patcg / meetings

Meeting materials for the Private Advertising Technology Community Group

Privacy Principles for Web Advertising Features - Editorial Group #18

Open AramZS opened 2 years ago

AramZS commented 2 years ago

Writing the Privacy Principles for Web Advertising Features

Our Charter specifies we author a document that lays out our contexts and the principles we would want to set as our baseline expectations and shared understandings for privacy proposals. I expect that this work will start out of the minutes of the discussion we have in our meeting over the next two days and in some respects record and formalize some of the discussion there. Editors will be responsible for the first product: an outline of this document that we will then review before moving on to the next step.

Established -

Lead Editor: @darobin

darobin commented 2 years ago

I can take this on, it's a natural extension of the TAG's privacy work — though it's probably best if I don't do it alone. I also wonder if we want to limit it to just privacy or if we should generally document the principles that we feel are important as we build these things. We'll have to document them either way.

alextcone commented 2 years ago

I'll work with you, @darobin.

gjlondon commented 2 years ago

I'd also be interested in collaborating on this.

bmayd commented 2 years ago

I'm also interested.

jaylett-annalect commented 2 years ago

I'd be interested also.

appascoe commented 2 years ago

I'd like to participate.

lknik commented 2 years ago

I might be in. But I think it would be nice to define the rationale/goals/aims. For example, what is the aim of the document? How is it to be used? Should it be 'prescriptive'? Important questions for structuring it.

jdelhommeau commented 2 years ago

I would also be interested, pending the point raised above by @lknik

darobin commented 2 years ago

@lknik & @jdelhommeau: when groups work on multiple distinct but related pieces of technology, they often stumble into more general principles. It's useful to document these so that people don't have to constantly revisit decided questions over the years. Groups haven't always been good at doing this, but the HTML Design Principles is one example. We already know that we will have to establish privacy rules, hence the idea that this document will have to exist.

That's all I can usefully tell you at this time — it will be built organically. There's no need to commit to anything right now, the important thing for the group is that there are enough people who are interested and willing to participate. As soon as we have a principle to put in it, we can get the ball rolling.

anderagakura commented 2 years ago

I'm also interested

AramZS commented 2 years ago

Noting at the top of this thread that our previous meeting established the lead editor for this document to be @darobin

lknik commented 2 years ago

> @lknik & @jdelhommeau: when groups work on multiple distinct but related pieces of technology, they often stumble into more general principles. It's useful to document these so that people don't have to constantly revisit decided questions over the years. Groups haven't always been good at doing this, but the HTML Design Principles is one example. We already know that we will have to establish privacy rules, hence the idea that this document will have to exist.
>
> That's all I can usefully tell you at this time — it will be built organically. There's no need to commit to anything right now, the important thing for the group is that there are enough people who are interested and willing to participate. As soon as we have a principle to put in it, we can get the ball rolling.

@darobin - as you know, I contributed to the security/privacy self-check, there's really no need to educate me about the usefulness of such documents. But my point is: how specific to this group/charter/deliverables do we want this to be? If anything can do, we can just as well copy-paste something older done somewhere else. But I think the goal is to have something specific. Principles are mentioned in the Charter of this group and this highlights the importance of such a document. So my point is that it would be nice to know the rationale/aims/etc. Most importantly: how such a document is to be used. Is it supposed to be some kind of a sieve or litmus test for future proposals? If so, then the document is absolutely critical, and what goes in, too, is important.

darobin commented 2 years ago

@lknik I know you know these things, but this is a new group with a lot of people who are new to W3C and as you know it can be quite daunting. So I want to make sure things feel clear to others in the conversation too.

The document is definitely meant to be specific to this group. The impetus behind the document is this: whatever systems we design here will necessarily involve some data sharing. We're not operating under older "privacy as secrecy" assumptions, so it's fine for some data to flow. However, in order to support privacy these information flows need to follow rules and those rules need to be principled, in line with the Web's ethical principles. I don't think that it is meant to be a preemptive sieve, however if we've adopted a given principle (say, "For attribution purposes, all data needs to be pink.") and someone later proposes an attribution method with green data, they would have to make a successful case about updating the principle before being considered.

Does this help?

lknik commented 2 years ago

It does. Thanks. Are there any other specific PATCG considerations that we may take into account? I also realise that such principles should not be "general", but specific to the task.

darobin commented 2 years ago

I think we should be open to it!

jdelhommeau commented 2 years ago

Thank you @darobin for the additional context. I am definitely one of those new people to W3C, so thank you for taking the time. The HTML design principles is a great example to illustrate what we want to achieve with such a doc. As mentioned before, I am happy to participate and contribute however I can. I do believe that privacy principles for the web are a very important piece of the puzzle here, and the initial PPfW that Google came up with before announcing third party deprecation (and therefore, before giving the industry a chance to challenge it) has had a very important influence on propositions that came out since. Having the ability to redefine those principles with a larger consensus will be key for the success of the PATCG.

lknik commented 2 years ago

Besides, the very mentioning of this work in the Charter suggests that the Principles are somewhat important, if not critical.

jdelhommeau commented 2 years ago

@darobin, do we already have any defined next steps on this, or are we just waiting a bit more to see if more people are interested in joining the group to build the Privacy Principles?

darobin commented 2 years ago

@jdelhommeau I think that the next step is to do it! But we're still waiting on a repo. Dear chairs @AramZS @seanturner, may we have a repo for the principles doc? The charter mentions it as a given so I reckon it's decided, please let me know if that's incorrect. Once we have a repo, I can make a basic doc and people can start throwing PRs at it.

AramZS commented 2 years ago

We do now have a fully set up repo for this and you should have everything set up to manage your write privs for it @darobin

Let me know if there are any issues, also if you'd like to put discussing this on the upcoming agenda.

AramZS commented 2 years ago

I think this will be a running topic to check in on until the document is completed.

anderagakura commented 2 years ago

@darobin Maybe I missed something but I read the Privacy Principles released on May 12th and I would like to know if it is the doc we wanted to write here?

AramZS commented 2 years ago

I think we at the very least want to review the draft of the TAG Privacy Principles and set aside time in the upcoming meeting.

anderagakura commented 2 years ago

Thanks @AramZS for adding this topic in the agenda. Unfortunately, I could not join the call but I'm sure the audience will address it. I will follow it through the notes.

jwrosewell commented 2 years ago

I'm unable to join the call today. The following are my initial observations concerning the draft W3C Privacy Principles. @AramZS @seanturner please could you draw the group's attention to this comment during the agenda item.

The W3C Privacy Principles document as drafted is not fit to be included in the work of the PATCG or the contemplated Working Group for at least the following reasons.

Consumers make decisions based on factors including brand recognition, their understanding of the agreement, laws and rules, and the risk of harm. This document proposes restricting consumer sovereignty, interfering in trust choices between service providers and consumers, and perpetuates misinformation related to first and third parties [1].

It would be a matter of concern for policy makers if consumer sovereignty were undermined or usurped by corporate interests.

The W3C Privacy Principles need to assist consumers, not perpetuate the goals of highly recognizable brands.

A more detailed analysis of the W3C Privacy Principles will be provided in due course to this group, W3C members, and TAG.

W3C Director establishing a Legal Advisory Group would provide horizontal review of W3C Privacy Principles document concerning competition and privacy matters.

[1] See their joint statement from ICO (privacy) and CMA (competition) May 2021. Extract follows.

Data is sometimes categorised according to the relationship between the party collecting and processing it and the individual or circumstance it relates to:

• First-party data: data that is collected by a business through direct interaction with an individual providing or generating the data. For example, data collected by an online retailer regarding purchases made by consumers on its site.

• Third-party data: data collected by a business not in direct interaction with the individual providing or generating the data, for example, through business partners. Digital firms that do not have a direct relationship with users frequently rely on third-party data.

The boundaries between first and third-party data according to the above definition are not always clear, particularly when large companies own a variety of businesses, some of which have a relationship with the user and some of which do not. Both first-party and third-party data as defined above can include personal and non personal data. Whether information is personal data depends on whether it relates to an identified or identifiable individual. There is no explicit reference to the distinction between first-party and third-party data in data protection law.

The descriptions of ‘first party’ and ‘third party’ are also used (though with a different meaning) in the context of cookies and similar technologies, which collectively form the key means by which information (including personal data) is collected and disseminated in online advertising. A cookie is generally identified as being first-party if the domain of the cookie matches the domain of the page visited and as being third-party in instances where the domain of the cookie does not match the domain of the website. This is not a rigid distinction. Some functions typically delivered through third party cookies can be done via first party cookies, even if a third party’s code and associated service is still involved.

The rules on the use of cookies and similar technologies are specified in Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (as amended) (‘PECR’), and oversight of these rules is one of the ICO’s regulatory functions. PECR provides more specific rules than the UK GDPR in a number of areas such as cookie use. It is also important to note that PECR’s provisions in this area apply whether or not personal data is processed.

seanturner commented 2 years ago

@jwrosewell we have ensured that all issue and PR entries are copied to the CG's mailing list. When we discuss this point, I will draw attention to this comment.

seanturner commented 2 years ago

@darobin Please link the slides here so I can upload them to the meeting repo. Thanks!

seanturner commented 2 years ago

> A more detailed analysis of the W3C Privacy Principles will be provided in due course to this group, W3C members, and TAG.

As discussed at the 17 & 19 May meeting, comments on the W3C Privacy Principles are best directed at the TAG, as they have sponsored the work. The GH repo for the Draft Note is located ->here<-.

It was also noted during our session that the W3C Privacy Principles will inform our document, the Privacy Principles for Web Advertising Features, so CG members should review the W3C Privacy Principles.

lknik commented 2 years ago

So to add a few cents from myself, on top of @jwrosewell… While I agree that the W3C/TAG Privacy Principles are specific to TAG’s work and the web, I wouldn't judge that these principles are unfit for the work of this group. In fact, I believe that we can refer to this work without any special problems. Perhaps these may simply be adapted for the realm of the specific uses foreseen by PATCG.

In this case we would have an initial list to start with, possibly amend slightly, or explain the applicability. I reckon that’s an important aspect of such a document, to have a workable list and explain how things should be working…

lknik commented 2 years ago

Please note that a stub is already set up https://patcg.github.io/docs-and-reports/principles/ Stuff to be proposed here. Thanks @darobin for this.

Please comment on pulls and/or issue your own. I believe that we may finish this work in a few weeks?

I believe this is a critical document — without it it’s impossible to really review/assess any proposal filed for this group.

npdoty commented 1 year ago

We discussed this briefly in the February meeting, and I gathered the folks who had expressed interest during that call. From that, we've started a sources document, and an issue thread of topics to cover/scoping.