Are Mozilla, Apple, Google opposing user control over identity ? | Billionaire kicks off effort to challenge social networks with “distributed” identity

Privacy Beat

Your weekly privacy news update.



Drawing from DID specification 

Are browser makers Mozilla, Google, Apple seeking to derail a W3C move toward greater control of data and privacy by consumers?

A key vote in a years-long effort to rethink the way digital identity — and hence privacy control — works on the World Wide Web is said to be underway at the World Wide Web Consortium (w3C). The outcome is a secret — so far — under the rules of the nonprofit standards body.

The vote is on whether to recommend a specification for so-called “Decentralized Identifiers” (DIDs). So far, the only thing in public is opposition and a set of critical comments from Tantek Celik, who represents browser maker Mozilla’s foundation in the W3C’s “Decentralized Identifier Working Group.”   Celik’s comments also refer to comments from Microsoft and Google as well. Both Apple and Google are understood to be opposing the DID recommendation, Privacy Beat learned Sept. 25.

Over its 30 years in operation, the task of identifying users on the World Wide Web has fallen to businesses which run websites or make browser software or other applications.  DIDs would put control of identity in the hands of individuals, known as the “DID subject.”  The subject consumer might choose to proxy control of their user data to a “DID controller.”  But the architecture, (see drawing for the specification, above)  if widely adopted, would tend to dis-enfranchise browser makers such as Mozilla, Google and Microsoft.

Mozilla’s Sept. 1 comments criticize the DID specification for having “no practical operability” which “encourages divergence rather than convergence”  and could in some cases promote data centralization.  Mozilla also argues that DIDs support for distributed-ledger technologies such as “blockchain” could lead to energy-intensive processing contributing to global climate change.

“For these reasons, we believe the DID specification may not be fixable (MUST NOT become a recommendation),” Mozilla’s Celik writes. “We suggest returning the specification to Working Draft status.”

The DID debate comes at a time when the European Commission is proposing a trusted and secure digital identity for all Europeans. The EU’s approach would be similar to the proposed DID standard, allowing Europeans to have a “digital wallet” to control how data about them is shared. And Canada’s Ontario province is preparing the rollout of “self-sovereign” digital ID.



Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More


McCourt’s Project Liberty effort to disrupt social networking holds first F2F gatherings in New York City — with masks

A billionaire’s effort to seed new thinking and technology around user identity and privacy kicked off this week with its first face-to-face gatherings — complete with pre-convening rapid-COVID testing, mandatory masks and proof-of-vaccination.

Real-estate and sports mogul Frank McCourt addressed some 60 participants in a circle-round “unconference” at a Manhattan meeting venue as part of the Project Liberty initiative to which he’s pledged $100 million. Then he co-hosted — with partners the Ford Foundation, Ashoka Foundation, Aspen Institute and Georgetown University — a much larger, two-day conference organized by McCourt-backed Unfinished Labs called “Unfinished Live.” 

McCourt’s premise, first revealed earlier this year, and formally announced in June, iis that fundamental aspects of the web are broken and need to be re-engineering, including social media. Thus they are “unfinished.” A key effort he’s backing is a Decentralized Social Networking Protocol (DSNP).

Participants in the un-conference agreed not to comment on what anyone said under the “Chatham House Rule” but photography was permitted. Photos of Post-It notes show the subjects participants recommended for discussions. (Photo 1 | Photo 2)

McCourt makes it clear that he wants the technologists and other experts he’s backing to be ready to hear constructive criticism about their work, including the DSNP.  One comment posted by Patrick McKenna argues the use of blockchain is inconsistent with an identity system controlled by the user, because once data is written to a blockchain it can’t be removed by the controlling consumer.




Digiday published a great graphic last week entitled “what’s in and what’s out in the privacy conversation this year” (shown above) It’s an astute set of observations about the way publishers, ad-tech companies and publishers are pivoted based on changes in the privacy tech environment.  Credit Seb Joseph for putting it together.

Katsur, in DigiDay interview, implies IAB Tech Lab will “govern” UID 2.0 identity protocol as open source; does that mean policing and kicking out violators?

The new CEO of the Interactive Advertising Bureau Tech Lab (IAB Tech Lab) is promising to “ship more code” and focus more on taking action on consumer privacy, identity, addressability or ad fraud — rather than finding perfect consensus. Anthony Katsur was interviewed last week by Seb Joseph, a reporter. ““The feedback I’ve had so far is that the Tech Lab has been too consensus-driven and hasn’t taken a position on the important issues. We’re going to change that.”

“I intend for the Tech Lab to get back to its roots as a lab that produces these technology standards for the industry to then innovate on,” Katsur says in the interview describing his “listening tour” of the TechLabs diverse membership, which includes publishers, ad-tech companies, advertisers as well as Google. “. “I see the Tech Lab taking a much more visible role in launching technology frameworks in partnership with constituents across the industry,” Katsur told DigiDay.

