patcg / patwg-charter

A repo to discuss the Private Advertising Technology Working Group's charter.
6 stars 12 forks source link

jwrosewell: "primarily non-technical" -> "do not have any technical component" #8

Closed ekr closed 2 years ago

ekr commented 2 years ago

Note: I am transcribing comments from the gdoc to issues.

@jwrosewell suggests changing the statement that "primarily non-technical" mechanisms are out of scope to those which "do not have any technical component"

ekr commented 2 years ago

On the other side, see Alex Cone's "Features designed primarily for privacy-related transparency and control should be developed elsewhere..."

lukwlodarczyk commented 2 years ago

changing the statement that "primarily non-technical" mechanisms are out of scope to those which "do not have any technical component"

I am afraid that the output of this particular change will make it hard for any participant to differentiate the scope of work between PATCG and PATWG. I am against this change.

martinthomson commented 2 years ago

I don't know whether @lukwlodarczyk is objecting on the basis that the charters remain consistent or whether it is about the specific change here. The former is a technicality (we surely could handle with a change to both charters), the latter is substantial.

I am also opposed, but for the substantial reason. The choice of phrasing here is quite deliberate. I don't not want to spend my time on proposals that provide no technical guarantees. That is, the "primarily" piece is important here.

bedfordsean commented 2 years ago

The original idea for the creation of this group was to only focus on the technical details for advertising use cases, with an aim to actually make progress.

There are many things that technology can support in other areas that are primarily non-technical (e.g. helping to guarantee a legal constraint or a societal norm), but if we broaden the scope of this group to "anything with a technical component", I worry it will fragment our focus too much.

jwrosewell commented 2 years ago

Why would the explicit exclusion of supporting professions and components of solutions they develop do anything other than improve the chances of the group producing solutions that provide the best outcome for the 5 billion users of the web?

There is plenty of precedent for such considerations including First Party Sets that requires an Independent Enforcement Entity (IEE) to be viable. The W3C itself is pre-occupied with issues of ethics and values with selective consideration of unintended consequences.

@martinthomson

I don't not want to spend my time on proposals that provide no technical guarantees.

Why would providing legal guarantees support by technical guarantees not be a good proposal to improve privacy in advertising using technology?

I'm interested in finding the best proposals and not constraining innovation by restricting proposals.

@alexcone

Features designed primarily for privacy-related transparency and control should be developed elsewhere..

Why would the W3C not want to include such approaches to Private Advertising Technology (PATs) in its work?

@lukwlodarczyk

I am afraid that the output of this particular change will make it hard for any participant to differentiate the scope of work between PATCG and PATWG.

The only difference is incubation (CG) versus standards setting (WG).

@bedfordsean

The original idea for the creation of this group was to only focus on the technical details for advertising use cases, with an aim to actually make progress.

Now that the group has met a few times and more people joined I'm advocating to broaden that and ensure that solutions other than those that restrict data sharing are bought forward in the standards setting arena. There are already enough groups that require W3C member attention!

AramZS commented 2 years ago

This and the CG represent Private Advertising Technology development interests. Emphasis here on Technology. Where proposals do not have either Advertising or Technology as a primary focus they are out of scope. I would consider both the IEE and the First Party Sets proposals for instance to be out of scope of both PAT CG and WG since the first is not primarily a technology project and the second is a broad technology not focused on just advertising. PAT CG & the proposed WG are singularly focused on this specific combination of privacy, advertising and technology. Anything that does not rise to this standard is out of scope by design.

Features designed primarily for privacy-related transparency and control should be developed elsewhere..

Why would the W3C not want to include such approaches to Private Advertising Technology (PATs) in its work?

See above. There are venues appropriate to such measures already in existence as per their technical specifics.

I don't not want to spend my time on proposals that provide no technical guarantees.

Why would providing legal guarantees support by technical guarantees not be a good proposal to improve privacy in advertising using technology?

I'm interested in finding the best proposals and not constraining innovation by restricting proposals.

Without constraints all discussions will grow infinitely. The scope of this WG and the PAT CG are intentionally narrow.

The original idea for the creation of this group was to only focus on the technical details for advertising use cases, with an aim to actually make progress.

Now that the group has met a few times and more people joined I'm advocating to broaden that and ensure that solutions other than those that restrict data sharing are bought forward in the standards setting arena. There are already enough groups that require W3C member attention!

