Scope for PATCG Privacy Principles #36

Open
grahammudd opened this issue Mar 16, 2023 · 15 comments

Comments

@grahammudd

The goal of this issue is to iterate on and eventually arrive at an agreed-upon outline of the scope of the privacy principles this group has committed to developing. With scope in place, we can begin drafting principles that align with each area of focus.

Most of these scope dimensions were discussed in our 3/13 meeting. In no particular order, our principles should address:

  • Consolidation of Data: Most would agree that the greater the amount of personal data consolidated in one place (e.g. with a company, government or other entity), the greater the potential privacy harm. The development of cross-context/site profiles is a particularly relevant concern when considering digital advertising privacy.
  • Consent: What is our general position on the role of consent (opt-in and/or opt-out) in protecting people’s privacy? When is consent appropriate and when does it put an overly onerous burden on individuals? When should consent be assumed to be inherent by default (i.e. opt-out) and when should it be requested explicitly?
  • Control: Regardless of whether consent has been explicitly requested, individuals should have the ability to make informed decisions regarding the collection, transfer, and usage of their personal data. This is particularly important in the context of advertising data, as it raises questions about what types of controls should be implemented to ensure that people have the agency and autonomy to manage their data as they see fit. What measures can be taken to provide individuals with the level of control they deserve over their data?
  • Relevance: Setting aside the treatment of the underlying data enabling advertising, is the relevance of advertising an inherent privacy issue? Said another way, is relevance the enemy?
  • Harmful Use: While the collection and transfer of data through or for advertising is almost certainly in scope for these principles, to what degree is the use of that data in scope, particularly in cases where the use may result in harm? For example, should these principles address the use of data to deliver advertising that may be emotionally harmful, biased or manipulative?
  • Security / Trust Model: Any reasonable definition of privacy is impossible to achieve without data security. When considering data security, what types of parties, if any, can be trusted to keep data secure?
  • Competition: Data is a critically important asset for both the buyers and sellers of advertising, therefore strong incentives exist to acquire it — or keep it from one’s competitors. Systems that control the flow of data are necessary to support privacy, but they can potentially impact competition. How should access to data and the related impact on competition be considered when considering approaches to privacy?
  • Identifiers: Identifiers support the transfer of data and the consolidation of data related to a given individual or device, and are therefore an important privacy consideration. How should the use or transfer of identifiers be limited?
  • Inferences: Inferences, whether related to an identifier (often referred to as a ‘probabilistic ID’) or an attribute, can be sufficiently accurate as to be essentially indistinguishable from deterministic data. Incorrect inferences can also create harm. To what degree should these privacy principles consider inferences derived from advertising data?

Feedback appreciated.

@dmarti

dmarti commented Mar 17, 2023

Context and reporting: The context in which an advertisement appeared must be reported to, and available to, the advertiser. (This is related to the "harmful use" principle: most advertising-related harms to users are side effects of obfuscating context in reports to the advertiser)

@npdoty
Collaborator

npdoty commented Mar 17, 2023

This may seem basic/fundamental, but seems important to include explicitly in some framing:

  • profiling: collection of data about a person from different contexts (this would relate to same-context and cross-context recognition, for example) and use of a profile to target advertising (or otherwise customize content and offers) in potentially unwanted ways.

@npdoty
Collaborator

npdoty commented Mar 17, 2023

I think "harmful use" can be a broad title, as there are harms that aren't even privacy harms, as dmarti has noted as an example. (I don't think reporting where I saw an ad back to the advertiser helps protect my privacy at all, it might intrude on it, but I think Don is getting at a separate category of harms where advertising can be used to financially support harmful activities.)

One narrower category might be distress and intrusion to cover harmful uses where ads are abused to cause harm just by their presentation, by bothering people, following them around with distressing content, showing particular content to people who are vulnerable in some way, etc.

@npdoty
Collaborator

npdoty commented Mar 17, 2023

To the scoping question, I think consolidation is an example of a privacy concern which competition issues might implicate, but competition is relevant beyond privacy and I wouldn't expect this document to address all potential impacts, including competition impacts or impacts on every potential business, of privacy protections.

@dmarti

dmarti commented Mar 20, 2023

@npdoty My suggested principle would be reporting ad locations, not (location+user) matches. I agree that reporting location+user is a likely privacy violation. There just needs to be a principle that advertising contexts must be reported to the advertiser.

Reporting the location to the advertiser helps the user by helping participants in the advertising market to enforce norms. A more honest advertising market is less likely to reward companies for perpetrating privacy and other harms to users. This applies even if you take the position of being totally neutral on the value or harm of any particular context.

A good example is adware/spyware browser extensions that insert ads on Wikipedia.

  • If the advertiser notices Wikipedia pages on their ad report, they will likely investigate because they know there are no ads on Wikipedia.

  • If advertising is placed through a scheme that conceals pages from the advertisers that sponsor them, then more adware/spyware developers are incentivized to trick more users into installing harmful software.

@bmayd

bmayd commented Mar 20, 2023

I'm thinking it might be worthwhile to have a general principle that user identifying data should be abstracted out of advertising data so that the latter is not linkable to users; something along the lines of:

User data applied to, or generated by, advertising should not be linkable to data outside the advertising context and should provide no information about a specific person. Any user data exposed in advertising use-cases or generated in an advertising context should be rendered unlinkable, either directly or indirectly, to a user and unusable outside of the advertising context to which it applies through the use of aggregation, redaction, mutation or some combination of these.

A high-level principle like this would simplify the trust model and reduce the potential for harm caused by repurposing of advertising data.

@ShivanKaul

We should add Transparency & Trust here: What all can the user verify regarding their privacy? Can they verify when the system fails and privacy leaks? Who do they have to trust, and can they make meaningful choices regarding who they trust? (The latter is similar to the Security / Trust Model in #36 (comment).)

@npdoty
Collaborator

npdoty commented Mar 21, 2023

Maybe Transparency, Security, and Trust Model could all be listed separately.

@michaelkleber
Collaborator

michaelkleber commented Mar 21, 2023

> @npdoty My suggested principle would be reporting ad locations, not (location+user) matches. I agree that reporting location+user is a likely privacy violation. There just needs to be a principle that advertising contexts must be reported to the advertiser.

I agree with Don that this sort of question quickly ends up intertwined with privacy issues (and not just business goals). The problem that we've encountered in trying to formulate something like this in the past is that "context" can easily be specific to a single user. Obviously my signed-in social media feed is unique to me, so reporting that an ad appeared in that context could be tantamount to reporting what person it was shown to.

I would be very happy if we could find a way to pull those apart from each other, so that we could believe there was a real difference between the person who sees something and the context in which it's seen. From the browser-implementer POV this has been difficult, but maybe from the principle-writer POV it will be easier. Some aspiration to "Separate the user from the context" would make me very happy.

@ShivanKaul

@npdoty @grahammudd it looks like we're collecting principles here. Should we spin up/add to an actual doc so we can make PRs etc?

@michaelkleber
Collaborator

Any opinions on an "Explainability" principle? Obviously I don't think we should try to solve the ML explainability problem in general, or ask the ad industry to do so. But we could opine on a principle that prefers a situation in which e.g. it's possible for a person to understand what information of theirs was used to make a decision about what ad they saw.

@dmarti

dmarti commented Mar 22, 2023

@michaelkleber Explainability should also include telling the user which party holds the data. (If the disclosure states, "you are receiving this ointment ad because you are likely to have a fungal infection", the user is going to want to know who has that information.)

@michaelkleber
Collaborator

@dmarti I agree though I want to avoid over-promising — for example, we shouldn't make it seem like the browser can tell you everyone who has some piece of information.

But I think this issue isn't supposed to be about hashing out the details of any particular principle, but rather the scope of what our principles ought to talk about :-). As @ShivanKaul said, maybe let's take it to a doc where we can start the work part of the work.

@tprieur

tprieur commented Apr 3, 2023

A lot of those concepts (consent, controls, profiling...) are also addressed in the TAG document https://www.w3.org/TR/privacy-principles/
I guess our Privacy Principles can't go against any of the TAG principles; otherwise, any proposals from PATCG following our principles would get rejected by the TAG. Shouldn't we wait for the TAG document to officially land before producing our own document, which would be our interpretation of the TAG document for advertising use-cases?
Can you detail how the PATCG Privacy Principles & TAG Privacy Principles fit together?

@hober

hober commented Apr 3, 2023

> A lot of those concepts (consent, controls, profiling...) are also addressed in the TAG document https://www.w3.org/TR/privacy-principles/

I assume this document is building on the TAG document, fleshing out how to apply the overlapping concepts in the specific domain that PAT CG is working on?

> I guess our Privacy Principles can't go against any of the TAG principles,

They shouldn't, anyway.

> otherwise, any proposals from PATCG following our principles would get rejected by the TAG.

The TAG doesn't reject or accept things; it has no gating power.

> Shouldn't we wait for the TAG document to officially land before producing our own document, which would be our interpretation of the TAG document for advertising use-cases? Can you detail how the PATCG Privacy Principles & TAG Privacy Principles fit together?

I don't think the group should wait for the TAG document to be "finalized". There's no reason why work on both documents can't proceed in parallel.
