New W3C discussion ponders whether tracking is necessary for good user experience; is policy governance over tech needed?  

By Bill Densmore
Posted: Aug. 20, 2021

Launching into its first substantive meeting, participants in a web-standards discussion group pondered this week whether it is technically possible to “preserve identity” for business purposes without enabling privacy-threatening online tracking of consumers.  One solution offered in public meeting notes — add a layer of legal policy governance on top of the tech. 

“If we take away the [cross-site] tracking capabilities we make the user experience worse,” observed George Fletcher, an engineer with Verizon Media, which currently tracks hundreds of millions of its own users on sites like AOL, Yahoo and TechCrunch. “If the goal is preserving identity without enabling tracking, are those two goals incompatible?” he asked during the Aug. 20 Zoom virtual meeting of the World Wide Web Consortium’s (W3C) new Federated Identity Community Group.

The federated-identity group is preparing to accept proposals for ways to balance web privacy against perceived business needs to “track” users for advertising — and other purposes. A 2019 W3C document defines tracking as “collection of data regarding a particular user’s activity across multiple distinct contexts and the retention, use, or sharing of data derived from that activity outside the context in which it occurred.”

Later in the meeting, Fletcher wondered if the group wanted to prescribe ways user data such as an email address may be used when it is shared with the user’s permission. “If we want to go down that path, and I’m not sure we want to in this group, I think we’re talking more about some data provenance kind of mechanism that goes along with the attribute values and that means a whole legal framework to fund to make it stick,” Fletcher observed. 

“Terrifying,”  the group’s chairperson, Heather Flanagan, commented immediately after Fletcher’s statement. Flanagan is an independent consultant who earlier disclosed that she has been hired by Google to set up the federated ID discussion group.  Google has been advancing proposals to manage user interests and other profile information within its Google Chrome browser. The notion of browser software controlling web identity was also discussed. 

Friday’s discussion agenda focused on reviewing the initial purpose statement of the federated identity group, drafted by Flanagan after the group’s Aug. 2 founding meeting. A key phrase currently reads the group is a forum “focused on combating web features that will both support federated identity and prevent untransparent, uncontrolled tracking of users across the web.”  

However, after discussion, 72% of the 27 signed-in meeting participants who cast a polling vote favored changing the language to read: “”prevent unsanctioned tracking of users across the web while continuing to support sanctioned identity flows.”  Left undecided, however, was who would be the “sanctioning” authority — whether the individual consumer through some system of privacy preference signaling — or some other entity. (Disclosure: ITEGA, the publisher of this newsletter, has proposed a role for itself as providing rules and governance over sharing of user identities on the web. ITEGA is a nonprofit 501(c)3, California-chartered public benefit corporation.)

There are browser and other identity-sharing experiments underway that are “at odds with the pieces that are used to facilitate SSO (single sign-on) federation type flows, we’re running into a conflict,” said Brian Campbell, CEO of Epyon Technologies Inc.  “It’s a very difficult problem.  But my understanding is this group, we are here to develop proposals to allow for sanctioned, legitimate — I don’t know the right word — but what would be viewed as legitimate SSO cross-domain communication in a way that is legitimate, informed, consented to, but that works within the constructs of these impending changes from the browsers.”  

Among companies represented on the Aug. 20 session were tech companies Microsoft, Salesforce, Verizon Media, AuthO, Ping Identity, Adobe, Google, Neustar, plus publisher John Wiley & Sons and the nonprofit Online Computer Library Center.  Neither Apple nor Facebook appeared to be represented.  Both were part of a May 25-26 workshop that led to creation of the new working group.  During that meeting, Brad Hill, the head of Facebook Login, the sign-on service the social network controls, appealed for a multi-stakeholder approach to identity and a service not controlled within web-browser software (such as Google’s Chrome). Facebook doesn’t have its own web browser. 

“Blocking passive tracking is a good goal,” Facebook’s Hill wrote in prepared remarks made a part of public notes of the May 25 meeting. “But when we turn to active user choices, it is likely overreach to say that the only acceptable interactions between consenting parties on the web can be those which  browser can constrain and verify technically an deterministically, rather than providing a general platform on which contracts, regulation and trust provide a nuanced and flexible overlay to help balance difference interests.”  

In the May 25 session, Campbell, of Epyon, said it was hard for developers to code to different assumptions about identity tracking made by different browser companies.“Yes,” the notes quote Google WebID manager Sam Goto as responding. “It is conceivable that there are other options to solve the problem.”  

In the Aug. 20 session, Goto described three identity challenges which Google is working on — (1) how to classify some tracking as “sanctioned” and some tracking as “unsanctioned” (2) how to prevent websites for colluding to sharing data opaquely about users and (3) Does “federated” identity (sharing user information across sites) have to mean that one so-called “identity service provider” knows all the places you visit on the web?