[wg/pat] Formal Objection (charter review 2022) (51Degrees)

(from
   https://lists.w3.org/Archives/Public/public-new-work/2022Oct/0002.html
   https://www.w3.org/2002/09/wbs/33280/PATWG-charter-2022/results)

**51Degrees’ Formal Objection to Proposed Private Advertising Technology 
Working
Group Charter**

**05 October 2022** - updated footnote 4, 8, spacing, and section 
related to W3C
due process

***Due Process***

The timeframe for review of this proposed charter was extended because 
"it did
not gather enough reviews." The W3C process only allows for charter 
review to be
extended when a member requests an extension. If the charter did not gain
review from 5% of the membership within the alloted timeframe and no member
requested an extension then the charter failed to gain sufficient review 
and the
proposers would need to reflect on that before then considering 
resubmitting.

Indeed a proposed chair of the group rejected a
[request](https://github.com/patcg/patwg-charter/issues/38) related to the
timeframe for review prior to the AC review process commencing stating 
"I think
that [the chartering process timeframe] should allow plenty of time...".

For those already skeptical of the W3C's impartiality the failure to 
follow due
process for working group charters and formal objection handling further
erodes confidence in the W3C.

**Introduction**

This note sets out objections from 51Degrees concerning the Proposed Private
Advertising Technology Working Group Charter (“the Charter”).

51Degrees is a business-to-business (B2B) data company used in sectors 
including
finance, insurance, travel, publishing, eCommerce, content management,
analytics, fraud detection, and advertising. 51Degrees are a founding 
member of
Movement for an Open (MOW)[^1] and are grateful for MOW’s support in 
preparing
this Formal Objection (FO).

The Charter seeks to debate and create W3C recommendations for web 
advertising
services that must be implemented to some extent within a web browser and
therefore provide web browser vendors significant control over the 
business of
web advertising services in practice. It is a Charter for a working 
group whose
mere existence will impact on competition.

Such a charter is very different to one which seeks to debate and create W3C
recommendations for general purpose features which are not intended for 
specific
markets and are demonstrably competitively neutral. For example, 
Cascading Style
Sheet (CSS) or accessibility. As such this FO must also encompass the
inadequacies associated with W3C processes and practices where they 
relate to
competition and due process.

All the issues raised can be addressed via modifications to the Charter 
text to
detail exactly how the inadequacy will be addressed by the group[^2] and 
also
optionally via changes to W3C policies and processes[^3] which would 
apply to
all groups.

Further 51Degrees considers the Charter to be part of a mosaic of actions by
those seeking to interfere with competition in digital markets via standards
bodies. The discussions concerning advertising hosted by the W3C have 
already
had an impact on competition even before a single recommendation has been
drafted and passed to the AC for review.[^4] As such the Charter cannot be
considered in isolation of these related actions and positions.

The objection relates to four issues and includes constrictive proposals to
address them:

- **Issue 1: Starting assumptions about cross-site and cross-context data
handling in relation to privacy.** We live in a data driven economy and
while exceptions to the exchange of data that drives the economy are
provided for in the law, the general position is that data exchange is
permitted. The charter should revisit language that can be taken to read
that some helpful data flows will be restricted.

- While there are areas where cross-site and cross-context can raise 
concerns,
they are not universal, and there are also instances where handling
innocuous data across domains and contexts can be beneficial to users.

- Instead of focusing on these data flows, there is a need for a workable
definition of “privacy” the Charter must define the actual scope of “private
advertising” and “privacy”. The handling of information using appropriate
safeguards does not directly raise consumer harms, and can confer benefits,
so undue limitation of the scope for use cases in the Charter language is
unwelcome.

- The UK Competition and Markets Authority (CMA) and Information
Commissioner’s Office (ICO) clearly state that there is no distinction
between first and third party in their May 2021 joint statement in
determining privacy risks.[^5] The Charter must explicitly acknowledge that
position if those who accept this regulator’s position are to contribute.

- The Charter needs to specify the guidelines the group will use to mitigate
risks to individuals from the collection and processing of their personal
data regardless of which organisation is collecting and processing Personal
Data.

- **Issue:** These are inadvertent implications of language choices that
need to be clarified at the Charter stage. The Charter most not take the
position that all data will be regulated, to avoid pre-empting a debate
about which specific data handling practices raise concerns. Explicitly
avoiding the use of first and third party and focusing on risk of harm
will help this group and the work of the W3C more generally as requested
in 51Degrees general communication in June 2022 concerning 1st and 3rd
party thinking[^6].

- **Issue 2: Potential commercial sensitivity of some proposed focal 
areas.**
There are issues associated with inadvertently embedding sensitive
commercial decisions in the standards layer. This raises questions about the
W3C’s antitrust guidelines[^7] and whether taking positions on certain
specific functionalities complies with those policies. There is also a need
to ensure that any standard, Working Group Charter, or debate, does not
unduly restrict competition and that competing access to lawful data flows
for responsible uses remains unimpeded.

- **Issue:** The Charter should omit references to commercially sensitive
matters within standards definition, to be sure proposals discussed will
not conflict with the antitrust policy. Alternatively, if sensitive
matters are to be discussed, clean team arrangements should be in place
to ensure that the commercial impact on participants in the debate is
suitably firewalled.

- **Issue 3: Scope of success criteria.** Success criteria correctly 
identify
users as a focus but omit other constituencies of direct and indirect system
users.

