Present: Robin, Dan, Jeffrey, Sam, Pete, Jonathan, Christine, Amy
Review #28
Jeffrey: This is almost completely rewritten, so best to review https://pr-preview.s3.amazonaws.com/jyasskin/privacy-principles/pull/28.html#identity instead of the diff.
Dan: first use of term partition?
Jeffrey: yes
Dan: we were just talking about the CHIPS review.. feedback that it would be great to have a definition of "partition", the terms are being used as shorthand to mean a certain thing. "Unpartitioned" means "how it works now" (re: cookies). That caught my eye becuase linking the concept of partitioning to context is powerful. Defining partition in terms of context is powerful and potentially useful
Pete: looks great.. where it's describing boundaries of context seems to be focussed on describing decision space rather than the principle. Valuable but be narrower. Appreciate connection between identity and it being used to link across sites, but maybe the discussiona bout data minimisation might happen somewhere else but seems important to say which aspects are being share dindependantly of whether that's linkable
Jeffrey: more about data minimisation. The definition of identity in a context is that it's the set of characteristics that someone chooses to present. Data minimisation is about allowing someone to choose rather than insisting they present mor echaracteristics than they want to. Fits with this but I'd rather not also write that as part of that PR. On the question of choices vs principles.. I was trying to say that the principle is that user agents are responsible to help their users the intended identity to a context. The menu of choices is how th euser agent carves or separates contexts and understands contexts. We know that a sub origin context is not going to be something a user agent can really identify. It's never going to be perfect, UAs are going to have to vary on how they choose to separate contexts and what assumptions they make about their users preferences
Pete: if the goal is not to establish the principle but define how people might make choices I suggest ..
Dan: what I heard was this could define a principle. The paragraph that starts User Agents should maybe needs to start with the principle being "UAs are responsible for protecting users" high level kind of thing
Sam: it says that two paragraphs up?
Jeffrey: yeah that's the principle. The rest is details of how we do it
Pete: give examples how different .. confusing to have that be the..
Jeffrey: I think Pete was saying we should identify the principle more clearly. I didn't understand about using something other than websites as the example
Pete: if the goal is how people can make responsible choices about different things, and the rest is about websites.. nominally this document is about what are the right choices to make about dividing context between websites. It seems confusing to say here are different ways to make choices if the rest of the doc is 'here are the right choices'
Jeffrey: there's an acceptable variation in what users can accept. We need to accept some of that while pushing more towards privacy
Sam: fascinating that "choices" keeps coming up and th eonly time is in the first paragraph.. identity includes things a user has not chosen. Part of this is giving choice. Unfortunately identity includes things they haven't chosen
Robin: I don't think this is about things you have chosen to be your identity vs chooses to present
Jeffrey: good point that there are aspects of identity one might be forced to present ot a context
Dan: IP address
Sam: Something in choice, but I don't think it's..
Jeffrey: forced to present?
Sam: "do" present. Distinction is trying to increase choice about how much they present
Dan; resonates with me becuase of all the discussions i used to have with people who would argue that if somebody clicks agree to a t&c that they have "chosen" to provide certain information. That's arguable..
Robin: need to separate the set of characteristics that they do present from the set they wish they presented. People probably don't think in terms of characteristics in the IP address level.. mor elike I'm hanging out at my dive bar talking about sports / swords vs at the book club talking about metaphysics. Autonomy thing is about making it closer to the wish.
Dan: also making it clearer which part of this sentence ins the principle. Do we need to do that in general? Call out using a document feature?
Robin: not sure how to answer that. What do we mean by principles? Should probably agree on that. Are we saying that definitions would be definitions? Principles are more on the 'should' category?
Dan: yes. Aspirational statement, backed up with the rest of the info that explains and defines terms and expands on the statement. Statement doesn't need to come at the beginning.
Jeffrey: another document that does this so we can steal CSS?
Sam: I'm sure I've seen something good..
Robin: the original architecutre of the WWW volume 1 probably has that...
Jonathan: could use non normative references, the yellow boxes?
Jeffrey: Robin and I will make something up
Robin: there is a style for practice and description..
Christine: eg. https://www.w3.org/TR/fingerprinting-guidance/
Pete: depends if the document has certain types of context definition..
Jeffrey: space to constrain.. default paragraph gives examples of acceptable widenings and narrowings, would be reasonable to draw lines around that, but I don't have lines in mind. Accept the PR and add lines in a separate one.
Dan: good idea
Review #29
Jeffrey: Christine also has an issue about rewriting the abstract
Robin: not sure how to apply the feedback. Proposed we don't define privacy but say what a privacy repsecting web is. Not sure how to make that work.
