Is W3C Listening to Smaller Companies?

Ever since Chrome announced the eventual slaughter of the third-party tracking cookie, there’s been uproar among advertisers, publishers, and their intermediaries. Oh, what will the future of measurement and tracking look like, pray tell?

Unlike Apple and Firefox, which blocked cross-site tracking without offering an alternative, Chrome introduced the Privacy Sandbox—a proposal for a series of browser APIs intended to secure users’ privacy while also enabling advertising tracking and measurement. Chrome seeks the collaboration of publishers, advertisers, and the ad tech and browser communities within the W3C’s Improving Web Advertising Business Group to plan for the future of the open web.

However, we heard about a letter sent to the W3C Advisory Board, signed by 19 W3C members, asking for an intervention because they felt that the voices of members from smaller organizations were not being recognized or taken seriously.

The top name on this letter was James Rosewell, CEO and Co-Founder of mobile data services company, 51Degrees. We knew Rosewell from his work with us as a developer source in the past when we wrote about the death of Chrome’s User-Agent String.

We caught up with Rosewell to gain a better understanding of what was behind the concerns outlined in the letter, as well as a W3C proposal for success criteria that he submitted on GitHub.

Lynne d Johnson: You recently wrote an open letter to the W3C Advisory Board asking them to intervene on matters of W3C governance and trust choices. Along with yourself, the letter is signed by 19 other members of the W3C and/or W3C Improving Web Advertising Business Group. The matters addressed in the letter include, “Governance Process” and “Impacts to Choice.” Can you explain how this all came about?

James Rosewell: Google’s announcement of the Privacy Sandbox (PS) encouraged stakeholder participation via the W3C. As an interested party in a multitude of proposals, 51Degrees, my company, joined W3C in April 2020.

Ultimately, when ratified or de facto standards of interoperability used by millions of websites and 4 billion people over decades are being removed, replaced or modified, a method of identifying the impacts of such changes is mandatory before engineering work commences.

No technology standards body should sanction live implementations, risking the fragmentation of the ecosystem, with the intention that at some later date ratified standards will be agreed upon. I, therefore, became very concerned during May when I saw proposals were advancing without debate or agreement at the conceptual stage.

For example, the Federated Learning of Cohorts (FLoC) proposal, one that shifts availability of pseudonymous identifiers to only cohort-based personalized marketing, is actively being coded by Google developers but has not achieved approval at the concept stage from any other W3C members.

A Google representative specifically asked for others to comment on the FLoC proposal during the Improving Web Advertising Business Group (IWA BG) meeting of 14th July 2020, over two months after proposing it and at least one month after coding started.

As a result, a lot of FLoC related code now exists in the public domain, and privately within Google, for a proposal that has not followed W3C’s already extraordinarily lightweight governance process. I understand from IWA BG meetings Google intends to invite publishers to start testing this code in the coming months. I fear it will be presented as a “done deal” rather than an experiment on equal footing with other proposals yet to be advanced such as those from IAB Tech Labs Project Rearc.

“One web” is central to the W3C’s mission and purpose but is not central to the W3C governance process I’ve observed in practice.

LdJ: Is this also what prompted your proposal for success criteria for the proposals that are currently being tested as alternatives to the third-party tracking cookie? Why is it important that success criteria be aligned with these proposals?

JR: The W3C already apply evaluation criteria to considerations like privacy, security, and diversity and accessibility for all people. Where these criteria exist, they are often biased towards a specific point of view. As just one example, the security and privacy questionnaire does not entertain the possibility that someone can trust the website publisher (first-party) and their supply chain (third parties). They assume the browser vendor must be more trusted than all other parties and must limit the role of third parties.

The approach prevails across all proposed standards that seek only to limit bad acts by third parties without similar considerations that first-parties (publishers or browsers) are equally capable of being bad actors. We have seen public outcry against large publisher platforms and global governments investigating these platforms for wrongdoing. The UK CMA has already found additional evidence of wrongdoing after these first-party publishers have already paid billions in fines.

WebKit or Mozilla as individual organizations are free to advance whatever position they wish in relation to privacy. Before they can become a formal policy of the W3C, or any other standards body, a far wider consultative review is needed. It is not acceptable for browser engineers working on standards to state “The laws are insufficient due to corruption of the political process by special interests (see the US, for instance). This is why browsers and other folks are having to intervene.” when justifying their proposals.

The success criteria and the interoperability, choice, accessibility, and accountability self-questionnaire for improved web advertising have been written to aid technical standard proposers in evaluating their proposals from a more balanced perspective. I expect the W3C advisory board will be able to advise us all on the method to be used to give these considerations greater prominence within the W3C.

Without a method of explicitly assessing competing proposals, the justification for changes to the open web will be based solely on the position of individual browser vendors. We have seen this with TURTLEDOVE from Google where the justification is based on a limited set of use cases being enabled, in a way that browser vendors “are willing to ship.” Urgent change is needed if the standards process is to be consensual and enable the views of all stakeholders to be considered equally.

LdJ: With some of the proposals in the Privacy Sandbox, does it make sense in your view for the browser to have so much control over audience data and who gets access?

JR: To quote News Corporation in their response to the UK’s Competition and Market Authority (CMA), “Google’s decision to render third-party cookies obsolete … is a telling example of how Google can unilaterally interpret the meaning of privacy and reshape industry standards as it sees appropriate.” I completely agree.

Only national governments and their regulators have been empowered with the authority to decide what is right and implement laws to protect people.

It is the role of good governance to prevent technical standards being created that further the dominance of already dominant market players. The Internet Engineering Task Force (IETF), who controls the standards associated with network protocols used by web browsers, have recognized this issue in their “The Internet is for End Users” paper published in March 2020. I expect the W3C to follow suit and work with the IETF, IAB and others to rebuild a more effective governance model before any decisions are made concerning control over audience data, or any other technical standards.

LdJ: You mentioned the UK’s Competition and Markets Authority (CMA) recently released a report on competition within online digital advertising. And you recently hosted a panel of legal experts (and engineers) to discuss that report. Can you share some of the highlights?

JR: The CMA’s final report issued on July 1, 2020, proves these views, and those of many others, are shared by a credible national regulator who conducted a very detailed year-long study into the advertising-funded open web. The report is a fantastic document to inform the W3C, IETF, IABs and all bodies and stakeholders.

The report reveals Google has achieved “at least 40%” return on capital and the “evidence is consistent with the exploitation of market power.”

The report recognizes privacy regulation is out of sync with competition regulation and that this must change. It also recommends the implementation of common user identifiers as a remedy for the abuses of dominant platforms that now threaten the competitive market.

The CMA will engage in the phase-out of third-party cookies to ensure their proposed alternatives support a necessary level of competition.

New laws are being requested with the view to establish a Digital Markets Unit (DMU) to oversee digital. These are significant proposals, which I wish more people within our communities would pay attention to.

The CMA report provided me the confidence to sign the letter to the W3C AB and seek their urgent intervention on these matters. I sincerely hope over the coming weeks those involved in W3C governance will read the report, or at least a credible summary, and seriously consider their role in the implementation of the remedies recommended.