Two W3C discussions ponder how to control user data and personal identifiers: Technology, governance or both?

Two World Wide Web Consortium (W3C) discussion groups continued to struggle with how to control the use of personal identifiers on the web, minutes of meetings Oct. 14-15 show.

One approach discussed by both the W3C Privacy Community Group and the W3C Federated Identity Community Group is to have web browser software  limit the data that can be stored in the browser and used across multiple sites.

Another approach is to consider looser technical restrictions, but impose legal or governance requirements on data use or sharing, rather than blocking the data itself.  Is there a “web-wide-scale way to enforce policy,” as one participant observed?

“We (Apple) prefer technical restrictions,” Apple engineer John Wilander told privacy-group colleagues, according to public minutes (also found HERE)  of the 16-participant, Oct. 14 privacy-group meeting. “It should not be possible to track users — we don’t think it’s manageable to handle public statements or policies on a web-wide global scale.  We haven’t seen anyone be able to enforce a policy globally.” Wilander’s view is that the browser software should perform as a “user agent” but cannot be responsible for server-side tracking.

“If it’s information about a person, it needs to be restricted in some way,” added Baycloud’s Michael O’Neill, the minutes report. “Hard for a piece of software to determine whether something is used for personal data.  It’s an insoluble problem.”

Facebook’s Eric Taubeneck said he agreed generally with O’Neill and wondered how technology would be able to distinguish between strings of data added to a transmitted URL (a “query string” or “link decoration”) represented an encoded personal identifier, or just information about data or objects on a website — such as shopping-cart information.

“If a browser were to intervene against things that appeared to be personally identifiable, how good is that?” asked the Washington Post’s Aram Zucker-Scharff, according to the minutes.

” I think it’s very difficult to solve problem technically without putting significant damage to things that are entirely appropriate and necessary uses of the web, distillery’s Brian May said, according to the minutes. ” Maybe we need to make a well-lit path for how to do things in ways that are private, encourage people to do those.”

Salesforce’s Kris Chapman suggested group focus should be on how to obtain consent from the end user for the use or sharing of personal data. “I would personally prefer education than trying to block things in the (browser) client,” the minutes report her saying.

Another participant, Google Chrome’s Jeffrey Yaskin said one approach would be to block transmission of data that is not explicitly being sent for a purpose within the user’s explicit consent.

Although its charter is somewhat different, participants in the federated-identity W3C group, meeting Oct. 15, are also grappling with how technology should be used to address privacy and identity, minutes show. (also found HERE).

“The urgent issue is making sure that use cases that are working continue to work while trying to improve the experience for those users who would like to protect their privacy,” observed Vittorio Bertocci, of Auth0|Okta, the identity-service provider.  An online poll of of the group’s participants, found them almost evenly split 50:44 over whether current cross-site “federated identity” protocols are OK or whether some aspects should be intentionally blocked, or technically “broken.”

“Privacy is not just technical, the federated ID group’s minutes note GEANT’s Christos Kanellopoulos saying. “Looking at solving privacy with just technical means is not sufficient. There is also a legal aspect.’

The federated identity group is beginning to share examples of “use cases” for cross-site user-data sharing. For example, Achim Schlosser has shared the start of a description of European Net ID Federation’s service established  as a collaboration among German publishers. Schlosser is its CTO and a board member.

WASHINGTON WATCH

• Senate hearing opens the door to individual lawsuits in privacy legislation | Cameron F. Kerry, Brookings Institution | (ALSO SEE QUOTE OF THE WEEK, BELOW)
• Senators Introduce Bipartisan Legislation to Rein in Big Tech | Benton Institute summary
• KLOBUCHAR STATEMENT
• Lawmakers See Path to Rein In Tech, but It Isn’t Smooth | Cecilia Kang, NYTimes.com
• Senate Antitrust Bill Would Prohibit ‘Dominant Platforms’ From Hindering Competitors | Wendy Davis, DigitalNewsDaily/MediaPost.com
• Senators aim to block tech giants from prioritizing their own products over rivals’ | Cat Zakrzewski, WashingtonPost.com
• OPINION: US must catch up with rest of the world on data privacy | Mike Davis, RollCall.com
• FTC to review privacy policies of six major ISPs during Oct. 21 meeting | FTC Announcement
• White House proposes tech ‘bill of rights’ to limit AI harms | Matt O’Brien, The Associated Press

ANTITRUST

• Reuters: Amazon copied products and rigged search results to promote its own brands | Aditya Kalra & Steve Stecklow, Reuters PLC

SECTION 230 AND ALGORITHMS

• Democrats Seek To Regulate algorithms in recommendation engines | Wendy Davis, DigitalNewsDaily/MediaPost.com | BILL TEXT
• Lawmakers Want to Hold Social Networks Responsible for ‘Malicious Algorithms’ | Rob Pegoraro, PCMag.com
• House Commerce Committee Democrats Announce Legislation to Reform Section 230 | Benton Institute summary | NEWS RELEASE | RELATED STORY

EU AND UK PRIVACY

• AUDIO: Europe’s top ‘tech cop’ is ready to take on Big Tech with America | Ryan Heath et al., Politico.com
• Amazon appeals record €746m fine for EU data law breach | Millie Turner, CityAm.com
• Norway DPA asks for supervisory power over cookies | IAPP Daily Dashboard
• UK Judge Says Ring Doorbell ‘Violated’ Woman’s Privacy: Report | Autumn Johnson, Newsbusters.org
• The UK’s GDPR Overhaul: 5 Things to Be Aware Of  | Peter Wallace, AdWeek.com | RELATED STORY

FACEBOOK AND IRISH PRIVACY REGULATION

• Facebook Should Clarify Service Terms, Irish Privacy Regulator Says | Catherine Stupp, Wall Street Journal
• Looks Like Facebook Found a Way to Bypass Europe’s Privacy Rules | David Gilbert, Vice.com
• Schrems: Draft Irish decision proposes goes easy on Facebook over privacy | Natasha Lomas, TechCrunch.com
• Facebook allowed by Irish watchdog to flout GDPR’s consent requirements, Schrems asserts | Matthew Newman & Jakub Krupka, mlex/Lexis-Nexis

WORLD PRIVACY

• How Companies Can Adapt to Global Data Privacy Regulations | Joe Gaska, DataVersity.net
• Russia is rolling out a facial recognition payment system for Moscow metro riders | Tyler Sonnemaker, BusinessInsider.com | RELATED STORY

ACLU back Massachusetts Information Privacy Act; retailers oppose at hearing because of private suit right

Retailers came forward at a hearing to oppose a bill in the Massachusetts Legislature that would impose significant notice and consent requirements around collection of some times of consumer data.  The American Civil Liberties Union of Massachusetts supports and testified in favor of the bill at a hearing on Oct. 14. The bill remains in committee awaiting action.

• ACLU backs Massachusetts data-privacy bill; retailers don’t like it | Statehouse News Service | BILL TEXT | ACLU FACT SHEET
• Ohio could become the third US state to enact a new consumer privacy law in 2021 | David Oberly, The Daily Swig/Portswigger.net
• EARLIER: Hartzog: Massachusetts “revolutionary” privacy proposal | Private Beat (second item)
• Oct. 18 at noon EDT is first meeting of California privacy agency with Soltani as ED | Alan Friel & Amber Mulcari, Squire Patton Boggs law firm | RULEMAKING PROCESS OVERVIEW | MEETING AGENDA

FACEBOOK AND PRIVACY

• Human-rights groups launch HowToStopFacebook.org | Sarah Jackson, BusinessInsider.com
• RELATED STORY | RELATED STORY
• Facebook legal risk increased by “whistleblower” testimony, lawyers say | Rachel Popa & Chandler Ford, National Law Review
• A second Facebook whistleblower says she’s willing to testify before Congress | Isobel Asher Hamilton, BusinessInsider.com
• Spain, Austria researchers show Facebook’s ad tools can target a single user | Natasha Lomas, TechCrunch.com
• Facebook is researching AI systems that see, hear, and remember everything you do | James Vincent, TheVerge.com
• Facebook Glasses: A law expert explains why they blur the lines around right to privacy | Bart van der Sloot, ScienceFocus.com
• Facebook Still ‘Secretly’ Tracks Your iPhone—This Is How To Stop It |  Zack Doffman, Forbes.com
• Facebook is developing new algorithms that can track everything you do | Chris Smith, BGR.com | RELATED STORY