All Working Group members agree to licence input data for specifications on FRAND terms

[jwrosewell]

Breaking out the discussion from issue #52 and PR #18 related to licensing input data. Include wording to guarantee availability of data needed to implement any work of the group summarised as follows.

From @jwrosewell - “@timcowen has raised an innovative suggestion concerning FRAND terms for the data needed to implement a standard. There is nothing that would prevent such a clause being part of the charter therefore providing all web participants the certainty that should they wish to implement independently the standards of the group those that worked on them have already agreed to not only licence the intellectual property related to patents but also access to the necessary input data from their products. As a concrete example I would know that if Google and Mozilla joined the Working Group that they would licence me the data needed to implement the standard outside of a web browser and there would be no need to negotiate such an agreement with them in the future. However Apple if they did not join the group would be under no such obligation. This concept is identical to intellectual property associated with patents and seems very important where functionality is desirable to implement outside the web browser to avoid the web browser becoming a chokepoint.” - https://github.com/patcg/meetings/issues/52#issuecomment-1167805503

@timcowen responds - “The FRAND issue is one that arises for those that have market power ( Browsers from Apple and Google – see CMA Mobile Ecosystem Market Study 2022). So, the idea I advanced is that to help W3C (and members) comply with competition law, the Charter should make it clear that FRAND should apply to necessary input data and that discrimination by dominant browsers is not supported or endorsed by W3C. FRAND is a preventative mechanism to help W3C comply and address the economic and market power problem that may arise in developing standards. So, the way it works with relation to Patents (and other IPR) is that when a member of a standards organisation joins that organisation, the organisation requires, in its membership contract, that the IPR owners agree to licence IPRs on FRAND terms. If the implementer of a standard then in its implementation uses and reads on the patent or other IPR, that IPR is licensed on FRAND terms to those that use it. In doing so the standards body avoids the problem that has come up in the past of being complicit in a situation where an IPR holder then seeks to extract a rent from those implementing the standard (this famously happened between Google and Microsoft with relation to IPRs used in X Box). So, to be clear, the point is not about end users licensing anything. It is about ensuring that those that join the group under a Charter and the Charter needs to make it clear that FRAND applies to any essential input data used by browsers. (which may not be clear in the current W3C documents). It was also observed that W3C standards are voluntary. That is not correct as a matter of competition law since they are in effect mandatory being endorsed by dominant browser owners (see further below).” - https://github.com/patcg/meetings/issues/52#issuecomment-1169927141

“Compliance Finally, and hopefully to avoid any residual confusion, as a matter of compliance for all, I have observed that the Charter could be improved if it included an express reference to licencing necessary input data on FRAND terms. That would be the basis on which agreement to the work of the groups would operate. While it has been observed that W3C makes voluntary standards, they are in effect mandatory since they will be endorsed by the dominant browser organisations and become the basis on which all others in their ecosystems then trade. ( see for further information on competition law, FRAND and standards Section 7 in the following: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:52011XC0114(04)” - https://github.com/patcg/meetings/issues/52#issuecomment-1169927141

[jwrosewell]

Responding to @dmarti on this thread.

@jwrosewell The user agent does not always have the ability to negotiate FRAND terms on which to share its user's personal information. In many places, the user must consent, or has the right to opt out. The user agent can't commit to FRAND terms, or any specific terms.

The user agent can only control its own actions. A workable FRAND requirement might be something like, "If the user agent does not have consent to share some piece of user data on FRAND terms, the user agent will not use that data for on-device ad placement or reporting"?

The clarification consolidated into this issue is designed to separate the license of the input data for any specification under FRAND terms via the organization with control providing the licence when they join the group, and the individual users consenting to the sharing of the data just as they will need to consent to the use of personal data [for any purpose where legitimate interest does not apply (under GDPR)].

I think your suggestion is more about consent rather than FRAND. Does the consolidation here and additional information help?

[ekr]

I still find this proposal confusing.

Consider a hypothetical "interest-based targeting" system which worked as follows:

1. There is a machine learning model M shared by all users of a given client which is centrally trained based on some data set D which the vendor collects. This data presumably is partly drawn from user browsing history.
2. The client feeds user i's browsing history (e.g., the visited URLs) H_i into M and M provides a list of interests I_i that it believes the user has.
3. I_i is made available via some browser API as in FLoC

In this scenario, which data do you believe would be required to be accessible under FRAND terms? D, M, H_i?

[AramZS]

I'll also note that among the proposals there are both Federated learning proposals (in which the data might never leave the device to be recorded and made available under such terms) and device-level data storage proposals (where the data is never to leave the device and only be used using conditions met by the device without any access to central storage by a user agent's maintainer). This goes back to my original objection, since not all proposals may have the data you are concerned with available, even if participants thought making that data available via FRAND was appropriate it would not apply. Therefore adding FRAND to the charter would create issues where it would not apply to a proposal that would then somehow be bound by it. As a lawyer I believe that @timcowen would agree that applying irrelevant binding principles to a document is not good practice?

[npdoty]

Sorry to repeat myself again, but it seems like the issue is repeated and the questions and concerns expressed by me and others have not been considered or addressed.

Mandatory sale or sharing of browsing history would be deeply concerning to user advocates, and I expect to many people in a group working on private advertising technology. I object to adding a condition to a proposed WG charter that would mandate selling or sharing user data.

This proposal seems confused about what it means to implement a standard. Do you mean instead: provide similar functionality in a different way from any proposed interoperable interface? While we still have not heard a direct example of what "input data" is meant to mean, if it means user browsing activity, that's not necessary to implement a standard, it's just what's used in the actual operation of software. Mandating that data from the operation of other software be shared does not change who can implement the standard, but it would create new privacy harms.

To the extent that "input data" means browsing activity, this also seems confused about who has the right to sell data from a user's device or software.

This would not be identical to royalty-free licensing of intellectual property in the design of a standard; it would instead be a novel mandate for organizations that participate in a standard-setting process to proactively sell or share data about users of their products.

It also seems extremely unlikely that adding mandatory sale of user data to a charter would be generally acceptable to W3C membership.

[AramZS]

Briefly addressing @timcowen's comment:

It was also observed that W3C standards are voluntary. That is not correct as a matter of competition law since they are in effect mandatory being endorsed by dominant browser owners (see further below).” - https://github.com/patcg/meetings/issues/52#issuecomment-1169927141

This does not reflect reality and reflects a comprehensive failure to understand how W3C and browser vendors are interlinked. Let's go through some examples:

• The relatively recent history of Internet Explorer.
• The Color module (Safari adopts, others have not yet done so) - https://www.w3.org/TR/css-color-4/
• The history of slow to sometimes nonexistent adoption of specific features by Safari, detailed in length here - https://infrequently.org/2021/04/progress-delayed/
• And the interop dashboard shows significant drift between stable browser releases - https://wpt.fyi/interop-2022?stable

None of this is intended by me to be critical of participants, but to demonstrate that major browser vendors adoption of standards is neither guaranteed nor specified by their participation in the W3C. If FLoC had reached a standard level, for example, it is almost certain browsers other than Chrome wouldn't implement it ( see ).

Any attempt to use this group's charter or the W3C to bind user agents to particular legal terms is incompatible with how their membership in the W3C works. This includes FRAND. The only way one could attempt to integrate something like FRAND into user agent behaviors is to make it part of a standard so that when a user agent adopts it they would have to adopt FRAND to be considered compliant with the standard.

This is my concern with comments in regard to FRAND at this point, they reflect a fundamental misunderstanding of:

1. How the charter would work
2. How chartering in the W3C works
3. How the W3C works
4. How the standards process within the W3C works

Thanks to @jwrosewell and @timcowen I do believe we have heard this objection, and--thanks to their excellent and detailed work explaining it--I believe we have understood it sufficiently in this regard and recognized it.

@seanturner at this point I believe we should not further engage on the concept of adding FRAND into the charter. I do not see broad support and believe this to be a question of how W3C as a larger organization might choose to handle antitrust concerns, or of specific standards to which it might be relevant in the future. Do you agree?