In a key excerpt from the DigiDay report, Katsur says IAB Tech Lab will seek to “govern” the Open ID 2.0, email-based shared identity technology developed by The Trade Desk and announced as “open source.”  It was the first indication that IAB Tech Lab is prepared to control who gets access encryption/decryption keys to move data across OPen ID 2.0 and, thus, taking on the responsibility to decide when governance violators lose access to the keys and related user data.

“It’s the perfect open-source opportunity that could be shepherded by the Tech Lab,” Katsur told DigiDay. “If we’re going to launch certain technology frameworks or ship more baseline code to the industry that doesn’t mean the Tech Lab owns it — the industry does. We’ll moderate and govern it like any other open-source initiative.”



California nears naming data-privacy chief enforcer; sets Nov. 8 to receive initial public comments on rulemaking

Data-privacy regulation in California ramped up this week as governing board of the state’s Privacy Protection Agency met to name its first executive director and unveiled at least seven broad topic areas within which it seeks public comments before starting any formal rulemaking. The comment period ends Nov. 8.

The California Consumer Privacy Act and the follow-on California Privacy Rights Act are far more comprehensive than laws in other states and are de facto guidances for data privacy in the United States in the absence of federal law, so the rulemaking and leadership of the new state agency is a billion-dollar issue for the advertising and technology industries.

The topic areas, outlined in a detailed invitation for comments, deal with decided when data processing is a “significant risk” to privacy, the use of automated decisionmaking, how the agency should conduct audits, when and how consumers can ask to see and correct information about them, defining the way consumers an “opt-out” of having their information sold or shared, when they can limit use and disclosure of sensitive personal information and what a company must provide consumers about information they have on a consumer.



National Trust for Local News is trying to build a $300 million fund to help save local news | Rick Edmonds,


George Washington University Law School Prof. Daniel J. Solove, famous for his privacy-practice seminars is also an expert at doing simplified line-drawings about privacy.  His latest is a summary of the EU’s 200-page General Data Protection Regulation (GDPR), in one sheet suitable as a poster.  A low-resolution version is above and personal use is free. For business use you have to ask his permission.




Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat


Competitor Criteo engineer reviews Google’s in-browser “cohort” targetting system; finds it “opaque”

  • Antoine Rouzaud, a data scientist at the French-based ad-tech firm Criteo, a competitor of Google’s advertising services, has been co-writing a series of blog posts analyzing Google’s proposed “FLoC” approach to ad targeting — grouping users into cohorts within the Chrome browser.  His analyses are chart-laden and highly technical. But here are a few plain-English excerpts. RELATED: Google presentation.

“On July 13, 2021, Google ended the first Origin Trial of its FLoC proposal, a key proposal of Chrome’s Privacy Sandbox initiative. The Privacy Sandbox aims at creating a viable framework for advertising across the open web that both respects the users’ privacy while enabling marketers to continue to provide ad-funded access to digital properties. Google hopes FLoC could solve the marketers’ need for audience-based advertising by providing an alternative to marketer-defined audiences. During this Origin Trial, Criteo leveraged its unique assets to understand what these FLoC audience cohorts mean in practice and evaluate how well they work for the AdTech industry to support performance-based advertising campaigns . . . .

“FLoC stands for Federated Learning of Cohorts and is one of the cohort-based advertising mechanisms proposed in Google’s Privacy Sandbox, among others like FLEDGE. Google hopes FLoC could solve the marketers’ need for audience-based advertising by providing an alternative to marketer-defined audiences . . . .

“The Origin Trial was supposed to be an opportunity for the industry to familiarize themselves with the real feature in a real-world environment. While we were able to technically collect FLoC IDs, the test was vastly different from what we can expect as a final product. Indeed, being only available in dev versions of Chrome, FLoC’s volume remained extremely low and not representative of the general population, to the point that drawing any meaningful conclusion is a challenge . . . .

  • FLoC cohorts are recomputed quite frequently, once every 7 days on average.

  • FLoC cohorts are unstable in terms of users composition: only 12% of Chrome users are still in the same cohort after 7 days.

  • We did not observe a ‘closeness’ pattern between FLoC IDs, thus we could not confirm that FLoC was able to capture an user’s behaviour.

“We can conclude that the similarity between users proposed by FLoC cohorts shows promising results only when considering the biggest cohorts; but this statement cannot be generalized to the whole pool of floc_ids created during the OT, because of the low volume observed.

“If the Adtech industry is to use FLoC to build audiences to target, it becomes essential for marketers to understand what’s behind the opaque cohort ID assigned to each group of users. We showcased one method to so, that proved successful for some of the biggest cohorts. However, the low volume was once again a blocker to validate that it worked for a majority of cohorts. Besides, the granularity provided by such understanding calls into question the utility of this approach for real world marketer needs, that would rather use more granular product-based interest profiles to build relevant audiences. The performances brought by these interest-based audiences compared to third-party cookies remain highly debatable . . . . “


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2021 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp