Cybercrime; GPC at the W3C


A new Cybercrime Treaty: Next week final negotiations kick off in New York in the UN's Ad Hoc Committee process to negotiate a Cybercrime Treaty. Since its inception in early 2021, accredited civil society and other stakeholders have hoped that improvements on the Council of Europe's Budapest Convention could be made, and have been following the process to ensure protections for human rights.

Yet the top three problems with the treaty have persisted throughout: overbroad scope, handling of data protection across jurisdictions, and lack of safeguards for human rights and civil liberties.

In fact, the text has become significantly worse across these concerns, and has introduced new ones.

The treaty process has aligned hundreds of civil society groups from around the world against the current text. Depending on the outcome of the negotiations in a couple of weeks, many groups are likely to shift into anti-ratification tactics to ensure their country will not be subject to it.

Good reads:

My first guest post is from Robin Berjon! (On: What are we doing about cookie banners?)

Emerging as a response to the increasing concerns over personal data protection, the Global Privacy Control (GPC) provides a simple yet effective way for users to communicate their privacy preferences to websites and online services. By enabling GPC on their web browsers or devices, users can automatically signal to websites that they do not want their personal information to be sold or shared. This technical signal originated in California where it is legally mandated by (initially) the California Consumer Privacy Act (CCPA) and (now) the California Privacy Rights Act (CPRA), and has been steadily spreading to other jurisdictions since.

There has been some mild pushback on GPC from a couple of members of the World Wide Web Consortium (W3C), where it's being standardized. Because GPC began in the US and is formally supported primarily by US state legal frameworks, there are questions as to whether it can benefit from an actual wider “global” relevance, notably in the UK, Europe, and other jurisdictions under the General Data Protection Regulation (GDPR) or regimes similar to it. And as GPC is meant to be a mechanism that only indicates a data sharing/selling preference, some wonder whether users will be confused about its utility to ensure "privacy" as a whole (perhaps similar to "private" browsing whose only function is to not record browsing history locally).

As it happens, GPC is applicable outside the US and is in my opinion the best way to replace the ubiquitous use of cookie banners on websites. Whether or not any given automated signal is legally binding in any given jurisdiction is a matter of legal advice and I will stop short of providing that. I will note however that European courts have made decisions in support of automated signals and that the GDPR has hooks to support them. As things stand, whether GPC would be legally binding is a matter for courts and/or Data Protection Authorities to support but it is important to note that nothing prevents its applicability. In fact, standardised support gives it strong credence.

The primary issue with cookie banners is that all websites implement them, which leads to "consent fatigue" among users, who may hastily agree to tracking without fully understanding the implications for their privacy, while not meaningfully addressing the privacy concerns with web browsing. Many also use deceptive patterns to trick people into consenting their data away. Solving cookie banners is, in fact, very much in scope for GPC and something that the GPC group had in mind from the beginning. Taking a step back, on the cookie banner problem, there are multiple approaches:

  • Do nothing. That's the current hell.
  • Create a signal that is a nuclear "refuse all" in all cases. This is tricky because it excludes many practices that aren't particularly invasive. Data authorities are progressively carving out cookie uses that don't require consent, but it has been a slow and dodgy process (and the carve outs are getting closer to GPC). An outcome that has very strong data protection for people but excludes even some relatively basic functionality for publishers will not foster the consensus regulation needs, no matter how much some may deem it desirable.
  • Create a highly granular signal for consent preferences. With this kind of beast, the odds are that most people, when given a choice, will just go for the nuclear option (like the previous one) or will make themselves highly fingerprintable, actually worsening the situation.
  • Create a signal that has semantics that provide a reasonable (if of course always imperfect) consensus between the privacy needs of people and the data processing requirements of publishers, and find a pathway to implementing it in existing frameworks. That's GPC.

GPC was created based on an emerging legal right and through open and frank multistakeholder discussion between civil society privacy and consumer rights advocates, publishers, "adtech" companies, researchers, and browser vendors, across multiple countries. The goal was to hammer out a level of data processing that makes it possible for publishers to continue operating their website, for adtech or marketing tech services to keep working, and that provides robust privacy to people. Subject to user preference, the "do not sell" approach rules out unfair practices like third party services that take publishers' data and use it to compete with them.

It’s arguable that no one will ever find it ideal, but it works, it brings a huge improvement to people’s privacy, and it’s got legs in both the technical and legal spheres. I think it’s ready to go global.
