James Rosewell could see his company’s future was in jeopardy.
It was January 2020, and Google had just announced key details of its plan to increase privacy in its Chrome browser by getting rid of third-party cookies and essentially breaking the tools that businesses use to track people across the web. That includes businesses like 51Degrees, the U.K.-based data analytics company Rosewell has been running for the last 12 years, which uses real-time data to help businesses track their websites’ performance.
“We realized at the end of January 2020 what Google was proposing was going to have an enormous impact on our customer base,” Rosewell said.
Under the banner of a group called Marketers for an Open Web, Rosewell filed a complaint with the U.K.’s Competition and Markets Authority last year, charging Google with trying to shut out its smaller competitors, while Google itself continued to track users.
But appealing to antitrust regulators was only one prong in Rosewell’s plan to get Google to delay its so-called Privacy Sandbox initiative. The other prong: becoming a member of the World Wide Web Consortium, or the W3C.
One of the web’s geekiest corners, the W3C is a mostly-online community where the people who operate the internet — website publishers, browser companies, ad tech firms, privacy advocates, academics and others — come together to hash out how the plumbing of the web works. It’s where top developers from companies like Google pitch proposals for new technical standards, the rest of the community fine-tunes them and, if all goes well, the consortium ends up writing the rules that ensure websites are secure and that they work no matter which browser you’re using or where you’re using it.
The W3C’s members do it all by consensus in public Github forums and open Zoom meetings with meticulously documented meeting minutes, creating a rare archive on the internet of conversations between some of the world’s most secretive companies as they collaborate on new rules for the web in plain sight.
But lately, that spirit of collaboration has been under intense strain as the W3C has become a key battleground in the war over web privacy. Over the last year, far from the notice of the average consumer or lawmaker, the people who actually make the web run have converged on this niche community of engineers to wrangle over what privacy really means, how the web can be more private in practice and how much power tech giants should have to unilaterally enact this change.
Two sides
On one side are engineers who build browsers at Apple, Google, Mozilla, Brave and Microsoft. These companies are frequent competitors that have come to embrace web privacy on drastically different timelines. But they’ve all heard the call of both global regulators and their own users, and are turning to the W3C to develop new privacy-protective standards to replace the tracking techniques businesses have long relied on.
On the other side are companies that use cross-site tracking for things like website optimization and advertising, and are fighting for their industry’s very survival. That includes small firms like Rosewell’s, but also giants of the industry, like Facebook.
Rosewell has become one of this side’s most committed foot soldiers since he joined the W3C last April. Where Facebook’s developers can only offer cautious edits to Apple and Google’s privacy proposals, knowing full well that every exchange within the W3C is part of the public record, Rosewell is decidedly less constrained. On any given day, you can find him in groups dedicated to privacy or web advertising, diving into conversations about new standards browsers are considering.
Rather than asking technical questions about how to make browsers’ privacy specifications work better, he often asks philosophical ones, like whether anyone really wants their browser making certain privacy decisions for them at all. He’s filled the W3C’s forums with concerns about its underlying procedures, sometimes a dozen at a time, and has called upon the W3C’s leadership to more clearly articulate the values for which the organization stands.
His exchanges with other members of the group tend to have the flavor of Hamilton and Burr’s last letters — overly polite, but pulsing with contempt. “I prioritize clarity over social harmony,” Rosewell said.
To Rosewell, these questions may be the only thing stopping the web from being fully designed and controlled by Apple, Google and Microsoft, three companies that he said already have enough power as it is. “I’m deeply concerned about the future in a world where these companies are just unrestrained,” Rosewell said. “If there isn’t someone presenting a counter argument, then you get group-think and bubble behavior.”
But the engineers and privacy advocates who have long held W3C territory aren’t convinced. They say the W3C is under siege by an insurgency that’s thwarting browsers from developing new and important privacy protections for all web users. “They use cynical terms like: ‘We’re here to protect user choice’ or ‘We’re here to protect the open web’ or, frankly, horseshit like this,” said Pete Snyder, director of privacy at Brave, which makes an anti-tracking browser. “They’re there to slow down privacy protections that the browsers are creating.”
