W3C group asked to review non-profit identity governance bid; scholars support third-party governance

Privacy Beat

Your weekly privacy news update.



Above: A “swan” depiction cached from the SWANN.community website


British ad-tech group seeks W3C review of a “nonprofit”-governed identity solution: will it compete with Google “sandbox”?

A British-based group of ad-tech companies sought on Friday advice and input from a World Wide Web Consortium (W3C) group for a new web identity system that could reduce the need for a set of proposals advanced by Google. The request by a group called SWAN.commmunity was made by ad-tech executive James Rosewell, a persistent Google ad-tech critic. 

SWAN.community would appreciate the opportunity to explain our approach and intentions,” said Rosewell’s email to the members of the W3C’s Privacy Community Group, which has been reviewing ad-related privacy and identity proposals from Google, Apple and elsewhere. “We would also appreciate feedback from this group, particularly in relation to the use of legal remedies to protect people’s important privacy rights.”

“The group says its Secure Web Addressability Network (SWAN) offers an alternative as Google plans to phase out third-party cookies on its dominant Chrome browser,” wrote reporter Charlotte Tobbitt of the British media-analysis site PressGazette.co.uk.  Tobbitt’s account said the SWAN group would be nonprofit. In its March 31 announcement, Rosewell was quoted as saying: “We are replacing third party cookies with a utility that won’t be run for excessive profit or proprietary gain.”

The idea appears to be an anonymized shared identification openingly offered to users who arrive at participating websites. The users are given the option to accept the ID or not. Participating websites have to accept take-it-or-leave-it  “model terms” to participate in the cross-site identity service, which Rosewell said depends upon first-party cookies to operate.









Breaking privacy gridlock: Scholars see third-party certification among remedies 

Certification bodies, self-regulatory organizations and “other gatekeepers” are among ideas providing improved consumer privacy protection for the web proposed in a paper released this week by four respected academic researchers.

“Divisions over two enforcement issues—private right of action and federal preemption—have long gridlocked the effort to enact federal consumer privacy legislation,” the scholars write, adding: “A look at regulatory systems outside the privacy field, however, reveals a complex landscape of en-forcement mechanisms and remedies, many of which have not yet received much attention in the privacy debate.”

The paper (PDF) takes a look at the current U.S. federal privacy-law stalemate and is based on a set of 2020 workshops which gathered ideas from experts in financial services, environmental law, labor law, intellectual property and other fields. Among other ideas: A focus on regulatory supervision in addition to enforcement, and the right of citizens to sue.

“Many regulatory systems also rely on private-sector enforcers, such as certification bodies, self-regualtry organizations, accountants, lawyers and other ‘gatekeepers”, regulating the conduct of their third-party service providers,” the researchers write in an blog overview of their paper, headlined: “A Broader Look and Privacy Remedies.”

Quoting the work of Boston University law professor Rory Van Loo, they say policymakers in some fields have begun to rely upon third-party enforcement by the real gatekeepers of the economy — firms controlling access to core product markets. “Policymakers may want to look for ways to further leverage the power of browsers, operating systems and other technical intermediaries.”

  The paper’s four authors are Jim Dempsey, executive director of the Berkeley Center for Law & Technology at the UC Berkeley Law School, Chris Jay Hoofnagle, professor and faculty director of that center, Ira Rubinstein, a senior fellow at the Information Law Institute, and Katherine J. Strandburg, director of New York University’s Information Law Institute and an interdisciplinary privacy research group at NYU.


Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More


Screen capture from ICCL report to Irish government panel


Ryan rebukes Irish data privacy regulators for scant action; seeks government intervention

Ireland’s oldest independent human-rights body issued on Friday a strong criticism of the nation’s Data Protection Commission (DPC),  accusing it of significant apparent inaction on allegations that Google and other major U.S. tech companies are violating the privacy rights of European Union citizens.

It was the latest carefully footnoted and documented complaint from Johnny Ryan of the Irish Council for Civil Liberties (ICCL), who is particularly peeved that his claims alleging privacy violations by Google’s Real Time Bidding (RTB) advertising system have been languishing at the DPC for years with no findings or outcome.

The Irish DPC hs “delivered decisions in only 2% of the 196 EU-wide cases where it is the EU “lead” authority, Ryan write in the April 9 post. The ICCL proposes the Irish government appoint two new data-privacy commissioners and a new commission chair, and apparent challenge to the DPC’s head, Helen Dixon.

It’s a tricky situation for Ireland, which for tax-preference reasons hosts the EU headquarters of Google, Facebook, Apple and Microsoft, among others. EU law therefore makes the Irish DPC the preferred handler of any privacy regulation EU-wide.  So Ryan’s argument is that lack of action by the DPC is stalling any enforcement of the General Data Protection Regulation (GDPR) throughout Europe.

