Google aids effort that’s starting “federated identity” W3C interest group; minutes show Facebook’s, other concerns 

Google’s identity idea

By Bill Densmore, ITEGA

In nearly six hours of web-based discussion over two days involving more than 80 technologists and corporate strategists, a Google-supported discussion has moved to form a “federated identity” community group within the World Wide Web Consortium (W3C). The group will be focused on challenges to web privacy and identity resulting from the deprecation of third-party cookies. 

For now, it won’t consider so-called “decentralized identity” or “self-sovereign identity” initiatives, but may become a subset of a larger, broader identity interest group later, organizers decided.

This week’s Zoom-in “workshop” (May 25-26) around federated identity was organized and facilitated by Heather Flanagan, an academic librarian, university IT manager and expert at multistakeholder process for ICANN and others.  Flanagan told Privacy Beat that out of frustration about the confusion over Internet identity management she reached out to friends within Google, who agreed to pay her as a consultant to organize the two-day workshop.  A ground rule said laid down was that Google would not influence the design or outcome of the discussions. 

“Google funded me to spend time on this,” she said. “That was the only thing Google put into it and they knew I would be acting as a facilitator and moderator, not to argue Google’s point of view.”  She obtained permission to hold the meetings under auspices of the W3C’s Web Platform Incubator Community Group (WICG). “The next step is getting the Federated Identity Community Group together,” she added. 

Participants speaking up during the two-day discussion appeared universally concerned about a public perception that privacy is threatened by current systems. “It’s bad,” said Peter Saint-Andre, of Mozilla Corp., a browser maker. “It’s taken us 20 years to get to this point of screwing up the internet this badly that this is what w’re putting out. We’re dependent on pervasive surveillance to make things go and it’ll take us a while to fix that.

Minutes of both the first day and second day, (May 25-26) of the discussion are posted publicly.

Google’s principal representative during the two days, Sam Goto (see Google’s slides), was at times apologetic about confusion created by some of the company’s testing of alternate identity solutions, but he also was clear that the testing needed to continue. He also said Google didn’t want to end up imposing new browser standards if they weren’t supported by competing browsers. “Doing this only in Chrome doesn’t make any sense,” he said. “And so we don’t think we can and we don’t think we want a web where Chrome is the only one exposing these APIs.”  

Facebook took a low profile on Day 2, but on the first day, its tech spokesman Brad Hill offered a lengthy written statement observed that browsers may be the user’s agent, “but they are developed by other companies that have business and competitive interests.”  He cautioned against browser makers “using identity and authentication technology to lock users in to the identity provider’s browser, device or operating system, or to privilege adjacent products like payments” — clear references to Google and Apple.

Among general concerns during the two days:

  • At least two of the makers of dominant web browser technology — Apple, and Google — are moving to become “mediators” of web identity rather than neutral transmitters of “permissions”  at a time when they and Microsoft each have growing advertising businesses that could appear to pose a conflict of interest in keeping web identity services open to all competitors. See: “Identity in the Browser.”
  • Google’s declaration in Jan. 2020 that its dominant Chrome browser would within two years start blocking the exchange of data from third-party cookies has created deadline pressure which some competitors see as troubling because of the lack of a specific end date or milestones along the way. The result, they say, is that things “will get broken” before “theoretical” technical fixes are ready, including aspects of (1) session management (2) logging out across sites and (3) social widgets.

Third-party cookies have been used to track individuals across the web for targeting advertising, and has resulted in risk and some actual loss of trust in entities that operate on the open web. “I think that the use of identity for this purpose, cross site tracking, in the context of advertising technology, would in my mind create that risk that you’re trying to prevent,” said Aram Zucker-Scharff, of The Washington Post.