w3c / strategy

team-strat, on GitHub, working in public. Current state: DRAFT

[wg/privacy] Privacy Working Group #414

Open plehegar opened 1 year ago

plehegar commented 1 year ago

New charter proposal, reviewers please take note.

Charter Review

Charter:

What kind of charter is this? Check the relevant box / remove irrelevant branches.

The Privacy Interest Group is morphing into a Working Group.

Horizontal Reviews: apply the GitHub label "Horizontal review requested" to request reviews for accessibility (a11y), internationalization (i18n), privacy, and security. Also add a "card" for this issue to the Strategy Funnel.

Communities suggested for outreach:

Privacy-related Community Groups.

Known or potential areas of concern:

None (so far)

Where would charter proponents like to see issues raised? (this strategy funnel issue, a different github repo, email, ...)

https://github.com/w3cping/administrivia/issues

Anything else we should think about as we review?

plehegar commented 1 year ago

Not ready for horizontal review quite yet (list of deliverables still under discussion).

I'd like to send an advance notice to the AC regarding this charter, so agenda+

plehegar commented 1 year ago

cc @pes10k @npdoty @sandandsnow

svgeesus commented 1 year ago

Clearly the charter is not yet ready but also, Advance Notice doesn't even require a charter to be available so this would be fine to send with an Advance Notice.

It does look odd that Motivation and Background is entirely empty, although Mission kind of covers that. So it would be fine to say here that the review part was already being done by an IG but as there is a desire to develop standards-track documents too, a WG is proposed to replace it.

(The choice of Document license is odd too, but that isn't a blocker)

michael-n-cooper commented 1 year ago

I'm ok to send advance notice, though I think it would be more useful if the motivation and scope were completed, as that's actually the most important part to know in an early draft.

sandandsnow commented 1 year ago

@michael-n-cooper and @svgeesus, noted that we need to add the text for motivation and scope asap.

plehegar commented 1 year ago

> (The choice of Document license is odd too, but that isn't a blocker)

My mistake. I'll change it to the software license.

plehegar commented 1 year ago

One more thing we need to add: work on horizontal reviews (similarly to the I18n WG charter)

plehegar commented 1 year ago

I opened a batch of issues based on the comments above.

Waiting on https://github.com/w3cping/administrivia/issues/30 for the advance notice.

npdoty commented 1 year ago

Thanks for the review, feedback and issues. 🙏🏻

Just context: I didn't fill in motivation/background section initially as I wanted to make the mission section crisp and we didn't have background sections for the PING charter in the past.

jyasskin commented 1 year ago

I'm not really familiar with what we need for advance notice, but horizontal review seems like a very important part of this charter, so maybe https://github.com/w3cping/administrivia/issues/31 should be at least sketched before it's sent out too.

plehegar commented 11 months ago

We now have a background/motivation section, as well as a horizontal review section. I'll get the advance notice out and request a 3-month charter extension. Next step is to close the loop with PING, then ask for horizontal review of this charter.

npdoty commented 11 months ago

Also, apologies to our initial reviewers that the horizontal review section in particular wasn't present from the beginning. The drafts got a little bit out of sync and I went on leave just as that was being circulated and so didn't catch it at the time.

AramZS commented 11 months ago

I'd like to note my support for moving this forward with alacrity. The three projects listed do indeed need to advance to working groups and this charter presents the best place for them. Beyond that it is clear that there will only be more privacy standards arriving in the coming months and years that will need a clear place to advance to where privacy is the focus and a WG that can build expertise and retain knowledge on privacy subjects that will span more than one of these proposals.

Edited with update.

SebastianZimmeck commented 11 months ago

> So many of the features of the Web and its usage involve information about people and their communications that privacy must be considered consistently across the design of the platform.

Indeed, privacy should be reflected in the structure of the web. Privacy is a systems property and should be implemented as such. Privacy standards can provide the crucial link between privacy rights and the technical implementations that make them operational. Regulators can point to standards to identify which implementations satisfy the privacy laws they enforce. Thus, the goal of this working group to bring privacy rights to life via the standards process is of great importance. In this spirit, I hope that we can move Global Privacy Control forward in this forum with all stakeholders involved.

plehegar commented 10 months ago

Update: As of July 6, we don't have agreements within the IG yet on moving this charter forward: [[ Nick: We have some differences. We should discuss on Slack and Github. It seemed like more work to do lots of 1-off WGs, but I’m not completely committed to a Privacy WG. ]] https://www.w3.org/Privacy/IG/summaries/PING-minutes-20230706

plehegar commented 9 months ago

Update: PING should finalize this charter at TPAC 2023.

