PRIVACY BEAT: New forum for web identity and security launches with involvement by Microsoft, MasterCard, Accenture, IBM

Privacy Beat

Your weekly privacy news update.


New forum for web identity and security launches with involvement by Microsoft, MasterCard, Accenture, IBM

This week the wraps came off a new initiative to promote coordinated solutions to web identity and data security. It’s called the Trust over IP Foundation (ToIP), housed inside an affiliate of the San Francisco-based Linux Foundation and the leadership is familiar to technologists who have been working for at least a decade in the field.

“The highly specialized world of digital identity is opening itself to a wider audience,” declared reporter Ian Allison, in a thorough account at A second news account of the unveiling said it was aimed at reducing fears about the use of personal data. Efforts may rely in part on a pending World Wide Web Consortium (W3C) “verifiable credentials” standard.

“Trust Over IP is a decision-making framework, not a specific governance network or a specific technology,” John Jordan, executive director of British Columbia’s digital-trust service, explained during a Thursday video webinar with 13 other co-collaborators.  “It is a place to come together to make good decisions.”

For decades, governments, businesses and individual technologists have been studying and experimenting with how to add a fundamental service to the Internet – the ability to be sure that a person is who they say they are, or that a piece of data can be trusted as authoritative. Most approaches to creating such an internet “trust layer” use a branch of mathematics called “cryptography”.  More recently, a field of inquiry known as “Self Sovereign Identity” (SSI) has emerged which relies on so-called “zero-knowledge proofs” to check credentials while preserving individual privacy.

For ToIP, the guiding intellectual concept is to use cryptography to move control of identity attributes and relationships away from account-based corporate and government data users and more toward the individuals themselves.

It is members of the SSI world who largely are behind forming of the ToIP organization, and its initial volunteer executive director is Drummond Reed, co-architect of several related web standards and a co-founder of the Sovrin Foundation. Reed works for Evernym Inc., a vendor of SSI solutions that has been involved in developing the W3C verifiable credentials standard. The BC provincial government is deploying SSI as a method of confirming online identity of individuals for government services.

Representatives of Accenture, IBM, MasterCard and Kiva were among those on Thursday’s call, and the entity running the ToIP — an affiliate of the Linux Foundation called the Joint Development Projects LLC — is part of a 501(c)6 entity who’s president is a Microsoft assistant general counsel, David Rudin.

In a phone discussion with Privacy Beat, Reed explained that ToIP will foster four “layers” around identity and security research and practice.

  • A “public utility” layer including such entities as Sovrin, and more to come

  • Companies that offer digital wallets or data-trust agency to consumers

  • Organizations that issue, hold or verify digital credentials

  • Entities which operate secure identity services within interoperable standards

“There will be many utilities, there will not just be one utility,” observed Dan Gisolfi, the IBM representative on Thursday’s video discussion.  Some will be nonprofit (like Sovrin) and some will be for-profit, Gisolfi suggested, with varying business models.

Reed said a “digital wallet” — software which contains credentials such as a driver’s license, medical records or subscription information — can be both within a consumer’s smartphone or stored on the web service of a trusted agent.

“We call them credential managers,” added Gisofi, who is CTO of the decentralized identity arm of IBM Security.  “It is not tied to a smart device but that will be the best experience.”

Founding Steering members include Accenture, BrightHive, Cloudocracy, Continuum Loop, CULedger, Dhiway, esatus, Evernym, Finicity, Futurewei Technologies, IBM Security, IdRamp, Lumedic, Mastercard, MITRE, the Province of British Columbia and SICPA. Contributing members include DIDx, GLEIF, The Human Colossus Foundation, iRespond,, Marist College, Northern Block, R3,, TNO and University of Arkansas.



Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More


Over 900,000 signatures gathered for CCPA 2.0 ballot initiative; now will 623,212 be certified by June 25?

June 25 is the next important date that will likely determine if Californians could be voting on a privacy ballot initiative in the fall.  California Consumer Privacy Act (CCPA) originator Alastair Mactaggart announced on Monday supporters had gathered at least 900,000 signatures to put a second “California Privacy Rights Act” (CPRA) on the ballot.

By state law, now all the signatures have to be reviewed by county election officials across the state to verify that at least 623,212 of the signatures are legal. And that process has to be done quickly enough so that the California Secretary of State can certify on June 25 that the threshhold has been reached.

“…[I]f the random sampling verification process indicates that the number of valid signatures is within a narrow margin of the required threshold (i.e., less than 110% of the required number), the June 25 deadline would likely pass before the verification process could be completed,” three Hogan Lovells US LLP attorneys wrote in a blog summary of the ballot-qualification process, adding:  “If that occurs, the CPRA would be left off the ballot.”

If the law is on the ballot and passes  (one poll found it was supported by 88% of the state’s voters), it with add fresh privacy guarantees to those already established by the CCPA, including a new definition of “sensitive personal information,” a right to have wrong information corrected, new safeguards for children and a new California Privacy Protection Agency to take the enforcement load off the attorney general’s office.






Google appears to amp-up interest in leading changes to advertising technology that address privacy law, concerns

Postings this week on forums of the World Wide Web Consortium (W3C) and Google Groups appear to suggest that Google Inc. is taking an active interest in championing browser standards that could change the way digital advertising works under stepped-up privacy laws and concerns.

