
ethical-web-principles's Introduction

This repository contains the Editor's Draft of the W3C TAG Ethical Web Principles TAG Finding. Here's the abstract:

The web should be a platform that helps people and provides a net positive social benefit. As we continue to evolve the web platform, we must therefore consider the ethical consequences of our work. The following document sets out ethical principles that will drive the TAG's continuing work in this direction.

You can help make this document better! Feel free to file an issue with your thoughts or suggestions.

ethical-web-principles's People

Contributors

cynthia, dbaron, hadleybeeman, hober, jbradleychen, marcoscaceres, martinthomson, plinss, rhiaro, rinchen, stefanhamburger, torgo, ylafon


ethical-web-principles's Issues

Sustainability Principle is anticompetitive

The specification of "new web technologies" in the Sustainability Principle is anticompetitive.

This Op-Ed argues that the TAG Ethical Web Sustainability Principle is both anticompetitive and is being weaponized in a way that inadvertently undermines every other W3C ethical web principle.

Another complaint on the anticompetitive nature of the sustainability principle was discussed here:

What if the sustainability argument was used to thwart the advances made in computing since the very first card punches appeared on the market (1949)? What if card punches were allowed to set power consumption restrictions for every advance in computing from that point onwards? [The sustainability] argument, IMO, is a concern but not one that can be justifiably used to prematurely block a W3C proposed recommendation.

The <video> tag in the HTML spec is overwhelmingly used for entertainment purposes and directly responsible for an order of magnitude (and more) more energy usage than the issue mentioned in the Op-Ed, above.

Having a sustainability principle that only applies to new technologies is obviously anticompetitive. The sustainability principle protects W3C incumbents which in turn violates the Priority of Constituencies. It is concerning that the W3C would grant an ethical pass to their own existing technologies, that their businesses are built upon, while using the principle to deny emerging technologies based on a completely different sustainability standard.

While the sustainability principle has good intentions, it should either be applied to all technologies equally or removed from the list of principles to avoid the conflict of interests (or even the appearance of a conflict of interest) mentioned in the op-ed above.

Relationship with Design Principles

Note link with Design Principles as the practical "how to" on top of the Ethical Web Principles, but also note that not all EWPs translate directly to API design issues, as there are other parts of the Web platform to consider as well.

New principle: advancement of Digital Human Rights should be the apex principle of the Web platform

With society relying more and more on digital interactions for work, personal, and community life, many digital activities have come to underpin a de facto set of digital human rights, which include: the ability for people to maintain identifiers that cannot be feasibly taken from them (unlike the identifiers of today, which are leased by companies and centralized entities), the ability of dissidents and at-risk individuals to connect/publish ID-linked data in censorship resistant ways, and the ability of individuals to exchange encrypted communications from self-owned IDs.

While the W3C's Ethical Web Principles document does include these sections:

The web must enable freedom of expression
We will create web technologies and platforms that encourage free expression, where that does not contravene other human rights. Our work should not enable state censorship, surveillance or other practices that seek to limit this freedom. This principle must be balanced with respect for other human rights, and does not imply that individual services on the web must therefore support all speech. (For example: hate speech, harassment or abuse may reasonably be denied a platform).

The web must enhance individuals' control and power
We recognize that web technologies can be used by developers to manipulate people, complicate isolation and encourage addictive behaviors. We recognize these risks and seek to mitigate against them when creating these technologies and platforms. We will therefore favor a decentralized web architecture that minimizes single points of failure and single points of control. We will also build Web technologies for individual developers as well for developers at large companies and organizations. The web should enable do-it-yourself developers.

^ they do not elevate digital human rights above other considerations. This is problematic because the EWP document contains far more subjective principles that can be conveniently used to oppose initiatives and technologies that materially aid in the protection of digital human rights. An example of this can be seen in the recent disagreement over the Decentralized Identifier spec: some have argued that using 1/20th of the emissions we dedicate to clothes dryers is not worth enabling systems that can protect people from the serious harms that result from centralized entities being able to Thanos snap any identifier and reliant connection graph they choose, effectively severing people from the digital relationships and communication connections they have formed. Additionally, the technologies that mitigate this harm can also allow people to connect more directly, removing many third parties who are currently privy to their personal digital exchanges/content. There are many more examples, but we certainly owe it to the world to do whatever we can to mitigate these growing threats to digital human rights.