Christine: perhaps we're speaking at cross purpuoses... as the ietf document doens't define privacy, talks about it but doesn't come up with a definition, the way we talk about a privacy respecting web, the document is going to set out the principles we think are important for protecting privacy. When I started with this alternative approach it was largely becuase I was uncomfortable with privacy is contested. I don't think privacy is contested. General consensus that privacy is important to protect. DIfferent views in different cultures as to what that means. Even though people may have a different feeling as to what privacy is there does seem to be globally general consensus about principles for protecting privacy. This was a suggestion for another way to frame what we're doing, but I dont' think we're at odds
Robin: I see what you mean and where we're aligned. I understand better your first paragraph around consent. What I worry about is that it's not clear to me that there is that much consensus in the web community. There is a significant portion of it that if you get consent for something anything goes. I tend to think we need to be ready to be opinionated about explaining why that's not the case. The manner in whcih consent is leveraged at scale today on the web is really not privacy friendly.
Dan: I'm sympathetic to what Robin is saying.
Robin: maybe the rewritten version might soften some of what you found problematic. I no longer talk about it being contested even though I still reference that text but talk about there being 'debate'.
Christine: I guess my concern is by putting it as a 'debate' you are setting the scene for the potential argument that relying on consent to do whatever you want is totally okay. I'm very concerned about the overuse of consent on the web. When I was trying to reframe the abstract I was trying to make it a general intro and I tried to highlight what users expectations might be, so I'm guessing the answer is to see how you want to rephrase it and take a look at it.
Robin: the reason I mentioned 'debate' is not to say it's good, it's to state the fact that there has been and the goal of this document is to close it. I agree with your perception of the overuse of consent.
Dan: helpful to reference the ethical web principles #privacy?
Christine: I want to make sure we don't preface this whole document on the consent model. There's a lot of things that happen outside of the consent/no consent construction. When businesses say I have legitimate business interest so I'm not going to ask for your consent.
Robin: the abstract doesn't mention consent and there's a section 2.8 goes into issues with consent models. I think we're aligned on the idea that consent is highly problematic but I'm not sure that's something that we would want to surface at the abstract level. I'm not sure we can explain why iwthout this background work
Dan: the points about consent are important. I agree not inthe abstract. Also sympathetic to what Christine is saying by framing it as a debate you allow for people to say "wer'e in a post-privacy world" and all data is in the public domain and privacy is a dead issue. You see so many people saying that. Maybe instead s ay privacy is essential for the web, therefore we need to think about what the right technical means to support privacy is, especially in a manner... etc. Like stating privacy is essential rather than starting off with wording about debate
Robin: yep. I get that.
Jeffrey: None of these are abstracts. These are the beginning of an introduction. The abstract should summarise what the document says, not why. Thinking of them as introductions I lean towards Christine's text to start with everyone agrees that privacy is important. The only part of Christine's text i don't like is about affirming the w3c's committment, I don't think the purpose of the document is to say we care. Other than that I think we could take Christine's text and tweak. I'm not certain we should try to define privacy, I want to think about that more.
Sam: agree, this text looks more like intro
Dan: 2.6 starts to make a go of that.. that struck me on the previous PR. Goes a long way towards defining what we mean by privacy.
Robin: we do define privacy in 2.4. The entire thing is a whole bunch of toolbox concepts that together define privacy. I can take the feedback about the abstract and take another stab at rewriting it. I do believe that the expectation from spec readers about abstracts are different from the expectations of scholarly document readers about abstracts.
Dan: yes, take the point
Robin: should say 'natural person' ..
Dan: id' like to focus on clear language. From i18n standpoint and to make the document more accessible to a wider range of people. Using the word 'person' make sense even if we have to caveat that we mean a real person not a corporation.
Robin: that's why I have individual as an alternative. user is commonly used. Data subject becuase that's the Euro thing but..
Dan: data subject sounds very dystopian. 'User' we're trying to get away from that term, though we talk about users in terms of user needs quite a bit in the TAG. We have been thinking about minimising the use of the word 'user' in the ethical principles. Not proliferate unless we need to. Talking about people is probably the better approach.
Robin: strong current in privacy about using person instead of user. The reason I wanted to define user anyway is becuase it its very pervasive in web stuff. We do talk about User Agents. But agree.
