Google proposes independent entity to verify  cross-site privacy and first-party data sharing

Weaving a path between privacy protection and effective advertising, a tech-industry discussion group is struggling to determine whether browser software makers alone or, as Google suggests, an independent entity, are better positioned to provide a trustworthy privacy/sharing balance. 

This week, the discussion got specific during a Sept. 9 virtual meeting of the World Wide Web Consortium’s (W3C) Privacy Community Group. (EARLIER STORY)

Browser makers Apple, Google and Mozilla have been working for at least a couple of years on proposals that would have their software manage or outright prohibit the use of “cookies” to track users between websites — as a privacy enhancement.  

But the problem is that publishers, advertisers and some merchants find it useful to share information across-site — about individual users.  The W3C group is struggling to find a way for browser software to block “inappropriate” tracking but still allow tracking that is desired by the consumer — such as a network subscription content. 

Should websites that have a common owner be able to share cookie data via a proposed browser approach from Google termed “First Party Sets”?  But what if privacy policies differ across their sites?  Should websites that are in some way affiliated, but not by common ownership, be allowed to participate in a federated single-sign-on service? 

And the toughest question: Who decides whether one website is legitimately affiliated with another website for purposes desired by the end user?  The First Party Sets idea has gathered an array of comments, all documented publicly. 

It was that question that underlay Thursday’s discussion, begun by Apple browser developer John Wilander around his “Private Click Measurement” proposal. Then the talk turned to First Party Sets, and a proposal from Don Marti, who works for publisher ad network CafeMedia. Others commented.  The discussion was moderated by Kaustubha Govind, Google’s engineering manager for the Chrome browser, and the co-author of Google’s “FIrst Party Sets” proposal as well as a proposed policy for “User Agents” (the browser software).

Marti described in pre-meeting documents the idea of an “Independent Enforcement Entity” (IEE)  that could have a global role of deciding and publicizing legitimate affiliations.  Marti’s implication was that Safari, Chrome, Firefox and other browsers could then choose to rely upon the IEE’s determinations and either allow or disallow cross-site tracking.  The need for an independent enforcement entity was first proposed Aug. 12 by Google during a ad-hoc meeting of the W3C privacy community group. (See the Aug. 12 proposal slide deck)

“You’re basically describing a law-enforcement agency,” said Aram Zucker-Scharff, of  The Washington Post.  “In the U.S. there are probably four different ways you could incorporate that would have radically different structures with different consequences,” Zucker-Scharff.  “Inherently enforcing this becomes very messy.” He suggested instead that decisions about data sharing could be based on a website’s status as a transparent data “controller” under European Union or other law, rather than its brand or corporate ownership. 

“I would like to be able to not have an IEEE,” said Sam Weiler, a MIT engineer who leads the W3C’s efforts to improve privacy and security on the web. He did not elaborate.

Other participants in the discussion suggested the independent enforcement entity (IEE) could be organized to require certified statements from websites about their privacy and data-handling practices; that these statements could be maintained in a searchable public database on which the public and browser makers could rely. 

Marti said he thought “if there is going to be a reasonable-sized IEEE it needs to be focused on the uses of peoples’ personal information that are something that actually has an impact on users.” He added: “I think we can come up with a set of reasonably cost-effective ways to do a significant portion of the IEE’s task.”

Google’s Govind, the moderator, said she thought “some people see the scope of the IEEE as being much more expansive” with transparent maintenance of documents, a mechanism to report problem issues and spot-checking of some operations by the IEEE. 

(DISCLOSURE: The Information Trust Exchange Governing Association (ITEGA), is a independent, nonprofit entity established to manage trust, identity and privacy on the web). 

AD TECH

• After Google’s cookie reprieve, publishers’ identity tech adoption slows to a crawl | Kate Kaye, DigiDay.com
• Contextual Advertising Is Not Replacing Behavioral Ads. It’s Enhancing Them | Joseph Zappa, StreetFightMag.com
• Goggle tells advertisers: Don’t be alarmed that consumers want more data control | Matt Brittin, Google via CampaignLive.co.uk
• Alfi’s Facial detection ad technology sparks privacy concerns | Brody Ford, Bloomberg via IAPP Daily Dashboard
• A business battle brewing between WordPress and Google Ads | Jack Lloyd, TheAmericanGenius.com
• Facebook advertisers struggle to track sales after Apple privacy changes | Garett Sloane, AdAge.com

PLATFORMS AND PRIVACY

• How Facebook Undermines Privacy Protections for Its 2 Billion WhatsApp Users | Peter Elkind, Jack Gillum and Craig Silverman, ProPublica.org
• Facebook Isn’t Reading Your WhatsApp Messages. The Problem Is Much Worse | Jason Aten, Inc.com
• What ProPublica’s investigation into WhatsApp left out | Casey Newton, Platformer via Substack.com
• WhatsApp “end-to-end encrypted” messages aren’t that private after all | Jim Salter, ArsTechnica
• Privacy questions: Beware the person with Facebook’s “smart glasses” cameras | Chris Velazco, WashingtonPost.com | RELATED STORY
• Apple must face Siri voice assistant privacy lawsuit, U.S. judge rules | Jonathan Stempel, Reuters PLC
• Biometric Privacy Class Action Against Google Is Stayed to Reduce Litigation Costs | Natalie A. Prescott, Mintz law firm
• Google seeks fraud claims tossed from California federal -court privacy action | Jake Holland, BloombergLaw.com
• OPINION: No net privacy? Apple’s Attempted Crackdown On Child Sexual Abuse Leads To Battle  | Dan Kennedy, WGBH.org
• ProtonMail Amends Its Policy After Giving Up an Activist’s Data | Jim Salter, ArsTechnica via Wired.com

PERSONAL PRIVACY 

• With liberty and privacy for some? Widening inequality on the digital frontier | Cillian Kieran, TechCrunch.com
• Six of the Best Internet Browsers for Protecting Your Privacy |. Khamosh Pathak, LifeHacker.com
• Digital privacy comes at a price. Here’s how to protect it | Robert Muggah, via World Economic Forum
• Diners Beware: That Meal May Cost You Your Privacy and Security | Nicole Ozer & Jay Stanley, ACLU.org
• Before you die, decide who gets access to your online accounts and digital files | Kim Komando, USAToday.com
• Eight ways to stay anonymous online with computer settings | Eric Griffith, PCMag.com

Federal judge orders Apple to allow alternate payments within app store; but says company is not a monopolist

Apple Inc. and Epic Games Inc. put different spins on the impact of a permanent injunction issued by a U.S. District Court judge on Friday in California.  In a lengthy statement, Apple attorney Katherine Adams called the decision a “resounding victory” because it did not label Apple a monopolist. Epic said it would appeal the decision even though the judge decided Apple’s rules about subscriptions off the Apple Store violated California law.

Judge Yvonne Gonzalez Rogers’ decision and injunction ran 185 pages.  Wrote The AP’s account in part: “Now Gonzalez Rogers is ordering Apple to go even further by allowing links and buttons for non-Apple payment options directly within apps, something Apple has steadfastly resisted.” Apple has 90 days to start allowing outside app payments, or appeal the judge’s decision.

Some stories described the decision as a big blow to Apple, and its stock initially dropped 2% after the decision became public. VentureBeat.com’s headline read: “Epic Games wins injunction favoring alternative payments in antitrust lawsuit against Apple.” 

Politico’s Leah Nylen described the nuance this way in her account, writing the judge “found that Apple has been violating [California’s Unfair Competition Law] by writing contracts with developers that prohibit them from telling customers that cheaper options exist online outside the App Store. She ordered the company to eliminate those provisions.

The Daily Dot’s lead paragraph captured the nuance: “A federal judge in California ruled on Friday that Epic Games failed to prove that Apple was a monopoly. However, she barred Apple from forcing developers to use its in-app payment system.”  Apple announced two weeks ago that it was reducing some commissions it charges in App Store subscriptions to 15% from 30%.

ANTITRUST 

• Apple loses the battle against Epic and must allow alternate in-app purchase methods | Mishaal Rahman, XDA-Developers.com
• Epic CEO: Judge’s Decision ‘Isn’t a Win for Developers or for Consumers,’ | Juli Clover, MacRumors.com
• Apple must ease App Store rules, U.S. judge orders, in a blow to iPhone maker | Stephen Nellis, Reuters PLC
• Epic v. Apple Antitrust Case Results in Mixed Ruling | Eriq Gardner, HollywoodReporter.com
• FTC unseals data about Facebook social-media market share | Wendy Davis, DigitalNewsDaily/MediaPost.com
• Google, Facebook executives should face criminal US bid-rigging probe over ‘Jedi Blue’ deal, Democrats tell DOJ | Michael Acton & Mike Swift, mlex/LexisNexis | RELATED STORY | SEN. WARREN’S LETTER
• Antitrust isn’t headed to an inflection point; it’s already there | Gary Zanfagna, TheHill.com

GOVERNMENTS AND IDENTITY

• Residents of Arizona and Georgia will be the first to try out a new kind of biometric ID system | Rebecca Howell, Recode/Vox.com
• How the N.Y.P.D. Is Using Post-9/11 Tools on Everyday New Yorkers | Ali Watkins, NYTimes.com
• Los Angeles officers told to collect social media data on every civilian they stop | Sam Levin, TheGuardian.com
• Baltimore City’s Ban on Facial Recognition Now in Effect | Michael T. Borgia & Kristen N. Bertch, Davis Wright Tremaine LLP law firm
• Lawsuit Says Oakland, Calif., PD Ignores Surveillance Policy | Annie Sciacca, East Bay Times via GovTech.com

PRIVACY RESEARCH 

• POLL:  Americans warier of US government surveillance: AP-NORC poll | Eric Tucker & Hannah Fingerhut, Associated Press
• RESEARCH: National Privacy Test shows Americans 2nd-most privacy savvy, after Germans | Ben Lovejoy, 9to5Mac.com
• SURVEY: Email marketing firm SimpleText survey of 1,000 finds willingness to sell data | Chandra Steele, PCMag.com
• RESEARCH: Ipsos/Boston Consulting Group findings suggest brands can help with privacy | Chris Sutcliffe, TheDrum.com

COVID 19 AND PRIVACY 

• VIDEO: British Columbia’s vaccine card: Privacy considerations with proof of vaccination | GlobalNewsCanada
• OPINION: COVID-19 concerns do not justify the invasion of health privacy | Debra Soh, WashingtonExaminer.com

WASHINGTON WATCH 

• Activists say US GDPR-style federal privacy law ‘should replace mess of separate laws’ | Ben Lovejoy, 9to5Mac.com
• FTC bans Spyphone’s “stalker ware” app for illegally tracking people, report says | Samantha Manning, Fox23.com
• Ex-FTC privacy lawyers Jessica Rich and Laura Riposo VanDruff, join Kelley Drye firm | Christie Grymes Thompson , AdLawAccess.com
• Congress may be about to help local news. It can’t happen soon enough | Margaret Sullivan, WashingtonPost.com

STATEHOUSE BEAT

• The State of Consumer Data Privacy Laws in the US (And Why It Matters) | Thorin Klosowski, NYTimes/WireCutter
• SLIDES: A business user’s preparedness guide to following California privacy law | Squire Patton Boggs law firm
• Privacy patchwork: Looking back at the 2021 legislative session | Sarah Rippy, IAPP Privacy Advisor
• New York City Passes More City-Level Privacy Legislation | Kyle Fath, Squire Patton Boggs law firm
• Law firm analyzes Ohio’s comprehensive privacy legislation | Damon Barhorst & Wiliam Berglund, BakerHostetler law firm

EU AND UK PRIVACY 

• Website owners face cookie-banner fines in France by year’s end, French CNIL official says | Matthew Newman, mlex/Lexis-Nexis
• UK privacy watchdog Elizabeth Denham calls for simplified one-stop browser privacy tools | Ryan Morrison, DailyMail.co.uk
• OPINION: Cross Border Surveillance Treaty Must Have Ironclad Safeguards | Katitza Rodriguez, Electronic Frontier Foundation
• After chiding Apple on privacy, Germany says it uses Pegasus spyware | Staff report, AppleInsider.com

GLOBAL PRIVACY

• Business Tools for Understanding Global Privacy Obligations | Liisa Thomas & Michael Cohen, Sheppard Mullins law firm
• What China’s new data privacy law means for US tech firms | Scott Pink, TechCrunch.com
• Australian law gives authorities the power to change social media posts | James Jim Kang, Edith Cowan University via TheConversation.com