“The DPC is the bottleneck of GDPR enforcement against Google, Facebook, Microsoft and Apple, everywhere in the EU,” the ICCL paper says.





Berners-Lee in key W3C group declaring Google
“sandbox” piece may be harmful, detrimental to web

In a rebuke to Google’s public “Privacy Sandbox” effort to navigate privacy and ad targeting, a key unit of the respected World Wide Web Consortium (W3C) has criticized a key “sandbox” idea which Google engineers created to satisfy advertisers trying to link multiple domains. It is called “First Party Sets.

”The W3C group calls the proposal “harmful to the web in its current form” and expresses concern it “can result in detrimental effects to the greater web ecosystem.”

TAG is a special working group of the W3C chartered with stewardship of the web architecture. It has 10 participants (6 elected, 3 appointed, and 1 chair. Companies represented currently include Microsoft, Samsung, Intel and Apple. Google is not represented. A Google engineer requested the design review. Membership includes Sir Tim Berners-Lee, the inventor of the World Wide Web protocol.

In its opinion, made public this week, the W3C’s Technical Architecture Group (TAG) concludes that First Party Sets is vaguely explained and it goes on to site several concderns.  It also questions whether Google’s proposal essentially replaces third-party cookies with another mechanism that has the same practical effect.

On another point, it adds: “The proposed governance model for first party sets involves browser-curated allow lists. This model puts the browser-maker at the center of how information is shared across origins, and introduces another point of variance about how the web can be expected to work across different browsers.”

“The ‘Privacy Sandbox’ initiative proposes (among other things) to restrict ‘third-party cookies’, which would align with other browsers and with general industry trends,” the TAG report says, adding. “However, this proposal seeks to redefine what it means to be a third-party cookie. In that context, the efficacy of the ‘Privacy Sandbox’ initiative is thrown into question.”

Google’s announced intention to pull third-party cookies support from its world-dominant Chrome browser — and make what it calls privacy-aware changes — endured additional criticism this week in an essay posted by the Council on Foreign Relations. In Why Celebrations of Google’s Privacy Announcement Are Misplaced, Columbia University scholar Maya Villasenor wrote:

“Google no longer needs or wants to depend on data derived from tracking users outside of its purview, and thus its announcement is better viewed as a manifestation of the extraordinary scale of the data it has already collected than as an altruistic, pro-privacy decision.”





Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat


Is Procter & Gamble exploring an effort to end-run Apple’s privacy moves? Wall Street Journal article raises question

The challenge facing big marketers as they navigate changes in the ad-tech landscape has apparently led Procter & Gamble, the big consumer package-goods manufacturer, to work with a Chinese advertising association on solutions.  The Wall Street Journal broke the story this week, suggesting the goal of the effort is to work around Apple’s intention to start blocking a key tool that facilitates targeting advertising messages to individual consumers.

The WSJ story doesn’t make it clear whether P&G is merely doing research or might actually seek to end-run Apple’s privacy efforts. P&G doesn’t appear to have commently prominently yet. One report says it has been assembling its own database of over a billion individual consumer data points.


AD TECH — Publishers’ identity initiative




Mactaggart says tech lobbies for weak state privacy laws, and federal law unlikely, so California dominates 

“It’s unlikely that there is a federal law that preempts California’s privacy law. As an American I would welcome a strong national privacy law. Great. So where does that leave us? I don’t know. But when everything’s going to have to get done with 50 votes [in the Senate]–until the filibuster goes, 60 votes–it’s a hard one to imagine happening, I’ve got to tell you . . . .

“[Tech industry groups are] very overtly going around the country trying to pass weak laws. The Virginia law is a very weak compared to California. Because their strategy is to create confusion that will allow them to go to Congress and say “you guys need to fix this.

“And for all these [tech] businesses that will say “we can’t possibly plan for plan for 50 different state laws,” I say, “Well, the last time I looked, there are banks and hospitals in all 50 states–you do it in these sectors why can’t do it across the board?”

“If you look at the existing national privacy laws, whether it’s the GLBA for finance or HIPAA for health, they are both laws that set a national floor, but they let states go further. Professional licensing is done by the states, and employment and unemployment insurance and working conditions are regulated differently state by state, so I don’t buy that at all. The desire for one law is really just the desire of an industry to have a weak law . . . “I’ve talked to people who say they’ve been on calls with industry groups saying that their overall strategy is to create that confusion and then go to Congress and say “there’s such confusion.

“And yet, you know, a lot of the trains are already leaving the station. You see what Apple did with iOS 14.5 [requiring app makers to ask permission to track users], and what Google is now doing with their ending support for third party cookies. I think a lot of the big companies are reading the writing on the wall and thinking “this is coming my way.”


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to newsletter@itega.org.

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2021 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp