Google takes sole stand on privacy, rejects new rules for fear of 'authoritarian' review

Google has blocked a proposed revision of the charter of the Privacy Interest Group (PING), a part of the W3C web standards body, over concerns that establishing an unchecked "authoritarian review group" will create "significant unnecessary chaos in the development of the web platform."

The PING's job is to ensure that technical specifications recommended by the W3C respect the privacy of people using the web. The group does so by providing a "horizontal review," in which members make suggestions to the authors of technical specifications to ensure the web tech being developed takes privacy into account.

The group, which currently counts 68 participants, has been trying to adjust the agreed terms under which it operates.

In June, PING polled the 450 or so W3C members about the proposed new charter. Voting closed on August 4th. According to an individual familiar with situation, only 26 W3C members responded and Google alone among them objected. Because the group requires unanimous consensus, the new charter was not adopted.

A copy of Google's formal objection was posted to the PING mailing list on Monday. "Although we would like the PING to take a strong role in horizontal review, we are uncomfortable investing it with Process authority without more experience," Google's note says.

Shortly thereafter, Chris Wilson, a project manager at Google and W3C participant, posted a follow-up message to add additional context, presumably out of concern that Google's objection might be read as hostility to privacy.

"To be clear: Google does NOT have concerns about the PING reviewing web platform specifications," he said. "...We do have slight concerns about the additional workload that might entail for the PING group, but we have been actively working to increase our participation in the PING to help account for that."

The new charter isn't all that different from the current one. Nick Doty, a privacy researcher and doctoral student at UC Berkeley's School of Information and a PING member, provided The Register with a diff to compare the two documents.

"The new charter is not dramatically different from the existing one," Doty said in an email. "It includes providing input and recommendations to other groups that set process, conduct reviews or approve the progression of standards and mentions looking at existing standards and not just new ones. I think those would all have been possible under the old charter (which I drafted originally); they’re just stated more explicitly in this draft. It includes a new co-chair from Brave, in addition to the existing co-chairs from the Internet Society and Google."

Doty said he's not surprised there would be discussion and disagreement about how to conduct horizontal spec reviews. "I am surprised that Google chose to formally object to the continued existence of this interest group as a way to communicate those differences," he said.

"I don’t know why Google representatives chose to object to this charter, but I do hope the now expressed interest in reviews and the deliverables of the Interest Group will lead to more investment in PING and in Web privacy."

As The Register has heard, the issue for Google is that more individuals are participating in PING and there's been some recent pushback against work in which Google has been involved. In other words, a formerly cordial group has become adversarial.

The required context here is that over the past few years, a broad consensus has been building around the need to improve online privacy. Back in 2014, not long after Edward Snowden's revelations about the scope of online surveillance transformed the privacy debate, the Internet Engineering Task Force published an RFC declaring that pervasive monitoring is an attack on privacy. That concern has become more widespread and has led to legislation like the California Consumer Privacy Act (opposed by Google) and efforts by companies like Apple, Brave, and Mozilla to improve privacy by blocking ad tracking.

"The strategic problem for Google, with Apple, Brave, Mozilla, Samsung all blocking tracking, is how to preserve their business advantages and share price while appearing to be 'pro privacy,'" said Brendan Eich, CEO of Brave, in a message to The Register.

Facing efforts to block browser fingerprinting and change the way HTTP cookies work, the ad biz last month floated a set of proposals to address privacy concerns without starving advertisers of cookie data. The company's "Privacy Sandbox" met with mixed reviews from privacy groups and academics, who characterized Google's claims about the privacy risks of cookie blocking as "privacy gaslighting."

Eich expressed skepticism of Google’s prioritizing a formal privacy model before the PING could review other specifications for privacy problems, in light of real privacy protections already in browsers that need standardization, and of the lack of formal models gating progress elsewhere in the W3C.

"The W3C is obligated to help fix interoperation problems these privacy protections create, at a minimum; engineering in better privacy over time is even better, but interop is enough of a justification, and no 'utopia first! then we can solve lesser problems' objections should be tolerated," he said.

The Register asked Google for comment. We've not heard back. ®