See https://www.w3.org/Privacy/IG/summaries/PING-minutes-20230907

plehegar commented 9 months ago

Advance notice (sent in July): https://lists.w3.org/Archives/Member/w3c-ac-members/2023JulSep/0000.html

plehegar commented 8 months ago

Finalized in https://www.w3.org/Privacy/IG/summaries/PING-minutes-20231005

himorin commented 7 months ago

ruoxiran commented 7 months ago

APA is OK with this charter.

npdoty commented 7 months ago

> history table contains garbage??

??

Currently the history section is empty, because this would be the initial charter for a new Working Group. But as noted in the "about this charter" section, the group would replace the Privacy Interest Group, a long-running group with a variety of charter changes. I'm not clear if the expectation is to copy over the history of the to-be-subsumed group's charter. Should we just remove this section for the initial charter, and add it back when there's a change of any kind?

npdoty commented 7 months ago

> out of scope says "Policy statements and guidance are out of scope for this Working Group." and mentions about CG for policy-focused outputs. TAG has privacy principles for the Web, so could mention about TAG along with external CG here?

I'm not sure the TAG would call the Privacy Principles a policy output, though. Comments on legislation or government rulemakings, for example, would be out of scope for the PrivacyWG, but probably also out of scope for the TAG (though we'd have to confirm that with the TAG).

Is that wrong? How should we indicate that a deliverable is joint, but note that it's actively maintained by one of the joint groups?

svgeesus commented 7 months ago

> history table contains garbage??

It does. Delete the Note, comment out the charter extension and rechartered rows. Leave the initial charter row.

svgeesus commented 7 months ago

> [pick a duration within:] one week to 10 working days,

That needs to be tidied up.

Sections 5.1 and 5.2 are unfinished.

Delete "Consider adopting a healthy testing policy, such as: "

Timeline is unfinished; add some fanciful guesses or delete it.

Is "(0.05 FTE)" still to-do?

npdoty commented 7 months ago

Thanks @svgeesus and @himorin, I've opened issues for each of the not-completed parts of the charter draft. I hope the substance of the charter is still worth reviewing for horizontal review, but will work with the chairs and Privacy Interest Group to resolve those open issues shortly.

plehegar commented 7 months ago

Privacy IG was extended in the meantime: https://lists.w3.org/Archives/Member/w3c-ac-members/2023OctDec/0031.html

plehegar commented 6 months ago

Dependencies to be added:

himorin commented 6 months ago

No comment or request from i18n, though i18n is also interested in features that are marked as fingerprinting but are also required for enabling key i18n functions.

I've dropped from my todo list on adding this to the issue, sorry.

plehegar commented 6 months ago

No objection from PING to start the AC review. Now in the hands of the Team to approve and start AC Review.

svgeesus commented 6 months ago

All the issues I noted earlier have been resolved to my satisfaction. Thank you.

svgeesus commented 6 months ago

I notice:

> Individuals not employed by a W3C Member who wish to contribute to both privacy reviews and standardization of privacy mechanisms may join the group as Invited Experts;

It might be wiser to say "may apply to join the group as Invited Experts" or "may apply to be considered as Invited Experts". Unless the charter intends to promise that literally anyone will be given IE status.

himorin commented 6 months ago

The Scope section contains some mentions of other CG/WG/IGs, and I suppose it might be better to have links (to w3.org/groups/?g/*) there for the ones that exist (but not to strategy issue or anything else...).

plehegar commented 6 months ago

> It might be wiser to say "may apply to join the group as Invited Experts" or "may apply to be considered as Invited Experts". Unless the charter intends to promise that literally anyone will be given IE status.

https://github.com/w3cping/administrivia/pull/44/commits/dda6e9ffc62734ac317f335c69c44cfc477fd6ca

plehegar commented 6 months ago

> The Scope section contains some mentions of other CG/WG/IGs, and I suppose it might be better to have links (to w3.org/groups/?g/*) there for the ones that exist (but not to strategy issue or anything else...).

