First impressions from TPAC 2018

The World Wide Web Consortium (W3C) is the informal consortium of four universities (one in the US, one in France, one in China and one in Japan) hosting the discussions on the future of web standards. The Technical Plenary and Advisory Committee is the W3C’s big annual event.

This year, the TPAC took place in Lyon. So together with a colleague working in Toulouse, we decided it would be great to travel there to see what goes on during TPAC. As I am working on the privacy-related activities of the W3C, and because I teach in Rennes during the first three days of the week, I missed the plenary on Wednesday, but I was there the whole for the only annual “real life” meeting of the Privacy Interest Group (PING) of the W3C [1]I thank Tara Whalen, co-chair of the W3C PING, for having invited me as a non-member observer, thus allowing me to follow the very interesting discussions that were held during the meeting and get a … Continue reading.

Interest groups, at W3C, are groups that are not chartered to produce standards (known in W3C jargon as “specifications”) but to provide input and expertise across all other W3C groups. One other such group is the W3C’s Web Accessibility Initiative Interest Group.

My research interests in the W3C PING lie in the fact that it is one of the few groups active in the field of Internet standards with the mission to make the Internet, and in this case, the Web, a more privacy-friendly place (click here to see an overview of some of the other groups and of their production).

This blog post is not really the result of such work, but rather a quick summary of some interesting elements seen or heard during this TPAC, that may or may not be of interest for a reader on the web.

The evolution and future of the W3C in question

The first thing that one participant told me about was that Tim Berners-Lee wasn’t there. Instead, he was at the ICDPPC in Brussels, the annual international conference of data protection authorities. I was actually expecting some talk about his new project, called Solid. But I didn’t hear anybody talking about that project. I did hear some talk about plans for reorganising W3C that were apparently presented to the Advisory Committee (AC), where members have a seat. But access to information on past AC’s is restricted to members on the W3C’s website so I will have to do some more investigations to have a clearer picture of this.

There also was just one sponsor this year: a Portuguese company called Igalia. Two years ago, sponsors included Cisco, Google, Viacom, Yandex… much bigger players, with more money. Are major web companies pulling their money and support back from the W3C?

It is a well-known fact that the W3C has seen its position challenged. The existence of the WHATWG (Web Hypertext Application Technology Working Group), and of the WICG (Web Incubator Community Group), both controlled by the major browser makers, is a threat to the monopoly of the W3C on web standards. Is work done at W3C level even relevant any more ? Most browsers don’t wait for a W3C specification to implement a new feature, and they also don’t always implement new W3C specifications.

A significant part of the discussions during the PING meeting was indeed on how to make this group more efficient, and more visible, in this flexible and evolving institutional context. How to have more influence on the features developed by browser makers, so that they become more privacy-friendly?

The development of a Privacy Questionnaire, supported (and edited) by Lukasz Olejnik at the level of Technical Architecture Group (TAG), which is a group coordinating work between the other working groups and having a say on the evolution of all web standards, is one of the priorities of PING related to the question of how to become more visible and more involved in the feature development process of web browsers.

Privacy-related matters

All of these institutional matters aside, the PING meeting (minutes can be found here) was the opportunity to hear a lot of discussion on a wide range of interesting privacy-related topics.

One hot topic are HTTP Client Hints. This new idea, pushed among others by Google, would allow some information on the client device to be sent via HTTP headers. The idea is not to allow access to new information, but only to provide a different kind of access to information already available via JavaScript queries. This raises the following question, which was debated during the meeting: is it a privacy threat to expose already available fingerprinting information through new channels?

I also heard more about the Brave browser, as one of the persons on their team took part in the PING meeting. This browser made a lot of technical choices aiming at protecting privacy. But most of all, the interesting thing is its proposal for a new revenue model for the web, as it allows users to give money to publishers via the browser interface. This is also how the company behind this browser aims at financing itself.

The development of Immersive Web (read: augmented reality and virtual reality) technology was also one of the topics on the PING’s agenda on that day, with a joint meeting with the Immersive Web Community Group. Immersive web technology exposes new environmental (especially geographical) data to the servers, and this poses new challenges in terms of privacy (see the presentation that was made by the IWCG during the joint PING-IWCG meeting).

Finally, I noted a research question that was on the agenda for the meeting and for which some research is apparently needed. The questions are: can users differentiate between content provided by the web browser itself in its interface, and content provided by websites? Do users trust navigators or websites better? What are the implications in terms of designing user interfaces that help users understand and make choices in terms of privacy preferences? For example: if a website asks for permission to activate the camera, and includes a message saying it is necessary for the application to perform its function, if the web browser displays a pop-up asking for permission, how can it include the text sent by the website in such a way that it is clear the promise is not verified by the browser? What are the limits between what a browser can and cannot promise to its user, and how is it possible to best semiotise these limits?

1 I thank Tara Whalen, co-chair of the W3C PING, for having invited me as a non-member observer, thus allowing me to follow the very interesting discussions that were held during the meeting and get a better understanding of how W3C works in practice for my research.

Laisser un commentaire