It is the personal opinion of this participant that digital human rights are the most important of all principles, yet the EWP document does not reflect this. It is incumbent upon us to amend the document and clearly state that digital human rights are the most important consideration of all, a seemingly uncontroversial view I would be surprised to see opposition against.

The acronym TAG

The acronym TAG is not explained anywhere.
Please write it out in 1 place as The W3C Technical Architecture Group

Conflicts between principles

Often situations arise where there is an unavoidable trade-off between two principles. (This may be a simple trinary "pick two" scenario, or a more complicated continuum between various aspects.)

The document may want to offer advice on how authors/editors should handle these trade-offs. Are some principles always preferred above others? Are there some rough preferences where a major (high impact and/or likelihood) improvement in one aspect is worth a minor (low impact and/or likelihood) reduction in another? Are all principles equal in priority?

Suggested principles: user data freedom portability

As part of the stated "human rights, dignity and personal agency", I respectfully suggest adding the principle of user data freedom and portability. The specific wording is a complex question, but the rough idea is that users should be able to download the complete set of data that a provider has on them. The user should also have the freedom to use that data in any way they see fit.

Conflicting principles lead to a political meltdown

If new designs to old problems expose that good solutions to one principle are bad solutions to another principle, then reliance on principles will cause politics to hold sway over building solutions for people to communicate with one another.

Draw out the openness of specs

There are ethical as well as legal motivations for us publishing all our specs.

If anyone is able to implement them -- either by publishing a website or data, or something that can consume them -- then the rules for making that work must be publicly visible on the web. (And legal to implement.)

We should make this explicit in the doc.

Who is "we"?

"As we continue to evolve the web platform..." but "we" is not defined or described.

"open and decentralised"

The web is often referred to as 'open and decentralised'. I don't see any definitions or references to those terms in this document. Should there be?

"Open" I've often had problems with. It's frequently touted, I believe because it's safe to do so without actually signing up to anything tangible. 'Open', is, essentially, a subjective judgement. The TAG could try to make it more objective, but I'm actually not sure what the definition would be. Do we mean 'open source' (and then presumably only in relation to browser-executed code, but not browsers themselves? And what about webassembly?). I assume we don't mean 'open access' since much of the web isn't.

"Decentralised" is much easier to define, but less frequently lauded. It should receive more attention. There exist perverse incentives on companies that have developed (through their own innovation and quality products) an outsize influence over the web. They now stand to benefit substantially if the web can become more and more within their ecosystem.

The joke that pops up every time GitHub goes down is worth some thought: "Hey, at least git is decentralised, huh!"

The danger of prioritising algorithmic relevance over human needs

This came from a TAG breakout conversation between me, @plinss, @hober, @atanassov and @LeaVerou. We started by talking about when Facebook's Memories feature evoked traumatic and painful memories, and moved on to when Twitter's algorithm cropped out faces with darker skin, and then Google's forthcoming "dermatology assist" tool not being trained on darker skin.

We narrowed the conversation down to situations where the algorithm is accurate, but the biases in its training data or lack of consideration of the impact of its results make its results accidentally painful, dangerous or otherwise inhumane.
We weren't sure how to translate this into an ethical web principle, so are creating this issue to start the discussion.

Say something about resisting interpersonal abuse

The principles currently address governments surveilling their populations, but I don't see anything that covers employers, intimate partners, parents who oppose their child's identity or health care, etc. This is relevant to w3ctag/design-reviews#606, but I think broader than just the case of managed devices.

Web API design won't always be able to improve the situation, but we should watch for places it can.

Feedback on principle 9 - sustainable web

Hi there!

Thanks for making these principles - it's really cool to see someone talking about a sustainable web here, and it was awesome being able to refer to these at the recent JSConf.

I have a question about principle 9:

The web must be an environmentally sustainable platform

The web, as a whole, is a big consumer of power. New web technologies should not make this situation worse. We will consider power consumption when we introduce new technologies to the web.

I understand this to be about device consumption more than anything else, and all the research I can find points to the web being a sustainability issue in two main areas first (making the devices in the first place, and the emissions from generating energy to power the infrastructure of the web), before we consider end user device energy consumption.

It's a pain, and we should be considerate about user's battery life obviously, but the bigger sustainability levers tend to come from how we power infrastructure (mostly fossil fuels right now), and rethinking how we use and retain hardware.

The best recent report I've found covering this topic is from the Shift Project (Lean ICT, released earlier this year), but there is also formal guidance from the GHG Protocol on measuring the environmental impact of ICT too, but it's lengthy and quite dry.

Would you consider something like this, to make the link between sustainability and the web more explicit?

The web must be an environmentally sustainable platform

The web, as a whole, is a big source of carbon emissions, because it is a big consumer of power. New web technologies should not make this situation worse. We will consider power consumption and the resulting emissions when we introduce new technologies to the web.

Until we have a web running on entirely green power there is a link between power usage and emissions, and this is a decision people who host sites, or provide connectivity to make the web work can take to see immediate progress.

Don't Erode Users' Trust in the Web

@dbaron wrote, in a comment on w3ctag/security-questionnaire#48:

I also think there's a third piece that needs to be considered: not just the specific security risks added from one specific feature, but the effect of adding those security risks to the overall picture that users have about the idea that it is safe to visit websites. A big piece of the web's value is that it is safe for users to visit websites. In order for this value to exist, users must understand that it is safer to visit websites than to install apps or software, and act based on that understanding. Doing things that complicate that understanding or complicate what users need to understand about the safety of the web (e.g., adding features that are less safe) reduces the ability of users to act based on that understanding of safety, or to act in ways that correctly reflect the safety that exists.

I think this is a sufficiently important insight that we should capture it somewhere, either in our Design Principles (w3ctag/design-principles#146), here in our Ethical Web Principles finding (this issue), or in a resurrected HTML Design Principles finding (w3ctag/design-reviews#426).

Consider the relationship between rights and responsibilities

This is a wonderful draft and a great contribution to the open web.

One thing that seems missing to me, and worth considering, is a discussion of responsibilities. Rights only function in society because of corresponding responsibilities, responsibilities that are necessary but commonly taken for granted. For example, the right to physical safety is widely acknowledged, but meaningless unless individuals embrace a responsibility to respect the physical safety of others. In the physical world, privacy rights are common, but not absolute, and can be lost in the interest of public safety, for example via search warrants or incarceration.

It is a well established notion in moral philosophy that rights must be matched with responsibilities. If there is support from the editors I would be interested in exploring how this draft might be extended to consider responsibilities.

[Editorial] Number principles so they can be individually referenced

Currently all principles are in the same section, in an unnumbered list. This makes it harder to refer to individual principles (E.g. "This violates Ethical Web Principle 5.6") and makes the table of contents less useful as an outline of the document.

I propose numbering them and perhaps breaking them into sections, just like the Web Platform Principles are numbered and structured into separate sections, so they can be individually referenced. This would also make it easier to expand on them in the future, add examples etc.

is it a mission statement?

The use of "we" brings to mind - is this a mission statement rather than (or in addition to) a set of ethical principles - and if so can we be more specific about who the "we" is.

Not using principles in isolation

The intro notes what to do if principles appear to be in tension with each other, but this is subtly different from not looking at any one principle in isolation. It does also say "that collectively support a web that is beneficial for society" but perhaps we can emphasise this to encourage considering the principles holistically rather than individually?

This also speaks to the problem of "weaponizing" a single principle against a particular technology, without considering how the other principles are also relevant.

Relevant work links?

Should we have links to relevant work listed after each principle or in an appendix to reinforce the point that each one of the principles is backed up by technical work going on somewhere... e.g. credible web, privacy & security, WAI, I18N, etc...

Should this document also consider data on the web?

The document asserts that the architecture of the web is browser based, yet there are many other classes of user agent and many other documents not intended for browsers that are published on the web. These web resources also generate ethical considerations, including many which are already covered.

The document acknowledges that ...

there are a raft of other technologies, standards, languages and APIs that come together to form the "web platform."

But then only discusses browser user agents:

The architecture of the browser-based web is built from a user agent, the browser, [...]

The first principle is

There is one web.

Yet this document divides the one international web into two classes -- the web of HTML documents for browsers, and ... the web of data that isn't discussed.

Another principle reinforces this divide:

The web is multi-browser, multi-OS and multi-device.

Saying Multi-browser is not the same as saying multi-agent. There are many non-browser agents or clients that consume data published on the web.

Thank you for your consideration of the issue!

The role of the user agent, to serve the user first

We should spell out that the user agent's function is to serve the user, rather than other constituencies.

We could do this by invoking the priority of constituencies?

As discussed in meeting minutes, it seems like it makes sense to put this under The web must enhance individuals' control and power.

To note: There is also a relevant bit under People should be able to render web content as they want: "We will build platforms and write specs that respect the user's authority, and will create user agents to represent those preferences on the user's behalf."

Find a voice

The web should empower an equitable, informed and interconnected society. It has been, and should continue to be, designed to enable communication and knowledge-sharing for everyone. In order for the web to continue to be beneficial to society, we need to include ethical thinking when we build web technologies, applications, and sites.

These are all just assertions; who is saying it? Why aren't you identifying yourselves? I think this is more powerful / believable:

As stewards of the Web's architecture, the TAG believes the web should empower an equitable, informed and interconnected society. It has been, and should continue to be, designed to enable communication and knowledge-sharing for everyone. In order for the web to continue to be beneficial to society, the W3C community needs to include ethical thinking when we build web technologies, applications, and sites.

If this goes to W3C statement, it can be modified appropriately.

Translation

I would like to contribute with pt-br and es-co translations of this draft. What is the proper way of doing it and proposing it as official?

Thanks.

Consider adding a new principle about providing undiscriminating economic opportunity

The web offers incredible economic opportunities, and while a number of the ethical web principles acknowledge the value of empowering individuals or providing equal opportunity, the economic opportunities enabled by the web are barely mentioned in EWP.

I'd be happy to help suggest text once we have agreement that (a) this is worth pursuing and (b) on the direction such a principle would take.

Grammatical consistency of principles

Some principles are "should", some are "must" and some simply "are". Can we make them consistent? I propose aligning on "are" (as aspirational, rather than currently true) but don't have strong feelings. ie:

  • There is one web
  • The web does not cause harm to society
  • The web supports healthy community and debate
  • The web is for all people
  • The web is secure and respects peoples' privacy
  • The web enables freedom of expression
  • The web makes it possible for people to verify the information they see
  • The web enhances individuals' control and power
  • The web is an environmentally sustainable platform
  • The web is transparent
  • The web is multi-browser, multi-OS and multi-device
  • People can render web content as they want

"Web Openness" / "View-source ability" as part of the Design Reviews

One of the ethical web principles is that the web should be "view source" able. This ought to be a criterion for design reviews.

i.e. if a new spec moves logic from the client to the server (e.g. client hints moving "what image should i load" logic from <picture> to client-server interaction), and makes it harder for users and researchers to audit applications, that should be a relevant, strongly-weighing (though possibly (?) not deciding) factor of design reviews.

(apologies if this is the wrong repo for this. Neither of the options in https://github.com/w3ctag/design-reviews/issues/ seemed correct).

Acknowledge that principles can come in conflict with one another

For example transparency ("We will always make sure it is possible to determine how a web application was built and how the code works.") can conflict with reducing the web's environmental footprint (shipping binary data would probably be more efficient), preventing the spread of misinformation may conflict with privacy, enabling users to render their content as they please may conflict with security concerns, etc.

Some principles acknowledge this tension, for example in §2.6 The web must enable freedom of expression: "Our work should not enable state censorship, surveillance or other practices that seek to limit this freedom. This principle must be balanced with respect for other human rights […]".

It would be good to acknowledge this in general, maybe right after the introduction or in conclusion.

Clarify that EWP should also be used when reviewing updates to existing specs

The language of the document focuses on informing the review of new specs, see for example:

The purpose of this document is to inform TAG review of new specifications and to inform other documents such as the Web Platform Design Principles, Self-Review Questionnaire: Security and Privacy or other similar checklists and sets of principles used by specification authors and editors.

#66 makes the point that there's no reason for the principles to not be used while reviewing amendments to existing specs, for example by changing the above paragraph to:

The purpose of this document is to inform TAG review of new specifications and candidate additions to published recommendations and to inform other documents such as the Web Platform Design Principles, Self-Review Questionnaire: Security and Privacy or other similar checklists and sets of principles used by specification authors and editors.

"Minimal change" principle?

I presume that, all else being equal, the minimal change to the web platform should be preferred. It's unclear to me whether this should be called out as a separate principle, or if it follows obviously enough from "for all people" (including people with old user agents) and "multi-browser, multi-OS and multi-device" (given they may have different criteria before adopting changes to the platform).

On the other hand, it conflicts with others, such as "Security and privacy are essential" (as our knowledge about security practices improves over time), so perhaps it's best left implicit.

Consider deprecating the term "user"

Some consider the term "user" in tech to be dehumanising or exploitative. Should we replace "user" in this document with "people"?

Eg. See discussion on this recent thread.

Consider:

  • is this a meaningful language change, or just ethics-washing?
  • is "people" too ambiguous? What is a better alternative?
  • understandability for non-native English speakers?
  • already too entrenched / this would make this document inconsistent with others ("the Internet is for End Users", "user experience", "user-friendly")?

Discuss.

Proposed Ethical Web Principle: Avoid enabling and amplifying dark patterns

The W3C TAG Ethical Web Principles mentions enhancing individual control and power and recognizes a few misbehaviors, yet focuses on decentralization, minimizing single points of failure, and enabling individual & DIY developers. All of that is good, however there is the larger class of “dark pattern” harms to be named and explicitly avoided in specification and technology designs.

The Principles should explicitly note (either adding to or splitting off from “The web must enhance individuals' control and power”) the existence of “dark patterns” in web user interfaces (see WP: Dark pattern and darkpatterns.org for examples), with a statement similar to countering misinformation like:

We will avoid introducing technologies that create new or disproportionately enable, benefit, or amplify existing user interface dark patterns, such as confirmshaming, misdirection, friend spam, permissions pressuring or escalation, threat of data loss etc. We should also avoid new technologies that could be easily abused by existing dark patterns to more easily cause new or worse harms to users. We should design specifications that explicitly plan for and mitigate potential dark pattern abuses.

And cite either or both of those above two references. See also twitter.com/darkpatterns for many more real world web examples.

We obviously won’t be able to prevent all dark patterns and their harms, but we can at least reduce some of them by calling them out, and avoiding new technologies that would increase the chance of users being harmed by existing and new dark patterns.

(Originally published at: https://tantek.com/2020/066/b2/avoid-enabling-amplifying-dark-patterns)

Individual principles ought to be easier to link to

I am sat in a DID WG meeting at TPAC2019. Blockchain is mentioned every few minutes.

It would be good if documents such as https://www.w3.org/2019/09/did-wg-charter.html could link directly to express commitment to the principles listed here: each principle should show up in the (respec?) table of contents, have a nice # URI reference, etc.

At least on mobile, I can't see how I could link directly to "The web must be an environmentally sustainable platform".

Broaden accessibility reference

The current statement about accessibility is very limited: "We must make our websites accessible for people with disabilities." This should be broadened to better reflect what's needed for an accessible web, as well as the breadth of the accessibility work at W3C. People with disabilities not only need accessibility in websites, we need accessibility in any content and apps, in tools that create content, in tools that render content, in how authentication happens, in our specs, in the tools that we use to develop our specs, etc.
Proposed rewording: "We must make our websites, apps, authoring tools, browsers, specs, and development tools accessible for people with disabilities."

Unlock #66

I thought we were on a good track with discussion of a potential rewording of our sustainability issue. Unfortunately this issue has devolved into name calling. I'm calling time out on this discussion, freezing the issue, and putting a temporary ban on certain individuals.

Would it be possible to unlock #66? The overall conversation was productive, in my view, and I'd very much like to be able to respond to points in the issue that I opened. Thanks. 🙏

Offer a framework to handle conflicts between principles

What happens when improving privacy increases your environment footprint or makes controlling the spread of disinformation more difficult?

Which principle should you favor and why?

Is there a priority of principles like there is a priority of constituencies?

Can you make a tradeoff and if so, based on what?

Can the TAG help and if so how do you get their help?

Building on #62, it would be great to have a framework to navigate conflicts between principles, or at least a set of suggestions to do so.

Concerns with quick merge of Issue #72

It was brought to the attention of the Credentials Community Group on March 22, that TAG issue #72 was resolved and merged without allowing sufficient time to be reviewed by the broader community. This is in no way a reflection on the solution, but a request to allow time for the community to give feedback prior to merging. #72

CCG co-chairs request this issue be re-opened in order to accept feedback from the broader community for at least 3 days before being committed.

Thank you cc @mprorock @kwlinson @rxgrant

Decentralization vs federation

The EWP says:

we favor a decentralized web architecture

Subsequent discussion about whether "decentralized" is the right word, or if "federated" might be better. There are lots of nuances and varying definitions of both so it's not immediately obvious which we should use.

Back up each principle with references to previous TAG decisions/experiences

This one came from @danbri.

The TAG's authority or usefulness comes from our experience, our understanding of what works and doesn't work well for the web. This document is drawn from that experience, but it doesn't explicitly reference the experiences or examples that have led us to each of the principles.

Should we find a way to add them in?

(@danbri, please do expand if I haven't done your thoughts justice!)

Protect vs Control

When we add features to the web platform, we are making decisions that may change the ability of people to protect their personal data

protect doesn't capture all aspects; this would be better as 'control'
