Re: [meetings] Agenda Request - Review Working Group Charter Changes (#52)

@jwrosewell, thanks for being brief.  I'll do the same.

FRAND: Like Nick, I still don't understand your points.  I've made an attempt to clarify, but see no progress on this issue.

Non-technical: It's not a monopoly.  It is possible to do other work.  I see no reason that other approaches will succeed.  Convince me otherwise, preferably with action rather than more words.

Parties: Your extensive note did little to clarify.  Please frame your objection in specifics if you intend to make progress.

Principles: We don't agree.  We could add many words with contain no information content, but we should not.

@joshuakoran, I'm not clear on how we might translate all of that into words in a charter.  Or maybe I'm just not sure that we need to litigate this matters at the level of chartering.  Let me try to explain more on the general point you make below, which I think is important enough to waste a lot of words on (sorry, it is a little lengthy).

Either way, I invite you to suggest concrete changes rather than talking in the abstract.  I don't know what you really want the charter to say differently based on this:

> I would hope we can revise the Charter to focus on improving privacy, while also ensuring we do not inadvertently restrict greater competition in digital markets.

---

Regarding:

> ensuring not all B2B processing for digital advertising must be exclusively bundled within user agent consumer software

Yes, a lot of the information and actions occur between businesses.  For starters, the flow of money occurs there almost exclusively.  But businesses already have the means to talk to each other.  It is the inter-business exchanges that involve users that are in scope for the work.

The charter starts with a scope of "[...] specify new web platform features intended to be implemented in browsers or similar user agents."  That is, we are looking to support any communication that might need to transit a user agent.  To that end, anything that happens outside of that, whether it be the bidding processes or even exchange of user data between servers (inappropriate or not), is simply out of scope.  The charter cannot claim exclusivity over interactions between businesses, though any interactions that are mediated by the browser are in scope... for improvement.

I recognize that there is a general concern here that browsers are seeking a greater role in intermediating these communications.  This only partly true.  It is only true to the extent that it is necessary to achieve privacy goals.  For example, @jwrosewell's objections seem to be more grounded in objections to those privacy goals than anything this group might do.  That is, the objection is to browsers seeking to prevent unsanctioned tracking (as defined [in](https://w3ctag.github.io/privacy-principles/) [various](https://privacycg.github.io/nav-tracking-mitigations/) [places](https://www.w3.org/2001/tag/doc/unsanctioned-tracking/)).

This group is very explicitly NOT about preventing tracking.  It does hold a general and non-specific assumption that the work to stop tracking is at least partly successful.  After all, if tracking remains viable, then there is far less incentive to adopt the solutions that a group like this might offer.  However, this group only seeks to provide the advertising industry means of conducting their business that is not dependent on practices that have - or can have - poor privacy outcomes for web users.

Back that general concern again, I appreciate that those who want to preserve the mechanisms that underpin tracking (and a number of less objectionable practices) find themselves with no venue to object to their removal.  This is why we are seeing the focus on the topic here.  There is no single "end tracking" working group (though Privacy CG comes pretty close; as chair, we'd welcome your contributions there) where concerned citizens might go to say "please stop".  Without an obvious venue, this group seems like a nice place to have that discussion.  It's not, but I understand the urge.

What has happened is that browsers have - for the most part - unilaterally taken actions to stop tracking.  Browser vendors will claim - and I agree - that those decisions are entirely within their remit.  (We might need to find a different forum to discuss that point, because this isn't necessarily a simple topic either.)  This conclusion is something that the browser market has largely vindicated.  The quality of anti-tracking measures is now an important point of product differentiation...or at least that is my sense both from reading press and from what our marketing team has reported.  The consequence of those changes it that cross-site exchange of information - as it relates to specific users - increasingly is being pushed to channels under the control of user agents.

This is, in my opinion, a good thing on balance.  It does change the competitive dynamics in markets like digital advertising, sometimes for the worse, but I'll get back to that point.  However, the upside is huge.  Information about how people use the web that flows between sites without any hope of user intervention - other than whatever the parties involved might deign to offer affected users - has done a lot of harm.  These changes are putting user agents in a position to give users real control over those interactions. That will no doubt reduce the efficiency of those systems that depend on those information flows.  But it allows us to give users the decision about what is or isn't appropriate rather than leaving it to those nameless entities that exchange that data.

...Mostly.  What this group is going to be talking about is narrow carve-outs for things like measurement that won't (necessarily) involve user interaction in quite the same way.  [Robin's talk](https://raw.githubusercontent.com/patcg/meetings/main/2022/04/05-telecon/PAT-privacy-principles-202204.pdf) a few meetings back outlined the reasons for this (see slide 11 in particular, "PRIVACY CALLS FOR COLLECTIVE GOVERNANCE") where he points at the role of collective governance in handling systemic factors.  For this, it is very much necessary for this group to identify the narrow bounds on what is appropriate within a specific context.

We do this for a number of reasons, but foremost is that the business of advertising has been important to the web and we would like to avoid unnecessary damage.  It is also because we recognize that curtailing cross-site information flow disproportionately advantages those who have less need for it.  Those with large or diverse web properties are often able to realize a lot of their advertising goals with just the information they see from their own site.  By providing advertising use cases with better options for conducting their business we hope to address some of the imbalance.

Some of the things we produce will have a greater degree of user agent involvement.  But those will be where there are fewer controls - such as consent dialogs...ugh - in place.  In other places, such as FedCM, we will see things that start with far stronger user interaction requirements, but can be used to initiate direct B2B conversations about users without user agent involvement.

---
A short note on the mention here of pseudonymous identifiers.  My opinion, and what I understand to be the prevailing view of my peers, is that pseudonymous identifiers are a sham.  There is a long and well-documented history of reidentification attacks on "anonymized" data sets that suggests that pseudonyms are ineffectual as a privacy measure.

-- 
GitHub Notification of comment by martinthomson
Please view or discuss this issue at https://github.com/patcg/meetings/issues/52#issuecomment-1163823743 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 23 June 2022 01:29:21 UTC