(Privacy Beat will be on vacation Friday, July 9)

Who can share users across domains? And when? Apple, Google discussions playing out in W3C group; SSO at stake? 

When a user logs in on one website, how and when should that log in be carried forward to other websites? The answer to that question could affect most organizations that operate multiple domains and websites, and could have a significant impact on users, too.  Answering that question is not simple, it appears from discussions in a public interest group maintained by the World Wide Web Consortium (W3C). Not surprisingly, the two most important players — Google and Apple — are not yet in agreement. 

The discussion — quite technical and difficult to follow — continued last week (June 24) during an online web meeting of the W3C Privacy Community Group, with 45-50 participants. The discussion (see minutes) was opened by Google Chrome Privacy Sandbox lead engineering manager Kaustubha Govind, who was updating the group on Chrome’s First Party Sets proposal. A key respondent was John Wilander, Apple WebKit security and privacy engineer, who works on the Safari browser.  Both are working on a variety of privacy initiatives to tighten the way browsers handle “cookies” and exchange of user data. 

In the June 24 session, a key question was who should decide when two different domains in common corporate ownership — say google.com and youtube.com — should be permitted to share information through a user’s browser? Or, say, comcast.com and nbc.com. Or aol.com, yahoo.com and techcrunch.com. Or what if a trade collaboration such localmediaconsortium.com wants to run a federated single-sign on (SSO) service for hundreds of member news sites and share common user data? 

“How do you actually prevent this from bad-faith actors making — claims that they’re the same first party when they’re not,” asked Govind.  She said Google was thinking of a policy-based process to work where the technology might not. Browser software makers Google and Apple are debating the possibility of having a independent third party provide a “white list” of domain names that are considered to be in common ownership or affiliation — rather than have a single browser vendor do so.  The browser software could query the third party to determine whether a particular domain could ‘share identity’ with another one. 

“I”m very encouraged by the prospect of having something that can be automatically checked in order to avoid a lot of potential future policy debates,” observed Don Marti, of CafeMedia.com, which manages advertising for hundreds of publishers. 

Facebook Connect and Google Accounts provide login across multiple websites. It’s not clear how they would be affected by the W3C discussions, or how federated Single Sign On (SSO) services would be cleared to share logins. 

FTC, FACEBOOK, AND FINING POWER 

• FTC Vote Could Pave Way for New Privacy Rules | David Uberti, WSJ.com
• FOLLOWUP: Did the US Supreme Court Just Gut Privacy Law Enforcement? | Theodore F. Claypoole, Womble Bond Dickson (US) LLP law firm
• State attorneys general seek confirmation of FTC’s ability to fine | IAPP Privacy Blog
• Federal Judge Throws Out 2 Antitrust Cases Against Facebook | Cecilia Kang, NYTimes.com
• RELATED STORY | DECISION TEXT
• Did Judge Boasberg provide the FTC an antitrust case road map? | Gilad Edelman, Wired.com
• Ex-FCC chief: Court’s Facebook decision shows why we need digital regulatory agency | Tom Wheeler, Brookings Institute 

WASHINGTON WATCH 

• Time to Boost Privacy Protection Around Cloud Data: US Lawmakerstell hearing | Reuters PLC 
• REPORT: Vaccine passports underscore the necessity of U.S. privacy legislation |  Nicol Turner Lee, Samantha Lai and Emily Skahill, Brookings Institute
• Privacy Watchdog Board’s Secret Report on N.S.A. System Fell Short, Member Says | Charlie Savage, NYTimes.com
• Watchdog says: NSA surveillance program still raises privacy concerns years after exposure | Ellen Nakashima, WashingtonPost.com | RELATED STORY (TheGuardian)
• Microsoft exec: Targeting of Americans’ records is ‘routine’ | Eric Tucker & Matt O’Brien, Associated Press
• Sen. Wyden preps bill to restrict ad-tech data flows to foreign “adversaries” | Kate Kaye, DigiDay.com
• Matt Stoler provides deep and clear analysis of the antitrust bills |  Matt Stoller via Substack.com | WHO IS MATT STOLLER? 
• Appeals court denies challenge to differential privacy use in 2020 census | Hansi Lo Wong, NPR.org via IAPP News Blog

ANTITRUST

• BACKGROUNDER: Why small newspapers have filed antitrust suits against Google | Andrew Conte, NextPittsburgh.com 
• Spain antitrust watchdog probing Amazon and Apple for antitrust violations | Brandy Betz, SeekingAlpha.com
• PROFILE: Lina Khan, the 32-year-old tapped to police Big Tech | Katie Canales, BusinessInsider.com
• Sen. Warren Urges Investigation Into Google’s Alleged Ad Manipulation Via ‘Project Bernanke’ | Laurie Sullivan, MediaPost.com | RELATED STORY
• Warren Urges Investigation Into Potential Antitrust Practices by Google | Sharon Zhang, TruthOut.com
• Khan should not be part of antitrust probes of Amazon, company says | Brent Kendall, WSJ.com | RELATED STORY | RELATED STORY
• PERSPECTIVE: How Washington got back into trust-busting | Ron Knox, WashingtonPost.com

 Privacy Beat will be on vacation Friday, July 9

PRIVATE DATA | PUBLIC PURPOSE 

Stanford, Princeton working with Mozilla on opt-in research data use to test investigative journalism’s impact

For two decades, Internet visionaries have held out the promise that citizens who use the web should have ultimate control of information about who they are, what they like — and what they do.  But it hasn’t worked out that way.  Instead, books like Shoshana Zuboff’s “Age of Surveillance Capitalism” have popularized the idea that major tech platforms profit by collect user activity and using it to make money.

Now, Mozilla Inc., operator of the Firefox web browser, wants to find out how many web users are willing to share their personal data for research rather than profit with an initiative called “Mozilla Rally.”  It’s starting two research projects, and one of them involves study of how to help pay for journalism. Mozilla is owned by the Mozilla Foundation, a 501(c)3 nonprofit organization. 

Mozilla is working with researchers at Princeton University (on COVID-19 and the news) and Stanford University, on a study called “Beyond the Paywall,” a reference to how many news organizations control access and payment to web information. A GitHub description of the paywall project is designed “to measure both the accountability impact of, and consumers’ willingness to pay for, investigative journalism by local outlets . . . . “ At Stanford, Gregory Martin is the project director (gjmartin@stanford.edu | 650-498-3321).

“Your data is valuable,” the pitch page for the initiative begins. “But for too long, online services have pilfered, swapped and exploited your data without your awareness. Privacy violations and filter bubbles are all consequences of a surveillance data economy. But what if, instead of companies taking your data without giving you a way, you could select who gets access to your data and put it to work for public good?” 

At the moment, Rally is meant to appeal to a kind of civic instinct in internet users, DigiDay reporter Max Willens wrote in his account. He says Mozilla and its collaborators hope eventually to share information back with users “as a kind of value exchange and also as a way of understanding the picture that some of the largest digital companies can and do draw from their consumers.”

PERSONAL PRIVACY 

• Are we seeing an end to ‘surveillance capitalism’ on the internet? | Matthew Sparkes, TheNewScientIst.com
• Is notice and choice enough, or is consent required? | Robert Gellman, IAPP Privacy Blog
• Why Our Brains Struggle With The Threat Of Data Privacy | Gord Hotchkiss, MediaInsider/MediaPost.com
• The five most essential privacy tools of 2021 | Jack Morse, Mashable.com

PUBLISHERS, PLATFORMS, PRIVACY 

• Australian regulator may authorise media group talks with Google, Facebook | Sameer Manekar, Reuter’s PLC
• Exclusive: Google deal with French publishers on hold pending antitrust decision | Mathieu Rosemain, Reuters PLC
• Facebook set to finance regional Australia newspaper fund | Reuters PLC
• Denmark’s Publishers Seek New Ways For Tech Giants To Pay For Content | Rob Williams, PublishingInsider/MediaPost.com
• Facebook unveils ‘Bulletin,’ a newsletter subscription service | Mike Isaac, NYTimes.com | RELATED STORY | RELATED STORY
• Why Los Angeles Times wants to be a ‘media platform,’ not just a newspaper | Brian Stelter, CNN.com

FACIAL RECOGNITION / BIOMETRICS

• New NYC biometric law forbids sale/sharing of data | Brian Pete et al., Lewis, Brisbois law firm
• Federal agencies need stricter limits on facial recognition to protect privacy, says government watchdog |  Gerrit De Vynck WashingtonPost.com
• GAO surveys federal agencies’ use of facial recognition tech | IAPP News Blog
• Maine passes statewide facial recognition ban | Jennifer Bryant, IAPP Staff
• EU Privacy Watchdogs Seek AI Biometrics and Facial Recognition Ban in Public Spaces | Scott Ikeda, CPOMagazine.com
• Canada’s Liberal Party scrutinized for facial recognition use | Marieke Walsh, Toronto Globe and Mail
• The Growing Biometric Privacy Liability | Jonathan Meer, Wilson Elsner law firm
• WHITE PAPER: Biometric login: The new face of identity management and cybersecurity | Matra Softech via BiometricUpdate.com

COVID 19 AND PRIVACY

• Google update will allow digital COVID-19 vaccination cards and test results to be stored on Android devices | Sarah Perez, TechCrunch.com
• The EU’s COVID-19 ‘digital certificates’ are up and running | Natasha Lomas, TechCrunch.com

California data reporting kicks in 

• Data privacy metrics reporting took effect July 1 in California | David Klein, Klein, Moynihan & Turco LLP | RELATED STORY

Knight-UMass research vision of “platform” future: Smaller communities focused neighborliness and citizenship

A new vision of social-media platforms running at the scale of real communities — rather than hundreds of millions of users — and focused on how to support better neighbors and better citizens, should be the focus of efforts to replace YouTube, Facebook and Amazon in their current forms, academic researchers have heard. 