I have not seen any indication in our meetings or discussions that there is an interest for such an increase in scope of the CG. I have not seen any of the proposed changes to the CG charter provide language that would intend to increase scope in that way. The CG can, of course, coordinate and alert membership to proposals relevant to our interests and discussions, but that does not make it the appropriate location for such discussions.

I am also opposed to such a change.

dmarti commented 2 years ago

@AramZS I agree with your points and am also opposed to this change. There are other venues for non-technical or primarily non-technical proposals.

ekr commented 2 years ago

I also do not think that we should make this change. The focus of this group should be technical mechanisms

AramZS commented 2 years ago

@jwrosewell I am seeing fairly broad opposition against your suggested change. With the added context on scope of this WG in mind, would you be willing to drop this objection before the meeting so we can focus on other concerns?

jwrosewell commented 2 years ago

@AramZS If the group is intending to develop a specific proposal like IPA as a technical standard then I can understand why the change I propose would be resisted by engineers. IPA does not consider the roles of laws or economics. Some of the contributors have explicitly dismissed the role of laws and economics in solutions.

I consider IPA (and Topics, and the like) to be similar to the work which occurred in the Payments group. The people involved could have developed a general solution that would enable sensitive information to be shared among different parties within the web browser and which supported many use cases including payments. Instead they solved the problem specifically for the payments use case and in doing so inserted the web browser into the payments handling process when it would not otherwise needed to have been. Had I been a member of the W3C at the time the group was chartered I would have Formally Objected to the charter for this reason.

This group should work on solving the problem of privacy in advertising exploring solutions that enable the widest group of web participants to innovate not the narrowest. That will involve some element of technology, but that might be a small element in the grand solution. Therefore the group should focus on the outcomes for users of the web and participants on the web not the means with which that outcome is delivered.

ekr commented 2 years ago

If the group is intending to develop a specific proposal like IPA as a technical standard then I can understand why the change I propose would be resisted by engineers.

From my perspective, yes, this is what we are intending to do (though of course, maybe not IPA and probably multiple proposals). Fundamentally, what W3C groups are good at is publishing technical specifications. These have to of course be informed by market and legal realities, but in my experience straying too far out of specifying technical behavior does not work out well (see, for instance, DNT).

jaylett-annalect commented 2 years ago

Working on technologies that can be added to the web platform neither precludes other organisations, likely better suited to the task, from looking at systems and solutions that have significant non-technical components; nor stops both legal and economic factors from determining the ultimate adoption and use of any output of the WG.

I generally favour narrowly-targeted technologies, both because they're easier to specify (and perhaps implement) than ones trying to provide more general solutions, and because it simplifies impact analysis (including but not limited to security & privacy review). If something roughly the shape of IPA emerges to the standards track then it doesn't preclude other approaches being developed or used alongside it, including ones where PATWG would have had zero input. (I don't have a formal position from our measurement teams, but the sense I get is that the sorts of proposals we've seen around conversion attribution to date could be usefully combined with econometric work with aggregate data, for instance.)

jwrosewell commented 2 years ago

There is an assumption in the response to this issue that the adoption of the standards created by the working group will be optional for all participants of the web. The reality is that this is not the intention of the proposers. The intention of the proposers is to restrict the choices that the majority of web participants will have. For example; a web site operator and their suppliers who do not want to use IPA will not have access to the raw input data to IPA to be able to implement something else. It is optional only for web browser implementors who represent the least significant minority but have the most influence.

As such @jaylett-annalect statement (emphasis added)...

If something roughly the shape of IPA emerges to the standards track then it doesn't preclude other approaches being developed or used alongside it

... is not true in practice because it is the intention of participants in the group to preclude other approaches. It is for this reason that this issue is so important to resolve now.

An alternative method of dealing with the concern is to modify the charter so that the "primarily non-technical" solutions developed by the group MUST make the input data available to all and do nothing to restrict lawful access to data.

alextcone commented 2 years ago

I am mentioned above multiple times so I feel I should speak up.

@jwrosewell, my read of your argumentation here and elsewhere is it is contradictory or intended to halt progress. Here's how I've come to this conclusion:

I remain very much in the camp that it is best for the PATWG charter to be scoped to technical approaches and those reasons have already been well summarized by @ekr, @martinthomson, @lukwlodarczyk, @bedfordsean, @AramZS and @jaylett-annalect. I will not attempt to add further nuance at this time. I don't think it's necessary.

jwrosewell commented 2 years ago

Responding to @alextcone in numeric order with a summary of the bullet point to introduce.

1a. Laws - We should pick a subset of laws (just like policy people do in global corporates) and work to them. Google and the CMA agree, and have picked GDPR.

1b. Forms of democracy I agree with - Absolutely not. The W3C membership would need to pick the laws that we aligned to, not me. We must not create quasi-laws as others have proposed.

  1. PATWG solutions - We should include disciplines other than engineering.

  2. Unwieldy non-governmental actor you often pejoratively describe - That is a risk, but one that can be mitigated in the charter via a focus on a specific scope and success criteria rather than types of solution. (However; see my last point).

  3. Therefore I conclude you seek to halt work on standards discussion that would have any disruptive effects on any current market dynamics. - You assume the market dynamics are functioning. They aren't, which is why the CMA are investigating the Mobile Eco-System currently. However; if the discussion of a standard, or the potential standard itself will distort competition, then that has to be avoided under the W3C rules. I do not think appropriate advice has been received by the W3C in relation to the impact of standards setting on competition. I have previously mentioned I favour the W3C Director setting up a Legal Advisory group to enable qualified lawyers to inform W3C participants on these matters. Rushing ahead with a charter that has not been considered from this perspective should be avoided. If that means the pace of innovation is impaired to ensure the widest possible participants can innovate then that is a good thing. However maybe you are asserting I'm trying to insert bureaucracy into the PAT WG to delay it making process. That is not my intention and you have misunderstood me.

  4. SWAN.community - SWAN will reduce the power of internet gatekeepers. So yes, there is a market impact because it broadens the scope for innovation and competition as directed by the CMA 2020 report. SWAN aligns to the remedies in the CMA report of 2020. Features like its audit log and approach to consent are being better understood and evolving. However this takes time and must be sufficiently advanced before further engineering effort is expended on a competition enabling form of PET. Solutions that restrict access to data, like IPA and Topics, do not align to the CMA agreement with Google. I sincerely hope the CMA will become more visible at W3C, or Google will speak to them and publish their opinion on specific proposals to reduce the "distraction taxes" on the industry.

  5. Whatever we do or don't do has impacts - Yes. So lets put in the effort to make sure we don't create even more "distraction taxes" by progressing something that is not aligned to laws or the prevailing view of regulators. For the avoidance of doubt my preference is for the W3C to focus on general web features and not to work on Payments or Advertising specifically. By enabling general data sharing that aligns to laws many problems are solved rather than specific ones. Web browsers do not insert themselves into a process that would not otherwise need them. i.e. decisions over payments or advertising. That would mean rethinking the privacy boundary for the web. I would rather @martinthomson, @ekr, @dmarti, @AramZS and the other talented people focused their skills and energies on this. However as that is not to be, at the moment at least.

alextcone commented 2 years ago

@jwrosewell, it appears we're talking past one another as we have made a habit of doing. The only thing I want to add for posterity at this time on this Issue is if it's your read that the current direction of data protection and privacy law is to continue the wide spray of cross-site/app personal identifiers (pseudonymous or otherwise) I think we're reading very different analysis, talking to very different people, and drawing very different conclusions on the direction of law.

jwrosewell commented 2 years ago

@alextcone Privacy and competition are intrinsically related. I spent much of today at a conference related to competition where we heard many views from different regulators, and experts in the field. I heard nothing to dissuade me from my position.

Focusing our collective talents on creating methods to enable personal data of all types to be shared in the digital world with appropriate safe guards based on risks and choice is not the same thing as "spraying". Please stop implying that I'm arguing for the status quo and "spraying"; I'm not.

Creating solutions that restrict access to information is no longer something that Google can do. The CMA are clear on this in their equivalency requirements. Therefore if we do not wish to splinter the web as the draft charter proposes then IPA and the like will not work in practice unless the CMA can be convinced they preserve competition.

I sincerely hope regulation will come to Apple and that the web standards setting process will mature in due course. This might create an environment where a rationale discussion can occur in relation to proposals that enable the safe and lawful sharing of data. This involves rethinking privacy boundaries and I'm publishing thoughts on how to do that. I recall a Google representative at the last PATCG meeting showed the spectrum of possibilities in a handy slide. We might wish to return to that on 5th April as we're really debating the policy for the group in this issue.

If I only listened to some web browser vendors, a narrow view from DPAs, and privacy absolutists then I would not conclude the above. I might reach the conclusion you do. Whilst I can understand those people's positions I can't understand why the representative of IAB TL would not be looking out for the majority of the IAB TL's member interests. Most members of IAB TL would find an upgrade to existing data sharing models preferable to rearchitecting the whole thing. Such an upgrade might also improve people's privacy in practice in a way that forced sign in, email address surrender, and wide spread sharing of so called first party data does not.

darobin commented 2 years ago

To get this definitively out of the way: a system like IPA makes it very significantly easier to comply with all privacy legal regimes that I am familiar with. It is a huge improvement in data protection, guarantees purpose limitation, ensures single controllership, guarantees no sell-or-share, etc. From a risk assessment perspective, it's all the value of attribution with almost none of the risk. With my compliance hat on, if a product team came to me and used cookies when IPA is available, they'd have to have a very good reason. From an econ perspective, IPA prevents externalities that arise from unpredictable inferences, eliminates the historical unfair advantage given to third parties (who can see all) over first parties, and prevents lateral market capture with its enforcement of purpose limitation. These properties will be shared by many other technical solution - that's the point.

Additionally, can the group agree to a ban on making frivolous claims on behalf of regulators? It keeps coming up in random issues and I have seen no evidence that they are helpful or represent anything other than wishful interpretations.

alextcone commented 2 years ago

Additionally, can the group agree to a ban on making frivolous claims on behalf of regulators? It keeps coming up in random issues and I have seen no evidence that they are helpful or represent anything other than wishful interpretations.

I'm in favor of that @darobin, however if an outright ban is too large a pill for some to swallow perhaps we could at a minimum agree that any legal references, written or live in meetings, be prepended by "It is my understanding of law xyz that..." or "My interpretation of regulatory proceeding 123 is..." In this way readers or listeners can be reminded that the speaker is sharing their personal interpretation or understanding of a law or related proceedings.

AramZS commented 2 years ago

Additionally, can the group agree to a ban on making frivolous claims on behalf of regulators? It keeps coming up in random issues and I have seen no evidence that they are helpful or represent anything other than wishful interpretations.

I'm in favor of that @darobin, however if an outright ban is too large a pill for some to swallow perhaps we could at a minimum agree that any legal references, written or live in meetings, be prepended by "It is my understanding of law xyz that..." or "My interpretation of regulatory proceeding 123 is..." In this way readers or listeners can be reminded that the speaker is sharing their personal interpretation or understanding of a law or related proceedings.

I agree, I think the main thing is that since no participants thus far are regulators it is pointless to say 'regulators will', 'regulators would', 'with regulatory intervention this would happen', etc... and I think generally slows down conversation and--in fact--undercuts any point the speaker is trying to make. It is an argument from authority fallacy and doesn't even fully meet that argument because in this case it relies on assumptions that the authority would say a thing in this particular situation that it hasn't even said. Unless there is a clear citation that is directly applicable to this topic or, as @alextcone notes, a statement of interpretation, there isn't much that mentioning the CMA or any other regulator's theoretical actions adds to the conversation. I've said this before and I'll restate it here: do not speak on behalf of regulators who you do not have authority to speak on behalf of. Not only because it is not productive to the argument, but because it undercuts any argument you are even trying to make. The regulatory groups out there are fully capable of speaking for themselves.

Additionally, I really really really want to discourage making statements on behalf of what Google can or can't do under regulators. Google's statements are extant. Their conversation and attestation to the CMA is on record and they have participants in this group. If Google wants to say something about their CMA commitments they can and will. Until they do we have to operate under the assumption that they are interacting in this group in good faith and under their existing restrictions correctly. We are not empowered to do otherwise. If you @jwrosewell believe they need to say something that they haven't, the right place to take that up is with the CMA and Google--not here. In this context, not only is going down this road not productive, but it will be actively misleading to readers who may not be familiar with individual participants in this thread or their affiliations. I have to emphasize this: since you are not an agent of the CMA or of Google you are fundamentally not able to talk about what Google is required to do or what the CMA is going to do. To the extent you wish to accomplish anything in regards to the CMA and Google and what these two entities are doing, trying to force us to shadow-box their positions here is actively undercutting it.

Please stop.

jwrosewell commented 2 years ago

As @alexcone recognises there are public documents that state the position and I will reference those when referring to regulation in the future. As far as these documents are concerned anyone is free to reference them and remind the community of the requirements they place on participants.

Perhaps @AramZS and @seanturner would like to invite the CMA to present to the group at a forthcoming meeting so that their position can be obtained first hand. The CMA are a key stakeholder in the work of PAT CG and a possible future WG.

In relation to Google. There is a significant "distraction tax" for the rest of the industry continuing to debate and engage with Google proposals, or other proposals that would require Google to implement them if the web is not to splinter, unless those proposals have been approved in principle by the CMA. As someone who is not the CMA or Google I'm encouraging the parties to communicate clearly to avoid wasting our valuable time. I take exception to being reprimanded for stating a fact and requesting clarification.

We have now moved a long way from the issue title and change. I suggest we start another issue thread titled "How to engage with regulators" if the discussion is to continue.

ekr commented 2 years ago

I think it would be best here to adopt the general practice of not trying to draw CG conclusions about the meaning of various legal requirements, or to spend a lot of discussion time on those. Participants, of course, should be guided by the legal analysis of their own teams, but that's different from having it be a CG topic. Specifically, it is for Google to determine whether whatever they propose or support is consistent with their engagement with the CMA or other regulators.

I do think it would be worthwhile for CMA to be involved in the CG and state their views, just like any other stakeholder. I do not think, however, that we should constrain our discussions to those proposals which have been "approved in principle by the CMA". Our job is to develop technical specifications as best we can, and of course this means taking the legal environment into account in the manner I noted above, but giving any specific national regulator a veto on what we consider seems likely to ensure that no progress is made.

AramZS commented 2 years ago

We have now moved a long way from the issue title and change. I suggest we start another issue thread titled "How to engage with regulators" if the discussion is to continue.

I think that, if anything, that would make sense as a thread for our Meetings space? Since presumably this would be about inviting their involvement there first and they can then make a decision at what level they want to engage. As I hope I have made clear, I'm very interested in seeing the CG get as broad an engagement with stakeholders as possible.

@jwrosewell So you would be comfortable closing this specific issue? And also the accompanying issue on #5 which deals with a similar question?

AramZS commented 2 years ago

In relation to Google. There is a significant "distraction tax" for the rest of the industry continuing to debate and engage with Google proposals, or other proposals that would require Google to implement them if the web is not to splinter, unless those proposals have been approved in principle by the CMA. As someone who is not the CMA or Google I'm encouraging the parties to communicate clearly to avoid wasting our valuable time. I take exception to being reprimanded for stating a fact and requesting clarification.

I don't disagree that proposals raise specific requirements of attention and time. I just want to be very clear that we cannot deal with objections to those proposals stemming from taking the position that Google or CMA is going to say something about them... because we must see those actual entities speak up. If you have specific objections, they get lost in having to parse out what is your position vs what is you speaking about theoretical actions you believe will happen but have not. In terms of how we engage with these proposals as a group and spend our time, I think the right place to ask those questions is to build a clear process around incoming proposals and how we handle them, the discussion for which is happening at https://github.com/patcg/patcg.github.io/pull/7

jwrosewell commented 2 years ago

@AramZS I have raised #16 to cover the overarching set of issues of which the original title is a subset depending on the way the charter moves forward. This issue does not relate to the CMA or Google, however the discussion moved in that direction latterly.

If #16 is resolved such that only modular web features are used and the input data is not restricted then this issue becomes mute. If however that is not the case then this is very important. PAT WG charter will be testing the future direction of the W3C and the web.

AramZS commented 2 years ago

At this time only @jwrosewell has raised the idea of this significant alteration to the charters scope and it has been heard, discussed, understood and considered in this thread and elsewhere, especially in https://github.com/patcg/meetings/issues/52. I do not see a single other supporter of this specific change conceptually and I see broad vocal opposition. I am closing this thread and ending consideration of this change.