- **Issue:** The success criteria should be extended to capture direct and
indirect benefits from technology, such as foreseeable impacts on
publishers including smaller publishers.

- **Issue 4: Due process and potential conflicts of interests.** Inevitably,
and appropriately, large technology companies have a major role to play in
developing new technological standards. However, there are conflicts of
interest if W3C members face financial impacts from system design decisions.
At present, these can be objected to under the W3C Process Document, but
there is no clear framework for how a commercial conflict of interest should
be addressed as part of the group’s design process, especially given the
under representation of small businesses in the W3C. There is also a concern
that proposed group members have strong views in some of these debates,
which may not represent the breadth of views of the membership[^8] or all
participants in the web. There is a need for demonstrable neutrality.

- Unrestricted participation must be shown to demonstrate neutrality. 
Further
work is needed on how unrestricted participation is assured within W3C. For
example, it appears that the current W3C Process Document seeks to assure
unrestricted participation by aiming for consensus and hence negotiated
input from all where, at Section 5.2.1 it states that consensus is not
achieved if anybody registers a Formal Objection. If that Formal Objection
is arbitrated by a neutral party on an objective basis, then non-partisan
participation can more readily be shown to be taking place.

- **Issue:** The charter must articulate a clear framework to address
conflicts of interest, particularly in those cases where debate and
potential recommendations have a self-preferencing commercial impact.
For example, there could be a process for such commercially affected
members to stand aside while the matter is referred out to more neutral
participants, such as consumers of the systems (e.g., publishers rather
than technology vendors).

**Assessment**

The web is now used by five billion people and powers trillion US dollar 
markets
where individual companies have market capitalizations measured in 
trillions of
US dollars.

51Degrees observe that W3C fail to implement existing guidelines concerning
antitrust[^9] and these guidelines are not suitable for a 501(c)(3) legal
entity[^10] governing the web. These observations are the subject of 
separate
correspondence from MOW and further examples can be provided.

The newly appointed Board of Directors must address these issues before 
this FO
is assessed. Without a process that an objector has confidence will be 
followed
fairly the objector can never be satisfied with the outcome. Recent FO
assessment and resolution has not followed due process.

The Charter raises issues that are complex involving laws and economics. 
They
are important to the mission of the W3C. If the W3C Team believes that 
the FO
would be more efficiently handled by splitting out the different 
concerns, then
51Degrees are willing to consider doing so. It is not possible via the
submission process for one organization to raise distinct FOs concerning the
same charter.

1. **Issue 1: Starting assumptions about cross-domain and cross-context data
handling**

*Elision of privacy and personal information*

The Charter refers to the interrelationship between advertising, 
privacy, and
personal information as the core focus of the Working Group:

The purpose of these features is to support web advertising without 
compromising
user privacy. Here “privacy" minimally refers to appropriate processing of
personal information.

Indeed, “Privacy” within W3C has so far been defined as “Preventing the
unintended or unauthorized disclosure of information about a 
person.”[^11] This
definition aligns with applicable data protection regulations that recognize
people’s privacy rights relate to information linked to specific consumers,
natural persons, or data subjects.[^12]

However, it is becoming clear that the relationship between personal 
data and
privacy is more nuanced:

- Privacy and personal information are not identical concepts. Sometimes,
information that may link to a device, or even to a person, is not private –
especially when a user is interacting with other members of society. This
would be so with innocuous data. Consider an example like height. Height is
visible and allowing advertising to use it *responsibly* may well be helpful
in some contexts, even on a tailored basis (e.g., tall people finding tall
clothing stores).

- As explored below, much marketing data is not linked to specific 
individuals
at all, e.g., through pseudonymisation or other appropriate
privacy-by-design measures. But even if it were, substantial amounts of
information sharing may be consumer friendly, if it helps people to more
easily find products and services of interest. This also helps publishers to
generate income, which indirectly helps consumers by funding their access to
digital content and services.

- In other cases, data which is not about specific individuals might link to
data protection or privacy concerns. Even a system that, strictly speaking,
is not itself linking to identity could raise a concern if tailored content
were to reveal something private, e.g. through shared device use. Privacy
concerns could arise if identity can be revealed by someone else (e.g.,
another system user) and shows that the definition of privacy does not
always align with personal data use from the user perspective.

- Still other situations involve data handling which is not personal at all
(e.g., fully anonymised data) which seems not to raise a privacy concern at
all. However, the legal side of the debate has not always taken that
position. A reference to protecting “personal information” in all cases
could be taken to imply this, limiting beneficial use cases where data
should flow given the balance of interests favours the beneficial users over
the risks to specific individuals.

In summary, because personal data and privacy are not the same thing, it 
would
be mistaken to lay a foundation based on eliding the two. Instead, there 
should
be an investigation to establish what is “private." The statement refers to
“appropriate processing of personal information” and it may be that
“appropriate” already catches this concern, but it would seem wise, at the
Charter stage, to preserve the position as regards the interrelationship 
between
privacy and personal data. Simply omitting the sentence on the relationship
between privacy and personal information will allow an open-minded debate on
point.

*Cross-site and cross-context data handling*

The Charter takes a position on the use of data across sites and contexts:

“Ways in which new features might enable inappropriate processing 
include (but
are not limited to) enabling of cross-site or cross context recognition 
of users
or enabling same-site or same-context recognition of users across the 
clearing
of state.”

There will be circumstances in which cross-site and cross context data 
handling
raises concerns. For example, medical records call for strong protections
against out of context use. But as with the link between privacy and 
personal
information, the picture is more nuanced.

