Above: A “swan” depiction cached from the SWANN.community website
GOOGLE, TRACKING AND PRIVACY
British ad-tech group seeks W3C review of a “nonprofit”-governed identity solution: will it compete with Google “sandbox”?
A British-based group of ad-tech companies sought on Friday advice and input from a World Wide Web Consortium (W3C) group for a new web identity system that could reduce the need for a set of proposals advanced by Google. The request by a group called SWAN.commmunity was made by ad-tech executive James Rosewell, a persistent Google ad-tech critic.
“SWAN.community would appreciate the opportunity to explain our approach and intentions,” said Rosewell’s email to the members of the W3C’s Privacy Community Group, which has been reviewing ad-related privacy and identity proposals from Google, Apple and elsewhere. “We would also appreciate feedback from this group, particularly in relation to the use of legal remedies to protect people’s important privacy rights.”
“The group says its Secure Web Addressability Network (SWAN) offers an alternative as Google plans to phase out third-party cookies on its dominant Chrome browser,” wrote reporter Charlotte Tobbitt of the British media-analysis site PressGazette.co.uk. Tobbitt’s account said the SWAN group would be nonprofit. In its March 31 announcement, Rosewell was quoted as saying: “We are replacing third party cookies with a utility that won’t be run for excessive profit or proprietary gain.”
The idea appears to be an anonymized shared identification openingly offered to users who arrive at participating websites. The users are given the option to accept the ID or not. Participating websites have to accept take-it-or-leave-it “model terms” to participate in the cross-site identity service, which Rosewell said depends upon first-party cookies to operate.
APPLE PRIVACY CRACKDOWN
PRIVACY AND POLICY
Breaking privacy gridlock: Scholars see third-party certification among remedies
Certification bodies, self-regulatory organizations and “other gatekeepers” are among ideas providing improved consumer privacy protection for the web proposed in a paper released this week by four respected academic researchers.
“Divisions over two enforcement issues—private right of action and federal preemption—have long gridlocked the effort to enact federal consumer privacy legislation,” the scholars write, adding: “A look at regulatory systems outside the privacy field, however, reveals a complex landscape of en-forcement mechanisms and remedies, many of which have not yet received much attention in the privacy debate.”
The paper (PDF) takes a look at the current U.S. federal privacy-law stalemate and is based on a set of 2020 workshops which gathered ideas from experts in financial services, environmental law, labor law, intellectual property and other fields. Among other ideas: A focus on regulatory supervision in addition to enforcement, and the right of citizens to sue.
“Many regulatory systems also rely on private-sector enforcers, such as certification bodies, self-regualtry organizations, accountants, lawyers and other ‘gatekeepers”, regulating the conduct of their third-party service providers,” the researchers write in an blog overview of their paper, headlined: “A Broader Look and Privacy Remedies.”
Quoting the work of Boston University law professor Rory Van Loo, they say policymakers in some fields have begun to rely upon third-party enforcement by the real gatekeepers of the economy — firms controlling access to core product markets. “Policymakers may want to look for ways to further leverage the power of browsers, operating systems and other technical intermediaries.”
The paper’s four authors are Jim Dempsey, executive director of the Berkeley Center for Law & Technology at the UC Berkeley Law School, Chris Jay Hoofnagle, professor and faculty director of that center, Ira Rubinstein, a senior fellow at the Information Law Institute, and Katherine J. Strandburg, director of New York University’s Information Law Institute and an interdisciplinary privacy research group at NYU.
- FTC court pleading calls Facebook an illegal ‘personal social networking’ monopoly | Alexis Keenan, Yahoo News
- Federal Privacy Rules Must Get “Data Broker” Definitions Right | Justin Sherman, LawfareBlog.com
- Mactaggart interview: How the tech industry is sewing confusion about privacy laws | Mark Sullivan, FastCompany.com | SEE QUOTE OF THE WEEK, BELOW
- Platforms, not regulators, are driving data privacy enforcement | Jessica Davies, DigiDay.com
- Why Democracy Needs Privacy: To prevent unfair influence | Carissa Veliz, BostonReview.net
- Six ways data sharing can shape a better future | Cathy Mulligan et al., World Economic Forum
- From California to Brazil: Europe’s privacy laws have created a recipe for the world | Jonathan Keane, CNBC.com
Does your organization need customized privacy compliance solutions? ITEGA can help.
We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.
|Screen capture from ICCL report to Irish government panel
Ryan rebukes Irish data privacy regulators for scant action; seeks government intervention
Ireland’s oldest independent human-rights body issued on Friday a strong criticism of the nation’s Data Protection Commission (DPC), accusing it of significant apparent inaction on allegations that Google and other major U.S. tech companies are violating the privacy rights of European Union citizens.
It was the latest carefully footnoted and documented complaint from Johnny Ryan of the Irish Council for Civil Liberties (ICCL), who is particularly peeved that his claims alleging privacy violations by Google’s Real Time Bidding (RTB) advertising system have been languishing at the DPC for years with no findings or outcome.
The Irish DPC hs “delivered decisions in only 2% of the 196 EU-wide cases where it is the EU “lead” authority, Ryan write in the April 9 post. The ICCL proposes the Irish government appoint two new data-privacy commissioners and a new commission chair, and apparent challenge to the DPC’s head, Helen Dixon.
It’s a tricky situation for Ireland, which for tax-preference reasons hosts the EU headquarters of Google, Facebook, Apple and Microsoft, among others. EU law therefore makes the Irish DPC the preferred handler of any privacy regulation EU-wide. So Ryan’s argument is that lack of action by the DPC is stalling any enforcement of the General Data Protection Regulation (GDPR) throughout Europe.
“The DPC is the bottleneck of GDPR enforcement against Google, Facebook, Microsoft and Apple, everywhere in the EU,” the ICCL paper says.
FACEBOOK DATA LEAK
|GOOGLE AND PRIVACY
Berners-Lee in key W3C group declaring Google
“sandbox” piece may be harmful, detrimental to web
In a rebuke to Google’s public “Privacy Sandbox” effort to navigate privacy and ad targeting, a key unit of the respected World Wide Web Consortium (W3C) has criticized a key “sandbox” idea which Google engineers created to satisfy advertisers trying to link multiple domains. It is called “First Party Sets.
”The W3C group calls the proposal “harmful to the web in its current form” and expresses concern it “can result in detrimental effects to the greater web ecosystem.”
TAG is a special working group of the W3C chartered with stewardship of the web architecture. It has 10 participants (6 elected, 3 appointed, and 1 chair. Companies represented currently include Microsoft, Samsung, Intel and Apple. Google is not represented. A Google engineer requested the design review. Membership includes Sir Tim Berners-Lee, the inventor of the World Wide Web protocol.
In its opinion, made public this week, the W3C’s Technical Architecture Group (TAG) concludes that First Party Sets is vaguely explained and it goes on to site several concderns. It also questions whether Google’s proposal essentially replaces third-party cookies with another mechanism that has the same practical effect.
On another point, it adds: “The proposed governance model for first party sets involves browser-curated allow lists. This model puts the browser-maker at the center of how information is shared across origins, and introduces another point of variance about how the web can be expected to work across different browsers.”
“The ‘Privacy Sandbox’ initiative proposes (among other things) to restrict ‘third-party cookies’, which would align with other browsers and with general industry trends,” the TAG report says, adding. “However, this proposal seeks to redefine what it means to be a third-party cookie. In that context, the efficacy of the ‘Privacy Sandbox’ initiative is thrown into question.”
Google’s announced intention to pull third-party cookies support from its world-dominant Chrome browser — and make what it calls privacy-aware changes — endured additional criticism this week in an essay posted by the Council on Foreign Relations. In Why Celebrations of Google’s Privacy Announcement Are Misplaced, Columbia University scholar Maya Villasenor wrote:
“Google no longer needs or wants to depend on data derived from tracking users outside of its purview, and thus its announcement is better viewed as a manifestation of the extraordinary scale of the data it has already collected than as an altruistic, pro-privacy decision.”
FACIAL RECOGNITION AND PRIVACY
COVID AND PRIVACY
- ACLU warns of “privacy nightmare” if data “passports” are used for vaccine checking | DemocracyNow.org
- ACLU, a defender of digital privacy, reveals that it shares user data with Facebook | Danielle Abril, Fortune.com
- Opinion: Stop calling them ‘vaccine passports’ | Leana S. Wen, WashingtonPost.com
- Vaccine passports must be proportionate, legal, EU privacy watchdogs say | Foo Yun Chee, Reuters PLC
- Privacy concerns grow as states consider vaccine passports | CNN via KVOA-Tucson
- Governor Baker says no to vaccine passport proposals in Massachusetts | Travis Andersen, BostonGlobe.com
- The next vaccine challenge: Building a workable ‘passport’ app | David Ingram, NBCNews.com
- Facial Recognition for COVID Vaccination: What About Data Privacy? | Mehap Qureshi, TheQuint.com
- Biden White House in talks with airlines on vaccine passports; will issue guidance | David Shepardson, Reuters PLC
- White House Against Vaccine Passports Due to Privacy Concerns | Eric Mack, NewsMax.com
- Got your covid shots? You might have to prove it | Lindsay Muscato, MIT Tech Review
PROCTER & GAMBLE AND PRIVACY
Is Procter & Gamble exploring an effort to end-run Apple’s privacy moves? Wall Street Journal article raises question
The challenge facing big marketers as they navigate changes in the ad-tech landscape has apparently led Procter & Gamble, the big consumer package-goods manufacturer, to work with a Chinese advertising association on solutions. The Wall Street Journal broke the story this week, suggesting the goal of the effort is to work around Apple’s intention to start blocking a key tool that facilitates targeting advertising messages to individual consumers.
The WSJ story doesn’t make it clear whether P&G is merely doing research or might actually seek to end-run Apple’s privacy efforts. P&G doesn’t appear to have commently prominently yet. One report says it has been assembling its own database of over a billion individual consumer data points.
AD TECH — Publishers’ identity initiative
- How local publishers, through LMC, are taking on federated SSO identity | Fran Wills & Scott Cunningham, via AdExchanger.com
- IAB Internet Advertising Revenue Report | Internet Advertising Bureau
- Publisher ad alliances get a new look as cookie changes loom | Max Willens, DigiDay.com
- OVERVIEW: Privacy and ads in Google Crome about to become really complicated | Dieter Bohn, TheVerge.com
- Real Time Bidding data could pose national security risk, bipartisan senators say | Wendy Davis, MediaPost.com
- Criteo Is Ready To Test The Single Sign-On Software For Unified ID 2.0 | Allison Schiff, AdExchanger.com
- Ad Tech Jockeys For Position In The Quest For Consumer Consent | Allison Schiff, AdExchanger.com
- Publicis’ Epsilon and The Trade Desk partner to preserve targeting as cookies disappear | Alison Weissbrot, CampaignLife.co.uk
- Publicis/Epsilon Is Making Its Identity Platform Interoperable With Unified ID 2.0 | Allison Schiff, AdExchanger.com
- Why some publishers worry identity tech could slow down their sites | Kate Kaye, DigiDay.com
- VENDOR VIEW: Data Clean Rooms Will Play A Key Role In A Cookieless World | Carolina Abenante, NYIAX
- Florida privacy bills would limit data retention to one year, ad industry says | Jack Neff, AdAge.com | CONSUMER REPORTS’ PLEA TO FLORIDIANS
- Florida Privacy Legislation May Go Forward — Without Private Right of Action | Kristin Bryan, Squire Patton Boggs law firm
- BACKGROUND: How new CRPA privacy agency will affect business | Shaia Araghi, Newmeyer Dillon law firm
- Oklahoma data privacy legislation hits roadblock, bill’s co-authors seek hearing | Sasha Beling & Sasha Beling, McAfee Taft law firm
- Consumer privacy push in Florida limps forward | Bobby Caina Calvan, Associated Press
- State Data-Privacy Landscape: Is Federal Involvement Best Way Forward? | Peter Nelson & Andrew Willinger, Patterson, Belknap law firm
- Colorado, Nevada, Texas, and West Virginia All Introduce CCPA-Inspired Consumer Privacy Legislation Within Weeks | Haylee Saathoff, Fisher Phillips law firm
- Alaska consumer privacy act: CCPA copycat with unanswered questions | Nancy Libin, Davis Wright Tremaine LLP
QUOTE OF THE WEEK
Mactaggart says tech lobbies for weak state privacy laws, and federal law unlikely, so California dominates
“It’s unlikely that there is a federal law that preempts California’s privacy law. As an American I would welcome a strong national privacy law. Great. So where does that leave us? I don’t know. But when everything’s going to have to get done with 50 votes [in the Senate]–until the filibuster goes, 60 votes–it’s a hard one to imagine happening, I’ve got to tell you . . . .
“[Tech industry groups are] very overtly going around the country trying to pass weak laws. The Virginia law is a very weak compared to California. Because their strategy is to create confusion that will allow them to go to Congress and say “you guys need to fix this.
“And for all these [tech] businesses that will say “we can’t possibly plan for plan for 50 different state laws,” I say, “Well, the last time I looked, there are banks and hospitals in all 50 states–you do it in these sectors why can’t do it across the board?”
“If you look at the existing national privacy laws, whether it’s the GLBA for finance or HIPAA for health, they are both laws that set a national floor, but they let states go further. Professional licensing is done by the states, and employment and unemployment insurance and working conditions are regulated differently state by state, so I don’t buy that at all. The desire for one law is really just the desire of an industry to have a weak law . . . “I’ve talked to people who say they’ve been on calls with industry groups saying that their overall strategy is to create that confusion and then go to Congress and say “there’s such confusion.
“And yet, you know, a lot of the trains are already leaving the station. You see what Apple did with iOS 14.5 [requiring app makers to ask permission to track users], and what Google is now doing with their ending support for third party cookies. I think a lot of the big companies are reading the writing on the wall and thinking “this is coming my way.”
|ABOUT PRIVACY BEAT
Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker. Submit links and ideas for coverage to firstname.lastname@example.org.