Two W3C discussions ponder how to control user data and personal identifiers: Technology, governance or both?
Two World Wide Web Consortium (W3C) discussion groups continued to struggle with how to control the use of personal identifiers on the web, minutes of meetings Oct. 14-15 show.
One approach discussed by both the W3C Privacy Community Group and the W3C Federated Identity Community Group is to have web browser software limit the data that can be stored in the browser and used across multiple sites.
Another approach is to consider looser technical restrictions, but impose legal or governance requirements on data use or sharing, rather than blocking the data itself. Is there a “web-wide-scale way to enforce policy,” as one participant observed?
“We (Apple) prefer technical restrictions,” Apple engineer John Wilander told privacy-group colleagues, according to public minutes (also found HERE) of the 16-participant, Oct. 14 privacy-group meeting. “It should not be possible to track users — we don’t think it’s manageable to handle public statements or policies on a web-wide global scale. We haven’t seen anyone be able to enforce a policy globally.” Wilander’s view is that the browser software should perform as a “user agent” but cannot be responsible for server-side tracking.
“If it’s information about a person, it needs to be restricted in some way,” added Baycloud’s Michael O’Neill, the minutes report. “Hard for a piece of software to determine whether something is used for personal data. It’s an insoluble problem.”
Facebook’s Eric Taubeneck said he agreed generally with O’Neill and wondered how technology would be able to distinguish between strings of data added to a transmitted URL (a “query string” or “link decoration”) represented an encoded personal identifier, or just information about data or objects on a website — such as shopping-cart information.
“If a browser were to intervene against things that appeared to be personally identifiable, how good is that?” asked the Washington Post’s Aram Zucker-Scharff, according to the minutes.
” I think it’s very difficult to solve problem technically without putting significant damage to things that are entirely appropriate and necessary uses of the web, distillery’s Brian May said, according to the minutes. ” Maybe we need to make a well-lit path for how to do things in ways that are private, encourage people to do those.”
Salesforce’s Kris Chapman suggested group focus should be on how to obtain consent from the end user for the use or sharing of personal data. “I would personally prefer education than trying to block things in the (browser) client,” the minutes report her saying.
Another participant, Google Chrome’s Jeffrey Yaskin said one approach would be to block transmission of data that is not explicitly being sent for a purpose within the user’s explicit consent.
Although its charter is somewhat different, participants in the federated-identity W3C group, meeting Oct. 15, are also grappling with how technology should be used to address privacy and identity, minutes show. (also found HERE).
“The urgent issue is making sure that use cases that are working continue to work while trying to improve the experience for those users who would like to protect their privacy,” observed Vittorio Bertocci, of Auth0|Okta, the identity-service provider. An online poll of of the group’s participants, found them almost evenly split 50:44 over whether current cross-site “federated identity” protocols are OK or whether some aspects should be intentionally blocked, or technically “broken.”
“Privacy is not just technical, the federated ID group’s minutes note GEANT’s Christos Kanellopoulos saying. “Looking at solving privacy with just technical means is not sufficient. There is also a legal aspect.’
The federated identity group is beginning to share examples of “use cases” for cross-site user-data sharing. For example, Achim Schlosser has shared the start of a description of European Net ID Federation’s service established as a collaboration among German publishers. Schlosser is its CTO and a board member.
SECTION 230 AND ALGORITHMS