Jeffrey: should probably call out almost a willful violation that many legal contexts include corporations in person and we're explicitly not doing that
Robin: I'll add that
Christine: as long as we're clear about what person means that's fine. Need to make sure person throughout the doc goes back to the definition of natural person
Robin: will be linked almost everywhere. I think individual is less readable to non-native english speakers
Jeffrey: the section that comes from my document uses individual everywhere
Robin: that list of things is long and unwieldy. That whole blurb is not aligned with the style guide. A highly competant reader of english can barely make sense of it. I'm rewriting that. The intent is not to limit it to identifiers. I'm breaking down that thing, PII and identifiers and aspects of a person and derived aspects, trying to make it more parseable.
Christine: sounded great, thanks. Request not to use personally-identifiable information? People regard that as things like name, address, they don't take aboard a sense of what is personal data.
Robin: not use the word PII? Agree. Using it as a shortcut but it's not in the document. If we do mention it it should be to say don't use it.
Dan: pseudonymous definition?
Christine: might contain a persons name and then be not pseudonymous so that needs rephrasing?
Robin: would make it non psuedonymous but would fail the test that technical measures exist to prevent reidentification. It's hard to define pseudonymous in a way that reflects use in eg. health contexts where it's common, and doesn't at the same time bless users in "oh it's just a cookie identifier and everything is fine". The way in which pseudonymous was initially defined for research on human subjects does assume strong technical and IRB like oversight of the sharing. I'll be happy if you can bring it down to something shorter. Ii'm trying to make it legal to do research on human subjects in a properly controlled manner but not okay to say my friends and i made a pinkie promise bunch of contracts and we're just sharing pseudonymous identifier sand everything is fine
Jeffrey: there's a lot of assumption in these bullets that the data is shared with a third party. Also use in purely first party data in large companies where you're worried about insider risk or exploits and the data getting stolen to mak ethe data pseudonymous. I wondere if it makes sense ot make the definition cover that goal also. Talk about it without respect to a third party or about soeone unintended gets a hold of the data or something?
Dan: if it's made use of for a use that was not part of the original... in gdpr world you talk about using the data for an explicit thing when you collect it. If you use it outside of that it's a gdpr violation. You have the same party but the data is still being misused in a violation of privacy
Jeffrey: still violation and misuse but making the data pseudonymous can still reduce the privacy harms in that situation
Robin: better data protection
Christine: the example I gave is the issue of first and third party.. bringing it up becuase i dont' think the technical measures would apply. A first party is storing and using identifiers that acutally have some sort of personal data associated with them in which case they're not pseudonymous. Maybe separating it between... I'm not sure how to solve it, there's a slight problem with the definition
Robin: Ive taken a note to make it clear that embedded data that could lead to reidentification should be covered. I'll try to work something in. and to make it clearer that we don't need there to be a third party involved for these considerations to apply
Dan: we could spend a whole call talking abou tthe rest of the things on this lost... the topic of 'party' is important... is it true that we think that party can include a set of legal entities? Isn't a party a legal entities? If it's a set that would need to be under some umbrella legal entity?
Robin: correct
Dan: even first party sets talks about sets and parties. Agree with what Christine is saying.
Robin: this is coming from DNT. The reason party is a set of legal entities comes from that. The idea though - might not be clear - is if it is a set of legal entities it should be readily evident to the user. If you're travelling to a site that is a joint NYT-Samsung site you should have a thing that has it really clearly commonly branded and you can say that set of legal entities is the first party. What Christine is getting at is just becuase the NYT happens to own DuckDuckGo that doesn't mean it's okay to trnasfer data between NYT and DuckDuckGo ..
Christine: yeah, is there a comeplling w3c reason why we've decided to treat a set of parties as the single first party. With data protection obligations that doesn't apply. Can we just have the first party is th efirst party. There might be other legal entities that might be in the same scenario as the first party, but they're not the first party. Concerned about lumping a whole set of legal entities under the first party
Robin: I need to write this clearer so it's clearer that it's not joint ownership in the political economy that matters, but ocmmon branding that is readily evident. You can have a set if it's very very clear that they are jointly operating
Dan: even in those cases, eg. an airline alliance.. it's a joint thing between AA and BA but there is a legal entity set up for OneWorld which is the actual party. In the case of the NYTizen alliance there was a company set up in Delaware. In many cases it feels like there is still one entity. We need data sharing set up between entitie sin order for data to flow.
Robin: I can figure out how to make it stricter, I hear what you are saying. Assumption is if you have joint branding you still need some kind of common legal construct.
Robin: agree with the feedback on vulnerable, too gdpr based.
Dan: i wonder if there's a real global ngo approved definition of vulnerable person we could reference instead of trying to come up with our own
Robin: christine's point about asymmentries of power is sufficient. It's highly contextual. Can be vulnerable in one context and not in another. I can make it about asymmetries of power than about consent.
Dan: you've got stuff to do based on that.