Snyder and others argue these new arrivals, who drape themselves in the flag of competition, are really just concern trolls, capitalizing on fears about Big Tech’s power to cement the position of existing privacy-invasive technologies.
“I’m very much concerned about the influence and power of browser vendors to unilaterally do things, but I’m more concerned about companies using that concern to drive worse outcomes,” said Ashkan Soltani, former chief technologist to the Federal Trade Commission and co-author of the California Consumer Privacy Act. Soltani likened the deluge of procedural interjections from Rosewell and others to a “denial of service attack.”
James Rosewell, left, and Ashkan Soltani, right, are on opposite sides in this debate.Photo: James Rosewell; New America/Flickr
But what is perhaps more alarming, Soltani and Snyder argue, is that the new entrants from the ad-tech industry and elsewhere aren’t just trying to derail standards that could hurt their businesses; they’re proposing new ones that could actually enshrine tracking under the guise of privacy. “Fortunately in a forum like the W3C, folks are smart enough to get the distinction,” Soltani said. “Unfortunately, policymakers won’t.”
The tension inside the community isn’t lost on its leaders, though they frame the issue somewhat more diplomatically. “It’s exciting to see so much attention to privacy,” said Wendy Seltzer, strategy lead and counsel to the W3C, “and with that attention, of course, comes controversy.”
And with that controversy comes a cost. Longtime members of the organization said that at its best, the W3C is a place where some of the brightest minds in the industry get to come together to make technology work better for everyone.
But at its worst, they worry that dysfunction inside the W3C groups may send a dangerous and misleading message to the global regulators and lawmakers working on privacy issues — that if the brightest minds in the industry can’t figure out how to make privacy protections work for everyone, maybe no one can.
Do Not Track 2.0
If any of this sounds like history repeating itself, that’s because it is. About a decade ago, the W3C was the site of a similar industrywide effort to build a Do Not Track feature that would allow users to opt out of cross-site tracking through a simple on-off switch in their browsers. The W3C created an official working group to turn the idea into a formal standard, and representatives from tech giants — including Yahoo, IBM and Microsoft — as well as a slew of academics and civil society groups signed up to help.
Separate from community groups, interest groups and business groups, all of which facilitate informal conversations among developers inside the W3C, working groups are supposed to be where actual technical standards get written, finalized and, hopefully, adopted by key companies sitting around the virtual table. Working groups are, in other words, where ideas for new standards go when they’re ready for primetime.
“This seemed like the game,” Justin Brookman, director of consumer privacy at Consumer Reports, said of the Do Not Track working group. He briefly chaired the group while he was working for the Center for Democracy and Technology. “The browsers were going to implement it, and the browsers have a lot of power,” he said.
But the Tracking Protection Working Group, as it was called, ended up being where Do Not Track went to die. Over the course of years, members — who, in keeping with the W3C tradition, were tasked with reaching decisions by consensus — couldn’t come to an agreement on even the most basic details, including “the meaning of ‘tracking’ itself,” Omer Tene, vice president of the International Association of Privacy Professionals, wrote in a 2014 Maine Law Review case study.
Perhaps it should have been a clear sign Do Not Track was doomed when, Tene wrote, the group tried to settle its dispute over the definition of tracking by seeing which side could hum loudest. “Addressing this method, one participant complained, ‘There are billions of dollars at stake and the future of the Internet, and we’re trying to decide if one third-party is covered or didn’t hum louder!'” Tene wrote.
But both Tene and Brookman seem to agree that what really put Do Not Track underground was Microsoft’s decision to turn the signal on by default in Internet Explorer. Ad-tech companies that had banked on only a sliver of web users actually opting out of tracking resented a browser unilaterally making that decision for all of its users. Suddenly, Brookman said, they lost interest in participating in discussions at all. “They totally made a meal out of it,” he said, comparing their response to soccer players flopping on the field. “They totally exaggerated for effect to try to get out of doing this.”
Because the W3C’s standards are voluntary, no one was under any real obligation to heed the Do Not Track signal, effectively neutering the feature. Browsers could send a signal indicating a user didn’t want to be tracked, but websites and companies powering their ads didn’t (and don’t) have to listen.
In his post-mortem on the ordeal, Tene summed up the Do Not Track effort succinctly: “It was protracted, rife with hardball rhetoric and combat tactics, based on inconsistent factual claims, and under constant threat of becoming practically irrelevant due to lack of industry buy-in.”
For anyone participating in today’s privacy discussions inside the W3C, it’s a description that sounds eerily familiar.
Enter the Privacy Sandbox
After the Do Not Track debacle, Soltani dropped out of the W3C for years, focusing instead on helping draft and pass the California Consumer Privacy Act, or CCPA. That law — and its successor, the California Privacy Rights Act — actually requires websites to accept a browser signal from California users who want to opt out of the sale of their information. The global privacy control, as that signal is called, effectively paired the essence of Do Not Track with the force of law, albeit only for Californians.
When Soltani returned to the W3C in spring 2020, he wanted to turn the global privacy control into a W3C-approved standard, hoping that would lead to more industry adoption among leading browsers. Already, privacy-conscious browsers like Brave and DuckDuckGo have implemented the control, and major players including The Washington Post, The New York Times and WordPress are accepting the signal. But Soltani believed the standard could be improved with the W3C treatment. “Every technical standard is worth discussing in an open forum,” Soltani said. “It exposes bugs, issues and unforeseen edge cases.”
But his reentry into the community gave him deja vu. “Having not engaged in the W3C for years, it was very apparent I was walking back into what my experience was with Do Not Track, but 10 times worse,” Soltani said.
One reason for that: Google had chosen W3C as the venue for developing an array of new privacy standards that were part of its Privacy Sandbox initiative. “We provide Chrome to billions of users, so we really have an immense responsibility to those users,” said Google’s Privacy Sandbox product manager Marshall Vale. “One of the reasons that we are engaged in so many parts of the W3C is to really make sure that that dialogue and evolution of the web really happens in the open.”
One of Google’s proposed standards — Federated Learning of Cohorts, or FLoC for short — would eliminate the ability for advertisers to track specific users’ web behavior with cookies, but would instead divide Chrome users into groups based on the websites they visit. Advertisers could then target those groups based on their inferred interests.
That proposal spurred a backlash from both privacy advocates and companies that rely on third-party tracking. The privacy side argued individuals’ interests might be easy to reverse-engineer, and that targeting groups of people based on their interests would still enable discriminatory advertising. The other side accused Google of trying to kill their companies and hoard user data for themselves. And browser vendors by and large rejected the technology altogether.
The Privacy Sandbox announcement inspired a flurry of newcomers, including from the ad-tech world, to join W3C in response. “It was supposed to be my task to find out what’s going on with FLoC and build a bridge so we could connect to it,” said one ad-tech newcomer who asked for anonymity, because he didn’t have permission to speak on his company’s behalf. “It looked like the real conversation was the one happening at the W3C, and by real, I mean the one where Google was actually listening.”
In fact, Google wasn’t just listening, it was responding. The basic rules of etiquette within W3C hold that participants don’t just get to have their say, they get to have a dialogue. “Our process starts by assuming good faith and engaging with all of the participants as they address the concerns they’re raising,” W3C’s Seltzer said.
That can promote useful exchanges when members are offering constructive criticism. But the policy of hearing everyone out can also grind progress to a halt.
A war of words
That’s what Soltani said happened when he tried to present the global privacy control proposal to W3C’s privacy community group. His most vocal detractor? Rosewell.
Rosewell jumped into the conversation to challenge not the specifics of the technology, but instead the very idea in which it was grounded. He objected to the notion that the W3C, which is a global community, should be turning policy from a single U.S. state into a technical standard, arguing that members might not be so thrilled if the W3C wanted to standardize policies from countries like China or India. “This is a Pandora’s box,” Rosewell wrote of the global privacy control in one October message. “Should web browsers really become implementation mechanisms of specific government regulation?”
