|
W3C gathering shows challenge of balancing process and points of view between advertising and privacy
A collegial debate has surfaced as the major browser software makers struggle with how to respond to growing consumer sentiment for more control over the collection of data about their browsing activity and preferences. The debate was in evidence this week over two days of presentations and discussion at a “virtual” World Wide Web Consortium (W3C) gathering.
The question: Where should ideas for changes in the way personal data is handled be hashed out — in the semi-private discussions of an “improving web advertising business group” in which Google is an active participant — or in an all-open browser “privacy community group” joined by at least four other browser makers and co-chaired by Microsoft, Apple and Mozilla? And should the two groups coordinate discussions?
The W3C’s Wendy Seltzer chairs the ad group, and was the inspiration to set it up. She posted that she asked herself, “Could there be a win-win solution [of] privacy-preserving methods for advertising that serves the users who want access to web services, the publishers that want to monetize their web services and content, and advertisers who want those to be platforms for reaching users?”
But what if the advertising business group comes up with ideas that conflict with the goals of the privacy group, one of this week’s participants asked during an open discussion? Right now, both groups seem to agree that web browsers and technology should limit cross-site user tracking — what if that changes, the participant asked?
“We understand there are different organizations with different viewpoints on how the web will turn out,” observed participant Wendell Baker, of Verizon Media, who praised the tone and interaction over the two-day meeting. “We are trying to figure out how to live within the new world as users . . . we’re trying to learn how to produce another business model that can produce value for everyone on the open web.”
The two groups are among more than 300 managed by the W3C, a Cambridge, Mass., based nonprofit that is one of most important places where consensus technical standards for the Internet are introduced, debated, modified and — sometimes — approved as official. As of this week, the advertising group has 174 paying members — it costs to join — and the privacy group has 170.
To get a feel for what was discussed this week, take a look at the agenda, which included presentations by the major browser makers, at the detailed notes of those presentations on Wednesday, and the rest of the meeting on Thursday.
AD TECH
|
|
Does your organization need customized privacy compliance solutions? ITEGA can help.
|
|
We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.
|
|
|
Ex-Googler turned Mozilla scholar explores approaches to better mediation of digital user data and privacy
A former Google executive and current Mozilla Foundation fellow says it’s time to create a new type of entity to arbitrate privacy and user data on the web. Richard S. Whitt calls the entity a “digital trustmediary” and he’s written a law-journal article about his idea.
Entitled, “Old School Goes Online: Exploring Fiduciary Obligations of Loyalty and Care in the Digital Platforms Era,” the 56-page essay is rich with citations to precedents involving lawyers, doctors, accountants and other relationships where privacy and trust are enshrined in law. A similar relationship should exist between individuals and digital services which use personal data, Whitt says. The idea is also embodied in Whitt’s 501(c)3 Glia Foundation and GliaNet project.
The general idea of an “information fiduciary” was not originated by Whitt and it has also been explored in 2016 by Yale Law School Prof. Jack Balkin and assessed by legal scholar Lina Khan, among others. But Whitt’s idea can be distinguished from Balkin’s, he explained this week in a phone conversation with Privacy Beat. Balkin’s analysis worries about regulations challenging First Amendment protection afforded platforms, Whitt suggests, and Kahn favors a more antitrust-oriented approach to platform and privacy control.
In his article, Whitt says Khan argues that companies incorporated in Delaware can’t operate to protect the privacy and identity of their users if that would make them disloyal to a higher obligation to take care of the economic interests of their stockholders. (The shareholder-primary view is disputed by at least one legal scholar.)
“We can regulate the dominant online platforms as information fiduciaries or we can target their market dominance and business models, but very likely we will not do both,” Khan and co-author David Pozen write in one paper segment quoted by Whitt. The paper is entitled: “A Skeptical View of Information Fiduciaries.”
The problem for Google and Facebook, Whitt says, is that the ways in which they use personal data is not consensual with the consumer user, but rather imposed in a relational “take-it-or-leave it” data-privacy regime where platform use of data conflicts with duties of care and loyalty to the user’s data-privacy interests.
One answer, suggests Whitt, is the emergence of infomediaries who manage privacy for the consumer and who’s duties of care, loyalty and disclosure are first to the consumer. Besides Whitt’s, a similar approach advocated by Prof. Sandy Pentland at MIT is called the “data co-operative.” discussed in a May 2019 co-written article.
Another person thinking about data and privacy is Jaron Lanier, a scholar at Microsoft Research and serial tech entrepreneur who was chief scientist for the academic collaborative, Internet2. He proposed creation of MIDS — “mediators of individual data” — as co-author of 2018 a Harvard Business Review article, “A Blueprint for a Better Digital Society.” The paper is explained HERE, and was the basis of a privacy series at the New York Times. Lanier says the web needs solutions that “operationalize” paying for the public’s attention and data and for digital content. He cites the same mal-distribution of power between public and platforms that Whitt dwells on.
GOOGLE EU TRACKING
PLATFORM PRIVACY
PERSONAL PRIVACY
-
RESEARCH: More Internet Users Want to Remove Personal Information Online, Research Finds | Tiziana Celine, Tech Times
-
CDT, Global Partners Digital, ISOC, 30 groups join to defend encryption | GlobalEncryption.org
-
Congress May Hand Bill Barr the Keys to Your Online Life | Melissa Gira Grant, New Republic
-
Senate Votes to Allow FBI to Look at Your Web Browsing History Without a Warrant | Janus Rose, Vice
-
Here’s Who Just Voted to Let the FBI Seize Your Online Search History Without a Warrant | Dell Cameron, Gizmodo
-
Senate narrowly rejects plan to require a warrant for Americans’ browsing data | TechCrunch
-
Our digital privacy is at stake in the Senate | Robert Goodlatte, The Hill
-
TikTok Violates Children’s Privacy Law, Advocates Say | Allen St. John, Consumer Reports
-
Google’s Privacy Policy Can’t Save it From Smartphone Spying Claim: California Privacy Laws Tested in Suit Alleging Big Tech is Letting Subcontractors Listen in on Your Conversations | Lexology
-
It Is Becoming Much Harder to Access Mental Health Support Anonymously | Piers Gooding, Slate
CCPA WEEK SEVENTEEN
-
Better Never Than Late? A CCPA Meditation | Ted Claypoole, Hey Data Data (see QUOTE OF THE WEEK, below)
-
CPRA Poised to Go On November 2020 Ballot | Katie Morehead and Philip Yannella, JD Supra
-
CPRA analysis: The ‘good’ and ‘bad’ news for CCPA-regulated ‘businesses’ | Jim Halpert, Lael Bellamy and Marco Berrios, IAPP
-
CPRA’s top-10 impactful provisions | Caitlin Fennessy, IAPP
-
Study highlights data subject request volume, spending under CCPA | Ryan Chiavetta, IAPP
-
Another California Data Privacy Law | Schneier on Security
-
Coronavirus sparks new fight over California’s internet privacy law | Dustin Gardiner, San Francisco Chronicle
-
California’s New Privacy Laws Reach Beyond State Lines: European Businesses Must Prepare Now, Despite COVID-19 | Mark Kahn, Computer Business Review
-
What type of contractual provisions are included within service provider agreements in connection with consumer deletion requests? | Tyler Thompson, JD Supra
-
CCPA 2.0 Initiative Signatures Submitted For November 2020 Ballot | Sharon Klein, Alex Nisenbaum and Karen Shin, JD Supra
-
Another California Data Privacy Law | Bruce Schneier, Security Boulevard
COVID-19 AND TRACKING
-
ANALYSIS: Privacy Frameworks Must Adapt in Times of Turmoil | Mark Smith, Bloomberg Law
-
Public Health Versus Privacy | Allie Gottlieb, The Regulatory Review
-
A New Normal for Consumer Privacy: Apple, Google and Employers Begin Contact Tracing COVID-19 | Alaina Lancaster, Law.com
-
Public Health Versus Privacy | Allie Gottlieb, The Regulatory Review
-
What will happen to digital privacy? | Marco Pruess, IT Portal
-
Privacy questions for COVID-19 testing and health monitoring | Cathy Cosgrove, IAPP
-
Contact-tracing apps may seem like the coronavirus solution. They’re not | Shubham Agarwal, Yahoo Finance
-
Contact tracing apps: A new world for data privacy | Anna Gamvros and Steven Hadwin, Data Protection Report
-
Privacy Litigation in the Age of Coronavirus | Paul Karlsgodt and Justin Donoho, Data Privacy Monitor
-
The NHSX tracing app source code was released but privacy fears remain | Laurie Clarke, NS Tech
-
COVID-19 could set a new norm for surveillance and privacy | Alfred Ng, CNET
-
Would You Let The Government Track Your Smartphone If It Meant We Could Reopen Sooner? Assessing the Google/FB idea | David Freedman, Newsweek
-
Health Officials Say ‘No Thanks’ to Contact-Tracing Tech | Will Knight, Wired
-
New survey shows US adults split on COVID-19 cell phone tracking and data collection | R. Dallon Adams, Tech Republic
|
|
|
German “SSO” identity consortium accelerates effort to privacy challenge Google and Facebook logins
A German industry-dominated, non-profit consortium made up of big publishers and Internet Service Providers, is moving ahead with an ambitious effort to challenge Google and Facebook’s dominance over first-party user data. First, it has fielded a privacy-oriented federated Single Sign On service. Now it proposes to use it to tailor advertising to individual users.
“Complementing our federated single sign-on, I think it’s safe to say that this is the first holistic user-centric identity and privacy management solution for the digital market,” Achim Schlosser, CTO of the European NetID Foundation, said in a LinkedIN post last month.
The foundation opened up its SSO service in November 2018 to millions of registered users of its partner corporations, although it acknowledges only a small fraction of them are using it so far. The major backers are German broadcasters Mediengruppe RTL Group and ProSiebenSat.1 Media SE and ISP United Internet. RTL is one of Europe’s leading entertainment providers and it is 75% owned by Bertelsmann SE & Go. KgaA, the international media conglomerate.
“With our two new consent products, we are offering our potentially 38 million netID users and our partners legally compliant consent management and the highest level of transparency,” Sven Bornemann, CEO of the foundation, said in an April 24 statement. “ This strengthens our position: On the one had as a leading open login standard and on the other hand for the digital economy as an alternative to the U.S. login providers such as Google or Facebook.”
NetID uses a user’s email address as an identity. A user from one of the partners who seeks to access resources at another partners’ web services is redirected to an identity service provider (IdSP) — one of several in the NetID system — where the user’s email address is checked. The user’s browser or application is then redirected to their “home” provider to be “authenticated.” The IdSP doesn’t store data about the user or their activity.
So far, that’s as far as the exchange goes. But NetID’s intention is to engineer methods for getting the user’s permission to share data points that might be useful for targeting advertising or personalized content. The tricky part is how to do that under the requirements of consent of the General Data Protection Regulation (GDPR). The NetID Enterprise and NetID Professional enhancement noted in the April 24 announcement air aimed at doing so, part by promising compliance with IAB Europe’s Transparency and Consent Framework 2.0.
“Via the NetID Privacy Center, every user has the opportunity to release their consent for various uses, such a target group-specific content / advertising, market research or range measurement — and to revoke it at any time,” the consortium’s announcement said, adding: “Instead of increasingly blocked third-party cookies, all NetID products use the NetID identifier stored on the server to recognize users.
There is a technology race underway to address the loss of third-party cookies, which all the browser makers have already blocked or are planning to by 2021. Consumer-data aggregator and ad-tech giant LiveRamp Holdings Inc. (formerly Acxioim Corp.) is working to gain support for its IdentityLink service, promoted in Feb. 2019. And ITEGA, the publisher of this Privacy Beat newsletter, is testing a login service similar to NetID with the prototype name “NewsSSO.”
GDPR ENFORCEMENT
NEWS AND TRUST
|
|
Dutch-Spanish marketer sets May 26 for virtual convening to raise support for the Swiss-based YourID Foundation
For at least three decades, technologists, academics, public officials and privacy advocates have been meeting and debating methods to improve the way identity is handled on the web — to assure secure transfer of data and enable consumer control over privacy. But it’s complicated, typically involving cryptography and things like “self-sovereign identity.”
Ted Oorbals is a refugee from that world of ongoing conferences, money raised and money spent. And on May 26, he hopes to gather corporations and supporters to try out his own attempt at a solution. It’s called YourID and Oorbals has been working on it with four colleagues and at least $360,000 (so far) of his own and friends’ investment.
“I started YourID out of frustration and disbelief and I was angry also and also very disappointed,” Oorbals told Privacy Beat this week. “The company I headed at the time, Biocryptology, couldn’t go anywhere. Like all the other identity companies, it would eventually get stuck or be eaten. It raised $30 million.”