First, on Tuesday, Google Chrome engineer  Steven Valdez posted an “Intent to Experiment” with an idea called “Trust Token API.” Then, on Wednesday, Google colleague Yao Xiao posted to the blog an “Intent to Prototype: Federated Learning of Cohorts.”  What are these proposals and why does it matter?

The Trust Token API idea was first proposed by Valdez as a method for advertisers to learn some information about individuals across websites without having really specific identity information. “Preventing fraud is a legitimate use case that the web should support,” Valdez writes. “But it shouldn’t require an API as powerful as a stable, global, per-user identifier,”

Federated Learning of Cohorts (FLoC), is named for its intent — to create “flocks” of users with similar interests or attributes that advertisers can target without having to gather personal information on specific individuals. One approach would be to let the user’s web browser software select the ad to show according to some interest or demographic information provided by the user.

FLoC has been discussed since last year on a W3C-GitHub email list for “Improving Web Advertising.” It was detailed Feb. 6 by Google’s Josh Karlin in a GitHub forum posting as a new way that browsers could enable interest-based advertising on the web, in which the companies who today observe the browsing behavior of individuals instead observe the behavior of a cohort (or “flock”) of similar people.”

Advertisers want to reach consumers likely to be interested in their message so FloC addresses that desire through a mechanism of storing within the web-browser software your attributes and then sharing them into a “flock” that is somehow anonymized. This approach is thought to be one way of complying with emerging laws such as the California Consumer Privacy Act (CCPA) and alternative to the current real-time-bidding ad-technology ecosystem which relies upon third-party cookies and a dizzying array of opaque and largely ungovernable user-data managing efforts.

“A key part of the reason we plan to prototype this approach is to measure its privacy properties, and study what Chrome can do to minimize any privacy impact,” veteran Google ad-tech engineer Michael Kleber wrote about the FLoC plans on the company blog.

But Eli Gray, a privacy engineer at Transcend Inc., was among those expressed concern in a responsive post. He wrote: “FLoC feels like a privacy anti-feature to me and I am strongly against this ever shipping without further justification. We should instead be encouraging contextual advertising solutions. Ad networks should target their ads based on the content being viewed, not on the ‘cohort’ viewing the content.”

Kleber replied by citing disputed Google research that some publisher websites would earn less revenue in a shift from user-targeted advertising to advertising placed on web pages contextually relevant to their message. “That’s why Chrome is committed to exploring new techniques that support the ads-funded ecosystem but are built with privacy guarantees from the outset.”

The Chrome web browser is controlled by Google. Thus the FLoC idea would preserve Google’s control over user data. (DISCLOSURE: ITEGA, the sponsor of Privacy Beat, has supported “UDEX”, an initiative anonymized user-data cohorts as a non-profit service.)




Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat


For news publishers: A unique view of where competition for ad dollars may next come from

A unique perspective on publisher competition for advertising dollars is part of a subtle promotion for ad-server tech company Adzerk Inc. of Durham, N.C.  The pitch piece by the company’s founder/CEO,  James Avery, defines two kinds of “publishers” — not what you think of as publishers in the news sense.

  • A “traditional publisher” including digital outfits like Vox or BuzzFeed, free-content producers like and WebMD — and some news publishers. Mostly their web visitors are referred by search or social media.
  • A “utility publisher” which is in the e-commerce business but because they have a lot of original visitors they have the potential to earn incremental revenue by running advertising. Examples include Amazon, Wal-Mart, Target, AirBnB, Ticketmaster, Expedia, NetFlix, Marriott, Disney, United and

What’s interesting about Avery’s analysis is this: He says the utility publishers don’t use ad tech or third-party cookies because they don’t want a lot of rogue code on their websites that could invite privacy violations or slow load times.  Instead, they build their own ad-serving systems. The traditional publishers, he infers, are bogged down in the programmatic, privacy-violating, script-running, slow-loading world.

Two points stand out:

  • There’s a lot more competition offering quality ad placements against news publishers.
  • The systems they use are not dependent on the privacy-challenged real-time-bidding (RTB) system that is now struggling with by legal and browser privacy innovation.




In addition to trading on user privacy, ad-tech leaves one-third of costs unattributable — “criminal’s paradise”?

“The study reveals the depth of the supply chain’s lack of organisation and complexity. A total of over a thousand distinct supply chains were identified; across the 15 advertisers, the PwC team of media/programmatic experts and data scientists was able to end-to-end match 290 chains (31 million impressions) all the way to the 12 publishers. PwC encountered a lack of understanding and consistency among the ad tech suppliers as to how they could legally share data and what permissions were needed; a lack of uniformity on data storage and formatting; and the fact that data captured by a DSP for an impression is not equally captured by SSPs, which hindered impression matching. These challenges and complexities do not serve the principal interests of advertisers or publishers.”

– Abi Gibbons, writing May 6, 2019, on the website of the Incorporated Society of British Advertisers, summarizing its join study of programmatic advertising

“We’ve built a programmatic ad system where it’s literally impossible to figure out where all the money goes. Advertisers often have no idea where their ads end up. Money disappears into a fog of middlemen and fraudsters. The system is broken, a criminal’s paradise.”

 – media editor Craig Silverman, writing May 6 on his own Twitter feed and commenting on the Financial Times’ report of the ISBA ad-tech study.


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2020 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp