w3cping / privacy-threat-model

A target privacy threat model for the Web
https://w3cping.github.io/privacy-threat-model
Apache License 2.0

Address diversity of privacy definitions and add missing threats #41

Open TheMaskMaker opened 3 years ago

TheMaskMaker commented 3 years ago

As advised by Sam, rather than updating the existing threats doc, I am making a new doc.

I have included many threats missing from the original, including many tracking methods and profiling strategies, and the 2 core definitions of privacy. We might need a third to represent Google's perspective if it is not covered by the prevent all tracking definition, as well as potentially others.

jwrosewell commented 3 years ago

Thank you, @TheMaskMaker, for initiating this change. As someone who works in a small business new to the W3C, without the time or mandate to take on additional work or engage with all the W3C debates, I appreciate how much effort this draft amendment required.

It is extremely important this document receives considerably wider input from a diverse set of web stakeholders if it is to be useful in supporting debates and resolving important issues.

This pull request starts to broaden the considerations concerning privacy and takes this document in a direction that starts to align with the advice of Benjamin R. Dryden and Shanker (Sean) Iyer in their paper Privacy Fixing and Predatory Privacy: The intersection of big data, privacy policies and antitrust. The conclusion provides a summary for PR reviewers.

Third, because it is relatively uncommon for companies to adopt privacy policies in direct collaboration with their competitors, the most likely target for a privacy fixing or predatory privacy claim might well be a standards-setting organization or trade association that tries to adopt a best privacy practice or a rule of ethics for an entire industry. Therefore, when such organizations wade into discussing privacy topics, they should recognize the competitive concerns and potential antitrust risks. Whenever possible, such standards-setting organizations and trade associations should make sure to apply procedures and safeguards to prevent their decisions from becoming hijacked by private interests. For instance, such organizations might consider requiring supermajority votes before any policies are adopted, basing decisions on outside expert judgments rather than industry interests, and describing any best practices as “recommendations” rather than as strict requirements.

Currently the W3C lacks a membership agreed definition of “privacy”. The W3C needs one if debates are to be resolved. I’ve found The Promise and Shortcomings of Privacy Multistakeholder Policymaking: A Case Study analysing the DNT debate at W3C helpful in understanding the groundwork needed to foster effective debate and how far we still need to come.

The priority of constituents is broadly agreed, in order, as 1) people, 2) authors (website operators), 3) browsers and 4) specification writers. Commentators often seek to speak on behalf of people to further their position and proposal as a lower-order constituent. But who can really speak on behalf of people? In democracies, elected governments who set laws. Their laws must be referenced and considered in any document that seeks to effectively discuss privacy. Such a change might lead us to define "privacy" as "unlawful privacy practices". Such a change might focus proposers on identification and sanction remedies for harm rather than more restrictive remedies that have wider consequences for the open web.

Some web browsers have privacy policies. At the W3C these are only relevant if all stakeholders’ policies are equally considered. After all, web browser vendors are the third constituent. In addition to referencing laws, and the groups already considered, we also need to involve other groups such as the Internet Advertising Bureau (IAB), Partnership for Responsible Addressable Media (PRAM), Prebid, European Publishers Council (EPC) and Association of Online Publishers (AOP), to name a few.

@samuelweiler is assigned to this group for 1.5 days per week. Could Sam take the action to communicate with these wider groups and assemble their privacy positions and objectives as informative references for either this pull request or a parallel pull request? Could Sam invite these groups to present their positions to the PING and TAG? Could Sam summarize each group's position for the document?

Until the W3C have a settled single position on privacy I fear we will diverge from our mission of leading the web to its full potential.

TheMaskMaker commented 3 years ago

@jwrosewell I would love to see groups more clearly define each one's take on what a private web should look like in clearly defined language. This would prevent a great deal of miscommunication, confusion, and vulnerability to unintentionally falling into the fallacy of equivocation.

In fact, I have a demo next week for the business group that may address the need to further communicate privacy definitions and take a bird's eye view of the situation! You might be interested in it.

I just want to be clear that this document is not meant to solve the question of what is privacy, but examine the varying viewpoints that exist in the W3 (and as you mention outside might be good to document as well) and the threats and major considerations of each one.

jwrosewell commented 3 years ago

@TheMaskMaker Understood about the scope of the document. I do believe an agreed W3C definition of privacy should exist in PING and TAG. This document should reference that.

@pes10k @samuelweiler as PING chair and W3C representative respectively could progressing the steps to such a definition be scheduled for a future PING meeting?

TheMaskMaker commented 3 years ago

@jyasskin Are you satisfied or have anything else on the remaining comments? Can this be merged?

TheMaskMaker commented 3 years ago

I'm not comfortable just merging this unilaterally: we should ask the PING chairs to add it to next week's agenda, so more people can weigh in.

Meeting sounds good