- From: timcowen via GitHub <sysbot+gh@w3.org>
- Date: Mon, 27 Jun 2022 15:57:41 +0000
- To: public-patcg@w3.org
Martin, all, As the newcomer I hope that I have understood things properly and hesitate to offer a perspective from my experience, but thought it might be helpful to clarify a couple of key points on FRAND and Privacy Issues. FRAND You raise an issue about what “Fair Reasonable And Non Discriminatory” or FRAND means in this context. It is used as a basis for a remedy to an issue of market power. So, for example, if a company is dominant in the provision of something, such as a telecoms network, the policy position in many countries is to require access to that thing on “fair reasonable and non-discriminatory” terms. Since Patent rights needed for the implementation of standards may enhance and increase, if not confer market power, one frequently used method of avoiding any challenge to agreements for the use of standards that read on patents is to require FRAND access in agreements to the grant of the use of patents that read on standards, (aka Standards Essential Patents). (W3C has such provisions in its basis constitutional agreements to avoid any such issue). So if there is any risk of market power being enhanced or increased as a consequence of standards setting one preventative action would be to require the use of something that risks being controlled by a dominant entity, to licence that thing on FRAND terms. In one case that might be a patent licence on FRAND terms in another the use of data on FRAND terms. Privacy Issues I think the current debate is clouded by the fact that “Privacy” is used without definition. Different people may reasonably think that they are protecting privacy by different means and others will disagree and talk past each other by not defining terms. (A lawyer asking for clear definitions is hardly original but is expected!). Should the W3C discuss privacy or security or leave the parameters to be defined by markets? W3C should be about technical standards that allow things to work better; interoperate faster, improve functionality, speed, latency and increase quality of service and quality of experience. Since privacy and security affect all uses and their online services and experiences then it probably does need to be addressed: but in a technologically neutral way that does not provide a business benefit for one type of function, shape or structure of organisation over another. Parliaments deal with policy and define norms in laws. Different parliaments define laws which reflect the priorities of different societies. Laws necessarily strike a balance between different policies and rights and freedoms. Personal rights and commercial and economic freedoms can conflict. They also seek to secure public interests such as copyright protections that provide key sources of revenue for news publications and public goods such as freedom of expression and freedom of speech. Reference to one law or another is important if the W3C is to discuss privacy with any certainty. Pragmatically, GDPR probably applies to more commerce and interstate commerce globally and may be familiar to more W3C members than any other law. So as a privacy law that most are familiar with, might we not use that as a basis for privacy definitions that we can work with? With kind regards Tim From: Martin Thomson ***@***.***> Sent: 23 June 2022 02:30 To: patcg/meetings ***@***.***> Cc: Timothy Cowen | Preiskel & Co ***@***.***>; Comment ***@***.***> Subject: Re: [patcg/meetings] Agenda Request - Review Working Group Charter Changes (Issue #52) @jwrosewell<https://github.com/jwrosewell>, thanks for being brief. I'll do the same. FRAND: Like Nick, I still don't understand your points. I've made an attempt to clarify, but see no progress on this issue. Non-technical: It's not a monopoly. It is possible to do other work. I see no reason that other approaches will succeed. Convince me otherwise, preferably with action rather than more words. Parties: Your extensive note did little to clarify. Please frame your objection in specifics if you intend to make progress. Principles: We don't agree. We could add many words with contain no information content, but we should not. @joshuakoran<https://github.com/joshuakoran>, I'm not clear on how we might translate all of that into words in a charter. Or maybe I'm just not sure that we need to litigate this matters at the level of chartering. Let me try to explain more on the general point you make below, which I think is important enough to waste a lot of words on (sorry, it is a little lengthy). Either way, I invite you to suggest concrete changes rather than talking in the abstract. I don't know what you really want the charter to say differently based on this: I would hope we can revise the Charter to focus on improving privacy, while also ensuring we do not inadvertently restrict greater competition in digital markets. ________________________________ Regarding: ensuring not all B2B processing for digital advertising must be exclusively bundled within user agent consumer software Yes, a lot of the information and actions occur between businesses. For starters, the flow of money occurs there almost exclusively. But businesses already have the means to talk to each other. It is the inter-business exchanges that involve users that are in scope for the work. The charter starts with a scope of "[...] specify new web platform features intended to be implemented in browsers or similar user agents." That is, we are looking to support any communication that might need to transit a user agent. To that end, anything that happens outside of that, whether it be the bidding processes or even exchange of user data between servers (inappropriate or not), is simply out of scope. The charter cannot claim exclusivity over interactions between businesses, though any interactions that are mediated by the browser are in scope... for improvement. I recognize that there is a general concern here that browsers are seeking a greater role in intermediating these communications. This only partly true. It is only true to the extent that it is necessary to achieve privacy goals. For example, @jwrosewell<https://github.com/jwrosewell>'s objections seem to be more grounded in objections to those privacy goals than anything this group might do. That is, the objection is to browsers seeking to prevent unsanctioned tracking (as defined in<https://w3ctag.github.io/privacy-principles/> various<https://privacycg.github.io/nav-tracking-mitigations/> places<https://www.w3.org/2001/tag/doc/unsanctioned-tracking/>). This group is very explicitly NOT about preventing tracking. It does hold a general and non-specific assumption that the work to stop tracking is at least partly successful. After all, if tracking remains viable, then there is far less incentive to adopt the solutions that a group like this might offer. However, this group only seeks to provide the advertising industry means of conducting their business that is not dependent on practices that have - or can have - poor privacy outcomes for web users. Back that general concern again, I appreciate that those who want to preserve the mechanisms that underpin tracking (and a number of less objectionable practices) find themselves with no venue to object to their removal. This is why we are seeing the focus on the topic here. There is no single "end tracking" working group (though Privacy CG comes pretty close; as chair, we'd welcome your contributions there) where concerned citizens might go to say "please stop". Without an obvious venue, this group seems like a nice place to have that discussion. It's not, but I understand the urge. What has happened is that browsers have - for the most part - unilaterally taken actions to stop tracking. Browser vendors will claim - and I agree - that those decisions are entirely within their remit. (We might need to find a different forum to discuss that point, because this isn't necessarily a simple topic either.) This conclusion is something that the browser market has largely vindicated. The quality of anti-tracking measures is now an important point of product differentiation...or at least that is my sense both from reading press and from what our marketing team has reported. The consequence of those changes it that cross-site exchange of information - as it relates to specific users - increasingly is being pushed to channels under the control of user agents. This is, in my opinion, a good thing on balance. It does change the competitive dynamics in markets like digital advertising, sometimes for the worse, but I'll get back to that point. However, the upside is huge. Information about how people use the web that flows between sites without any hope of user intervention - other than whatever the parties involved might deign to offer affected users - has done a lot of harm. These changes are putting user agents in a position to give users real control over those interactions. That will no doubt reduce the efficiency of those systems that depend on those information flows. But it allows us to give users the decision about what is or isn't appropriate rather than leaving it to those nameless entities that exchange that data. ...Mostly. What this group is going to be talking about is narrow carve-outs for things like measurement that won't (necessarily) involve user interaction in quite the same way. Robin's talk<https://raw.githubusercontent.com/patcg/meetings/main/2022/04/05-telecon/PAT-privacy-principles-202204.pdf> a few meetings back outlined the reasons for this (see slide 11 in particular, "PRIVACY CALLS FOR COLLECTIVE GOVERNANCE") where he points at the role of collective governance in handling systemic factors. For this, it is very much necessary for this group to identify the narrow bounds on what is appropriate within a specific context. We do this for a number of reasons, but foremost is that the business of advertising has been important to the web and we would like to avoid unnecessary damage. It is also because we recognize that curtailing cross-site information flow disproportionately advantages those who have less need for it. Those with large or diverse web properties are often able to realize a lot of their advertising goals with just the information they see from their own site. By providing advertising use cases with better options for conducting their business we hope to address some of the imbalance. Some of the things we produce will have a greater degree of user agent involvement. But those will be where there are fewer controls - such as consent dialogs...ugh - in place. In other places, such as FedCM, we will see things that start with far stronger user interaction requirements, but can be used to initiate direct B2B conversations about users without user agent involvement. ________________________________ A short note on the mention here of pseudonymous identifiers. My opinion, and what I understand to be the prevailing view of my peers, is that pseudonymous identifiers are a sham. There is a long and well-documented history of reidentification attacks on "anonymized" data sets that suggests that pseudonyms are ineffectual as a privacy measure. — Reply to this email directly, view it on GitHub<https://github.com/patcg/meetings/issues/52#issuecomment-1163823743>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AZYERR6QA6L437J3YR5SNMTVQO4XVANCNFSM5V4IQYHA>. You are receiving this because you commented.Message ID: ***@***.******@***.***>> -- GitHub Notification of comment by timcowen Please view or discuss this issue at https://github.com/patcg/meetings/issues/52#issuecomment-1167532329 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 27 June 2022 15:57:43 UTC