Before conversation about standardizing the global privacy control even moved forward, Rosewell argued the W3C Advisory Committee should step in to first determine “if there is an appetite among W3C members” to continue.
The suggestion stunned long-time members, who said taking such a vote and foreclosing an entire category of proposals runs counter to the way the W3C has always operated. “It’s not how any of this stuff works. The W3C is not a Senate of the web. It’s a standards body for people who want to build things and collaborate with each other,” Brave’s Snyder said. “It’s not the kind of thing that anybody has ever voted on before.”
Indeed, while Seltzer wouldn’t comment on any specific altercations, she said W3C leaders are aware of general concerns about these tactics. “There is no process for calling work to a halt,” Seltzer said.
The World Wide Web Consortium is caught in a tug-of-war within its community of engineers and developers.
Image: Christopher T. Fong/Protocol
But Rosewell’s certainly not alone in trying. Almost anywhere you can find a browser putting forward a new privacy proposal within the W3C, you can find profound philosophical opposition from members whose companies rely on third-party data. “At least some of this seems aimed towards legislation,” Snyder, who co-chairs the W3C’s Privacy Interest Group, said. “Which is to say, if they can make the waters muddy so it looks like there’s no agreement on the web, quote-unquote, then [regulators] shouldn’t be enforcing these things.”
One particularly contentious fight broke out this spring in a wonky discussion about a technique called bounce tracking, which is a workaround some companies use to circumvent third-party tracking bans.
John Wilander, a security and privacy engineer at Apple, wanted the privacy group’s thoughts on how browsers might put an end to the practice. The conversation caught the attention of Michael Lysak, a developer at ad-tech firm Carbon, who began raising concerns about how Apple tracks its own users.
Wilander politely told Lysak his comments were out of scope, which is W3C-speak for: Take your bellyaching elsewhere. “Please refrain from discussing other things than bounce tracking protection here since doing so makes it harder to stay focused on what this proposal is about,” Wilander wrote.
Lysak continued on with another jab at Apple’s motives: “If a proposal kills tracking for some businesses and not others, that is in scope as it violates W3 rules for anti competition, especially if the proposer’s company directly benefits.”
Wilander shot back again: “I filed this issue and the scope is bounce tracking protection.”
Others were piling on too. Robin Berjon of The New York Times cited a study about users’ privacy expectations, writing, “It’s overwhelmingly clear that users expect their browsers to protect their data.” Lysak replied with a study of his own — one published by the ad industry — that argued differently. Erik Anderson of Microsoft, who co-chairs the group, chimed in asking everyone to focus on the topic at hand.
Wilander responded with a thumbs up emoji. And round and round they went.
Rosewell was there too, largely co-signing Lysak’s arguments about competition. “You make some interesting points,” he wrote to Lysak.
But Rosewell was also there to promote and explain a proposal of his own, another avian-themed standard called SWAN. Unlike FLoC, SWAN would allow publishers and ad-tech companies that join the SWAN network to share unique identifiers about web users. Those users could opt out of personalized ads from any companies in the network, and SWAN member companies would be bound by a contract to abide. But those companies could still use their unique IDs for other purposes, like measuring responsiveness to an ad and optimizing ad content.
To Rosewell, SWAN presents a sort of middle ground, giving web users the choice to turn off personalized ads, but giving ad-tech companies and publishers the data they want as well. But Soltani called SWAN and other industry-led proposals that preserve some level of data sharing “privacy washing,” because they would allow for data sharing even in browsers that have sought to prevent it.
“[They’re] saying: We’re going to define privacy as profiling for ads, but we’re going to collect your information for all these other purposes, too,” Soltani said.
No, you’re privacy washing
If the privacy advocates inside the W3C have been put off by Rosewell’s approach, he hasn’t exactly been charmed by theirs either. “I’ve been — I don’t know what the right word is — somewhere between upset and shocked at just how much of a sort of vigilante group the W3C truly is,” Rosewell said.
From his perspective, browsers have too much power over the community, and they use that power to quash conversations that might make them look bad. In fact, he charged Apple itself with “privacy washing.” Apple, he said, has forged ahead with third-party privacy protections, but has taken in billions of dollars a year from Google to feature its not-so-private search engine on iPhone users’ phones.
“Google doesn’t pay [Apple] $12 billion a year just for the kudos of having their logo on an Apple phone. They do it for the data that the deal generates,” Rosewell said.
Rosewell rejects the idea that he is pushing for weaker privacy protections. “I am absolutely on the privacy side of things. I would be aggrieved if I was characterized as anti-privacy,” he said, pointing to SWAN as an example of how he’s trying to advance the cause.
The problem, as he sees it, is that privacy has been ill-defined within W3C. “Until you define privacy, until you define competition, everything becomes an opinion,” he said. “And what happens is it’s those with the most influence that end up dominating the debate.”
He believes it’s a “crap argument” to say that philosophical or even legal questions like this are out of scope in a technical standards body. If the W3C only talked about technical standards, he argued, its members wouldn’t be so focused on a fuzzy concept like privacy. “We are interested in the impact of technical standards and technical choices in practice, and we should be. Of course we should be. Otherwise unintended consequences occur,” he said. “But what gets to be talked about is very self-serving.”
The ad-tech newcomer who spoke with Protocol was similarly frustrated by the community’s culture. “When you’re going up against powerful companies that are very entrenched in the W3C, and you’re saying something they don’t want said, it can feel as though you’re being gaslit, given contradictory information on rules that aren’t applied later,” he said.
Rosewell said he’s taken it upon himself to be vocal about these concerns inside the W3C primarily because few other people can be. One concern shared by both Rosewell and the people who disagree with him is that the W3C’s membership fees and the time commitment these conversations require make it so giant companies with thousands of employees can pack W3C groups with members and float endless proposals, while smaller companies or individuals working on these issues part-time struggle to keep up.
“The advantage Google has in numbers is not so much the number of participants, but the sheer size of the teams they have on these projects,” said one privacy advocate, who was not granted permission by his company to speak on the record. “I can get maybe 20% of two people’s time, that might be enough to produce one or two drafts per quarter. Google could ship a spec every week, and that means they can take up a lot of space.”
Indeed, 40 of the 369 members in the Improving Web Advertising business group work for Google. Vale, of Google, rejected the idea that this might make the community lopsided in Google’s favor, arguing that when it comes down to actually finalizing a specification, every company gets just one vote. “That’s how the W3C operates and makes sure that the voices of the various constituents and the members are really represented,” Vale said.
Still, there is an awful lot of conversation that happens before a standard gets to that stage. Those are the conversations happening right now. So when Google introduced the Privacy Sandbox, Rosewell figured he had the time, the freedom and the motivation to dive head first into those conversations. “As far as the tenacity is concerned,” he said, “if people are acting in good faith, then there should be a debate.”
Facebook’s fate
Rosewell’s “tenacity” has certainly been convenient for Facebook, a company that relies on third-party tracking to sell ads but is in no position to publicly challenge any other company’s privacy proposals after its own seemingly endless parade of privacy scandals. Instead, while Rosewell lobs bombs and takes the brunt of the fire from other W3C members, Facebook’s generals are busy negotiating peace treaties.
Just last month, Facebook engineer Ben Savage drafted a proposal that would give web users more choice over the interests their browsers assign to them. The idea, which Savage presented to members of the privacy community group, was so well-received even Soltani walked away thinking it just might work. Savage has also worked closely in the W3C with Apple’s Wilander to nail down new fraud prevention techniques for Safari, peppering his comments with smiley faces, as if to say, “I come in peace.”
But emoticons aside, it’s clear Facebook has as much riding on the outcome of these discussions as anyone. Among the tech giants at the table, Facebook is the only one that doesn’t have its own browser or its own operating system. But it does collect boatloads of data on billions of people around the world. As Apple takes direct aim at Facebook in public, people like Savage are working behind the scenes to push Apple engineers on technical remedies that might preserve Facebook’s existing business.
In April, Facebook Chief Operating Officer Sheryl Sandberg more or less admitted as much, saying on the company’s quarterly earnings call that Facebook was working with the W3C community on a way through some of the “headwinds” posed by Apple’s mobile privacy updates.
It was a blink-and-you-miss-it moment, but Soltani didn’t miss it, viewing it as yet another example of an ad-reliant tech company trying to sway the W3C. “Telling that @Facebook’s @sherylsandberg cites opportunities in @w3c when discussing their ‘regulatory roadmap’ on today’s Q1 earnings call,” he tweeted at the time. “#Bigtech has long known they can leverage standards groups to benefit their business goals.”
This year, Facebook put forward a candidate to serve on the W3C’s advisory board, and in a recent meeting, Facebook volunteered to chair a possible working group on privacy-enhancing technologies. “In the last six months they’ve become a lot more vocal on these subjects, which is fantastic,” Rosewell said, noting that Savage in particular has “done a great job in articulating an alternative voice.”
Still, despite Savage’s attempts at collaboration, there are times his frustration with powerful players inside W3C — namely Apple — has boiled over. In a lengthy Twitter thread last week, Savage accused Apple of “egregious behavior,” saying that while Google has been developing alternatives to tracking out in the open, Apple decided to “blow up” the world of web advertising and only started “thinking about what to replace it with later.”
He charged Apple with trying to push app developers away from advertising business models and toward fee-based apps, “where Apple takes a 30% cut,” striking a note about anti-competitive practices that sounded not unlike Rosewell. “Using the pretext of privacy to kill off the ads-funded business model, in order to push developers to fee based models Apple can tax doesn’t stop being anti-competitive if they lower their cut,” Savage wrote. “And their own apps will always have a 0% tax.”
Apple did not respond to Protocol’s request for comment.
Facebook also declined to make Savage or any other engineer available for comment, but in a statement, the company said of W3C, “These forums allow us to submit and debate new approaches to address common industry issues like how to measure ads and prevent ad fraud while still protecting people’s privacy. All of our suggestions are public and we encourage people to take a look at them.”
Here come the refs
Vale of Google also said the W3C has been instrumental to working out new privacy proposals. He gave W3C members credit for the development of one proposal in particular, called FLEDGE. “We’ve really shown that we’ve taken the input here from many members, whether it’s on the privacy side, or the browsers, or ad tech, and incorporated them into our ideas and proposals,” Vale said. “We’re listening.”
Of course, it’s also in Google’s interest to appear collaborative — now more than ever. Earlier this year, the U.K.’s competition authority took Rosewell’s group, Marketers for an Open Web, up on its complaint, agreeing to investigate the Privacy Sandbox for anti-competitive behavior.
At that, Google blinked, announcing last month that it would delay its plans to kill off third-party cookies another year, in order to “give all developers time to follow the best path for privacy,” a company blog post read. As part of its negotiations, the U.K.’s CMA said it would play a “key oversight role” in reviewing Privacy Sandbox proposals “to ensure they do not distort competition.”
Google also said last month that once third-party cookies are phased out, it would no longer use browsing history to target or measure ads or create “alternative identifiers” to replace cookies. That blog post was signed not by Vale or another engineer, but a member of Google’s legal department.
“Good news. Google won’t kill the open web this year,” Rosewell’s group wrote in a press release following the recent announcement. But the group also vowed to power on, arguing that Google’s commitments so far only cover a small subset of the data it uses to track people. “The proposed settlement agreement is hollow because it does not actually remove data that matters,” Rosewell said.
To him, the CMA’s announcement was, in other words, just a solid start. But to Soltani and others, Google’s decision was the predictable conclusion of a drama they’d watched play out inside the W3C, which is, in some ways, just a microcosm of the larger debate happening in countries around the world.
Regulators in the U.K., he said, had bought the ad industry’s argument that privacy and competition are on a collision course. That, he said, is a false choice. “They could have required everyone to not access that data, Google included, which would have been a net benefit for competition and privacy,” Soltani said.
But regulators appeared to overlook that option and are now using their power to pressure Google to put off changes that would make the world’s most widely-used browser a little more private. “Sigh,” Soltani wrote in an email last month, linking to Google’s announcement. “James & Co succeeded.”
