jwrosewell: "primarily non-technical" -> "do not have any technical component" #8
Comments
|
On the other side, see Alex Cone's |
ekr
changed the title
I am afraid that the output of this particular change will make it hard for any participant to differentiate the scope of work between PATCG and PATWG. |
|
I don't know whether @lukwlodarczyk is objecting on the basis that the charters remain consistent or whether it is about the specific change here. The former is a technicality (we surely could handle with a change to both charters), the latter is substantial. I am also opposed, but for the substantial reason. The choice of phrasing here is quite deliberate. I don't not want to spend my time on proposals that provide no technical guarantees. That is, the "primarily" piece is important here. |
|
The original idea for the creation of this group was to only focus on the technical details for advertising use cases, with an aim to actually make progress. There are many things that technology can support in other areas that are primarily non-technical (e.g. helping to guarantee a legal constraint or a societal norm), but if we broaden the scope of this group to "anything with a technical component", I worry it will fragment our focus too much. |
|
Why would the explicit exclusion of supporting professions and components of solutions they develop do anything other than improve the chances of the group producing solutions that provide the best outcome for the 5 billion users of the web? There is plenty of precedent for such considerations including First Party Sets that requires an Independent Enforcement Entity (IEE) to be viable. The W3C itself is pre-occupied with issues of ethics and values with selective consideration of unintended consequences.
Why would providing legal guarantees support by technical guarantees not be a good proposal to improve privacy in advertising using technology? I'm interested in finding the best proposals and not constraining innovation by restricting proposals.
Why would the W3C not want to include such approaches to Private Advertising Technology (PATs) in its work?
The only difference is incubation (CG) versus standards setting (WG).
Now that the group has met a few times and more people joined I'm advocating to broaden that and ensure that solutions other than those that restrict data sharing are bought forward in the standards setting arena. There are already enough groups that require W3C member attention! |
|
This and the CG represent Private Advertising Technology development interests. Emphasis here on Technology. Where proposals do not have either Advertising or Technology as a primary focus they are out of scope. I would consider both the IEE and the First Party Sets proposals for instance to be out of scope of both PAT CG and WG since the first is not primarily a technology project and the second is a broad technology not focused on just advertising. PAT CG & the proposed WG are singularly focused on this specific combination of privacy, advertising and technology. Anything that does not rise to this standard is out of scope by design.
See above. There are venues appropriate to such measures already in existence as per their technical specifics.
Without constraints all discussions will grow infinitely. The scope of this WG and the PAT CG are intentionally narrow.
I have not seen any indication in our meetings or discussions that there is an interest for such an increase in scope of the CG. I have not seen any of the proposed changes to the CG charter provide language that would intend to increase scope in that way. The CG can, of course, coordinate and alert membership to proposals relevant to our interests and discussions, but that does not make it the appropriate location for such discussions. I am also opposed to such a change. |
|
@AramZS I agree with your points and am also opposed to this change. There are other venues for non-technical or primarily non-technical proposals. |
|
I also do not think that we should make this change. The focus of this group should be technical mechanisms |
|
@jwrosewell I am seeing fairly broad opposition against your suggested change. With the added context on scope of this WG in mind, would you be willing to drop this objection before the meeting so we can focus on other concerns? |
|
@AramZS If the group is intending to develop a specific proposal like IPA as a technical standard then I can understand why the change I propose would be resisted by engineers. IPA does not consider the roles of laws or economics. Some of the contributors have explicitly dismissed the role of laws and economics in solutions. I consider IPA (and Topics, and the like) to be similar to the work which occurred in the Payments group. The people involved could have developed a general solution that would enable sensitive information to be shared among different parties within the web browser and which supported many use cases including payments. Instead they solved the problem specifically for the payments use case and in doing so inserted the web browser into the payments handling process when it would not otherwise needed to have been. Had I been a member of the W3C at the time the group was chartered I would have Formally Objected to the charter for this reason. This group should work on solving the problem of privacy in advertising exploring solutions that enable the widest group of web participants to innovate not the narrowest. That will involve some element of technology, but that might be a small element in the grand solution. Therefore the group should focus on the outcomes for users of the web and participants on the web not the means with which that outcome is delivered. |
