W3C group weighs: What is Google’s browser role in privacy? | Three-quarters of Americans want federal privacy law

Privacy Beat

Your weekly privacy news update.


Diagram in Google draft report showing proposed browser (“user agent”) role

Alternate views of privacy control emerge in W3C federated-identity discussion — what is Google browser role? 

A preliminary draft report from a key Google Inc. engineer, made public this week, shows the company sees its Chrome web browser as playing a central role in managing user identity and privacy on the web — as a “user agent.” 

The purpose of the 38-page proposal, “Identity Federation Management API”, as described by author Sam Goto, a staff software engineer on the Chrome browser, is to be “clear on what we are going to do and what we have been implementing.”  (See QUOTE OF THE WEEK, below)

However, in a virtual meeting on Friday of the World Wide Web Consortium’s (W3C) Federated Identity Community Group, a British-based ad-tech executive offered a different view.  (View minutes of the Sept. 17 Zoom meeting.) The ID group’s chair is Heather Flanagan, who openly acknowledges that Google hired her as a consultant to organize the group.

James Rosewell touted the SWAN Community open-source proposal championed by his company, 51Degrees.com, which would rely on independent governance and multiple identity service providers (IdPs) rather than the browser. He said SWAN “doesn’t require people to provide personal information in order to have their preferences shared by multiple websites.” SWAN would temporarily store user data in a web browser cookie file, the SWAN FAQ says.

In his paper, Goto talks about privacy-compromising “threat models” in which an IdP and a “relying party” (a website that seeks user data for advertising or other purposes) “collude” to exchange personal data without permission of the end user. In the Google model, the browser would stand in the middle to interrupt such “unsanctioned” use, considered harmful.

But what if the company which makes the browser — say, Google? — is also the web’s largest manager of advertising networks, the largest displayer of ads and the largest manager of user identities? Should its browser be the enforcer?

“My definition of threat would be very different from the definition that Sam has just provided,” said W3C meeting participant Kris Chapman, an engineer at Salesforce.com. When both the IdP and the relying party are the same company, she said, “collusion can occur without one knowing that is going on.” 

Goto emphasized his intent with the draft document was to help seek consensus on defining key terms such as “unsanctioned” and identify early and simple points of agreement before tackling the complexity of a large-system solution for web identity. “All feedback is good feedback,” he said. “We’ll dance with the song; we’ll get along as we go along.” 



Ryan says Irish privacy regulators create “paralysis” in probing of  Big Tech complaints | Bretton Woods II needed?

Irish-based data-privacy crusader Johnny Ryan leveled a new allegation at his country’s Data Protection Commission, accusing it of inaction in dealing with dozens of complaints about Google, Facebook and other tech companies.  He said it has received far more complaints than any other European Union member-country regulator, and acted on far fewer.   The Irish Times picked up his complaint, issued through the Irish Council for Civil Liberties, where Ryan works. 

Meanwhile, the outgoing top data-privacy regulator for the United Kingdom gave an interview to the Wall Street Journal in which she called for a “Bretton Woods”-style global privacy confab.

“I think there’s urgency in us having this kind of convention, for this kind of coming together,” Elizabeth Denham told the WSJ. “The risk is that more and more laws are being passed which have the perverse outcome of data localization rather than actually promoting innovation and promoting meaningful data protection.”




Three-quarters of Americans want a federal privacy policy — and 80% of them share their email address for deals

Two important data points from new polling data:

  • Nearly three-quarters of Americans say they support establishing national standards for how companies can collect, process and share personal data, according to an Associated Press story about a poll it commissioned. “What is surprising to me is that there is a great deal of support for more government action to protect data privacy,” Jennifer Benz, deputy director of the AP-NORC Center, was quoted by The AP as saying, adding: “And it’s bipartisan support.” AP-NORC polled 1,004 adults June 24-28. The margin of error for the sample is 4.3 percentage points.
  • Eighty percent of 1,000 Americans in a second unrelated survey said they have willingly provided their email address to a marketer in exchange for a discount or coupon, compared with 59% giving their full name and 51% their phone number. The sampling was done recently by an SMS-text marketing firm, Simpletexting.com.







WASHINGTON BEAT — Democrats lining up to fund FTC on privacy rather than new agency 




Google’s evolving, draft, tentative view on browser software’s role in controlling privacy and identity abuses 

  • The following is excerpted from the introduction to an unofficial draft policy paper on web user tracking authored by Google’s Sam Goto, a Google Chrome software engineer, and posted publicly Sept. 16 as advisory to the World Wide Web Consortium’s (W3C) Federation Authentication Community Group. Goto advised that he was working on a formal proposal describing how Google, in its platform and Chrome browser, will attempt to define and limit “unsanctioned web tracking.” The introduction is part of a 38-page public document.

“Over the last decade, identity federation has unquestionably played a central role in raising the bar for authentication on the web, in terms of ease-of-use (e.g. passwordless single sign-on), security (e.g. improved resistance to phishing and credential stuffing attacks) and trustworthiness compared to its preceding pattern: per-site usernames and passwords.

“The standards that define how identity federation works today on the Web were built independently of the Web Platform (namely, SAML, OpenID and OAuth), and their designers had to (rightfully so) work around its limitations rather than extend them.

“Because of that, existing user authentication flows were designed on top of general-purpose web platform capabilities such as top-level navigations/redirects with parameters, window popups, iframes and cookies.

“However, because these general purpose primitives can be used for an open ended number of use cases (again, notably, by design), browsers have to apply policies that capture the lowest common denominator of abuse, at best applying cumbersome permissions (e.g. popup blockers) and at worst entirely blocking them (e.g. blocking third party cookies).

“Over the years, as these low-level APIs get abused, browsers intervene and federation adjusts itself. For example, popup blockers became common and federation had to adjust itself to work in a world where popup blockers were widely deployed.

“The challenge is that some of these low level primitives are getting increasingly abused to allow users on the web to be tracked. So, as a result, browsers are applying stricter and stricter policies around them.”


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to newsletter@itega.org





Copyright © 2021 Information Trust Exchange Governing Association, All rights reserved.