Some user-friendly data handling happens across different sites and 
different
contexts. Users have a strong interest in accessing free content. 
Personalised
advertising can yield up to 71% more return on investment to a content
publisher, indirectly furthering consumer interests. This was seen when 
Apple’s
ITP began to block some of this data on Safari (See e.g., the UK 
Competition and
Markets Authority’s Mobile Ecosystems Market Study Interim Report, p. 
249)[^13].
For specialist websites with even more nuanced content, the figure may 
be even
higher.

*Conformity with existing W3C approaches*

The web standards bodies and W3C members have proposed “origin,” “site” and
“context”[^14] as potential boundaries across which user expectations 
may not
align with lawful flows of data sharing. “Context” is frequently not a 
boundary
of an origin (e.g., Wikipedia.org has multiple contexts but one origin per
language), yet the ambiguous term of "context” is proposed for use in the
Charter itself.

The Charter needs to specify what is the touchstone by which this group will
work by to mitigates risks to individuals from the collection and 
processing of
their personal data. The current language is not precise enough to provide
sufficient guidance on when a proposal is improving privacy versus merely
specifying which organizations or category of web participant this group
believes ought to collect and process specific individual’s personal data.

**Example of helpful cross-site and cross context data handling:**

A freelance product review writes a specialist blog for children’s car 
seats.
The reviewer measures how seats fit for relatively rare use cases such as
requiring three car seats across a back seat. Some cars are large 
enough; others
are not; and information available to the parents is poor.

The reviewer dutifully measures out the cars and provides reviews that save
parents hours of time.

Using current cookie-based technology, the advertising technology behind the
website would be able to provide at least some information on conversion and
would allow at least some return on the investment of time via
pay-for-performance or affiliate marketing commissions.

This funding increases the supply of helpful reviews from smaller blogs.

Proposals to stop cross-context or cross-site data handling would limit 
or even
eliminate this use case, replacing it with contextual advertising, or 
turn it
into a monopoly by the largest platforms or internet gatekeepers. In 
cases where
the blog is no longer written, this effectively puts the blog out of 
business
and means that the lost income is 100%. So the 71% average loss for some 
content
producers may, in fact, be a low end estimate.

The loss of this added value to content producers harms the user interest:

- The user interest is in having the information on the car seat, and 
provided
that privacy-by-design safeguards are used, there is no clear downside to
the user from the data flowing, *including across contexts and domains*.

- On the contrary, there is an upside. This is especially true for 
specialist
and minority interest which may be poorly catered to on purely contextual
approaches, which have a “herd” tendency.

- There will be many similar examples where the consumer interest is in 
having
innocuous data flow, provided that the relevant safeguards are in place.
Indeed doodle.com[^15], often used by W3C participants to arrange meetings,
is funded from advertising that operates as described and which the group
intends to create web standards to interfere with.

This is a helpful use case, and Charter language should not diminish it 
at the
debate framing stage, to ensure that the next generation of technology 
can cater
to it.

*Reference to “users” rather than distinguishing between user identity vs
pseudonymous identifiers kept distinct from identity-linked data*

There is also the difficulty that the reference to “users” elides the 
important
difference between pseudonymised users and the identity of system users. 
This
may not be intended, but may inadvertently decrease the scope for 
discussion of
the role of privacy-by-design safeguards that have an important role to 
play in
these debates.

However, there are also some positive points from 51Degrees’ point of 
view. For
example, the reference to “inappropriate processing … across the clearing of
state” seems sensible as a means to focus on what consumers want and to 
protect
their choices (e.g., allowing those users who are concerned about a site or
organization recognizing their web-enabled application after they 
exercise their
right to be forgotten, such as by clearing state).

There is also much to like, from 51Degrees’ perspective, in the idea 
that “The
Working Group may consider designs that allow user agents for the same 
user —
including non-browser agents, like Operating Systems — to collaborate in
providing advertising features.” This seems sensible as it paves the way for
focusing on risk management via a range of vendors and technical solutions,
rather than isolating all control over data collection and processing to web
browser vendors.

Indeed, this potentially helps to align with some trends in the wider data
policy community with which the proposed standards and Working Group will
engage.

It may simply be that the language about cross-site and cross domain 
handling,
just like the privacy/personal information language, needs to be 
clarified in
relation to protecting other rights (e.g., freedom of speech/expression, 
freedom
to operate a business or cross-context data portability) to ensure it is not
unduly restricting the scope for debate in the context of these 
developments.

**Developments in wider data protection circles regarding cross-site and 
cross
context data use**

51Degrees appreciates that the desire of the Working Group is to focus on
technology and not surrounding policy debates of general application. 
However,
to the extent that de facto standards may contrast with the law and may 
be very
widely deployed, it seems helpful to cast an eye on trends in developing 
data
protection regulation. At least one participant, Google, is obliged to 
use legal
definitions of privacy law in its proposals under a regulatory 
settlement[^16]
with the UK Competition and Markets Authority, reflecting concerns that 
shifting
or vague privacy definitions can harm rivals seeking to design systems over
time. So, it seems to behove the Working Group at least to be mindful of 
what
these trends are and whether the Charter aligns with them. 51Degrees expects
Google to note this issue in their response to the Charter.

Data protection regulation has moved on in recent years towards emphasis on
risks from data processing, rather than the existence of processing 
across sites
and contexts. A good example is the UK Information Commissioner’s Office’s
November 2021 AdTech Opinion, which expressly states that regulators expect
emphasis on identifiable risk rather than hypothetical hazards from data
transmission. Indeed, Google successfully argued in Lloyd vs Google that the
presence of third-party advertising tracking cookies is not unlawful[^17].

Indeed, W3C’s 2015 document Unsanctioned Tracking[^18] is now out of 
step with
this, as it simply asserts some concerning hazards, rather than 
modelling risk.
In its crucial definition of harm at section (3), the document chiefly 
relies on
a relatively vague and unquantified hazard (“undermine user trust”) without
information on the context of when this concern does, and does not, arise.

The 2015 document does give one very striking example: the revelation of
pregnancy via the display of adverts, which would seem to be a core privacy
concern. However, it does not engage with a *risk-based* approach to this
hazard. Such an approach might consider more tailored responses, such as
specifically banning health-related categorization. This would address 
areas of
priority concern and allow a focus on them. It would also have the notable
benefit of allowing other data to continue to flow, in cases where risk 
is low
or even zero. By contrast, many recent proposals (e.g., First Party 
Sets[^19])
seem minded to apply the thinking from before this change in regulation 
and to
implement this through restrictions in the technical standards layer.

It is unwise to build an obsolescent approach to these risks into the 
Working
Group Charter as this would cut across the work undertaken by regulators 
to help
prioritise high risk concerns, while allowing the benefits of non-harmful
processing to continue. There is scope for the Working Group to help move
forward the debate from the 2015 document, and the Charter should take an
open-minded approach to the question.

*The role of privacy-by-design safeguards*

Privacy-by-design safeguards seem to be understated in the current scope
definitions. A large part of the debate seems likely to concern how to 
design
technical systems to ensure that privacy concerns do not arise, and the 
role of
privacy-by-design measures to this end (as opposed to simply decreasing data
flows) seems helpful to add. In the construction of the Charter draft
participants were unwilling to recognise the role of non-engineering 
professions
such as economists and lawyers in privacy-by-design solutions. This is a 
major
concern to 51Degrees who do not believe optimum solutions to complex 
problems
are found in only one profession. The Charter would fully embrace
privacy-by-design by replacing the word “Technology” in the title with
“Solutions” and removing the words “primarily non-technical” from the text.

*Privacy Principles*

51Degrees object to the direction of the work underway by TAG to create a
Privacy Principles note[^20]. These objections are articulated by 
MOW[^21] and
are yet to be assessed by TAG or PING. As such a resolution to this 
concern that
51Degrees would find acceptable cannot be found in the Privacy Principles as
currently drafted or under the direction of the current editor.

2. **Issue 2: Potential commercial sensitivity of some proposed focal 
areas.**

The section of the proposed Charter on Private Attribution Measurement 
raises
some concerns about commercial sensitivity in technical design decisions:

- **Conversion data definition:** There is a starting assumption that
user-level conversion data should not be gathered: “This specification
defines how to privately measure advertisement attribution/conversion rates
without revealing whether any individual user converts or does not.” This
example helpfully illustrates again that some cross-context and
cross-organizational data sharing (e.g., in this case attribution matching
of user interactions with a marketer’s property to prior exposure to content
on media owner properties) is both expected and beneficial. The Charter
needs to clarify exactly why specific organizations should collect and
process such data for business advertising purposes, and how the risk they
pose to individuals is or can be appropriately mitigated such that other
organizations and new entrants can follow suit without unreasonable barriers
to entry.

- Without clarifying such rationales, this type of specification may 
restrict
competition or unfairly discriminate against organizations that operate
business-to-business (B2B) advertising solutions, but do not also
manufacture business-to-consumer OS or web application software. As there
may be no privacy concern (e.g., Random ID 123 bought shoes after seeing Ad
ABC), it is unclear why this is ruled out of scope for only organizations
that do not manufacture such software at the technical design stage.

- As another example, if “first party” were to be used as a criterion for a
privacy boundary this would effectively favour larger incumbent content
authors and media owners at the expense of smaller rivals whose niche
content might appeal to otherwise underserved minority interests. Thus any
specification that favours those organizations who already have larger
audiences, would be using a technical standard to effectively distort the
market away from sites that could otherwise provide the most user-centric
ad-funded content and services.

- **The list of normative specifications:** Many of the specifications 
listed
are the subject of competition between providers. Each of the three stages
concerned raises commercial sensitivities, because different companies are
affected by them differently:

- **Pre-campaign planning** including critical points on audience
definition, context to engage the “right” audience, time of day, day of
week by geo-region**;**

- **Intra-campaign optimization** including critical points on budget
allocation, price, and messaging adjustment;

- **Post-campaign reporting and attribution** including critical points on
feeding decision making to reduce waste in media spend that drives
higher revenues for media owners**;**

In all three cases, there is scope for technical standards to cut across
commercial business-to-business decision making. The risk is greatest if
they were used by large browser vendors to prevent competing B2B data
flows and processing which do not themselves raise consumer concerns. So
while 51Degrees admires the desire to focus down on technical matters,
any standard must ensure it does not restrict competition by focusing on
which type of organizations engages in business-to-business processing
of non-sensitive or low risk input data.

W3C’s existing Antitrust and Competition Guidance[^22] requires that:

“**W3C does not** play any role in the competitive decisions of W3C 
participants
nor **in any way restrict competition**…. [P]articipants should not discuss
product pricing, methods or channels of product distribution, division of
markets, allocation of customers, or any other topic that should not be
discussed among competitors.” (emphasis added)

An open standard allowing data flows among business-to-business processing
required by the digital properties people choose to visit would support
competition and hence not violate this W3C antitrust proscription. 
However, many
of the proposed Attribution Measurement proposals seem to restrict which 
types
of organizations are allowed to provide such business-to-business ad 
solutions,
this could amount to transgressing the W3C’s antitrust policy, for 
example if
defining certain audience-related capabilities effectively “allocate[s]
customers” (or at least demand) into particular vendors or amounts to a 
division
of markets away from other rival solutions. “Methods or channels of product
distribution” also seem to be implicated, because the definitions seem 
likely to
affect how, by whom, and to whom advertising services are sold and provided
hence “restrict[ing] competition.”

A worst-case scenario is that modelling how well proposals work directly
implicates price and performance of products, which is an area where 
companies
are required to compete and accordingly a topic which representatives 
should not
discuss.

To the extent that standards framers from affected organisations necessarily
must discuss commercially sensitive design decisions, care is needed to 
employ
the antitrust guidelines. It will also be helpful to consider how 
restrictions
on competition resulting from the application of standards, such as 
restrictions
to data flows, could be addressed.

A typical means to do so is to apply a Fair Reasonable and 
Non-Discriminatory
(FRAND) licensing policy to any data flows that are brought under 
control by the
standard. In this case, that would mean specifying what the relevant privacy
safeguards are and applying the same criteria in a non-discriminatory 
manner so
that other compliant businesses can serve a wide range of use cases. In many
cases, closing off access to legally compliant data flows can impede 
valid use
cases, and the requirement to define relevant safeguards for broad 
application
would be a practical means to avoid undue limitations. Participants in 
the group
need to agree to such licensing terms as a condition of membership.

Even if one were to believe that consumers should control the
business-to-business advertising decisions that marketers make when 
choosing to
subsidize specific publishers, then it would make more sense to enable 
consumers
to choose which advertising vendors they wish to operate advertising 
solutions
for the sites they visit, rather than have this choice removed by bundling
business-to-business ad systems into the web browser they select to access
various publisher’s digital content and services.

**It would be helpful to have some remarks on how this might be done in the
Charter** given the sensitivity of a number of the listed topics**.**

**Possible practical safeguards: Clean teams and conflict of interest
protocols**

A practical approach to these risks would be to adopt so-called “clean 
teams”
from organisations affected, who could not see the impact of the standard on
their business so as to have clean hands when coming to discussion. This 
could
be done by pseudonymising data input and creating firewalls.

Indeed, participants are *already* required for at least one member (Google)
under the UK CMA Privacy Sandbox Commitments[^23] (See especially 
Paragraph 30,
requiring non-discriminatory design and implementation decisions). A 
“trust but
verify” approach would require clean team safeguards to avoid risks of this
taking place, given the significant potential conflict of interest.

As things stand, however, no such safeguards are in place, which seems
unnecessarily to engage risk to the W3C and participants in such 
activity that
would restrict competition in violation of the antitrust provisions 
incorporated
into the Working Group Charter (section 10).

3. **Issue 3: Scope of success criteria.**

51Degrees agrees that it is important to consider what success looks 
like at the
start of a project to compare the relative merits of alternate proposals.
However, there are significant concerns that the current definition is
incomplete:

Each normative specification should contain separate sections detailing all
known **security and privacy implications** for implementers, Web 
authors, and
end users.

There can be no doubt that these are correct criteria, but there are others
besides security and privacy[^24]. The most secure web system would 
simply be to
abolish the web, because then no data would flow, and there would be no 
risks to
security or privacy. This is clearly, however, against the user interest 
and W3C
mission. There are unspecified success criteria here, and they should be 
fleshed
out. 51Degrees edited success criteria[^25] within the Improving Web 
Advertising
Business Group which provides guidance on how this can be addressed. The
proposers should incorporate and update that document as an appendix to the
Charter before progressing.

There needs to be focus on other important considerations. The most 
important
relates to how technical standards on advertising have indirect consumer 
impacts
from the way that they can (sometimes inadvertently) alter incentives facing
publishers and restrict beneficial access to those serving minority 
interests.
For example, a paywall-led model or a logged-in model of the internet might
maximise “security and privacy” but not be in the consumer interest for 
those
who are economically disadvantaged. Issues arise with:

- **The user experience,** e.g., unnecessary pop ups to gain consent for
business-to-business processing, where properly providing information to
consumers makes informed decisions is challenging, even where data handling
risks are low or zero.

- **Content creation** where this is supported by technologies that are not
the *most* secure, but do not pose any meaningful security risk on an
evidenced basis (e.g., a blog using an affiliate marketing system that
relies on sponsorship payments).

- **Incentives towards paywalls** if free content is diminished. Given the
likely discrimination against the economically disadvantaged, the user
interest would be to ensure continued access of “free” ad-funded content,
whereby the marketer subsidizes the consumer’s access, rather than
restricting data flows, provided that safeguards are applied.

- **By requiring people to log in** to receive services when they would not
otherwise need to does not advances people’s privacy online and is not
considered privacy-by-design.

It is positive that “There should be testing plans for each specification,
starting from the earliest drafts,” which addresses concerns about earlier
unilateral proposals not showing a clear testing paper trail nor a 
balance of
interests including the indirect interests of individuals alone or society,
which represents groups of individuals. This is immensely welcome and 
helps to
implement part of Google’s Commitments to the UK CMA (para 17© on testing).

However, for this testing to be meaningful, it will need to define things to
test against, beyond just privacy of security, or, by definition, the 
sole focus
on those prioritised variables (however defined) must logically 
predominate. The
Charter authors need to include impacts on publishers and the consumer 
interest
more broadly construed, to avoid testing from becoming too narrow and thus
departing from the interest of users, including groups of users and indirect
impacts on users. This reflects the fact that the user interest is not 
only in
privacy and security maximisation, but in content creation and ad-funded 
access
as well. Without sufficient competition among the business-to-business
processing associated with ad-funded access, then content producers and 
media
owners might pay more than what the competitive market rate would 
normally be,
thus diminishing investments in consumer-facing innovations, content and
services they ordinarily would have provided but-for the less.

The text of the charter needs to be modified to include an outline test 
plan and
show clearly how a proposal will be tested from the perspective of 
competition
and market impact. There will be no point conducting engineering tests of a
proposal if it fails to pass a test of compliance with competition law.

1. **Issue 4: Due process and potential conflicts of interests**

51Degrees notes that the Charter proposes to follow the W3C Process
Document[^26], with attention drawn specifically to Section 5, 
Decisions[^27].
51Degrees agrees with and supports the desire for consensus expressed in 
Section
5.2,in particular.

However, there are concerns that the sensitivity of the commercial 
impact of the
standards, as well as a number of fundamental points of debate about the 
role of
data handling, mean that consensus building may prove unusually challenging
here. For example, one prominent W3C member, Google, expresses a strong view
that the “aim” of its Privacy Sandbox proposals is to support key ads 
use cases
without cross-site tracking.” (Google’s Q2 2022 Update Report[^28] to 
the CMA,
p.11, 25 July 2022). This engages fundamental debate of the sort outlined at
(I), and it seems likely that disagreement will occur over commercially
sensitive matters such as the scope to handle data between sites and 
contexts in
cases where risks are low. Another participant in the envisaged Working 
Group,
endorsed by a proposed chair, has expressed a view that consensus will 
be used
to address some of the issues raised in this FO[^29].

The Charter envisages a majority vote to resolve such an issue:

“if a decision is necessary for timely progress and consensus is not 
achieved
after careful consideration of the range of views presented, the Chairs 
may call
for a Working Group vote and record a decision along with any formal 
objections…
A call for consensus (CfC) will be issued for all resolutions (for 
example, via
GitHub issue or web-based survey), with a response period from one week 
to 10
working days.”

This is a good starting point for addressing the need to balance debate and
consensus building. However, it contains a number of weaknesses:

- **Risk of dominance by a few companies:** A majority can easily be
constituted by well-represented members, regardless of the quality of the
substance of the objection; even the most principled objection from a
smaller company could be ignored on numbers rather than on the merits;

- **Delay**: In a case where the majority voting envisages results in
overruling a valid substantive concern, there is a risk of a Formal
Objection, because the Section 5.2.1 definition of Consensus in the W3C
Process Document states that consensus is *not* achieved if anybody “in the
set registers a Formal Objection.”

Both the Charter and the W3C Process Document contemplate circumstances 
where it
is possible to proceed without Consent:

The [Chair](https://www.w3.org/2021/Process-20211102/#GeneralChairs) *may*
record a decision where there is
[dissent](https://www.w3.org/2021/Process-20211102/#def-Dissent) (i.e., 
there is
at least one [Formal
Objection](https://www.w3.org/2021/Process-20211102/#FormalObjection)) 
so that
the group can make progress (for example, to produce a deliverable in a 
timely
manner). Dissenters cannot stop a group’s work simply by saying that 
they cannot
live with a decision. When the Chair believes that the Group has duly 
considered
the legitimate concerns of dissenters as far as is possible and 
reasonable, the
group *should* move on.

(5.2.2, Managing Dissent)

However, the Formal Objection would remain and has to be identified before
Advisory Committee review (5.6, Recording and Reporting Formal 
Objections). This
creates uncertainty and the potential for unnecessary delay during 
resolution.

The most concerning case would be that of a direct conflict of commercial
interest, such as a proposal that alters data flows to the commercial 
benefit of
a member. That would seem to be a serious concern, and rather than having a
hostage to fortune in the Advisory Committee review, it would seem 
preferable to
address possible conflicts of interest in the Working Group charter.

Indeed, this is envisaged by the W3C Process Document:

As part of making a decision where there is dissent, the Chair is 
expected to be
aware of which participants work for the same (or related) Member 
organizations
and weigh their input accordingly.

(5.2.2)

Applying that principle here would require commensurately low weighting to
companies affected by commercial decision making. A practical approach 
would be
to give more weight to purchasers of the technologies, such as content
producers, and less to companies with a “dog in the race”. User 
interests could
also be employed, provided that user evidence is collected carefully to 
account
for the difficulty in users understanding some of the technological aspects
associated with business processing purposes (e.g., surveys would need to
explain privacy-by-design safeguards, unlike many existing surveys). The 
Charter
needs to ensure explicitly that content creator, media owner and publisher
interests are given greater weight than the interests of user agent
implementors. The debate prior to the submission of the proposed Charter 
agreed
such input should come from a Community Group[^30] but this approach has not
been included in the Charter text. The use of a Community Group to gain 
wider
input on decision making must be enshrined in the Charter text.

We note that the long-standing Priority of Constituencies[^31] 
referenced from
the Private Advertising Community Group Charter[^32] is notably absent 
from this
Charter of this Working Group of the same name.

However, what is likely not to work well is for technical specifications 
to be
proposed by those who benefit from other companies receiving less data. 
Indeed,
this would seem likely to contravene the UK CMA Commitments, at least in
Google’s case, and could result in protracted uncertainties surrounding work
product as those points are resolved.

To address the point now, the Charter could helpfully discuss how it 
proposes to
address conflicts of interest, e.g.:

- By using clean teams within organisations (see above);

- By adopting different voting majority rules (majority of companies rather
than voting members); and/or

- By altering voting constituencies (e.g., to account for a wider range of
technology users, rather than web browser vendors).

In summary the process for establishing consensus and decision making 
that is
used widely across the W3C is not appropriate for this Charter given the
significance of the decisions and work of the group to competition. This has
previously been raised with the Advisory Board[^33] and is likely to 
form the
first order of business for the newly appointed Board of Directors.

**U.S. Department of Justice guidance on how to address due process 
concerns in
standard setting bodies**

There is helpful guidance on this point from the U.S. Department of Justice:

“Standards development organizations (SDOs) use a variety of safeguards to
achieve the benefits of standardization while minimizing potential antitrust
risks. These safeguards include, as articulated in guidance circulated 
by OMB,
taking steps to ensure that the standards-development process is “open to
interested parties,” **balanced, and** **consensus based**, and that SDOs’
procedures provide for due process and appeals.”

(Antitrust Division Economics Director of Enforcement Jeffrey Wilder at 
the IAM
and GCR Connect SEP Summit, Sept. 29, 2021)

The focus on the W3C documentation on fostering consensus is helpful, but
concerns could arise related to:

1. The contemplated scenarios in the Working Group charter which would 
depart
from consensus (e.g. bare majority voting); and
2. Whether the additional requirement for “balance” is addressed.

The speech refers out to a memorandum on standard setting by the federal
government known as Circular No. A-119 Revised (Feb. 10, 1998). This is 
designed
to stop government standards from unduly restricting purchasing choices.
Although this is a slightly different context, to the extent that the 
proposed
standards would de facto alter data handling on a widespread basis, 
affecting
many vendor / purchaser / user relationships, the same safeguards carry 
over.

The suggested safeguards are:

“openness, balance of interest, due process, an appeals process, and 
consensus
defined as general agreement, but not necessarily unanimity and includes a
**process for attempting to resolve objections by interested parties, as 
long as
all comments have been fairly considered, each objector is advised of the
disposition of his or her objection(s) and the reasons why, and the 
consensus
body members are given an opportunity to change their votes after 
reviewing the
comments.”**

Circular No. A-119 Revised, at 4.a(1) (emphasis added)

Applying these safeguards, it would be helpful for the Charter to:

- Identify the process to attempt to resolve objections, including:

- Who handles a conflict-of-interest complaint and how this is “fairly
considered” including the crucial question of *who* considers the
complaint

- Identify a timeline for resolution and an appeals process, and how this
relates to the work in progress.

- Identify how reasons for resolution will be shared, including the power
to hold the vote again once these reasons are known.

The current proposal to use a simple majority vote on a compressed timeframe
(e.g., via online polls of as little as one week) seems very unlikely to 
meet
these requirements. It is unclear how reasons would be articulated and
disseminated in time for a meaningful repeat vote after resolution. This 
seems
to be an area in need of some additional specificity to comply with the due
process requirements outlined above.

[^1]: <https://movementforanopenweb.com/>

[^2]: For example, appointing an independent monitor to verify that 
competition
issues are not present and advising the chairs and group participants where
there are problems, or establishing clean team arrangements for those that
participate in the group from dominant companies.

[^3]: For example, amending the W3C antitrust guidelines to align to DoJ 
and other
guidelines and ensuring that they are enforced.

[^4]: See for example, UK CMA note that Google's request for market 
actors to
participate in W3C and other forums, and announcements by its senior staff,
have had a likely anti-competitive impact on rivals.
<https://assets.publishing.service.gov.uk/media/60c21e54d3bf7f4bcc0652cd/Notice_of_intention_to_accept_binding_commitments_offered_by_Google_publication.pdf>
| Martin Thomson of Mozilla noting that "After all, if tracking remains
viable, then there is far less incentive to adopt the solutions that a group
like this might offer" thus acknowledging that in a situation where
participants have choice they will not favour the work product of the
proposed group.
<https://github.com/patcg/meetings/issues/52#issuecomment-1163823743>

[^5]: 
<https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/987358/Joint_CMA_ICO_Public_statement_-_final_V2_180521.pdf>
\- “There is no explicit reference to the distinction between 
first-party and
third-party data in data protection law.”

[^6]: <https://lists.w3.org/Archives/Public/public-patcg/2022Jun/0074.html>

[^7]: <https://www.w3.org/Consortium/Legal/2017/antitrust-guidance>

[^8]: Mozilla do not believe privacy-by-design and lawful proposals to 
improve
privacy are legitimate unless they are controlled by web browsers and
implemented entirely by the profession of engineering. See analysis of SWAN
and UID2 which contains a number of factual errors advised to Mozilla -
<https://blog.mozilla.org/mozilla/swan-uid2-privacy/>. Mozilla
representatives have sought to restrict the Charter in its development. At
least one of the proposed chairs of the group has publicly expressed
positions that are concerning to other participants. See the following Tweet
in relation to a B2B business called TransUnion
<https://twitter.com/Chronotope/status/1564246061773950979?s=20&t=-ecWJdXh5TyvaiyTm_LO6Q>,
or the following analysis of another advertising proposal
<http://aramzs.github.io/web-standards/2022/08/04/topics-api-review.html>.
The employer of one of the proposed chairs is active in the publishing and
advertising sectors
<https://washingtonmonthly.com/2022/06/20/jeff-bezoss-next-monopoly-the-press/>.

[^9]: <https://www.w3.org/Consortium/Legal/2017/antitrust-guidance>

[^10]: <https://www.w3.org/2022/06/pressrelease-w3c-le.html.en>

[^11]: Composite Capabilities/Preference Profiles: Terminology and 
Abbreviations,
W3C Working Draft (21 July 2000), <https://www.w3.org/TR/CCPP-ta>. *See
also* The Platform for Privacy Preferences 1.0 (P3P1.0) Specification, W3C
Recommendation 16 April 2002, which was used for 16 years before replacement
on obsoleted on the basis of limited adoption, but not on any limitations as
to privacy definitions, on 30 August 2018), where in Scenario 3 describing a
website vendor’s cookies used in providing frequency capping that “do not
reveal information about any individual users.“ -
<https://www.w3.org/TR/P3P>.

[^12]: *See* GDPR, Art 4: “personal data’ means any information relating 
to an
**identified or identifiable natural person (‘data subject’)**….” versus
“‘pseudonymisation’ means the processing of personal data in such a manner
that the personal data can no longer be attributed to a **specific data
subject** without the use of additional information, provided that such
additional information is kept separately and is subject to technical and
organisational measures to ensure that the personal data are **not
attributed to an identified or identifiable natural person**.” CPRA,
1798.140(v)(1) “Personal information” means information that identifies,
relates to, describes, is *reasonably* capable of being associated with, or
could reasonably be linked, directly or indirectly, with a **particular
consumer or household**.” (emphasis added)

[^13]: <https://www.gov.uk/cma-cases/mobile-ecosystems-market-study>

[^14]: <https://html.spec.whatwg.org/multipage/origin.html> and
<https://tess.oconnor.cx/2020/10/parties>

[^15]: <https://doodle.com/advertising/>

[^16]: 
<https://assets.publishing.service.gov.uk/media/62052c6a8fa8f510a204374a/100222_Appendix_1A_Google_s_final_commitments.pdf>

[^17]: 
<https://www.pinsentmasons.com/out-law/analysis/lloyd-v-google-supreme-court-representative-action>

[^18]: <https://www.w3.org/2001/tag/doc/unsanctioned-tracking/>

[^19]: <https://github.com/WICG/first-party-sets/issues/108>

[^20]: <https://www.w3.org/TR/privacy-principles/>

[^21]: 
<https://movementforanopenweb.com/mows-in-depth-commentary-on-the-draft-w3c-privacy-principles/>

[^22]: <https://www.w3.org/Consortium/Legal/2017/antitrust-guidance>

[^23]: 
<https://assets.publishing.service.gov.uk/media/62052c6a8fa8f510a204374a/100222_Appendix_1A_Google_s_final_commitments.pdf>

[^24]: See Ofcom reports
<https://www.ofcom.org.uk/__data/assets/pdf_file/0013/220414/online-nation-2021-report.pdf>
\|https://www.ofcom.org.uk/research-and-data/internet-and-on-demand-research/online-nation/interactive\|https://www.ofcom.org.uk/research-and-data/media-literacy-research/adults/adults-media-use-and-attitudes/interactive-tool

[^25]: 
<https://github.com/w3c/web-advertising/blob/main/success-criteria.md>

[^26]: 
[https://www.w3.org/Consortium/Process](https://www.w3.org/Consortium/Process/)

[^27]: 
[https://www.w3.org/Consortium/Process/\#decisions](https://www.w3.org/Consortium/Process/#decisions)

[^28]: 
<https://assets.publishing.service.gov.uk/media/62e14c98e90e0766a8081720/_Privacy_Sandbox_Progress_Report_to_the_CMA_2022_Q2_.pdf>

[^29]: 
[https://github.com/patcg/patwg-charter/issues/31\#issuecomment-1170857845](https://github.com/patcg/patwg-charter/issues/31#issuecomment-1170857845)

[^30]: <https://github.com/patcg/patwg-charter/issues/13>

[^31]: HTML Design Principles, W3C Working Draft (26 November 2007),
<https://web.archive.org/web/20071130082925/https://www.w3.org/TR/html-design-principles>:
“In case of conflict, consider users over **authors over implementors** over
specifiers over theoretical purity. In other words costs or difficulties to
the user should be given more weight than **costs to authors; which in turn
should be given more weight than costs to implementors**; which should be
given more weight than costs to authors of the spec itself, which should be
given more weight than those proposing changes for theoretical reasons
alone. Of course, it is preferred to make things better for multiple
constituencies at once.” Recently updated, but signifying the same order of
web stakeholders, Web Platform Design Principles, W3C Group Note, (24 August
2022)
[https://www.w3.org/TR/design-principles/\#priority-of-constituencies](https://www.w3.org/TR/design-principles/#priority-of-constituencies):
“User needs come before the needs **of web page authors, which come before
the needs of user agent implementors**, which come before the needs of
specification writers, which come before theoretical purity.” (emphasis
added)

[^32]: <https://patcg.github.io/charter.html>

[^33]: <https://github.com/w3c/AB-memberonly/issues/88>

Received on Wednesday, 10 January 2024 15:56:50 UTC