From my perspective, yes, this is what we are intending to do (though of course, maybe not IPA and probably multiple proposals). Fundamentally, what W3C groups are good at is publishing technical specifications. These have to of course be informed by market and legal realities, but in my experience straying too far out of specifying technical behavior does not work out well (see, for instance, DNT). |
|
Working on technologies that can be added to the web platform neither precludes other organisations, likely better suited to the task, from looking at systems and solutions that have significant non-technical components; nor stops both legal and economic factors from determining the ultimate adoption and use of any output of the WG. I generally favour narrowly-targeted technologies, both because they're easier to specify (and perhaps implement) than ones trying to provide more general solutions, and because it simplifies impact analysis (including but not limited to security & privacy review). If something roughly the shape of IPA emerges to the standards track then it doesn't preclude other approaches being developed or used alongside it, including ones where PATWG would have had zero input. (I don't have a formal position from our measurement teams, but the sense I get is that the sorts of proposals we've seen around conversion attribution to date could be usefully combined with econometric work with aggregate data, for instance.) |
|
There is an assumption in the response to this issue that the adoption of the standards created by the working group will be optional for all participants of the web. The reality is that this is not the intention of the proposers. The intention of the proposers is to restrict the choices that the majority of web participants will have. For example; a web site operator and their suppliers who do not want to use IPA will not have access to the raw input data to IPA to be able to implement something else. It is optional only for web browser implementors who represent the least significant minority but have the most influence. As such @jaylett-annalect statement (emphasis added)...
... is not true in practice because it is the intention of participants in the group to preclude other approaches. It is for this reason that this issue is so important to resolve now. An alternative method of dealing with the concern is to modify the charter so that the "primarily non-technical" solutions developed by the group MUST make the input data available to all and do nothing to restrict lawful access to data. |
|
I am mentioned above multiple times so I feel I should speak up. @jwrosewell, my read of your argumentation here and elsewhere is it is contradictory or intended to halt progress. Here's how I've come to this conclusion:
I remain very much in the camp that it is best for the PATWG charter to be scoped to technical approaches and those reasons have already been well summarized by @ekr, @martinthomson, @lukwlodarczyk, @bedfordsean, @AramZS and @jaylett-annalect. I will not attempt to add further nuance at this time. I don't think it's necessary. |
|
Responding to @alextcone in numeric order with a summary of the bullet point to introduce. 1a. Laws - We should pick a subset of laws (just like policy people do in global corporates) and work to them. Google and the CMA agree, and have picked GDPR. 1b. Forms of democracy I agree with - Absolutely not. The W3C membership would need to pick the laws that we aligned to, not me. We must not create quasi-laws as others have proposed.
|
|
@jwrosewell, it appears we're talking past one another as we have made a habit of doing. The only thing I want to add for posterity at this time on this Issue is if it's your read that the current direction of data protection and privacy law is to continue the wide spray of cross-site/app personal identifiers (pseudonymous or otherwise) I think we're reading very different analysis, talking to very different people, and drawing very different conclusions on the direction of law. |
|
@alextcone Privacy and competition are intrinsically related. I spent much of today at a conference related to competition where we heard many views from different regulators, and experts in the field. I heard nothing to dissuade me from my position. Focusing our collective talents on creating methods to enable personal data of all types to be shared in the digital world with appropriate safe guards based on risks and choice is not the same thing as "spraying". Please stop implying that I'm arguing for the status quo and "spraying"; I'm not. Creating solutions that restrict access to information is no longer something that Google can do. The CMA are clear on this in their equivalency requirements. Therefore if we do not wish to splinter the web as the draft charter proposes then IPA and the like will not work in practice unless the CMA can be convinced they preserve competition. I sincerely hope regulation will come to Apple and that the web standards setting process will mature in due course. This might create an environment where a rationale discussion can occur in relation to proposals that enable the safe and lawful sharing of data. This involves rethinking privacy boundaries and I'm publishing thoughts on how to do that. I recall a Google representative at the last PATCG meeting showed the spectrum of possibilities in a handy slide. We might wish to return to that on 5th April as we're really debating the policy for the group in this issue. If I only listened to some web browser vendors, a narrow view from DPAs, and privacy absolutists then I would not conclude the above. I might reach the conclusion you do. Whilst I can understand those people's positions I can't understand why the representative of IAB TL would not be looking out for the majority of the IAB TL's member interests. Most members of IAB TL would find an upgrade to existing data sharing models preferable to rearchitecting the whole thing. Such an upgrade might also improve people's privacy in practice in a way that forced sign in, email address surrender, and wide spread sharing of so called first party data does not. |
|
To get this definitively out of the way: a system like IPA makes it very significantly easier to comply with all privacy legal regimes that I am familiar with. It is a huge improvement in data protection, guarantees purpose limitation, ensures single controllership, guarantees no sell-or-share, etc. From a risk assessment perspective, it's all the value of attribution with almost none of the risk. With my compliance hat on, if a product team came to me and used cookies when IPA is available, they'd have to have a very good reason. From an econ perspective, IPA prevents externalities that arise from unpredictable inferences, eliminates the historical unfair advantage given to third parties (who can see all) over first parties, and prevents lateral market capture with its enforcement of purpose limitation. These properties will be shared by many other technical solution - that's the point. Additionally, can the group agree to a ban on making frivolous claims on behalf of regulators? It keeps coming up in random issues and I have seen no evidence that they are helpful or represent anything other than wishful interpretations. |
I'm in favor of that @darobin, however if an outright ban is too large a pill for some to swallow perhaps we could at a minimum agree that any legal references, written or live in meetings, be prepended by "It is my understanding of law xyz that..." or "My interpretation of regulatory proceeding 123 is..." In this way readers or listeners can be reminded that the speaker is sharing their personal interpretation or understanding of a law or related proceedings. |
I agree, I think the main thing is that since no participants thus far are regulators it is pointless to say 'regulators will', 'regulators would', 'with regulatory intervention this would happen', etc... and I think generally slows down conversation and--in fact--undercuts any point the speaker is trying to make. It is an argument from authority fallacy and doesn't even fully meet that argument because in this case it relies on assumptions that the authority would say a thing in this particular situation that it hasn't even said. Unless there is a clear citation that is directly applicable to this topic or, as @alextcone notes, a statement of interpretation, there isn't much that mentioning the CMA or any other regulator's theoretical actions adds to the conversation. I've said this before and I'll restate it here: do not speak on behalf of regulators who you do not have authority to speak on behalf of. Not only because it is not productive to the argument, but because it undercuts any argument you are even trying to make. The regulatory groups out there are fully capable of speaking for themselves. Additionally, I really really really want to discourage making statements on behalf of what Google can or can't do under regulators. Google's statements are extant. Their conversation and attestation to the CMA is on record and they have participants in this group. If Google wants to say something about their CMA commitments they can and will. Until they do we have to operate under the assumption that they are interacting in this group in good faith and under their existing restrictions correctly. We are not empowered to do otherwise. If you @jwrosewell believe they need to say something that they haven't, the right place to take that up is with the CMA and Google--not here. In this context, not only is going down this road not productive, but it will be actively misleading to readers who may not be familiar with individual participants in this thread or their affiliations. I have to emphasize this: since you are not an agent of the CMA or of Google you are fundamentally not able to talk about what Google is required to do or what the CMA is going to do. To the extent you wish to accomplish anything in regards to the CMA and Google and what these two entities are doing, trying to force us to shadow-box their positions here is actively undercutting it. Please stop. |
|
As @alexcone recognises there are public documents that state the position and I will reference those when referring to regulation in the future. As far as these documents are concerned anyone is free to reference them and remind the community of the requirements they place on participants. Perhaps @AramZS and @seanturner would like to invite the CMA to present to the group at a forthcoming meeting so that their position can be obtained first hand. The CMA are a key stakeholder in the work of PAT CG and a possible future WG. In relation to Google. There is a significant "distraction tax" for the rest of the industry continuing to debate and engage with Google proposals, or other proposals that would require Google to implement them if the web is not to splinter, unless those proposals have been approved in principle by the CMA. As someone who is not the CMA or Google I'm encouraging the parties to communicate clearly to avoid wasting our valuable time. I take exception to being reprimanded for stating a fact and requesting clarification. We have now moved a long way from the issue title and change. I suggest we start another issue thread titled "How to engage with regulators" if the discussion is to continue. |
|
I think it would be best here to adopt the general practice of not trying to draw CG conclusions about the meaning of various legal requirements, or to spend a lot of discussion time on those. Participants, of course, should be guided by the legal analysis of their own teams, but that's different from having it be a CG topic. Specifically, it is for Google to determine whether whatever they propose or support is consistent with their engagement with the CMA or other regulators. I do think it would be worthwhile for CMA to be involved in the CG and state their views, just like any other stakeholder. I do not think, however, that we should constrain our discussions to those proposals which have been "approved in principle by the CMA". Our job is to develop technical specifications as best we can, and of course this means taking the legal environment into account in the manner I noted above, but giving any specific national regulator a veto on what we consider seems likely to ensure that no progress is made. |
I think that, if anything, that would make sense as a thread for our Meetings space? Since presumably this would be about inviting their involvement there first and they can then make a decision at what level they want to engage. As I hope I have made clear, I'm very interested in seeing the CG get as broad an engagement with stakeholders as possible. @jwrosewell So you would be comfortable closing this specific issue? And also the accompanying issue on #5 which deals with a similar question? |
I don't disagree that proposals raise specific requirements of attention and time. I just want to be very clear that we cannot deal with objections to those proposals stemming from taking the position that Google or CMA is going to say something about them... because we must see those actual entities speak up. If you have specific objections, they get lost in having to parse out what is your position vs what is you speaking about theoretical actions you believe will happen but have not. In terms of how we engage with these proposals as a group and spend our time, I think the right place to ask those questions is to build a clear process around incoming proposals and how we handle them, the discussion for which is happening at patcg/patcg.github.io#7 |
|
@AramZS I have raised #16 to cover the overarching set of issues of which the original title is a subset depending on the way the charter moves forward. This issue does not relate to the CMA or Google, however the discussion moved in that direction latterly. If #16 is resolved such that only modular web features are used and the input data is not restricted then this issue becomes mute. If however that is not the case then this is very important. PAT WG charter will be testing the future direction of the W3C and the web. |
…patcg#5, patcg#6, patcg#8, and patcg#16. Solutions has been used to avoid steering the group towards specific outcomes. This relates to [patcg#5]( patcg#5). Privacy needs to be defined and used consistently throughout and relates to [patcg#6]( patcg#6). The PR does not address this but capitalizes the term and suggests a section to achieve this is added. The Scope has been modified to avoid excluding solutions that address the problem the group seeks to resolve utilising a combination of different disciplines and to avoid solutions that only web browsers can implement. This relates to [patcg#8]( patcg#8). Regarding access to data. References the patent policy and applies access to input data under FRAND terms and principles. This will address the issue concerning data access and aligns with the existing precedent associated with those that have something that is needed to make the specification working making all those things available to others. See the new chapter on Data Policy following Patent Policy. This relates to [patcg#16]( patcg#16). The Success Criteria are not clear and need further work. Included several other changes in the PR to better align the document with the W3C Process which we identified during our review. For example the call out of specific sections of the W3C Process are removed as these are not needed and emphasis some elements over others. The W3C Antitrust Guidelines are now referenced as these don’t form part of the W3C Process. This PR is a start to move the charter in a better direction rather than a finished charter. My colleagues advise that reviewers from Apple, Facebook, Google, and Microsoft, might wish to contact their colleagues Per Hellstrom, Tim Lamb, Oliver Bethell, and Greg Sivinski respectively for their views on the modifications.
|
At this time only @jwrosewell has raised the idea of this significant alteration to the charters scope and it has been heard, discussed, understood and considered in this thread and elsewhere, especially in patcg/meetings#52. I do not see a single other supporter of this specific change conceptually and I see broad vocal opposition. I am closing this thread and ending consideration of this change. |
Note: I am transcribing comments from the gdoc to issues.
@jwrosewell suggests changing the statement that "primarily non-technical" mechanisms are out of scope to those which "do not have any technical component"
The text was updated successfully, but these errors were encountered: