W3C federated-identity talks ponder who should be “sanctioning” tracking; Google meets secretly with big publishers on privacy/identity

Privacy Beat

Your weekly privacy news update.



New W3C federated-identity discussion ponders who should govern “sanctioning” of user tracking — user, or an independent third party?

Launching into its first substantive meeting, participants in a web-standards discussion group pondered this week whether it is technically possible to “preserve identity” for business purposes without enabling privacy-threatening online tracking of consumers.  One solution offered in public meeting notes — add a layer of legal policy governance on top of the tech.

“If we take away the [cross-site] tracking capabilities we make the user experience worse,” observed George Fletcher, an engineer with Verizon Media, which currently tracks hundreds of millions of its own users on sites like AOL, Yahoo and TechCrunch. “If the goal is preserving identity without enabling tracking, are those two goals incompatible?” he asked during the Aug. 20 Zoom virtual meeting of the World Wide Web Consortium’s (W3C) new Federated Identity Community Group.

The federated-identity group is preparing to accept proposals for ways to balance web privacy against perceived business needs to “track” users for advertising — and other purposes.

Friday’s discussion agenda focused on reviewing the initial purpose statement of the federated identity group, drafted by Flanagan after the group’s Aug. 2 founding meeting. A key phrase currently reads the group is a forum “focused on combating web features that will both support federated identity and prevent untransparent, uncontrolled tracking of users across the web.”

However, after discussion, 72% of the 27 signed-in meeting participants who cast a polling vote favored changing the language to read: “prevent unsanctioned tracking of users across the web while continuing to support sanctioned identity flows.” Left undecided, however, was who would be the “sanctioning” authority — whether the individual consumer through some system of privacy preference signaling — or some other entity. (Disclosure: ITEGA, the publisher of this newsletter, has proposed a role for itself as providing rules and governance over sharing of user identities on the web. ITEGA is a nonprofit 501(c)3, California-chartered public benefit corporation.)

In a May 25 session preceding the new group’s formation, Brian Campbell, CEO of Epyon, said it was hard for developers to code to different assumptions about identity tracking made by different browser companies.

“Yes,” the public meeting notes quote Google WebID manager Sam Goto as responding. “It is conceivable that there are other options to solve the problem.” In the Aug. 20 session, Goto described three identity challenges which Google is working on — (1) how to classify some tracking as “sanctioned” and some tracking as “unsanctioned”; (2) how to prevent websites from colluding to share data opaquely about users; and (3) whether “federated” identity (sharing user information across sites) has to mean that one so-called “identity service provider” knows all the places you visit on the web.





Google reportedly holding secret meetings with a few big publishers to discuss privacy-identity technology ideas

For the better part of two years, elements of the advertising-technology industry, generally including Google, have been meeting regularly in public via the World Wide Web Consortium’s discussion and project groups — trading ideas about how to balance user privacy with ad targeting of individuals. At the same time, two of the biggest U.S. publisher alliances, Digital Content Next and the News Media Alliance, have been pillorying Google in public on antitrust grounds.

Now there’s a report, however, that Google has been quietly meeting with a few selected publishers — large ones — to talk about privacy and identity technology. That report comes from Kate Kaye, one of Digiday’s ad-tech reporters, in a story this week. The discussions involve proposals in Google’s self-described “privacy sandbox” testing environment.

The News Media Alliance’s own blog reported that a Google spokesperson said they are “committed to open dialogue with publishers of all sizes.” But the unsigned NMA blog report said “most publishers were excluded from these meetings” and Google and any known participants refuse to disclose who is involved. Conversations were said by Digiday to include Google’s evolving FLoC technology, as well as timelines for implementing its new Privacy Sandbox technology.





Brookings analyst Cam Kerry suggests Biden antitrust focus may be distracting from federal privacy-law action

An experienced analyst who worked in the Obama administration is urging Congress to get cracking on a federal data-privacy law.

In a new Brookings Institution post, Cameron F. Kerry, the brother of former Secretary of State John Kerry, now the Biden administration’s climate-negotiation czar, says Congress has held no pivotal privacy hearings in the current session. “The state of negotiations have largely frozen since the last Congress,” Kerry writes, even though Democrat and Republican visions of a U.S. Consumer Data Privacy Act are almost identical. And he says behind-the-scenes discussions are occurring.

“Various stakeholder groups, including industry, consumer, and civil rights advocates, have been exploring proposals,” writes Kerry, adding: “These discussions focus primarily on limiting data collection, use, and sharing; protections against discriminatory use of personal information; private rights of action; and the scope of protection or preemption of state privacy laws.”

Kerry implies the Biden administration’s focus on antitrust action may be slowing consideration of privacy measures. But he says Congress need not wait for the Biden administration to act to get a “baseline” bill under active full-committee consideration and “kickstart end-game negotiations.”










Veteran privacy expert sees value in independent third party setting privacy rules — not conflicted industry players

  • Writing on the website of the International Association of Privacy Professionals, veteran privacy expert Robert Gellman, a lawyer with more than 40 years’ experience around Capitol Hill, explains why he thinks “notice and consent” fail at guaranteeing consumer privacy. He says an independent third-party enforcer is needed. Excerpts of his essay are below.

“After decades, we still talk about the role of notice and choice in privacy. Yet there seems to be broad recognition that notice and choice do nothing for the privacy of consumers. Some American businesses cling to notice and choice because they hate all the alternatives . . . .

“There is a new data point from Apple’s App Tracking Transparency framework. Apple requires mobile application developers to obtain opt-in consent before serving targeted advertising via Apple’s Identifier for Advertisers. Early reports suggest consumers are saying “NO” in overwhelming numbers — overwhelming as in more than 90%.

“ . . . [T]he National Do Not Call Registry run by the U.S. Federal Trade Commission. By one measure, the registry is a smashing success. It includes more than 240 million phone numbers. That means that a lot of people opted-in to the registry with an affirmative act. It was not a choice presented to them, but something that each individual had to seek out on their own by adding their number to the list. It is one measure of how much people hate spam calls.

“What do the Apple framework and the registry have in common? In both cases, a third party sets the terms and the methodology for consumer choice. In the one case, Apple set the terms. In the other case, the FTC did. This is not what happens when a website unilaterally sets the terms of consent. A one-sided approach is why consent does nothing for consumers today.

“The issue I raise is whether it is possible that consent can play a meaningful and fair role if an independent third party sets the terms of consent rather than a business desperate to have consumers agree to its terms. We have two data points that suggest a role for third parties is possible. A model from another sphere is the institutional review board that sets rules for consent in research activities . . . 

“Figuring out how to structure and present a third-party consent mechanism requires much debate. One possibility is that a neutral third party or a balanced process (with representatives of consumers and business) could establish acceptable methods for consent. One size will surely not fit all circumstances . . . . 

“I am certainly not seeking to rehabilitate notice and choice. I’m only asking if there might be a role for consent through a better process for defining and obtaining consent. Perhaps a truly neutral third party standing between the consumer and the business seeking choices involving privacy might produce a better and fairer outcome. My only goal is to add the idea of a third-party consent mechanism to current discussions.”


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker. Submit links and ideas for coverage to newsletter@itega.org.





Copyright © 2021 Information Trust Exchange Governing Association, All rights reserved.