The vision was laid out in pieces during a week-long virtual symposium in May organized by Columbia University’s Knight First Amendment Institute and the University of Massachusetts-Amherst’s public-policy school.  The “Reimagine the Internet” sessions were viewed by at least 1,400 people according to organizers, including Ethan Zuckerman, a visiting scholar at the Knight institute who is now a professor at UMass.  

Zuckerman said a big problem with prominent internet communities is that they are too big to be communities.

“It’s not too late to fix things,” Zuckerman was quoted in a summary report of the proceedings, as saying. “But the key is that we have to stop fixing what exists right now and start imaging something else is possible. It’s not about fixing Facebook, It’s not about fixing YouTube. It’s not about fixing Google. It’s about imaging and building alternatives to what exists now.” 

In research leading up to the symposium, Zuckerman looked at some nascent alternatives, including WikiPedia, and Front Porch Forum.  It would help if multiple community networks operated in such a way as to make it easy for people to move their data from one to the other or use more than one in the same fashion.  This was termed, variously, “adversarial interoperability” or “competitive compatibility,” according to the summary report by A. Adam Glenn. 

“The internet and the relationships that we have with each other on it are just too important to leave up to to the market,” Glenn quoted Zuckerman as saying. “It’s not just about what becomes the most popular, what becomes the most successful. We actually need tools that are designed specifically to help us to be better citizens and to be better neighbors.”

STATE HOUSE BEAT 

• WHITE PAPER: Managing compliance with growing patchwork of state laws | Bullard Spahr LLP law firm
• Ten key differences between the 2023 California, Virginia, and Colorado privacy laws | Mark Brennan & Ryan Woo, Hogans Lovell law firm
• California’s new top enforcer sees social dimension to antitrust, privacy enforcement | Mike Swift, Alex/LexisNexis
• PODCAST: The Colorado Privacy Act dissected | Brownstein Hyatt Farber Schreck, LLP law firm
• Changes In Connecticut’s Data Privacy Laws – But Not As Drastic As It Could Have Been | Cynthia J. Larose, Mintz law firm
• Minnesota lawmaker interviewed on privacy-bill strategies | David Stauss, Husch Blackwell law firm | RELATE STORY (NYTimes)
• SCOTUS: California attorney general can’t demand identity or donors | Wendy Davis, DigitalNewsDaily/MediaPost.com

EU PRIVACY 

• Outgoing Privacy Commissioner Calls GDPR “Broken,” Says That Basic Model “Can’t Work” | Scott Ikeda, CPOMagazine.com | RELATED STORY 
• An assessment: GDPR – Three Years In | Richard Hancock, CPOMagazine.com
• EU digital agenda to foster trust in digital technologies, Vestager says | Luca Bertuzzi, Euractiv.com
• ANALYSIS: The CJEU did not rescind the one-stop shop. Quite the opposite | Lokke Moerel & Ronan Tigner, IAPP Contributors
• Hoff: EU, US ‘not at the beginning’ of Privacy Shield negotiations | Ryan Chiavetta, IAPP Staff
• European Commission adopts UK adequacy decisions | Ryan Chiavetta, IAPP StafF
• EU Approves UK Data Rules, Avoiding Online Advertising Chaos | Karlene Lukovitz, MediaPost.com
• Big Tech May Face Blizzard of Probes in EU as CJEU  Clears Path for Data Protection Authorities | Scott Ikeda, CPOMagazine.com

WORLD PRIVACY 

• Former diplomat sees ‘voices of concern’ in China over the buildup of a surveillance state | CNBC.com
• Renowned cryptographer  signs Norwegian groups letter seeking end of surveillance advertising | Bruce Schneier’s blog
• China’s city of Shenzhen considers law to regulate surveillance camera installation | Yujie Xue, South China Morning Post
• Regional Australian police testing facial-recognition system | Joseph Taylor, TheGuardian.com
• WhatsApp sues Indian government over new privacy rules – sources | Joseph Jenn, Reuters PLC
• Big Tech gearing up for massive fight with Modi’s India | Saritha Rai & Vlad Saviv, Bloomberg.com
• India’s digital database for farmers stirs fears about privacy, exclusion | Rina Chandran, Reuters PLC
• Dawn of a new era for data privacy in South Africa | Admire Moyo, ITWeb.co.za