supporting privacy in Web architecture

Status of This Document

This is a proposal for fellowship/part-time/staff work for a tech-focused civil society organization. This could be a full-time focus for 1-2 years, or individual work areas could be shorter or lower-bandwidth projects. Privacy is one area of particular interest (for the reasons described below), but similar work on modeling, evaluating proposals and identifying novel technology could be attempted for other public policy values.

Feedback most welcome via email, but not to be shared publicly.

Who am I? I’m a Web standards person, privacy researcher and public interest technologist, who recently completed a mixed methods doctoral dissertation on multistakeholder Internet standard-setting processes and their effects on online privacy and security.

Why work is needed

The current moment is a potential inflection point for online privacy. There are new and renewed interests in re-designing the privacy properties of some foundational Internet and Web technologies. That interest includes willingness from diverse and well-resourced implementers in making substantial changes, paired with more substantial pressure from different governments at different levels to require changes. Civil society organizations and public interest technologists can influence these re-designs, in multistakeholder fora as well as in regulatory and legislative settings.

Systematic approaches are needed. In order to fully take advantage of these opportunities, we need technically-informed architectural principles and planning, not (solely) one-off reviewing to find privacy problems. There is a large volume of potential changes in process, and enough experience from previous work that we can develop more systematic responses. Considering key values such as privacy in that basic guidance allows for an outsized impact from public interest sector participants.

The work must be relational. These projects are necessarily multistakeholder – even among the larger market players, we often see challenges of cooperation rather than unilateral changes. But making progress on public interest priorities depends on finding alignment with private companies wherever possible. Most effective would be to gather, connect and organize civil society partners – those who can’t be as deeply involved but still want to understand and provide input. I can bring my existing expertise, relationships and understanding of these communities.

Work areas

Privacy threat model

Many privacy debates in engineering fora come down to case-by-case analysis and argument; this requires constant vigilance in order to maintain privacy protections, and also makes it harder for developers to plan for what will or won’t cause privacy violations or to pursue important opportunities for improving platform-level privacy on the Internet and the Web.

Google, among some others, have expressed interest in a formal Privacy Target Threat Model: what privacy properties we can and can’t provide for the Web and what we should aim for. But current drafts of that threat model are narrow (focused largely on tracking and advertising use cases) and it lacks sustained effort, editorial guidance and civil society engagement.

https://w3cping.github.io/privacy-threat-model/: “A privacy threat model we should migrate the web toward.”
https://www.w3.org/Privacy/IG/: PING both reviews specs for privacy and discusses broader guidance.

Threats & opportunities for privacy in new advertising proposals

At W3C and a few other venues, a plethora of technical proposals suggest new mechanisms related to various parts of online advertising that may improve user privacy or at least mitigate some current privacy harms.

Proposals include mechanisms for interest targeting, re-targeting, measurement and reporting with greater than status quo privacy guarantees, along with steps to reduce fingerprintability and minimize cross-origin identifiers. This standardization work is seeing intense activity from browser vendors and ad tech, but lacks a sustained or coordinated public interest voice.

https://privacycg.github.io/: the Privacy CG “incubates privacy-focused web features and APIs to improve user privacy on the web”
https://w3c.github.io/web-advertising/: the Improving Web Advertising Business Group consists largely of publishers, advertisers, ad tech firms and trade associations.

Bringing new privacy features to the Internet

While much work on privacy and in advocacy is reactive, there are whole classes of new privacy-focused features that could be developed for interoperable platforms like the Internet and the Web. Having promising proposals ready and working with potential implementers can make those new opportunities ready to go when more interest arises, rather than just reducing damage to user privacy in the meantime.

The Global Privacy Control proposes to build on the previous work of Do Not Track, with more direct support from government regulators and directed more closely to online publishers. Effective user preference expression and user controls have too long been lacking in our online interactions.
Nutrition labels, long explored by academics, have recently seen uptake in mobile device app stores, but lack standardization or application to settings outside centralized control. Meaningful, comprehensible notice and transparency are typical requirements for privacy or user choice more generally, but have seen relatively little effective implementation.
Oblivious, blindness or relay protocols show promise in improving access to online resources while revealing even less about the user, but with fewer of the performance limitations (or stricter threat models) of Tor.

https://globalprivacycontrol.org/: Global Privacy Control includes a draft spec (based on DNT) and some initial implementations, with a focus on CCPA and GDPR rights.