https://github.com/w3cping/administrivia/pull/44/commits/e429a4c9a2713f9580b2b3e7607f68134ef1b9c4

siusin commented 6 months ago

It seems to me the link of Draft state: Adopted from Privacy CG should point to https://privacycg.github.io/gpc-spec/.

ylafon commented 6 months ago

What happens to horizontal reviews, especially the ones in progress, if the WG drops to less than 6 participants? Should it be clarified in the Charter?

plehegar commented 6 months ago

> It seems to me the link of Draft state: Adopted from Privacy CG should point to https://privacycg.github.io/gpc-spec/.

https://github.com/w3cping/administrivia/pull/44/commits/3c469c9b0b63d4304203d1319dfe9846ef48cc01

plehegar commented 6 months ago

> What happens to horizontal reviews, especially the ones in progress, if the WG drops to less than 6 participants? Should it be clarified in the Charter?

I don't think we have and would want to have a contingency plan. If we can't have 6 participants, we'll have a bigger problem (similar to security)

npdoty commented 6 months ago

I don't think the charter can protect against non-participation, but it should be a signal to the membership, for privacy and other horizontal review groups, that if they can't maintain participation, then comprehensive horizontal review simply won't happen.

plehegar commented 5 months ago

https://github.com/w3cping/administrivia/issues/45

plehegar commented 5 months ago

From AC Review: [[ I also want to express concerns about Global Privacy Control. This is a mechanism being designed to support legal frameworks such as CCPA and those emerging in other US states. As such it has very limited applicability in other jurisdictions, notably the UK and EU. To the extent that "global" in the name implies "geographically global", a different name should be used. I recommend that the Working Group gives greater consideration to applicability of a browser signal under GDPR (and potentially legal frameworks elsewhere, although I'm not familiar with those), so we end up with a standard that has wider global relevance than the US. ]]

plehegar commented 5 months ago

From AC Review: [[ Please add the VCWG and DIDWG as liaisons to work that might affect them as well. I would hope that part of the PWG's work will be to help guide the work that VCWG and DIDWG are doing. ]]

plehegar commented 5 months ago

From AC Review: [[ The "Global Privacy Control" deliverable sounds like it's aimed at being the only privacy control that browsers will need to send to websites, but it's actually scoped to just the "do not sell or share" preference. This could lead to user confusion about whether GPC can solve cookie banners, which it's not scoped to do. We'd prefer that it be named something more specific (e.g. "Do Not Sell or Share Preference") given its narrow scope.

The Bounce Tracking Mitigation deliverable is likely to land in WHATWG specifications and not likely to need a W3C WG to adopt it. However, it seems harmless to include a potential deliverable that won't actually be used. ]]

SebastianZimmeck commented 5 months ago

> I recommend that the Working Group gives greater consideration to applicability of a browser signal under GDPR (and potentially legal frameworks elsewhere, although I'm not familiar with those), so we end up with a standard that has wider global relevance than the US.

Global Privacy Control is not limited to the US. Notably, @darobin has put some thought into how GPC can work under the GDPR. For example, a legislator or regulator in a GDPR (or UK GDPR) jurisdiction can interpret a GPC signal to mean the withdrawal of consent under Article 7(3) and objection to processing by data controllers other than the first party under Article 21(1-3, 5).

> We'd prefer that it be named something more specific (e.g. "Do Not Sell or Share Preference") given its narrow scope.

The name is one thing, but it is also possible to simply describe in the UI what GPC does. For example, Firefox describes GPC with "Tell websites not to sell or share my data."

plehegar commented 3 months ago

From the Web Application Security AC Review (#426): [[ The new "Off-The-Record Response Header Field" (OTR) deliverable focuses on addressing Privacy use-cases and as such it should instead be added as an OPTIONAL deliverable for the Privacy Working Group charter to take up ]]

plehegar commented 3 months ago

Regarding the formal objection at https://lists.w3.org/Archives/Public/public-review-comments/2024Jan/0012.html , W3C updated its Antitrust and competition policy.

plehegar commented 3 months ago

The Team announced convening a Council on March 3rd.