RE: Status of First-Party Sets

From: James Rosewell <james@51degrees.com>
Date: Sat, 4 Jun 2022 07:50:57 +0000
To: Kaustubha Govind <kaustubhag@google.com>, Theresa O'Connor <hober@apple.com>, Chris Wilson <cwilso@google.com>, "yoavweiss@chromium.org" <yoavweiss@chromium.org>, Léonie Watson <lwatson@tetralogical.com>, Travis Leithead <travis.leithead@microsoft.com>, "matthew.hancox@ing.com" <matthew.hancox@ing.com>, "david.verroken@ing.com" <david.verroken@ing.com>
CC: "public-privacycg@w3.org" <public-privacycg@w3.org>
Message-ID: <VI1PR02MB5341919BAE2EDF4AB7B14051A6A09@VI1PR02MB5341.eurprd02.prod.outlook.com>

Adding Matthew Hancox and David Verroken in their role as Monitoring Trustee<https://www.gov.uk/cma-cases/investigation-into-googles-privacy-sandbox-browser-changes#monitoring-trustee-report> of Google’s commitments with the CMA.

Adding the chairs of Web Incubation Community Group (WICG) as the future home of FPS to seek their advice on removing FPS from WICG.

To summarise the situations.

  1.  The chairs of Privacy CG who are employed by Apple, Microsoft, and Mozilla have made a decision after two years to finish work on the proposal due to a “lack of multi-implementer interest”.
  2.  The WICG, where two of the four chairs are employed by Google, and the other two Microsoft and Tetralogical, are now going to take the FPS forward because, as the employee from Google asserts, there is “multi-vendor and web developer interest”.

I would like to understand this interest based on the merits of the proposal rather than the market dominance of the proposer’s employer.

Google control the web via their Chrome web browser accounting for 64% share of the market and over 75% share of the market for Chromium based browsers of which Google have effective control. See Statcounter<https://gs.statcounter.com/browser-market-share#monthly-200901-202205>.

My interest in FPS is merely related to the fact that one cannot ignore any proposal from Google due to Google’s market dominance and control of Chromium. My interest is not related to any merits of the proposal. Is this also true of others in these groups? Who is interested based purely on the technical merits of the proposal? Could anyone even answer these questions openly due to the fear of being labelled “anti-Google” or “anti-privacy”?

I do not see any merits to the proposal as drafted beyond identifying that the removal of so-called third-party cookies (3PC) by Google creates revenue problems for Google’s own brands (YouTube and Google), and that the largest advertisers from which Google generates revenue will be impacted by 3PC removal (Disney, ESPN, Hulu). Google’s Directors must find a way to protect that revenue. Large publishers operating multiple domains might also consider FPS as a hobbled way of continuing to operate their business once 3PC are removed, and therefore support the proposal as the “least worst” of Google’s proposals when considering their future revenues.

FPS is also flawed for the following reasons.

  1.  FPS does not align to GDPR as required under Google’s commitments with the CMA.
  2.  FPS centralizes administration of the web via an Independent Enforcement Entity (IEE).
  3.  FPS continues to propagate the myth that there is a distinction between first and third parties. Only data controllers and processors matter under GDPR. Any work to improve privacy must seek to upgrade the privacy boundary of the web in these terms and move away from domain names alone.
  4.  The W3C Technical Architecture Group (TAG) in their review<https://github.com/w3ctag/design-reviews/blob/main/reviews/first_party_sets_feedback.md#is-this-harmful-to-the-web> of FPS identified the competition impacting harm associated with FPS.
      “It is likely that this proposal only benefits powerful, large entities that control both an implementation and services.”

  5.  Movement for an Open Web (MOW), of which I’m Director, also analysed<https://movementforanopenweb.com/in-depth-analysis-of-googles-first-quarterly-report/> Google’s first quarter report under the CMA commitments and identified the need to apply non-discriminatory definitions for proposals like FPS.

As WICG is in practice controlled by Google, and the “home” of Privacy Sandbox (PS) proposals, presumably to avoid the independence of other groups like Privacy CG which view PS proposals less favourably, I’m unsure how one would go about removing FPS from WICG. Perhaps the WICG chairs can advise?

However, my preference would be for FPS to be voluntarily abandoned by Google, and for Google to consider solutions that work for all participants of the web and not just a narrow set of large entities. To this end I have proposed the modified GDPR Validated Sets<https://github.com/WICG/first-party-sets/pull/86> (GVS) derivative.

As participants must follow every proposal from Google to ensure they can manage expectations within their businesses, with customers, and other stakeholders, the removal of at least one PS proposal will be a welcome reduction in the PS “distraction tax” on the wider ecosystem which is already causing much harm today.



From: Kaustubha Govind <kaustubhag@google.com>
Sent: 03 June 2022 15:02
To: Theresa O'Connor <hober@apple.com>
Cc: public-privacycg@w3.org
Subject: Re: Status of First-Party Sets

Hi PrivacyCG chairs and community members,

Thank you for the thoughtful discussion and feedback on First-Party Sets during our time incubating in the PrivacyCG. Given that the proposal continues to have multi-vendor and web developer interest, we will continue the incubation of this work in the WICG, and we invite those of you who are interested in the proposal to continue engagement with us in that forum. You can now find our repository at https://github.com/WICG/first-party-sets.

We plan to organize meetings within the WICG on a one-off basis when we've accumulated agenda items, which will be planned and announced via this GitHub issue<https://github.com/WICG/first-party-sets/issues/89>. Please Comment/Watch/Star the issue to follow along, or provide suggestions.

Thank you,

Kaustubha, Harneet, and Johann

On Thu, Jun 2, 2022 at 2:12 PM Theresa O'Connor <hober@apple.com> wrote:
Hi all,

As chairs of the W3C Privacy Community Group, we have decided to drop
First-Party Sets as a Work Item in the group. Given the discussions the
group has had and the lack of multi-implementer interest, we see it as
unlikely to exit incubation. With regards to the concerns about the
privacy properties of First-Party Sets that were raised in issue 88,
given the discussion in that issue and during our recent meetings, the
chairs find that there is no consensus in the CG.

This does not mean that the various use cases that First-Party Sets
attempted to solve are not worth solving. We welcome alternative
proposals to address some or all of the use cases First-Party Sets aimed
to address.

We want to thank everybody who participated in discussions of
First-Party Sets over the last couple of years. Special thanks to
Kaustubha Govind, Harneet Sidhana, and Johann Hofmann for all their hard
work on it.

Erik, Tanvi, & Tess
Received on Saturday, 4 June 2022 07:51:13 UTC
