patcg / patwg-charter

A repo to discuss the Private Advertising Technology Working Group's charter.

Establish out-of-browser function accessibility #47

Closed AramZS closed 1 year ago

AramZS commented 1 year ago

Intended to address: objections that were concerned that specifications that establish non-browser functionality and risk mitigation might be limited only to browser manufacturers.

See https://github.com/patcg/patwg-charter/issues/44 to help with understanding this issue.

AramZS commented 1 year ago

I am relaying a comment from a member who has raised formal objections. I do not intend to imply support or opposition to this statement, but just to make their objection on this available for discussion with the member's permission:

The text change continues to differentiate browser from non-browser. This is discriminatory in any established business process and is an abuse of standards setting to favour certain participants.

michaelkleber commented 1 year ago

The anonymous objection makes no sense in the context of web standards. The proposed direction of change, with the goal of removing the ability of a browser to exercise its judgement about entities outside itself, would preclude the use of core web infrastructure like Certificate Authorities. We should not waste our time on charter objections that boil down to "the web should not exist."

eriktaubeneck commented 1 year ago

For clarity, my intention both in the threat model and in the IPA proposal was to consider the use of private computation (potentially enabled by a helper party network) to provide a computation environment which is essentially an extension of the browser, but which can do such computation over inputs from many clients.

As browser vendors have the responsibility of implementing the standards we set (and, ultimately deciding to adopt such standards), my intention (and, as I understand it, the intention of my co-authors on both documents) is that browser vendors would also be responsible for exercising judgement about what entities outside itself meet the stated requirements in these proposals (and eventual standards). As far as I know, the standards process would not make judgements about specific entities meeting the requirements of a standard, just as it would not make judgements about a specific implementation meeting a specification. (This is not to say that individual members participating in the standards process may provide such feedback about implementations meeting or not-meeting the spec, but rather that it's not, in my experience, scoped in the charter of a CG or WG.)

martinthomson commented 1 year ago

I agree with @eriktaubeneck on the procedural technicality aspects. I do think that as part of the work here we need to assure ourselves (collectively) of the feasibility of any such system.

The nature of the constraints on the private computation component probably will dictate our collective involvement at some level, if only because the system as a whole depends on those constraints. For instance, if a browser were to decide that it would make private information accessible without restrictions to certain parties, then we might need to conclude that the practical realization of the system doesn't achieve our privacy goals, even if it were otherwise robust.

benjaminsavage commented 1 year ago

If I were to "Steel-man" the complaint, here's how I'd interpret it:

But those aren't the only concerns. There are also legitimate privacy concerns:

So what we need is a set of fair and objective requirements on helper parties. These requirements should ideally lead to a good number of qualified parties, such that there is healthy competition that brings down prices for advertisers and publishers. But it should be a rigorous enough bar that the browser vendors can confidently tell the people who use their products "We have confidence in these helper parties, and your privacy will be preserved."

npdoty commented 1 year ago

Is it just that the specification shouldn't hard-code the parties? (That certainly seems true of every W3C specification!)

I don't know how a spec could permit or prohibit some party from implementing some functionality, or force interaction with that implementer.