PRIVACY BEAT: interest grows in W3C discussions around browser and web privacy

Privacy Beat

Your weekly privacy news update.


Apple’s Wilander details Safari’s jump past Google Chrome in blocking third-party cookies; interest grows in W3C discussions around browser and web privacy

A key technical discussion seeking to incubate privacy-focused web features gained new members and took up a new initiative during an open webinar meeting this week.

The World Wide Web Consortium’s (W3C) “privacy community group” swelled to at least 117 participants and two representatives of Facebook joined, leaving Google as the only major web platform not yet visibly involved in efforts to curb the activity “tracking” of web users without their permission.

The focus of the Wednesday video call-in was an announcement the day before by Apple Computer’s John Wilander, in a blog post entitled “Full Third-Party Blocking and More.” He said the latest release of Apple’s Safari browser now blocks so-called “third-party cookies” — a key feature enabling the current digital-advertising ecosystem. Google has said its Chrome browser will do the same, but it may take up to two years to do so.

Wilander was on Wednesday’s call to answer questions about Apple’s latest privacy move, which he characterized as an effort to “defend the web platform” rather than proprietary networks. Wilander expressed some caution about revealing additional planned moves by Apple, saying that could tip off developers who work for “tracking” companies to advance workarounds. He said such developers were “working against the goals of privacy on the web or [against] tracking protection.”

Google’s third-party cookie phase out is nuanced. “As you know, we’ve committed to only phasing out support for third-party cookies once the needs of users and sites (including publishers and advertisers) are addressed,” Google’s Marshall Vale, a product manager for the Chrome browser, writes in a W3C list post on March 26, also reported by AdExchanger.

The new initiative was advanced by three engineers at Brave Inc., a three-year-old web browser maker started by an ex-Mozilla engineer. They propose a method to give trusted agents a way to store information about a user in a web browser and make certain it can’t be accessed for a rogue purpose by someone else. It’s called “JS Isolation via Origin Labels and Membranes.”

Browser makers Mozilla (Firefox) and Microsoft (Edge) co-created the privacy interest group but they have been joined by other tech companies, including Apple (Safari) and Brave. Also joining the calls have been Salesforce, Amazon, Verizon Media and, this week, two Facebook representatives. Media organizations are trickling in — now including Axel Springer, The Washington Post and the New York Times. Participating, but not on Wednesday’s call, are the Interactive Advertising Bureau and the Local Media Consortium.

Separately, Google has been shepherding discussion about third party cookies on the independent Chromium blog and via a separate W3C “Improving Web Advertising Business Group.”  DigiDay’s Lara O’Reilly wrote about the ad group on Jan. 29.


Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More


A likely near future for web ads and quality publishers? An updating of “Single Sign On” is suggested

Tech blogger Don Marti, most recently with Mozilla and now heading up his own Aloodo Project, has been following closely the effects of advertising technology on quality news publishers. On his blog this week, he explains why a mature technology called “Single Sign On” may hold some promise.

Until decisions by Apple, and eventually Google, (see related item above) to cut off the third-party cookie system of advertising targeting, SSO was used for things like allowing academics to log in when visiting some other university than their home base. And a version of it makes it possible for you to use your cable account to watch streaming video entertainment on the web.

But Marti says in his blog that new versions of SSO may be used to create trusted networks sharing user information, and those networks could also be the basis for a new kind of ad targeting. The result, he proposes, is an increase in market power for publishers as compared to the third-party cookie-driven system in place now. The blog post contains related links.

FULL DISCLOSURE: Marti has also been serving as a technical advisor to ITEGA, which produces “Privacy Beat” each week.

Vidakovic asks: Will ad tech solutions for replacing third-party cookie break things, including privacy?

Toronto-based consultant Ratko Vidakovic frequently analyzes the ad tech scene in a widely circulated weekly email newsletter, AdProfs, that he doesn’t put on the web. His March 24 edition comments on reporter Sarah Sluis’ March 6 AdExchanger story, “Publishers Are Wary of New Tech That Wants to Use Their First-Party Cookies.”

Here’s what Vidakovic writes: 

“Ad tech companies are increasingly pitching publishers on solutions that mitigate dependency on third-party cookies. These solutions are framed as a way for publishers to retain their programmatic revenues. However, these solutions often require some technical integration, whether by adding code to sites or making DNS changes, like adding CNAME entries for the ad tech vendor.

“This raises a number of questions and concerns from publishers: (1) Is the “solution” just a temporary workaround, or is it something sustainable? Is there a risk that browsers could break the solution? (2) Will the proposed solution have any negative impact on site speed, user experience, or security? (3) Is the solution privacy compliant? What are the legal risks of implementing the solution? (4) Does it make sense from a long-term strategic perspective? Does it contribute to the publisher’s overall strategy or detract from it?”


CCPA WEEK 13    

Wesleyan professor exploring whether browser software sending “do not sell” signal must be honored by websites 

A Wesleyan University computer scientist and his students are researching software implementations of the California Consumer Privacy Act (CCPA). In a web posting, Prof. Sebastian Zimmeck says they are particularly interested in how web browsers convey a user’s desire not to have their personal information “sold.”

A provision of the CCPA requires that if a web site is told by a user “do not sell my information” they must respect that request. There is debate over what the word “sell” implies, and discussion about how the site receives the user’s intent.  Zimmeck is seeking discussion about what would happen if web browser software standardized transmission of a “Do Not Sell” order from the user and whether the CCPA would compel websites to respect that request.

You can read Zimmeck’s query to the W3C’s Privacy Community Group. One response suggested Zimmeck look at the work being done by a working group of the Interactive Advertising Bureau’s Tech Lab on signal specifications. Another is from an engineer affiliated with The Washington Post.











Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat


Predicting a post-cookie future for web advertising

“One possible future for post-cookie web advertising is going to work something like this: if you’re signed in to a site, you’re going to get something pretty close to adtech as usual, except limited to the group of sites where you’re willing to sign in. So if two publishers can both use a registration wall to get your email (or SSO that maps to your email, which is basically the same thing) then the same ads will “follow” you across both those sites, and you’ll see ads targeted based on loyalty programs you opt into…This means an increase in market power for publishers from the conventional third-party cookie, because crappy and fraudulent sites will have a hard time getting your email or SSO. For advertisers, the game of tag, trying to get ads in front of specific people, continues, except that the boundaries for the game are brought in to include only sites that can get people past the reg wall…On sites where you’re not signed in, you’re going to get ads for miracle fungus cures, predatory finance schemes, and other bottom-feeder stuff—unless you’re running a browser with built-in targeting/atribution (the stuff being discussed at W3C’s advertising business group) and leave it turned on.”

– Excerpted from “A Likely Near Future for Web Ads,” posted March 25 at the blog by Don Marti (see item above).


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2020 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp