I don't think the vision should try to list the harms.

If the Vision is a "star to steer by" it should also note the rocks to not steer into. 🤔

yes, but assuming I have the right definition malvertising is 'just' using adverts as a channel to impact users' security/privacy. our values say that users should be free of fear of any kind of such attack; the channel is not relevant to the value.

I think @dwsinger captures my uneasiness here - not that malvertising is bad, nor that we should be against it. I'm just not sure how to channel that toward specific guidance for the W3C in how to ensure it is addressed (unless this is just a supporting harm that is caused by poor privacy/security). (If we can do this - if there's something specific we should strategically guide toward to address malvertising - I'm all for this.)

Re-reading the current draft of the Vision, I see

But the Web's amazing success has led to many unintended consequences that harm society: openness and anonymity have given rise to scams, phishing, and fraud. The ease of gathering personal information has led to business models that mine and sell detailed user data, without people's awareness or consent. Rapid global information sharing has allowed misinformation to flourish and be exploited for political or commercial gain.
This has divided societies and incited hate.

IMHO, that's a sufficient enumeration of the "rocks not to steer into" for the purposes of this document. Adding "malvertising" isn't really needed: It's essentially a particular type of "scams , phishing, and fraud", no?

I wish the document would say more / be more explicit about how W3C can and will use Web Integrity as the star it WILL steer by in the next decade, but that's another issue.

@michaelchampion thanks. Do you mean that this vision is useless unless we adopt it and agree to steer by it, or that there is a principle of web integrity that we're not talking about and should?

I think the current draft enumerates the principles of web integrity — openness, security, privacy, neutrality … — reasonably well. I would like a stronger, more aspirational assertion that W3C REALLY WILL steer by the star of integrity (even if it causes discomfort to some current members) than I see currently, but that’s not the “malvertising” issue.

And I'm not saying it's "useless" even if the rhetoric in current draft has been watered down from the earlier versions I helped draft. Apparently that was needed to get AB consensus.🤷‍♂️ I personally prefer a strong, clear statement that a critical mass of the community can get behind ... over a consensus statement that doesn’t cause any AB or AC member discomfort. But I don't have an employer to embarrass or an electorate to satisfy any more 😉

ah, OK. once it is our adopted vision, we can edit the 'state of this document' to say so

Web harms including "malvertising", and any other content that requires a judgement to be made as to what is and is not acceptable for people and society, needs to be avoided in the Vision (and any other document or work of the W3C).

False or malicious advertising is an issue for the appropriate authorities in different jurisdictions. For example; US marketing for many medicines would be illegal in the UK and EU. The W3C needs to stick to the knitting of technical standards and not get involved in such matters.

The vision should allow for the W3C to work on a technical standard for those people who want to share their online activity with parties they trust for the purposes of monitoring the content their exposed to such that those parties can identify harms.

Web harms including "malvertising", and any other content that requires a judgement to be made as to what is and is not acceptable for people and society, needs to be avoided in the Vision (and any other document or work of the W3C).

I disagree. The W3C is entitled to include, in the vision it is working to develop, a lot of judgement on what it considers acceptable for society. There are some limits. For example, if it tries to include things that are generally illegal, there are likely to be a lot of problems. But there is no requirement to take a values-free approach.

Hence, I'm not opposed to this proposal on those grounds. It is a legitimate proposal to discuss.

However, the practical issue of determining what we mean gives me a lot more pause.

False or malicious advertising is an issue for the appropriate authorities in different jurisdictions. For example; US marketing for many medicines would be illegal in the UK and EU. The W3C needs to stick to the knitting of technical standards and not get involved in such matters.

Technical standards depend on a shared notion of "truth". There isn't a clear boundary, beyond whatever we choose to set one, between deciding how a messaging protocol works and how to determine whether certain types of message are harmful and should be blocked.

The vision should allow for the W3C to work on a technical standard for those people who want to share their online activity with parties they trust for the purposes of monitoring the content their exposed to such that those parties can identify harms.

I agree with this last statement. Equally, the Vision should allow for any such group to set requirements on reporting of what is done with the data, expressed in a way that makes it useful for dealing with actors who misrepresent what they are doing, among the many things it should allow.

The W3C is entitled to include, in the vision it is working to develop, a lot of judgement on what it considers acceptable for society.

The web is a resource used by over 6 billion people who have many different views on what is acceptable to society, many of which are in tension with each other.

The W3C is a technical standards body concerned with interoperability of web technologies.

Have we now reached a point where the W3C can no longer be both a technical standards body AND create policies concerning what is or is not acceptable for society?

My position is that we have reached that point and that the Vision of W3C inc should stick to technical standards that comply with laws in defined jurisdictions and go no further.

W3C has never been merely a "technical standards body concerned with interoperability". Tim Berners-Lee initially provided the vision for "leading the web to its full potential." Through the team and in resolving formal objections, he supplied the non-technical guiding principles -- especially internationalization and accessibility -- that drove much of W3C's work.

Interoperability certainly is ONE of the guiding principles. The former History section https://github.com/w3c/AB-public/blob/main/Vision/History.md describes the organization's evolution. Making the somewhat underspecified early Recommendations fully interoperable was a key part of W3C's effortsin the early part of the 21st century. But that was merely its FOCUS, not its ESSENCE.

The point of the Vision exercise is to write down the guiding principles for the next decade or so. If it is simply a technical SDO that provides no non-technical guiding principles, it might as well shut down and let lighter weight organizations do the technical interoperability work.

There is no such thing as purely technical decisions, especially when shaping technology used by billions. Value based judgements affect how technology is shaped and how it will work. It is not W3C's role to set public policy, but it isn't possible either to develop technology without embedding into such technology some set of principles and values. They can be implied or explicit, but they are going to be there no matter what.

To take a (hopefully) non controversial example, insisting that we have a high bar for accessibility is a value judgement. It has technological consequences, but it is primary about what we consider acceptable or desirable for society. I am strongly convinced it would be unacceptable for W3C to become neutral on this topic, and to happily standardize inaccessible technologies as well as accessible ones.

Something may be interoperable, but if it isn't accessible, doesn't work across languages, puts users at risk if they use it, creates isolated networks separate from the one web, is limited to one geography, and only works on one type of device, it isn't appropriate to standardize at W3C.

I think it is absolutely fair to debate which principles and values we claim to have and to want to uphold, and whether the phrasing we chose to describe them is appropriate. But I do not think that standardizing anything and everything as long as it's interoperable is what the W3C is about.

@michaelchampion stated "The point of the Vision exercise is to write down the guiding principles for the next decade or so. "

I agree. That does not mean we have to continue what has been done in the past. This is an opportunity to reset and learn.

We can state we defer to others with legitimacy and expertise in particular fields and name these bodies and establish relationships with them to benefit from their input into technical standards.

We can bake in adherence to competition laws into the fabric of the W3C.

Interoperability between people and machines encompasses accessibility and internationalization.

All technologies have unintended consequences. The web is no different. In seeking to define "good" and "bad" we are interfering in established markets and taking a position which is not ours to take. It's not 1999 anymore.

Since the Vision already lists privacy and security as well as safety of users as priorities, is is necessary to list malvertising separately @tantek? There are many other terrible things that we do not want done that are not individually identified.

we could change

Rapid global information sharing has allowed misinformation to flourish and be exploited for political or commercial gain. This has divided societies and incited hate.

The web has made it much easier to deceive and manipulate people, and for them to be exploited for political or commercial gain. This has divided societies and incited hate.

This is an alternative to adding malvertizing to the harms, by removing misinformation and making this sentence more general. We could go the other way and put misinformation and malicious advertizing as explicit examples.

On the specific issue of adding malvertising, it seems to me that the Introduction doesn't currently describe security harms (of which malvertising is one). Security comes later, under "Vision for W3C", so maybe something on security harms could be added to the Introduction, but without mentioning malvertising specifically (as it's both too specific and an uncommon term).

I'd like to suggest this issue should be closed without prejudice, given the support on @TzviyaSiegman's comment above.

Agreed @github.com/cwilso. Given the feedback in the comments, I accept that the marginal benefit of explicitly adding "malvertising" as less than the marginal costs of doing so (document length, jargon/uncommon term).

I’m open to other purely editorial changes that help simplify the Vision and improve its readability, but those should be proposed as separate issues / pull requests.

Per @github.com/cwilso’s proposal and no objections to @github.com/TzviyaSiegman’s comment, since I filed this issue I am closing without prejudice.

(Originally published at: https://tantek.com/2024/080/t2/)