W3C Logo

World Wide Web Consortium Staff Comments on Multistakeholder Process to Develop Consumer Data Privacy Codes of Conduct


The World Wide Web Consortium (W3C) staff welcomes NTIA plans to develop voluntary codes of conduct for online privacy issues through open, multistakeholder processes. We share the following in response to the request for public comments, Docket #120214135–2135–01 based on W3C staff experience with the development of Web standards in general and Web privacy in particular.

W3C is an international community where Member organizations, a full-time staff and the public work together to develop Web standards. Founded by Web inventor Tim Berners-Lee in 1994 and led by Berners-Lee and CEO Jeffrey Jaffe, W3C's mission is to lead the Web to its full potential. W3C efforts related to privacy on the Web began in 1997 with development of the well-known Platform for Privacy Preferences project (P3P) and has continued with research projects (including PrimeLife, Transparent Accountable Datamining Initiative (TAMI) Project, PRIME and the Policy Aware Web), regular workshops (including W3C Workshop on Web Tracking and User Privacy, IAB Internet Privacy Workshop, W3C Workshop on Privacy and Data usage control and W3C Workshop on Privacy for Advanced Web APIs), privacy considerations in Web APIs and, most recently, the formation of the Tracking Protection Working Group (TPWG), standardizing Do Not Track technology and policy, and the Privacy Interest Group (PING), considering privacy issues across all Web standards.

In response to the NTIA request for comments on issues to address through enforceable codes of conduct, we share an update on ongoing W3C standardization of Do Not Track technology and compliance. Regarding implementing multistakeholder processes, we share feedback on W3C's practice in development of consensus standards.

Issues to address

We encourage NTIA to proceed with its plans to convene multistakeholder bodies around discrete, manageable online consumer privacy issues where multiple stakeholders (including at least consumer groups and industry organizations) have expressed interest.

In choosing issues to address within NTIA-led multistakeholder processes for online privacy, we believe that NTIA should take the globally interoperable nature of the Internet and the Web into account and rely on existing technical standard-setting bodies and multistakeholder processes for the development of technical standards. Further, NTIA can and should augment, nurture and support work in ongoing international multistakeholder processes that address online privacy issues.

Privacy concerns in mobile applications and location-based services are certainly ripe and relevant issues. The W3C Geolocation Working Group been discussing location APIs for use on the Web since August 2008, including extensive debate over the related privacy issues from 2009 through to the present; the Internet Engineering Task Force's Geopriv Working Group was formed in 2001 and published a Best Current Practice for Internet location privacy last year. Privacy guideline documents from the CTIA and GSMA also show active interest in this area. Similarly, mobile applications are an increasingly focused topic of Web standardization (in the W3C Device APIs and Web Applications Working Groups) with explicit discussion of privacy and policy concerns; we note also the upcoming events from NYU/Princeton and the App Developer Alliance/Future of Privacy Forum to discuss mobile privacy issues, a non-exhaustive sample over just the next month. In the experience of W3C, a key predictor of success in a standardization project is enthusiastic and varied interest.

The Tracking Protection Working Group as an example of an existing open and transparent multistakeholder process

While we encourage NTIA to take on new, discrete privacy issues for multistakeholder consensus development of codes of conduct, NTIA can also give support to and build from existing projects. W3C's Tracking Protection Working Group is an existing multistakeholder process developing a voluntary standard for online privacy; it was in fact specifically chartered by our Membership "to seek global consensus definitions and codes of conduct". Led by chairs with diverse academic and industry backgrounds, the Working Group counts over 60 participants including academics, online advertisers, consumer advocates, analytics providers, browser vendors, Web publishers and regulators from multiple jurisdictions. Communications of the group are permanently and publicly archived. The group welcomes public input and W3C employs a number of mechanisms to ensure broad and balanced participation extending beyond its membership base. Although the TPWG began before the administration's release of the Consumer Privacy Bill of Rights, several of those rights (in particular, Transparency, Context, Collection and Accountability) are key points of discussion present in current drafts of the Tracking Preference and Compliance specifications. We believe, and have argued, that standardizing Do Not Track will be a test case for multistakeholder international consensus-building for Web privacy issues. We believe the progress of the TPWG thus far demonstrates a successful test: engaged participants have made substantial progress and recently published a second set of more complete working drafts.

We highlight the ongoing multistakeholder process for standardizing Do Not Track — including both its technical expression, the "bytes on the wire", and what it means to comply with a user's preference — in case the NTIA wants to learn from or support that process. The administration could support multistakeholder processes around privacy through participating in W3C Working Groups (or similar groups in other venues), encouraging organizations to join the discussion, helping to coordinate meetings or public feedback, or even through supporting financially participants not otherwise able to engage. Government participants can help a privacy standardization process by helping to detail the public policy interests (more specific interpretations of the Consumer Privacy Bill of Rights, for example), giving insight into how regulators may enforce consensus codes of conduct and outlining expectations for a sufficiently open and multistakeholder process.

W3C staff intends to continue convening Working Groups around particular privacy issues on the Web; those groups may consider technical mechanisms and also codes of conduct for services on Web. The Privacy Interest Group includes in its charter the aim of monitoring any Web privacy issues and recommending new specification development to address such concerns. As the number of consumer privacy issues is likely to continue growing quickly as more personal data and activity moves online, we would encourage the NTIA to employ its convener role as an exemplar.

Government and the private sector have complementary roles. Only government can promulgate nationally enforceable law and regulations, but those laws and regulations work best when they draw upon the experience and experimentation of the private sector and civil society. Technological developments, including tools for information feedback, individualized information control and corporate best practices, can emerge and be refined from private efforts. Moreover, the scope of these private efforts can differ from government-run processes. Non-governmental multistakeholder efforts can relate both to more localized and sector-specific problems and to international cross-border concerns (an explicit goal of the Department). All these facets are critical to addressing privacy in a comprehensive, consumer-protecting manner. Recognizing that participants' time is also a limited resource, NTIA may wish to focus its efforts at the ends of the spectrum: where processes with broad public and private engagement have already concluded or have not yet begun. Government involvement there can complement rather than crowd out existing work. Where NTIA can help detail the procedural (open, transparent, multistakeholder, consensus-based) and substantive (Consumer Privacy Bill of Rights) requirements of such processes, the agency can encourage industry and consumer groups that participation in multistakeholder processes is likely to be worthwhile.

Multistakeholder process

3. How can NTIA promote participation by a broad range of stakeholders, i.e., from industry, civil society, academia, law enforcement agencies, and international partners?

We are happy to share our efforts to include a broad range of impacted stakeholders in the most productive way. We commend NTIA for explicitly recognizing the many barriers that can inhibit participation, which may not be obvious or widely-understood.

Recruiting participants requires leadership and hard work. W3C groups benefit from having chairs chosen from industry or other relevant stakeholders; the fact that those chairs have committed their effort to the process is a useful signal to potential participants. Chairs and W3C staff work hard to explicitly recruit a diverse set of participants necessary for standardization work; in the privacy space this requires reaching out to various parts of industry (different business models, different sized companies, different geographic locations), civil society organizations, academia and governmental agencies. Workshops at an early stage to discuss a problem space can help gather ideas and potential stakeholders. Having dedicated staff that regularly keep in contact with various stakeholders can help both in identifying areas of work and in recruiting participants.

We also note different levels of useful participation by stakeholders. Regarding technical discussions, members of the public and many smaller organizations may not have the time and resources to dedicate to intense regular discussion, but gathering input from those stakeholders at different times can help anticipate problems and develop an agreement that will work for the Web as a whole.

6. What impact would a requirement to submit a brief position paper in advance of a stakeholder meeting have on participation?

In our experience, a requirement to submit a brief position paper before a group workshop often leads to improved, informed discussion. Writing a paper ahead of time encourages participants to prepare and distill their key ideas and sharing those papers before the meeting allows for some discussion beforehand and helps potential participants understand the diversity of viewpoints. Such papers can also become a useful archival resource; many of the position papers submitted to our April 2011 workshop on Web tracking have been cited by other sources since. A position paper requirement also doesn't present much of a burden: productive interested parties almost always have some coherent thoughts (whether more or less detailed or definite) they're very interested in sharing with the community and the costs of writing a very short paper (and a committee to review those papers) are entirely manageable.

