Include references to W3C Process and Antitrust Guidelines only

[jwrosewell]

Moved from #52.

As a minimum.

1. The charter includes a reference to the 'Ethical Web Principles' which are not part of the W3C Process and should not be referenced. A document that basically exposes "be good" strays well beyond the subject of defining technical standards and leaves the "balance of goodness" open to the reader to conclude. It merely adds confusion. Better to relate privacy to laws.

2. The 'privacy principles' are flawed for many reasons documented here and should be removed. In any case the references to 'cross-site' or 'same-site' do not align to privacy definitions and should be dropped. See issue Align the definition of privacy to laws #31.

[AramZS]

Moving from other thread:

@jwrosewell:

Referencing the W3C Process only and not referencing documents that are not part of the Process achieves what we're both requesting. The only exception is the Antitrust Guidelines which for reasons I don't understand are not part of the W3C Process. I'm unsure why you're dismissing this simplification?

A list of the W3C documents we reference in the charter:

• W3C TAG Ethical Web Principles
• https://w3ctag.github.io/privacy-principles/ - but not as a specific binding document, but to use their specific definitions around:
  • cross-site or cross context recognition
  • same-site or same-context recognition
• Many references which we agree are appropriate to the Process.
• The horizontal review process, which is part of the w3c process
• These quotes of w3c standard participation requirements, which I can't see any reason you could object to:
  • 'The group also welcomes non-Members to contribute technical submissions for consideration upon their agreement to the terms of the W3C Patent Policy'
  • 'Participants in the group are required (by the W3C Process) to follow the W3C Code of Ethics and Professional Conduct'
  • 'This Working Group operates under the W3C Patent Policy (Version of 15 September 2020). To promote the widest adoption of Web standards, W3C seeks to issue Web specifications that can be implemented, according to this policy, on a Royalty-Free basis.'
  • 'This Working Group will use the W3C Software and Document license for all its deliverables.
    '
  • 'This Working Group operates under the W3C antitrust policy.' (This section was added specifically to address your concerns.)
• The IPR notice
• The copyright documents notice.

As far as I can tell this set of links satisfies your request to have the charter "Referencing the W3C Process only and not referencing documents that are not part of the Process."

Am I wrong? Please specify which, if any, of these document references you specifically object to.

[AramZS]

@jwrosewell I'll add again here:

While I have great respect for both the GDPR and the UK... the entire world is not bound by those laws. Indeed, the current active US state laws include different definitions and restrictions than GDPR. We are a global organization, we cannot set ourselves to be bound by UK law in the way that you suggest, while it provides specific limits, those are not the bounds of this discussion. We can go beyond those bounds by agreement. The intent of the definitions in the privacy document are to find useful global definitions that can be used by all. Do you have alternative definitions to suggest?

As for the TAG principles, the charter does not bind us to them, it merely states the truth: we are "motivated by" them. I disagree that this framing adds ANY confusion. What, exactly, among the TAG principles to you believe should not be considered as motivating our work?

[AramZS]

@jwrosewell without alternative definitions to discuss in a PR at this time, while we can continue this discussion and potentially come to changes, I see no point in having it delay submission at this stage.

[jwrosewell]

@AramZS

As you asked about Ethical Web Principles.

"or even be used to cause harm." - 'harm' is not defined and in any case is outside the scope of a technical standards body. Some people will consider the possibility of a technology being used to cause harm a reason to remove or interfere with that technology. Others will see it as an opportunity to improve compliance with laws to reduce the risk of it being abused. The Ethical Web Principles need to align to laws, just like the PAT Working Group charter. Without this the W3C creates quasi-laws that neither it, or the individuals that participate, have the authority to do that.

If individuals are motivated by the Ethical Web Principles then that is a matter for them. Requiring the entire group to be motivated by a single position concerning ethics is non-secular.

[AramZS]

To be clear, the positions which you are referring to are:

In the 30 years since development of the web began, it has become clear that the web platform can often be used in ways that subvert its original mission, or even be used to cause harm. The web should be a platform that helps people and provides a net positive social benefit. As we continue to evolve the web platform, we must therefore consider the ethical implications of our work. The web must be for good.

and

2.2 The web should not cause harm to society

When we are adding a feature or technology to the web, we will consider what harm it could do to society or groups, especially to vulnerable people. We will prioritize potential benefits for web users over potential benefits to web developers, content providers, user agents, advertisers or others in the ecosystem, in line with the priority of constituencies. We will ensure the requirements and views of marginalized communities and underrepresented groups are heard and respected. We will build new web technologies in a collaborative manner according to open processes (for example, the W3C process), and adhering to codes of conduct (such as the W3C Code of Ethics and Professional Conduct).

And the charter language is:

The mission of the Private Advertising Technology Working Group motivated by the W3C TAG Ethical Web Principles

And your statement is that stating that as a motivation would be... and I hesitate to use the dictionary definition here, but I am at a loss as to what else you could possibly mean... a "religious or spiritual matter". Is this use of non-secular a reference to some sort of legal version of the term I am unfamiliar with?

Can you clarify for me which one or more of these statements you disagree with?

1. "the web platform can often be used in ways that subvert its original mission, or even be used to cause harm"
2. "when we are adding a feature or technology to the web, we will consider what harm it could do to society or groups, especially to vulnerable people."
3. "We will ensure the requirements and views of marginalized communities and underrepresented groups are heard and respected."
4. "We will build new web technologies in a collaborative manner according to open processes"

I'm skipping the priority of constituencies because that is a general W3C principle outside of this document.

And to be clear, being motivated by these principles allows us to discuss them and refer back to them, it does not force us to either one, both or neither of your stated possible positions:

Some people will consider the possibility of a technology being used to cause harm a reason to remove or interfere with that technology. Others will see it as an opportunity to improve compliance with laws to reduce the risk of it being abused.

Indeed part of the advantage of such language is that we will be able to discuss what the right value and application of those and other positions might be instead of being ideologically locked.

I cannot see how using the TAG document as a reference and noting that it is a motivating force for this group could possibly be considered.... religious. I cannot see how you could find a rough consensus on that statement or that as grounds to remove it from the charter.

'harm' is not defined and in any case is outside the scope of a technical standards body.

One: the point is not to define it, the point is to note that our goal is consider as many possible harms as we can and add that consideration into our process for discussing technology. And I don't think most would agree that this process is outside the scope of a technical standards body or any standards work. Considering the proposals and what they might be used for and how that might effect users, our first constituency, is important. And the many types of potential harms and how they might effect different groups differently is one of the main reasons we must try and be flexible in our definition.

Two: Its use in this respect is not abnormal. Some examples:

The NIST privacy framework states:

The Privacy Framework describes these data operations in the singular as a data action and collectively as data processing. The problems individuals can experience as a result of data
processing can be expressed in various ways, but NIST describes them as ranging from dignity-type effects such as embarrassment or stigmas to more tangible harms such as discrimination, economic loss, or physical harm

(emphasis mine)

• A Mozilla and Ford Foundation funded report notes a set of relevant potential harms around tracking, identification and data sales on page 7 - (see the Full Report link)

• The IEEE runs a forum on "Mitigating Societal Harms in a Social Media World brings together policymakers and technologists to explore the intersection of current technical efforts with public policies, and the resulting impacts to society."

And the fact that privacy-breaching technologies can cause harms is without doubt. I don't think you would disagree with this (but just in case, here's two of many relevant articles: 1, 2). And it is without a doubt a motivation of this group to avoid such harms to users using the technologies.

If there are indeed points among the four listed above that you disagree with, please tell us which ones and state an alternative definition of "harm" that we could consider.

---

As an additional note, I do not see alternative definitions as requested above and this conversation has shifted to a different portion of the document. Should I take this to mean that you do not intend to present alternative definitions for:

• cross-site or cross context recognition
• same-site or same-context recognition

?

[jwrosewell]

This issue is now mute as I understand the charter is advancing for W3C membership consideration.

To briefly address the points raised in the prior comment.

1. Ambiguity should be removed from charters. Charters must not be vague. The fact ambiguity exists elsewhere and in other charters does not mean we shouldn't address ambiguity in this one.
2. The word "harm" is a poor word as it means many things to many people. Many of the worlds problems can be traced directly to different views on the word "harm". It should be replaced in the referenced documents. The NIST references specific harms and this might be a route forward to narrow the scope of the charter and the "harm(s)" it is trying to address.
3. Use of non-secular - my intention was to use the word as short hand for "a particular set of beliefs". The sentence might better conclude as "motivated by a single position concerning ethics is forcing a particular set of beliefs on the participants of the group". I had overlooked the obvious religious definition. I apologise.
4. The original mission of the web - This has expanded beyond anyone's wildest imagination in 1990. There have been many benefits and some harms. In this way the web is not very different to any other new technology adopted widely by society. I'm guided by the users of the web when understanding harms. See the introduction to this request.
5. cross-site / same-site - Domain names need to be removed from the privacy boundary of the web and we must align to privacy laws. See this short video. The terms should be dropped from this charter as a start.
6. priority of constituencies - I realise this is widely accepted at W3C and I've hesitated to challenge it. However there is a symbiotic relationship between constituents. The design principles would benefit from recognising this complexity in the future. However this is not an argument that I see as important at the moment.