W3C gathering shows challenge of balancing process and points of view between advertising and privacy

A collegial debate has surfaced as the major browser software makers struggle with how to respond to growing consumer sentiment for more control over the collection of data about their browsing activity and preferences. The debate was in evidence this week over two days of presentations and discussion at a “virtual” World Wide Web Consortium (W3C) gathering. 

The question:  Where should ideas for changes in the way personal data is handled be hashed out — in the semi-private discussions of an “improving web advertising business group” in which Google is an active participant — or in an all-open browser “privacy community group” joined by at least four other browser makers and co-chaired by Microsoft, Apple and Mozilla? And should the two groups coordinate discussions? 

The W3C’s Wendy Seltzer chairs the ad group, and was the inspiration to set it up. She posted that she asked herself, “Could there be a win-win solution [of] privacy-preserving methods for advertising that serves the users who want access to web services, the publishers that want to monetize their web services and content, and advertisers who want those to be platforms for reaching users?” 

But what if the advertising business group comes up with ideas that conflict with the goals of the privacy group, one of this week’s participants asked during an open discussion?  Right now, both groups seem to agree that web browsers and technology should limit cross-site user tracking — what if that changes, the participant asked? 

“We understand there are different organizations with different viewpoints on how the web will turn out,” observed participant Wendell Baker, of Verizon Media, who praised the tone and interaction over the two-day meeting. “We are trying to figure out how to live within the new world as users . . . we’re trying to learn how to produce another business model that can produce value for everyone on the open web.” 

The two groups are among more than 300 managed by the W3C, a Cambridge, Mass., based nonprofit that is one of most important places where consensus technical standards for the Internet are introduced, debated, modified and — sometimes — approved as official.  As of this week, the advertising group has 174 paying members — it costs to join — and the privacy group has 170. 

To get a feel for what was discussed this week, take a look at the agenda, which included presentations by the major browser makers, at the detailed notes of those presentations on Wednesday, and the rest of the meeting on Thursday.
 

AD TECH

• Google is auditioning candidates to succeed the third-party cookie | Lara O’Reilly, Digiday

• Some are Concerned that Google’s Privacy Sandbox Could Limit Innovation and Stifle Competition | Tim Cross, Video Ad News

• Achieving programmatic transparency: a £3 billion task | Nick Manning, Mediatel News

• Criteo’s SPARROW Proposal Marks Ad Tech’s Venture Into Privacy Sandboxes And W3C | James Hercher, AdExchanger

• How marketers can balance privacy and personalization | Matt Spiegel, Ad Age

• Deep Dive into the DPC’s Cookie Sweep- Podcast | Data Protection Commission

• Google Chrome will block resource-heavy ads starting August | Sergiu Gatlan, Bleeping Computer

• Why marketers need to talk about identity resolution right now |  Projjol Banerjea, Ad Age

• How Comscore and LiveRamp are building the next generation of television and video advertising measurement | Com Score

Ex-Googler turned Mozilla scholar explores approaches to better mediation of digital user data and privacy

A former Google executive and current Mozilla Foundation fellow says it’s time to create a new type of entity to arbitrate privacy and user data on the web. Richard S. Whitt calls the entity a “digital trustmediary” and he’s written a law-journal article about his idea.

Entitled, “Old School Goes Online: Exploring Fiduciary Obligations of Loyalty and Care in the Digital Platforms Era,” the 56-page essay is rich with citations to precedents involving lawyers, doctors, accountants and other relationships where privacy and trust are enshrined in law. A similar relationship should exist between individuals and digital services which use personal data, Whitt says. The idea is also embodied in Whitt’s 501(c)3  Glia Foundation and GliaNet project.

The general idea of an “information fiduciary” was not originated by Whitt and it has also been explored in 2016 by Yale Law School Prof. Jack Balkin and assessed by legal scholar Lina Khan, among others. But Whitt’s idea can be distinguished from Balkin’s, he explained this week in a phone conversation with Privacy Beat. Balkin’s analysis worries about regulations challenging First Amendment protection afforded platforms, Whitt suggests, and Kahn favors a more antitrust-oriented approach to platform and privacy control.

In his article, Whitt says Khan argues that companies incorporated in Delaware can’t operate to protect the privacy and identity of their users if that would make them disloyal to a higher obligation to take care of the economic interests of their stockholders. (The shareholder-primary view is disputed by at least one legal scholar.)

“We can regulate the dominant online platforms as information fiduciaries or we can target their market dominance and business models, but very likely we will not do both,” Khan and co-author David Pozen write in one paper segment quoted by Whitt. The paper is entitled:  “A Skeptical View of Information Fiduciaries.”

The problem for Google and Facebook, Whitt says, is that the ways in which they use personal data is not consensual with the consumer user, but rather imposed in a relational  “take-it-or-leave it” data-privacy regime where platform use of data conflicts with duties of care and loyalty to the user’s data-privacy interests.

One answer, suggests Whitt, is the emergence of infomediaries who manage privacy for the consumer and who’s duties of care, loyalty and disclosure are first to the consumer. Besides Whitt’s, a similar approach advocated by Prof. Sandy Pentland at MIT is called the “data co-operative.” discussed in a May 2019 co-written article.

Another person thinking about data and privacy is Jaron Lanier, a scholar at Microsoft Research and serial tech entrepreneur who was chief scientist for the academic collaborative, Internet2.  He  proposed creation of MIDS — “mediators of individual data” — as co-author of 2018 a Harvard Business Review article, “A Blueprint for a Better Digital Society.”  The paper is explained HERE, and was the basis of a privacy series at the New York Times.  Lanier says the web needs solutions that  “operationalize” paying for the public’s attention and data and for digital content.  He cites the same mal-distribution of power between public and platforms that Whitt dwells on. 

GOOGLE EU TRACKING

• Google’s Android ad ID targeted in strategic GDPR tracking complaint | Natasha Lomas, TechCrunch

• Max Schrem’s noyb.eu files complain against Google device tracking Android ID  | noyb.eu | (COMPLAINT PDF) 

• Google Faces Privacy Complaint for Tracking Users in EU | Stephanie Bodoni, Bloomberg Law

• Google faces fresh GDPR challenge over advertising tracking | Joseph Brookes, WHICH-50

PLATFORM PRIVACY

• Facebook has appointed the ‘privacy committee’ on its board designed to prevent another Cambridge Analytica scandal | Rob Price, Business Insider

• Facebook’s new oversight board: Supreme Court or fig leaf? | Mathew Ingram, Columbia Journalism Review

PERSONAL PRIVACY

• RESEARCH: More Internet Users Want to Remove Personal Information Online, Research Finds | Tiziana Celine, Tech Times

• CDT, Global Partners Digital, ISOC, 30 groups join to defend encryption | GlobalEncryption.org 

• Congress May Hand Bill Barr the Keys to Your Online Life | Melissa Gira Grant, New Republic

• Senate Votes to Allow FBI to Look at Your Web Browsing History Without a Warrant | Janus Rose, Vice

• Here’s Who Just Voted to Let the FBI Seize Your Online Search History Without a Warrant | Dell Cameron, Gizmodo

• Senate narrowly rejects plan to require a warrant for Americans’ browsing data | TechCrunch

• Our digital privacy is at stake in the Senate | Robert Goodlatte, The Hill

• TikTok Violates Children’s Privacy Law, Advocates Say | Allen St. John, Consumer Reports

• Google’s Privacy Policy Can’t Save it From Smartphone Spying Claim: California Privacy Laws Tested in Suit Alleging Big Tech is Letting Subcontractors Listen in on Your Conversations | Lexology

• It Is Becoming Much Harder to Access Mental Health Support Anonymously | Piers Gooding, Slate

CCPA WEEK SEVENTEEN

• Better Never Than Late? A CCPA Meditation | Ted Claypoole, Hey Data Data (see QUOTE OF THE WEEK, below) 

• CPRA Poised to Go On November 2020 Ballot | Katie Morehead and Philip Yannella, JD Supra

• CPRA analysis: The ‘good’ and ‘bad’ news for CCPA-regulated ‘businesses’ | Jim Halpert, Lael Bellamy and Marco Berrios, IAPP

• CPRA’s top-10 impactful provisions | Caitlin Fennessy, IAPP

• Study highlights data subject request volume, spending under CCPA | Ryan Chiavetta, IAPP

• Another California Data Privacy Law | Schneier on Security

• Coronavirus sparks new fight over California’s internet privacy law | Dustin Gardiner, San Francisco Chronicle

• California’s New Privacy Laws Reach Beyond State Lines: European Businesses Must Prepare Now, Despite COVID-19 | Mark Kahn, Computer Business Review

• What type of contractual provisions are included within service provider agreements in connection with consumer deletion requests? | Tyler Thompson, JD Supra

• CCPA 2.0 Initiative Signatures Submitted For November 2020 Ballot | Sharon Klein, Alex Nisenbaum and Karen Shin, JD Supra

• Another California Data Privacy Law | Bruce Schneier, Security Boulevard

COVID-19 AND TRACKING

• ANALYSIS: Privacy Frameworks Must Adapt in Times of Turmoil | Mark Smith, Bloomberg Law

• Public Health Versus Privacy | Allie Gottlieb, The Regulatory Review

• A New Normal for Consumer Privacy: Apple, Google and Employers Begin Contact Tracing COVID-19 | Alaina Lancaster, Law.com

• Public Health Versus Privacy | Allie Gottlieb, The Regulatory Review

• What will happen to digital privacy? | Marco Pruess, IT Portal

• Privacy questions for COVID-19 testing and health monitoring | Cathy Cosgrove, IAPP

• Contact-tracing apps may seem like the coronavirus solution. They’re not | Shubham Agarwal, Yahoo Finance

• Contact tracing apps: A new world for data privacy | Anna Gamvros and Steven Hadwin, Data Protection Report

• Privacy Litigation in the Age of Coronavirus |  Paul Karlsgodt and Justin Donoho, Data Privacy Monitor

• The NHSX tracing app source code was released but privacy fears remain | Laurie Clarke, NS Tech

• COVID-19 could set a new norm for surveillance and privacy | Alfred Ng, CNET

• Would You Let The Government Track Your Smartphone If It Meant We Could Reopen Sooner? Assessing the Google/FB idea | David Freedman, Newsweek

• Health Officials Say ‘No Thanks’ to Contact-Tracing Tech | Will Knight, Wired

• New survey shows US adults split on COVID-19 cell phone tracking and data collection | R. Dallon Adams, Tech Republic

German “SSO” identity consortium accelerates effort to privacy challenge Google and Facebook logins

A German industry-dominated, non-profit consortium made up of big publishers and Internet Service Providers, is moving ahead with an ambitious effort to challenge Google and Facebook’s dominance over first-party user data. First, it has fielded a privacy-oriented federated Single Sign On service. Now it proposes to use it to tailor advertising to individual users.

“Complementing our federated single sign-on, I think it’s safe to say that this is the first holistic user-centric identity and privacy management solution for the digital market,” Achim Schlosser, CTO of the European NetID Foundation, said in a LinkedIN post last month.

The foundation opened up its SSO service in November 2018 to millions of registered users of its partner corporations, although it acknowledges only a small fraction of them are using it so far. The major backers are German broadcasters Mediengruppe RTL Group and ProSiebenSat.1 Media SE and ISP United Internet. RTL is one of Europe’s leading entertainment providers and it is 75% owned by Bertelsmann SE & Go. KgaA, the international media conglomerate.

“With our two new consent products, we are offering our potentially 38 million netID users and our partners legally compliant consent management and the highest level of transparency,” Sven Bornemann, CEO of the foundation, said in an April 24 statement. “ This strengthens our position: On the one had as a leading open login standard and on the other hand for the digital economy as an alternative to the U.S. login providers such as Google or Facebook.”

NetID uses a user’s email address as an identity.  A user from one of the partners who seeks to access resources at another partners’ web services is redirected to an identity service provider (IdSP) — one of several in the NetID system — where the user’s email address is checked. The user’s browser or application is then redirected to their “home” provider to be “authenticated.” The IdSP doesn’t store data about the user or their activity.

So far, that’s as far as the exchange goes.  But NetID’s intention is to engineer methods for getting the user’s permission to share data points that might be useful for targeting advertising or personalized content.  The tricky part is how to do that under the requirements of consent of the General Data Protection Regulation (GDPR). The NetID Enterprise and NetID Professional enhancement noted in the April 24 announcement air aimed at doing so, part by promising compliance with IAB Europe’s Transparency and Consent Framework 2.0.

“Via the NetID Privacy Center, every user has the opportunity to release their consent for various uses, such a target group-specific content / advertising, market research or range measurement — and to revoke it at any time,” the consortium’s announcement said, adding: “Instead of increasingly blocked third-party cookies, all NetID products use the NetID identifier stored on the server to recognize users.

There is a technology race underway to address the loss of third-party cookies, which all the browser makers have already blocked or are planning to by 2021. Consumer-data aggregator and ad-tech giant LiveRamp Holdings Inc. (formerly Acxioim Corp.) is working to gain support for its IdentityLink service, promoted in Feb. 2019. And ITEGA, the publisher of this Privacy Beat  newsletter, is testing a login service similar to NetID with the prototype name “NewsSSO.”

GDPR ENFORCEMENT

• Adtech scores a pandemic pause from UK privacy oversight | Natasha Lomas, TechCrunch

• EU: GDPR Survey: Benefits Beyond Compliance | Magalie Dansac Le Clerc, Global Compliance News

• EDPB Publishes Updated Guidelines on Consent under the GDPR | Hunton Andrews Kurth’s Privacy and Cybersecurity, National Law Review

• Cookie walls invalidate consent, says EDPB | Guillaume Couneson, Tech Insights

• EU Data Protection: Updated EDPB Guidance on Consent Clarifies the Mechanism for Cookie Consent | K & L Gates, National Law Review

• EU Wants To Clamp Down On Websites Hiding Content Behind ‘Cookie Walls’ | Tyler Lee, Uber Gizmo

• PODCAST: Irish regulator’s cookie-sweep story | Irish Data Protection Agency 

NEWS AND TRUST

• Journalism Cannot Be a Covid-19 Casualty | John Nichols, The Nation

• Big Tech Has Crushed the News Business. That’s About to Change. | Ben Smith, New York Times

• YouTube plans to let news publishers sell off-platform subscriptions through their channels | Tim Peterson & Max Willens, DigiDay.com

• A Quarter of the Most Popular Covid-19 YouTube Videos Are Misleading: Study | Jordan Pearson, Vice

• How the Washington Post is preparing for the end of the third-party cookie | Digiday