Now Oorbals, who is Dutch but now lives in Spain, is in the process of forming a nonprofit foundation in Switzerland that he syas will both protect the public’s privacy, but also facilitate commerce. He calls the idea “a kind of Swiss digital vault where you can manage all the different identities you have — financial, medical, business, privacy, social — from this place and portal and you decide where to give consent to use it.”
Many companies and projects have proposed a similar idea and its not clear yet how Oorbal’s is different. But instead of building technology and then trying to get the market to adopt it, Oorbal’s — who has a marketing rather than technology background — has focused instead on lining up technology vendors and setting up a quasi-non-profit governance structure.
Now, he’s sent out at least 300 invitations to major publishers, brands, corporations and the like worldwide and asked them to join his virtual call to arms on May 26. He’ll be happy if he gets a fraction of those to drop in — virtually. He wants to use mostly open technology.
“We have selected technologies and done tests,” he says. “The gathering will talk about functionality and customer experience. We are going to ask these companies to support us financially.”
|
|
WASHINGTON WATCH
-
New Privacy Bills Aim to Protect Health Data During the Pandemic | Thomas Germain, Consumer Reports
-
Amendment to Surveillance Reauthorization Bill Is a Step in the Right Direction. More Is Needed to Protect Privacy Rights. | Timothy Karr, Free Press
-
Republican senators introduce bill focused on consumers’ data privacy during COVID-19 | Dave Muoio, Mobi Health News
-
Democrats introduce bill to protect health data used for tracing the coronavirus | Lauren Feiner, CNBC
-
Worried About Misuse of Coronavirus Data, Privacy Advocates Rally for Federal Privacy Laws | Scott Ikeda, CPO Magazine
-
Safeguarding Privacy Through Law and Technology | David Hoffman and Gal Ringel, CPO Magazine
-
FTC Seeks Ad Tech Pros To Bone Up On The ‘Opaque’ Business Of Digital Advertising | Allison Schiff, Ad Exchanger
-
Wicker, Thune, Moran, Blackburn Announce Plans to Introduce Data Privacy Bill | U.S. Senate
-
The COVID-19 Consumer Data Protection Act of 2020: What Companies Should Expect If Passed | Krishna Jani and Donna Urban, JD Supra
-
COVID-19 Consumer Data Protection Act 2020 | Jenner & Block LLP, Lexology
-
Senators Propose the COVID-19 Consumer Data Protection Act | Vorys
-
TikTok Should Face FTC Moves Over Children’s Privacy, Groups Say | Daniel Stoller, Bloomberg Law
-
AMA issues new principles to restore trust in data privacy | American Medical Association
-
U.S. FTC indicates it is looking at Zoom privacy woes | Reuters
STATES WATCH
PRIVACY BUSINESS
EVENTS DATEBOOK
|
|
QUOTES OF THE WEEK
A lawyer’s meditation: Tightened privacy rules now will hamstring Google, Facebook business: Do we want that?
“If we have thought to protect privacy in the same manner the EU protected it in the 1990s, Google, Facebook and other world-dominant U.S. data-driven businesses would not exist in their current form. In fact, the EU felt it necessary to tighten its privacy regulations in part to reign in American data monsters. So now our legislative/regulatory decision to grant people broad rights concerning the use of the data generated about their behavior will hamstring some of America’s most innovative and successful businesses. Companies are pulling information from every action taken online and many actions out in the web world. Artificial intelligence and other deep, decades-tested analytics can blend this data into something coherent and commercially useful. The simplest aspects of consumer information collection – a single transaction at a single ecommerce site – is easy to regulate. Deep analytics and AI logical leaps may be much more difficult to find, categorize and address as government enforcers. So, are we willing to kill entire profitable industries, like online advertising and behavioral analytics, because we have finally found religion on consumer privacy?”
– Atlanta, Georgia, privacy attorney Ted Claypoole, writing May 12 on the “HeyDataData” blog of his firm, Womble Bond Dickinson (US) LLP, in a post entitled, “Better Never Than Late? A CCPA Meditation.”
|
|
ABOUT PRIVACY BEAT
Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker. Submit links and ideas for coverage to newsletter@itega.org.
|
|
|
|
|
|