bill being advanced in the US legislature [9], with explicit support from Apple, demonstrates the idea that privacy can be achieved through First Party controls. In effect, this Bill is suggesting that advertising is reserved to First Parties. First Parties to transactions involved in commerce can, it is suggested, collect private data for advertising while the same collection by those operating as third parties would be outlawed. Other forms of corporate structure, such as adopted by many Open Web and online communities, will be discriminated against if the Bill is passed.

I would defend everyone in their right to freely express their views and to lobby their governments and put forward a position to any law-making body, anywhere. However, advancing an agenda that is in the interest only of a few members, is not a position that can be advanced in W3C prior to such a position becoming law.

W3C must operate as an Open Standards making body. It needs to reflect the input of all and promote standards that are in the broader public interest, not those that anticipate or reflect the political position of a few major companies or corporate groups.

The web enables collaboration and supports smaller organisations providing better solutions, often at a faster rate than their major corporate rivals. Advertising provides smaller publishers (aka authors) much needed funding and supports those who people buy from. Often such innovators exit – to be owned by multinationals who can scale up their business globally. If we deny the benefits of such a funding model to smaller businesses, we risk undermining this tech innovation cycle.

I am deeply concerned about privacy in practice. No one’s privacy is improved when the only ad -funded economic model for the web requires people to be signed in or otherwise provide directly identifiable information such as an email address; often to a web browser or platform. That route will provide directly identifiable personal data to a “First Party”, risking harm to people should that party use their directly identifiable data in a way they did not expect. This further shows the need to focus on what is done and not the party doing it, as there is a risk of missing bad action by first parties. The real concern is bad practice. In the Ofcom survey 19% of responders cited scams, fraud, and phishing as a potential harm they experienced. The same survey also showed how well-educated people are concerning online risks. The potential harm of scams, fraud, and phishing will be exacerbated the more often people are required to provide directly identifiable information or sign into services they did not previously need to.

Similar to the now limited choice in browser engines, over time a small number of “First Parties” will in practice control identity on the web. People will then have very limited choice over how they access and consume the web. I consider this outcome to be incompatible with the mission of the W3C and the membership agreement.

As such identity management is at the crux of the future of the web. Identity management solutions could be very helpful if they promote different ways of achieving data protection compliance and solve many online harms. For example;

- Tech platforms could enable people to choose to only receive information from people whose offline identity has been verified.
- Publishers might limit risks associated with the publication of lawful content, but which might cause offence to some, by better understanding individual readers. Such preference recommendations might be determined by machine learning algorithms fed from individuals browsing history across a broad range of publishers. People would benefit by being able to control their exposure to content that they might consider inappropriate, but others might not. Large platforms would benefit by not needing to make these choices for their users.

There would seem to be a risk, though, in replicating the same error from the first party / third party distinction – if we focus on the entity we focus on the “who” rather than the “what” of data handling – which could happen if identity and sign-in systems are dominated by a few First Parties. Our considerations, debates, and proposals should leave room for principled and careful data handling systems to compete as well, and on an equal footing. Innovations over privacy and other elements may often also best be achieved by smaller specialized providers, and later adopted by bigger players. We should respect the fact that the cutting edge of innovation is for the market to determine and never the W3C or other standards bodies.

A significant concern in this context is also the possibility of competition regulatory action in the event that proposals do not align to the clearly articulated position of regulators. There are risks for all and for the W3C in ignoring their positions. For example, the action taken against the GSMA, which was found by the DOJ to be discriminating in the interest of a small number of members [10].

There also seems to be an acute concern in competition authorities about privacy being misused on a First Party basis, with the recent news about further investigations into Apple’s ATT in Germany [11] and the UK [12], alongside France [13]. Whilst we can’t pre-empt the outcome of these investigations, we do know that Google and the UK CMA have roundly rejected the false First Party distinction in their February 2022 global commitments [14]. It remains a disappointment to me that Google representatives at W3C have not amended their contributions to reflect these commitments and can only assume this is a matter of time as they are yet to receive the required training.

In its Final Report on the Market Study into Mobile Ecosystems published on 10th June 2022 [15], the CMA acknowledged that “Apple and Google’s duopoly means they have a stranglehold over these key gateways”. The CMA found that: “Apple and Google have a tight grip over these increasingly crucial ecosystems” … “Both companies unilaterally determine the ‘rules of the game’, making it difficult for rival businesses such as browsers or alternative app stores to compete.”

Of course, Apple and Google, as major tech vendors, necessarily have a seat at the table: no one would deny their major role. But the onus is on larger companies to show that solutions they propose leave space for smaller and medium sized businesses like mine, and many of yours, to have a seat at the table as well.

Certainly, no W3C standard should stray across the express position from regulators as to what not to do. The UK CMA identified in its Report the need to intervene in the relevant market to tackle Apple and Google’s market power and harmful practices, and to prevent Apple and Google from exploiting their power by introducing several changes to:

- ensure they cannot unfairly favour their own businesses – particularly where they are offering their own apps and browsers;
- provide greater transparency and information about their decision-making (e.g., app review process, app store rankings); and
- ensure others can access their platforms on fair and reasonable terms – including fair commission rates.

A number of these concerns relate chiefly to the actions of the companies themselves, but some do arise in relation to standard setting (e.g., API design). Very recently, the UK Department for Digital, Culture, Media and Sport published a statement on 13th June 2022 as part of its New Digital Strategy which advocates “collaborating on international digital trade and tech governance systems centred around freedom and openness.”[16] We must strike the same tone and ensure that our systems allow open and free competition while still addressing the concerns the systems are designed to address.

To demonstrate what this means I have put forward a concrete alternative to FPS which allows for a more open approach while still ensuring good outcomes for people, and support for the goals of FPS. The proposal is GDPR Validated Sets (GVS) [17]. As a web primitive or general-purpose standard GVS would contribute to addressing many harms people are concerned about as well as improving privacy.

We must rethink our approach to privacy protection and come up with a position across the work of the W3C which considers a fuller set of online harms rather than attempting to address an undefined problem across multiple groups, while balancing the need not to lock down digital data flows to a few select entities that then become chokepoints.

With this background I invite the Privacy Taskforce, TAG and PING to rethink their Privacy Principles document, which, whilst well intentioned, is harmful to the web and the standards-setting process due to its narrow focus and emphasis on the “who” rather than “what”. Movement for an Open Web, of which I’m a Director and which has many contributors, have provided detailed analysis of the currently published Privacy Principles document [18] for you and the Privacy Taskforce, TAG and PING to consider. I’m grateful to the people that both worked on this analysis and edited this message with me. Aligning to privacy laws rather than pre-empting them and moving away from domain names being used as the privacy boundary for the web, are essential changes we now need to adopt. Continuing to do something, like using domain names as a privacy boundary, just because it is “a cornerstone of current policy” is no justification to continue to do so especially where the privacy policy specialists are now using different concepts.

I see the context and position that is unfolding around us in the world as highly relevant to standards-making. We have to be aware that new laws have been made and are no longer in doubt to address concerns about technology platforms in many countries, such as European Union’s Digital Markets Act [19] and Digital Services Act [20], and the UK’s impending Online Safety Bill [21]. There are different Bills being proposed in the US house and senate including the American Innovation and Choice Online Act [22], to name only a few. We must comply with laws passed and work to produce open technical standards which make their implementation easier. We cannot allow the W3C to pre-empt laws proposed or become a body that supports the interest of the few over those of the many by creating quasi-laws. I trust that those interested in wide public interest outcomes will agree.

Regards,

James

[1] https://www.ofcom.org.uk/__data/assets/pdf_file/0013/220414/online-nation-2021-report.pdf

[2] https://www.ofcom.org.uk/research-and-data/internet-and-on-demand-research/online-nation/interactive

[3] https://www.ofcom.org.uk/research-and-data/media-literacy-research/adults/adults-media-use-and-attitudes/interactive-tool

[4] https://ico.org.uk/media/about-the-ico/documents/2619797/cma-ico-public-statement-20210518.pdf

[5] https://github.com/WICG/first-party-sets | https://github.com/w3ctag/design-reviews/blob/main/reviews/first_party_sets_feedback.md

[6] https://patcg.github.io/patwg-charter/charter.html

[7] https://www.w3.org/TR/security-privacy-questionnaire/

[8] https://www.w3.org/TR/privacy-principles/

[9] https://www.dropbox.com/s/xxc10g9hvfjarbr/Bipartisan_Privacy_Discussion_Draft_Bill_Text%20%282%29.pdf?dl=0

[10] https://www.justice.gov/opa/pr/justice-department-issues-business-review-letter-gsma-related-innovative-esims-standard

[11] https://www.bundeskartellamt.de/SharedDocs/Meldung/EN/Pressemitteilungen/2022/14_06_2022_Apple.html

[12] https://www.gov.uk/government/publications/mobile-ecosystems-market-study-final-report

[13] https://www.autoritedelaconcurrence.fr/en/press-release/targeted-advertising-apples-implementation-att-framework-autorite-does-not-issue

[14] https://www.gov.uk/cma-cases/investigation-into-googles-privacy-sandbox-browser-changes#decision-to-accept-binding-commitments

[15] https://www.gov.uk/government/publications/mobile-ecosystems-market-study-final-report

[16] https://www.gov.uk/government/publications/uks-digital-strategy/uk-digital-strategy

[17] https://github.com/WICG/first-party-sets/pull/86

[18] https://movementforanopenweb.com/mows-in-depth-commentary-on-the-draft-w3c-privacy-principles/

[19] https://www.consilium.europa.eu/media/56086/st08722-xx22.pdf

[20] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020PC0825&from=en

[21] https://bills.parliament.uk/bills/3137/publications

[22] https://www.congress.gov/bill/117th-congress/senate-bill/2992 | https://www.congress.gov/bill/117th-congress/house-bill/3816
This email and any attachments are confidential and may also be privileged. If you are not the named recipient, please notify the sender immediately and do not disclose, use, store or copy the information contained herein. This is an email from 51Degrees.mobi Limited, Davidson House, Forbury Square, Reading, RG1 3EU. T: +44 118 328 7152; E: info@51degrees.com; 51Degrees.mobi Limited t/as 51Degrees.