Re: [meetings] Agenda Request - Review Working Group Charter Changes (#52)

First, yes, we see multiple objections to the WG charter here. Let's try and resolve them. We have not submitted the charter. 

Let's talk about FRAND some more: 

1. As discussed in the meeting we will be addressing a variety of proposals. It is unclear if concerns that you seek to address with FRAND would even be present in all proposals and even if they were, they would have to be addressed in different ways that are dependent on the mechanics of any such proposals. So, I do not believe that it is worthwhile to continue to discuss FRAND within the context of the charter. Any attempt to apply FRAND, which I'm unclear is even needed since @timcowen seems to note that the W3C does indeed have provisions in its constitutional agreements to avoid these issues, would have to be done on the proposals and intended standards themselves, not in the scope of a charter. Charters, as noted previously, are intended to describe the work mode, process and scope of work for a W3C group and should not be the place to add specifics about how proposals are supposed to work (especially since a good WG is likely to work on many such proposals). I would request that participants here who are concerned about FRAND, remove that concern to the specific relevant proposals when they arrive. 

If we are going to talk about FRAND, does this approach make sense to people including @timcowen and @jwrosewell?

2. First vs Third Party discussion

@jwrosewell:
> Address the flawed [notion of first and third party](https://lists.w3.org/Archives/Public/public-patcg/2022Jun/0074.html) which the charter draft adopts. 

@martinthomson:

> There is no mention of first or third party in the charter (the word "party" is not found), so I am guessing that you refer to this minimal definition of privacy:

> > Ways in which new features might enable inappropriate processing include (but are not limited to) enabling of [cross-site or cross context recognition](https://w3ctag.github.io/privacy-principles/#hl-recognition-cross-site) of users or enabling [same-site or same-context recognition](https://w3ctag.github.io/privacy-principles/#hl-recognition-same-site) of users across the clearing of state.

> This was discussed extensively and I believe that there is consensus for this specific language. As you observed yourself, this is useful in ensuring that the working group doesn't undertake work outside of an agreed scope. In this case, it is to ensure that work does not violate some these elementary privacy expectations. I understand that you disagree with this conclusion, but my understanding is that your position is at odds with established consensus.

As Martin has already noted (quoted above) we do not use concepts of first and third party. I'm unclear on what the objections are in that regard, however, as Martin has also noted, we were able to come to consensus on the minimal definition above. This was significantly discussed in a set of PRs concluding in https://github.com/patcg/patwg-charter/pull/23 and then approved by consensus call on that PR and on a call. I do not see grounds at this moment, nor do I see a countering proposal to even discuss such grounds, to reverse that consensus call. 

3. Privacy Principles:

> Explicitly reject the position of the 'Privacy Principles' draft until rechartering at the earliest to enable the authors of that document to address the feedback provided [here](https://movementforanopenweb.com/mows-in-depth-commentary-on-the-draft-w3c-privacy-principles/) and [here](https://movementforanopenweb.com/4-issues-with-w3cs-privacy-principles/). Align to GDPR for any questions related to privacy.

Our only use of the TAG Privacy Principles document is referencing its definitions as follows:

```
<a href="https://w3ctag.github.io/privacy-principles/#hl-recognition-cross-site">cross-site
            or cross context recognition</a> of users or
            enabling <a href="https://w3ctag.github.io/privacy-principles/#hl-recognition-same-site">same-site
            or same-context recognition</a> of users across the clearing of
```

Do you have specific objections to those specific definitions and if so on what grounds? 

Additionally, as I've noted before, the adoption of the TAG/PING privacy principles is a work of the W3C as a larger organization, and relevant to their work as review bodies of proposals within the structure of the W3C. It would be entirely inappropriate and also non-functional to try to include some objection to the Privacy Principles documents in the WG charter, even if consensus could be found to do so.

> there should be no issue amending the document o state that the group is not bound by the position of any documents or work that are not explicitly listed in the charter or the W3C Process. Do we agree?

Because this is a W3C group, we cannot put text in the charter saying we are not bound by the W3C, which would be granting us this charter. This is completely impossible and also irrelevant to the work of the WG, you are trying to legislate the review work done by TAG and PING, and therefore your concerns should either be taken up with those groups, or with the larger W3C organization. 

I see no one but @jwrosewell attempting to place this type of text and, without any broad support that I can see, I do not intend to address further discussion on this topic. 

4. Non-Technical Features

@jwrosewell:
> Remove "Features that support advertising but provide privacy by means that are primarily non-technical should be proposed elsewhere."

@martinthomson:

> This is a key scoping provision in the charter. It is in the name of the group even.
> If you want to pursue non-technical approaches, I suggest that you seek to form a working group for that purpose.

@jwrosewell:

> Re: Non-technical - I wish to establish the best solutions for the 5bn+ users of the web. Establishing a group that consumes the limited resources of the W3C and our collective energies that explicitly excludes professions other than engineering is limiting. Why should engineers and technology monopolise the solutions? We know from regulators other professions have a role.

This is a proposed technical working group that works within the bounds of the W3C to establish technical solutions. While we do not exclude any contributor, regardless of technical or non-technical backgrounds and professions, we are also neither a court or a trade body and have no interest or capacity to either find consensus on solutions that are primarily non-technical in nature nor to bind any particular set of interested parties to non-technical solutions. 

Binding of parties to non-technical solutions is work that does exist outside of the W3C, the LSPA by the IAB being one excellent example, though even there, signatories that I'd think should be part of the document can be difficult to get to participate, even with trade group measurement. Since you seem to be describing some sort of other similarly contractually-locked scheme it seems clear to me that if the IAB, a trade org designed for such work, could not get all of its members to sign on to such a document, what hope would a single WG within the W3C have to get contractual agreement in that way, much less have the appropriate resources to enforce such a contract? This is not a criticism of the IAB, just noting that they, a much more appropriate venue for such style of work, have difficulties and it's hard to see how the WG could do better, even if it wanted to. 

@jwrosewell:

>  My position is that browsers MUST enable lawful data sharing between data controllers and processors and do nothing to prevent it or interfere with it. Anything else is to create quasi-laws that you, me, the W3C and IETF do not have the mandate to define and implement.

In response to this point: I agree the W3C does not have the mandate to define and implement laws. Nor does it have the capacity to enforce laws. The W3C is not a law enforcement body. It is not any sort of enforcement body. While it may establish standards, it has been clear historically that while it is advantageous for all user agents to apply those standards, the W3C does not force, nor have a mechanism to force, user agents to actually apply finalized standards. They are voluntary. If your position is `browsers MUST enable lawful data sharing between data controllers and processors and do nothing to prevent it or interfere with it` that's fine, but there is no way to handle that within the scope of the W3C, instead you should be dealing with lawmakers and browsers on a legal basis. If we do come to any point where a proposed standard acts in contradiction to a particular law, I will note that the internet is a global system, and it will be up to implementers to handle those contradictions and the WG to attempt to work on ways to assure that the proposed standard can accommodate different positions, potentially between user agents, or between different areas of enforcement. Attempting to establish some sort of enforcement or requirement at the level of the charter is wholly inappropriate for all these reasons. 

5. @timcowen's specific objections beyond what has been addressed on FRAND

The charter neither requires nor prevents the use of FRAND in any proposal. As you have stated, the W3C has provisions that cover much of these concerns that would be automatically applied when they grant the charter. It seems to me that by stating our adoption of the W3C license and patent terms we have come to an agreement with respect to this charter. Do you agree?

> I am a lawyer and would support the creation of a legal working group to help develop and advise on these points with representatives of any other organizations who would be willing to participate. I am aware that a number of other organizations involved in this discussion have lawyers who may be available.

That would be great, please advise here and within a potential working group should one be established. However, that work is for that group and it seems to me that we would both agree that it is inappropriate to somehow be written into the PATWG charter. 

> J. Rosewell raised the issue of competition law compliance. It was met with a response that implied issue is something for lawyers and there are no lawyers willing to contribute. [...] I would suggest that competition law compliance is for all. Advice on the law is for lawyers.

I agree that competition law is important and I think we both agree that it is established and successfully addressed by the existing W3C documents that we have adopted. If you feel that the existing W3C documents are somehow insufficient, then the place to address them is not within an individual W3C Working Group, but at the level of the W3C itself, right? 

Additionally, I did not intend to imply that there are no lawyers willing to contribute in regards to competition law or that the issue is entirely within the hands of lawyers, but that it is covered outside of the scope of the working group and should be addressed there. 

@timcowen:

> “Privacy” needs to be defined. If not defined with relation to a Privacy Law or laws there is a risk of inconsistency with that law or laws.

This is covered in a variety of ways. 

First, the charter explicitly states: "Each normative specification should contain separate sections detailing all known security and privacy implications for implementers, Web authors, and end users."

This allows each specification to specifically address privacy law or definitions relevant to their context. This is an appropriate place to do so, and for the working group to discuss those concerns. Additionally the charter states:

```HTML
For all specifications, this Working Group will seek <a href="https://www.w3.org/Guide/documentreview/#how_to_get_horizontal_review">horizontal review</a> for
accessibility, internationalization, performance, privacy, and security with the relevant Working and
Interest Groups, and with the <a href="https://www.w3.org/2001/tag/" title="Technical Architecture Group">TAG</a>.
Invitation for review must be issued during each major standards-track document transition, including
<a href="https://www.w3.org/Consortium/Process/#RecsWD" title="First Public Working Draft">FPWD</a>.
```

Should a legal working group be established by the W3C, then it would be included in the "relevant working and interest groups" and would be doing a horizontal review. Should such a group get a charter, though it would not be necessary, we would be glad to add them explicitly, even though they would be included regardless. 

Finally, on the question of definition, as previously stated Privacy has been minimally defined, and the definition has reached broad consensus, as documented in the Scope section. Specific privacy concerns may arise within other proposals in which case they should be dealt with for that discussion. Does this address your concerns? 

-----

I would like to move forward with the Working Group Charter being submitted and I will note that we have rough consensus on this charter. Moving forward on wider review would not lock the charter's text at this time so I don't see why the current set of narrow and not broadly supported objections should put a pause on the next step, especially since it seems that these objections are not addressable by this charter. 

To remind the group of how this process works, I will quote the CG charter on [rough consensus](https://datatracker.ietf.org/doc/html/rfc7282):

> Rough consensus does not require unanimous agreement.  Using rough consensus
recognizes the potential for there to be some disagreement with decisions.
Rough consensus prioritizes progress over seeking full agreement, allowing a
decision to be reached over objections if those objection are heard, understood,
and recognized.

Are there further objections that should stop wider review? 

-- 
GitHub Notification of comment by AramZS
Please view or discuss this issue at https://github.com/patcg/meetings/issues/52#issuecomment-1167716215 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 27 June 2022 18:21:27 UTC