[timcowen]

Aram,

I am aware of the issues you refer to. References to Safari’s inadequacies and the fact that it lags developments in Chromium is not a new issue and also not one germane to my point. There appears to be a misunderstanding here. Floc and Fledge did not become standards and failed to comply with GDPR so the point I made did not arise. (The proposal for First Party Sets was a close-run thing though and is part of the reason for the UK’s CMA’s decision about Google’s Privacy Sandbox ). Thankfully, the First Party Sets proposal ended when the TAG recognised that it reinforced the position of a small number of major corporates. The issue of standards reinforcing dominance was therefore avoided. However, the issue still exists. Not only that but so does Section 7 of the EU Horizontal Guidelines that are applicable to standards making and standards making bodies wherever they are situated. I recommend them to you and provided a link in my previous email.

I your reference to things that I may or may not understand to be an “ad hominem” comment – don’t you? I am not sue that ad hominem comments are helpful- do you?

You then state: “Any attempt to use this group's charter or the W3C to bind user agents to particular legal terms is incompatible with how their membership in the W3C works. This includes FRAND. The only way one could attempt to integrate something like FRAND into user agent behaviors is to make it part of a standard so that when a user agent adopts it they would have to adopt FRAND to be considered compliant with the standard.”

This needs to be broken down to avoid misunderstanding.

Firstly, I have not advanced the idea of using a group charter to “bind” user agents to particular legal terms. I advanced a mechanism for W3C compliance in the development of standards when people are in a group discussing them. In common with other standards making bodies, W3C already includes FRAND in relation to IPR in the W3C membership agreement. I was merely pointing out that FRAND is there to prevent non-compliance with competition law in the event that a SEP is engaged. Extending that approach to other issues where non-compliance could arise is a sensible compliance approach to avoid a likely risk.

Secondly, since I did not make either the above or subsequent points that you asserted, the points that follow concerning how the charter would work etc do not need to be addressed. (They are your points not mine and I don’t follow what you are saying there).

I am happy to be complimented on “excellent work” in explaining my point. But I have to apologise as I am afraid that I have clearly failed on this occasion to explain things clearly enough! Your note did not address or appreciate the points that I am making and continue to make.

How compliance with the law is achieved is a matter for W3C and its members: it is for you. I was merely drawing your attention to law which applies to you and W3C and its members. I was also making an observation that I thought might be helpful in the spirit of trying to enable the W3C to move forward. However, leaving the issue hanging without being resolved might be problematic. Operating openly as a standards body means operating reasonably with relation to reasonable inputs and observations. I hope mine have been so and can be addressed as outlined. Your suggestion that you might to close-down the debate on using FRAND as a preventative mechanism to secure increased compliance for W3C and its members might be interpreted as an attempt to avoid addressing an issue of compliance for W3C and its members might it not?

Ultimately that is, of course, a matter for you and W3C members. I am trying to help you navigate your obligations and offering to support your deliberations.

I would be happy to discuss alternative ways forward with you and others.

Given the fact that the spotlight of antitrust is on browsers both in the UK, EU and USA, I would have thought that now might be a good time for increased vigilance and compliance. You make reference to the antitrust guidelines of the W3C. They are something that ought to be reviewed at the present time and that might be something to be picked up with appropriate support. I would of course be happy to help in that endeavour.

With kind regards

Tim.

From: Aram Zucker-Scharff @.> Sent: 29 June 2022 16:57 To: patcg/patwg-charter @.> Cc: Timothy Cowen | Preiskel & Co @.>; Mention @.> Subject: Re: [patcg/patwg-charter] All Working Group members agree to licence input data for specifications on FRAND terms (Issue #30)

Briefly addressing @timcowenhttps://github.com/timcowen's comment:

It was also observed that W3C standards are voluntary. That is not correct as a matter of competition law since they are in effect mandatory being endorsed by dominant browser owners (see further below).” - patcg/meetings#52 (comment)https://github.com/patcg/meetings/issues/52#issuecomment-1169927141

This does not reflect reality and reflects a comprehensive failure to understand how W3C and browser vendors are interlinked. Let's go through some examples:

• The relatively recent history of Internet Explorer.
• The Color module (Safari adopts, others have not yet done so) - https://www.w3.org/TR/css-color-4/
• The history of slow to sometimes nonexistent adoption of specific features by Safari, detailed in length here - https://infrequently.org/2021/04/progress-delayed/
• And the interop dashboard shows significant drift between stable browser releases - https://wpt.fyi/interop-2022?stable

None of this is intended by me to be critical of participants, but to demonstrate that major browser vendors adoption of standards is neither guaranteed nor specified by their participation in the W3C. If FLoC had reached a standard level, for example, it is almost certain browsers other than Chrome wouldn't implement it ( seehttps://www.theverge.com/2021/4/16/22387492/google-floc-ad-tech-privacy-browsers-brave-vivaldi-edge-mozilla-chrome-safari ).

Any attempt to use this group's charter or the W3C to bind user agents to particular legal terms is incompatible with how their membership in the W3C works. This includes FRAND. The only way one could attempt to integrate something like FRAND into user agent behaviors is to make it part of a standard so that when a user agent adopts it they would have to adopt FRAND to be considered compliant with the standard.

This is my concern with comments in regard to FRAND at this point, they reflect a fundamental misunderstanding of:

1. How the charter would work
2. How chartering in the W3C works
3. How the W3C works
4. How the standards process within the W3C works

Thanks to @jwrosewellhttps://github.com/jwrosewell and @timcowenhttps://github.com/timcowen I do believe we have heard this objection, and--thanks to their excellent and detailed work explaining it--I believe we have understood it sufficiently in this regard and recognized it.

@seanturnerhttps://github.com/seanturner at this point I believe we should not further engage on the concept of adding FRAND into the charter. I do not see broad support and believe this to be a question of how W3C as a larger organization might choose to handle antitrust concerns, or of specific standards to which it might be relevant in the future. Do you agree?

— Reply to this email directly, view it on GitHubhttps://github.com/patcg/patwg-charter/issues/30#issuecomment-1170165010, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AZYERR7TMSSRJU5AXAFTV6LVRRW4BANCNFSM52GCAG3A. You are receiving this because you were mentioned.Message ID: @.**@.>>

[jwrosewell]

Note: If W3C AB and W3C counsel had addressed the issue related to antitrust over 18 months ago when it was raised we would have a better process and framework to address this issue from. For those W3C members that can access the link provided you might want to consider the debate there when assessing this issue.

[AramZS]

@timcowen sorry, a point of clarification request here: are you saying FRAND terms are already included in W3C IPR rules to a degree that you find satisfying?

[AramZS]

@jwrosewell:

Note: If W3C AB and W3C counsel had addressed https://github.com/w3c/AB-memberonly/issues/88 over 18 months ago when it was raised we would have a better process and framework to address this issue from. For those W3C members that can access the link provided you might want to consider the debate there when assessing this issue.

I have to note again we cannot anticipate the AB's or W3C council's decision in these types of discussions and must act as if things are operating assuming no changes. If the AB or council decides to address your issues there then that may necessitate changes in more charters than just our own.

[jwrosewell]

@npdoty

we still have not heard a direct example of what "input data" is

The "input data" is the data needed to implement proposals that the Working Group create.

If the proposal needs the user's favourite colour as input data, and web browsers capture favourite colour from users, then the Working Group charter would result in the members of the group that are web browsers having licenced favourite colour data they capture on FRAND terms to any party that wishes to implement the proposals that require favourite colour as input data.

Therefore the answer depends on each proposals. The wider community can the satisfied that there will be no proposal or eventual standard generated by the group that would prevent them from implementing it.

[AramZS]

@jwrosewell:

The "input data" is the data needed to implement proposals that the Working Group create. [...] Therefore the answer depends on each proposals.

This seems to me to be a strong argument towards the consideration of FRAND on a proposal by proposal basis. Trying to create a FRAND guarantee in the charter when it must be applied differently to different proposals on the basis of their design and when our understanding of its application shifts on the basis of proposals' functionality seems to be bad process. It may not even apply to some proposals.

@timcowen

You make reference to the antitrust guidelines of the W3C. They are something that ought to be reviewed at the present time and that might be something to be picked up with appropriate support. I would of course be happy to help in that endeavour.

I would repeat my earlier question while also noting that not only are we automatically bound by the W3C guidelines and reference them explicitly at the top of CG meetings, we also have, in response to @jwroswell's input, explicitly added and noted we are bound by them in the charter. Is there some additional picking up you would like us to do in regards to the antitrust guidelines that we have not yet done? I would be happy to accept your help in making the application of W3C rules in the charter as clear as possible.

[jwrosewell]

@AramZS

This seems to me to be a strong argument towards the consideration of FRAND on a proposal by proposal basis.

We don't address IP licensing on a proposal by proposal basis. Why would we do so for the input data?

By dealing with the matter at the charter level W3C Members can be assured they will be able to implement any proposal the group develops by the participants of that group. That's an important guarantee.

Unlike IP licensing, which has adequately been addressed by W3C Process, input data has not. Therefore it does need to be dealt with at the charter level.

[ekr]

@jwrosewell I don't understand what you are asking for. Can you please address the hypo I provided in https://github.com/patcg/patwg-charter/issues/30#issuecomment-1170107470

[timcowen]

Aram,

I think the anti trust guidelines that you reference are out of date and don’t reflect the renewed interest of DOJ into standards bodies.

I was offering to help up date them with whoever else is interested in doing that - but accept that your group operating under out of date antitrust guidance is not reassuring for you.

With kind regards,

Tim

Tim Cowen | Chair Antitrust Practice ddl +44 20 7332 5645<tel:+44%2020%207332%205645> m +44 78 0224 1629<tel:+44%2078%200224%201629> @.*** Preiskel & Co LLP, 4 King's Bench Walk, Temple, London EC4Y 7DL t +44 20 7332 5640<tel:+44%2020%207332%205640> f +44 20 7332 5641<tel:+44%2020%207332%205641> www.preiskel.comhttp://www.preiskel.com/ personal profilehttp://www.preiskel.com/people/tim-cowen/

Chambers & Partners Competition, IT & Telecoms Leading Firm 2018 Legal 500 Technology, Media and Telecoms Leading Firm 2017 WhosWhoLegal Telecoms Media & Tech Leading Lawyers 2017 Global Law Experts Communications Law Firm of the Year 2016

Preiskel & Co LLP is a law firm authorised and regulated by the Solicitors Regulation Authority and is incorporated in England & Wales with partnership number OC306371 and Registered Office at 4 King's Bench Walk, Temple, London EC4Y 7DL. A list of members is available for inspection at the office. The SRA rules can be found at http://www.sra.org.uk/solicitors/handbook/code/content.page.

Preiskel & Co LLP takes the privacy and security of personal data and confidential information seriously. The content of this e-mail, including any attachments, is intended only for the recipient(s) named above, and may be confidential, privileged or otherwise legally protected against disclosure. If you have received this e-mail in error please notify us @.**@.> and delete it from your system.

On 30 Jun 2022, at 16:05, Aram Zucker-Scharff @.***> wrote:



@jwrosewellhttps://github.com/jwrosewell:

The "input data" is the data needed to implement proposals that the Working Group create. [...] Therefore the answer depends on each proposals.

This seems to me to be a strong argument towards the consideration of FRAND on a proposal by proposal basis. Trying to create a FRAND guarantee in the charter when it must be applied differently to different proposals on the basis of their design and when our understanding of its application shifts on the basis of proposals' functionality seems to be bad process. It may not even apply to some proposals.

@timcowenhttps://github.com/timcowen

You make reference to the antitrust guidelines of the W3C. They are something that ought to be reviewed at the present time and that might be something to be picked up with appropriate support. I would of course be happy to help in that endeavour.

I would repeat my earlier question while also noting that not only are we automatically bound by the W3C guidelines and reference them explicitly at the top of CG meetings, we also have, in response to @jwroswell's input, explicitly added and noted we are bound by them in the charter. Is there some additional picking up you would like us to do in regards to the antitrust guidelines that we have not yet done. I would be happy to accept your help in making the application of W3C rules in the charter as clear as possible.

— Reply to this email directly, view it on GitHubhttps://github.com/patcg/patwg-charter/issues/30#issuecomment-1171335829, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AZYERR6SMLBLKWTIQP24WJTVRWZS7ANCNFSM52GCAG3A. You are receiving this because you were mentioned.Message ID: @.***>

[AramZS]

@timcowen so are you saying that you believe that applying FRAND principles would explicitly exceed the W3C's current antitrust rules?

[AramZS]

@jwrosewell

We don't address IP licensing on a proposal by proposal basis. Why would we do so for the input data?

Because IP licensing broadly applies to all proposals in a consistent way and is used universally as every proposal involves IP in the form of code and process descriptions. FRAND neither applies universally or consistently, even within the context of this group, according to your description of how it works.

As a side note, I would also like to see your response to @ekr's question.

[seanturner]

After having reviewed this and other threads (again) about FRAND+input data, I agree with Aram and we are not going to allow this to block progression of the charter.

[jwrosewell]

@ekr

@jwrosewell I don't understand what you are asking for. Can you please address the hypo I provided in https://github.com/patcg/patwg-charter/issues/30#issuecomment-1170107470

The Scope of the charter might read as follows.

_"Scope

The Working Group will consider designs that allow all participants to collaborate in providing advertising features. The purpose of these features is to support web advertising that complies with the current GDPR [list other current laws if necessary].

All participants of the group agree to licence to any party any “Data” they collect that is needed to implement designs considered by the group under Fair Reasonable and Non-Discriminatory Terms. Where the Data is classified as personal data under law use of the data by any party must be lawful. Where consent is needed to comply with laws any party – including the web browser – must obtain explicit consent from the user for use of the data. For the avoidance of doubt web browsers can not rely on consent captured at the time of browser installation.

Out of Scope

Advertising features that can only be implemented in part or in full by web browsers."_

Therefore, if the browsing history of a user were needed to implement a design considered by the group, and Mozilla were a member of the group having accepted the charter terms, Mozilla would have agreed to licence to any other party the Data collected by their products needed to implement designs.

If the Data were personal data, then laws will apply equally to any party using the Data which might include obtaining consent for the specific purpose of advertising, or any relevant purpose associated with the design in question.

This is neither controversial or unprecedented. Is the explanation now clear?

@AramZS @seanturner It is extremely important to recognise that there is no requirement for a Working Group of the W3C to involve a web browser implementation. The Decentralized IDentifiers (DID) Working Group obtained Recommendation status on 30th June 2022 for their work which does not involve any browser component despite objections from two browser vendors. There is much we can learn from DID.

Note: I have focused specifically on the Scope section of the charter draft in this response. There are other issues I have with the document, such as the reference to Ethical Web Principles, that remain. However modifying the Scope section will likely point to a direction of change for the rest of the document. Importantly these modifications do not prevent those that wish to progress their proposals and ideas from doing so. They do address the substantive competition issues that the charter as drafted attracts and that the W3C does not currently have adequate guidance and process in place to address.

[npdoty]

I don't think browsing data (or favorite color data) would be necessary to implement the proposed or hypothesized standards here. It could be that such data would be used in the operation of implementations of these standards related to more private advertising. A potential analogy: the contents of my email messages are used in the operation of my email client, which implements the SMTP standard.

To repeat, I don't believe that browser vendors have the right to sell user data collected by browser software running on a user's device. I don't think users should be required to share their data with every company that wishes to buy it just because they're running software developed by a company that also participated in this proposed working group. It would indeed be controversial and unprecedented to mandate sale of user data as a condition to participate in a W3C Working Group.

To repeat, again, it also seems extremely unlikely that adding mandatory sale of user data to a charter would be generally acceptable to W3C membership.

I agree that we don't have to have browser vendors involved in every W3C standard or working group. If there is interest in other groups for discussion or standardization of technology related to advertising that doesn't involve web browsers, I would also be interested in those discussions. My understanding of this group's interests, and the interest from participants in setting up a Working Group, is that there was definite interest in client-side functionality and APIs that might be implemented by browsers. But W3C has flexibility, especially in Community Groups, in setting up additional groups to discuss different kinds of proposals.

[jwrosewell]

@npdoty Where did the concept of selling user data come from? In monopoly situations access remedies are applied. Consider airports, railways, telecoms, or water. The fact that the W3C are unfamiliar with such standard practices is a reason to educate.