(While W3C often uses a position paper requirement ahead of exploratory workshops, Working Groups rarely have such a requirement before their defined face-to-face meetings.)

7. What balance should NTIA seek to achieve between in-person and virtual meetings?

We see advantages in both types of meetings. Electronic communication (email, teleconference, online chat, etc.) is widely used to great effect; participants from around the world can join in with limited cost. Asynchronous as well as synchronous communication can provide participants a chance to respond thoughtfully and with a permanent record. However, many W3C groups also use regular face-to-face meetings; those meetings often help create a social setting in which diverse participants better understand each other's positions, allow candid discussion among individuals, increase faith in the process and speed up decision-making.

8. Which technologies could facilitate discussions among stakeholders before, during, and after in-person meetings?

W3C Working Groups commonly use (but are not limited to) the following technologies for communication among participants:

All of these tools contribute to the goal of having an archived record of discussions among the group which allows for the reasoning of the participants and the process that led to particular consensus decisions to be available to participants and outside observers alike. Using technologies and document formats based on open standards (like HTML) is preferred.

9. How should discussions during meetings be memorialized and published?

W3C meetings (whether face-to-face or virtual) commonly have minutes of the discussion published soon after the meeting. The minutes are a useful resource for any participants who could not attend and wish to catch up on the current state of discussions. But they also play the important role of a partial archive of the reasoning and decision-making of the group: participants regularly refer back to meeting minutes to determine what decisions were made by the group (and more importantly, why). Minutes of discussion also help observers to understand the positions that various participants hold on particular issues.

Minutes of W3C meetings are generally rough notes rather than exact transcripts (which would be much more expensive to produce). A record of precise wording may be useful in disambiguation of sparse notes but would otherwise be an unnecessary expense.

11-12. What procedures should stakeholders follow to explain their decisions on issues discussed within the privacy multistakeholder process?

A key method for reaching consensus among diverse stakeholders is to clearly document reasoning — the reasoning of individual participants and of the group as a whole. Private discussions are welcome, even encouraged, among smaller sub-groups of stakeholders in order to flesh out proposals, candidly share concerns and quickly iterate through options. But decisions made by the group as a whole should rely exclusively on reasoning available to the whole group.

The mailing lists and meeting minutes of W3C Working Groups are permanently archived; in a sense, these archives are their own deliverable, the full documented decision-making process that led to the agreed-upon standard. Those archives may not be regularly referred to by implementers after the fact, but provide transparency into important steps of the process, ensuring legitimacy.

13.-14. Are there lessons from existing consensus-based, multistakeholder processes in the realms of Internet policy or technical standard-setting that could be applied to the privacy multistakeholder process? How did those groups define consensus? What factors were important in bringing such groups to consensus?

The W3C Process Document provides a formal description of the Consortium's process, including how Working Groups are run and how the Consortium defines consensus. Like many technical standard-setting consortia, W3C does not define consensus as unanimity and provides measures for moving forward when dissent cannot be avoided. Additionally, the process used by W3C Working Groups keeps evolving; while the W3C process permits votes as a last resort, the W3C HTML Working Group has devised a still evolving decision policy that avoids votes and carefully weighs decisions according to their merits and the impact on objectors.

The consensus process in technical standard-setting is inherently pragmatic (recall the famous "rough consensus and running code"): consensus is an important property if standards are to be voluntarily implemented by multiple participants, satisfying the goal of interoperability. Voluntary codes of conduct for privacy have the same property: a consensus is necessary not only for the democratic legitimacy of the outcome, but also for the practical concern of having the code adopted where it can be meaningful and useful.

For questions about W3C or these comments, please contact:
Nick Doty (npdoty@w3.org), Thomas Roessler (tlr@w3.org), Wendy Seltzer (wseltzer@w3.org) and Rigo Wenning (rigo@w3.org)