Contract for the Web

The Web was designed to bring people together and make knowledge freely available. It has changed the world for good and improved the lives of billions. Yet, many people are still unable to access its benefits and, for others, the Web comes with too many unacceptable costs.

Everyone has a role to play in safeguarding the future of the Web. The Contract for the Web was created by representatives from over 80 organizations, representing governments, companies and civil society, and sets out commitments to guide digital policy agendas. To achieve the Contract’s goals, governments, companies, civil society and individuals must commit to sustained policy development, advocacy, and implementation of the Contract text.

This is part of my “maiki reads up on what folks are doing to the web” kick lately. See The Mozilla Manifesto - #4 by maiki for more fun.

This is broken into 9 principles, here’s a great rundown, from Contract for the Web - Wikipedia

Contract for the web indicates principles 1 to 3 are for governments, 4 to 6 are for companies, and 7 to 9 are for citizens:[6]

  1. “Ensure everyone can connect to the internet”.[6]
  2. “Keep all of the internet available, all of the time”.[6]
  3. “Respect and protect people’s fundamental online privacy and data rights”.[6]
  4. “Make the internet affordable and accessible to everyone”.[6]
  5. “Respect and protect people’s privacy and personal data to build online trust”.[6]
  6. “Develop technologies that support the best in humanity and challenge the worst”.[6]
  7. “Be creators and collaborators on the Web”.[6]
  8. “Build strong communities that respect civil discourse and human dignity”.[6]
  9. “Fight for the Web”.[6]

On the document’s website they provide details for each principle, so we’ll be reading those over the next few weeks.

Now… about this website…

The website for the Contract for the Web has this lovely message popup on visiting:

Screenshot_2020-09-02 Contract for the Web

We have placed cookies on your device to help make this website better. You can use this tool to change your cookie settings. Otherwise, we’ll assume you’re OK to continue.

The options are:

  1. Accept Recommended Settings
  2. Change your Settings

We’re gonna check what the World Wide Web Foundation thinks is acceptable settings in a moment, but first I wanted to point out this is a bullshit anti-pattern.

No one feels good about this action against the user, where they clicked on a link and now have some kind of business transaction with you. Bull. Shit. Anti. Pattern.

The settings box is actually very short compared to every other I’ve seen. Here’s a screenshot that almost, but not quite gets the whole modal text:

Screenshot_2020-09-02 Principle 1 - Ensure everyone can connect to the internet - Contract for the Web

It says:

We have placed cookies on your device to help make this website better. You can use this tool to change your cookie settings. Otherwise, we’ll assume you’re OK to continue.

Strictly Necessary

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site may not work then.

Analytics

On Off

These cookies allow us to count visits and traffic sources, so we can measure and improve the performance of our site. They help us know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies, we will not know when you have visited our site.

And Analytics defaults to “off”.

:face_with_raised_eyebrow:

This is like inception-level bullshit. Who the fuck opts in to analytics? Why is this an option?

Wait… wait, I’m gonna go look at…

Do these! Build online trust by not asking questions when you don’t need to, and stop co-opting design anti-patterns used by companies that sell user data. Support a user’s cognitive right to receive information, challenge the impulse to enter into a transaction.

Also, all your assets load from a third-party staging URL. :pfft:

:roll_eyes:

Really looking forward to seeing what this group has put together…

Principle 1

Ensure everyone can connect to the internet

So that anyone, no matter who they are or where they live, can participate actively online

Okay, I agree. Of course, this is for governments, which is composed of people, so it’s good to keep in mind.

But there’s more! They have specific plans!

And they are kinda involved, so I’m gonna spend more time for each one, starting with:

  1. By setting and tracking ambitious policy goals
    • 1GB of mobile data costs no more than 2% of average monthly income by 2025.
    • Access to broadband internet is available for at least 90% of citizens by 2030, and the gap towards that target is halved by 2025.
    • At least 70% of youth over 10 years old and adults have Information and Communication Technology (ICT) skills by 2025.

Okay… so many questions! I want to know how “ambitious” these goals are. Gonna try to figure out what the current numbers are…

Continuing Principle 1:

  1. By designing robust policy-frameworks and transparent enforcement institutions to achieve such goals, through
  • Fiscal and investment policies that stimulate investment in-and adoption of- connectivity solutions.
  • Passive infrastructure sharing (towers, ducts on roads/rail/power lines), dig-once regulations and non-discriminatory and efficient management of radio spectrum to facilitate access to-and sharing of-spectrum for broadband connectivity.
  • Open access rules on wholesale infrastructure in non-competitive areas, and access to license-exempt spectrum.
  • Institutions with capacity to ensure compliance with laws and regulations designed to foster Internet adoption.

Have I mentioned I can’t find an affordable phone line? We are always tracking hardware manufacturers, trying to find to most free hardware possible, but the enumerated list, that’s the soil for connectivity.

Fortunately, there are a lot of folks working on this from every angle. I need to find them.

I know of:

  • People’s Network, creating a mesh network
  • OakWifi, City of Oakland making Downtown and International Blvd. online
  • A few “local” ISPs (Sonic.net, Monkey Brains, etc.)

I need to find other orgs moving in Layers 8-10.

Who should I be aware of? :slight_smile:

Continuing Principle 1:

  1. By ensuring systematically excluded populations have effective paths towards meaningful internet access
  • Implementing national broadband policies with specific actions designed to target systematically excluded populations.
  • Developing policies and providing funds for broadband strategies, including universal access and services definition, with effective technology neutral financing mechanisms for network development in unserved and underserved areas.
  • Supporting the local production of content and applications, and the development of the necessary infrastructure and enabling environment for accelerating the growth of local digital businesses.
  • Designing policies to increase internet access and digital literacy of women and other systematically excluded groups.

California feels large enough to operate as a “national level”. I’ll apply the points to that levels of geography + jurisdiction.

Broadband policies

  • What does rolling out broadband look like, in terms of process? Who does it, who pays for it? I feel without knowing the process I won’t be able to assess the political talking points.
  • What broadband policies or efforts are active right now in California? The Bay Area? Oakland?
  • How are those policies or efforts affecting progressive change for excluded populations?
  • Developing policies and providing funds for broadband strategies, including universal access and services definition, with effective technology neutral financing mechanisms for network development in unserved and underserved areas.

There’s a lot going on in that sentence, and I think it is covered in the other points, except for the “technology neutral financing mechanisms” portion, which I guess I just have a question about what that means.

Local Production

  • What are “content and applications” and “digital businesses”? I live in the Bay Area, so our local digital businesses shove their content and apps down the throat of everyone on Earth. And yet, we still have poor folks, we still have unequal network access…
  • What does this look like for your place of living?

Increase access and literacy

  • I’m all for it, how may I help in California? The Bay Area? Oakland?

Principle 2

Keep all of the internet available, all of the time

So that no one is denied their right to full internet access

Whoo, that’s gonna cause some feathers to ruffle!

  1. By establishing legal and regulatory frameworks to minimize government-triggered internet disruptions, and ensure any interference is only done in ways consistent with human rights law
  • Engaging in national and international multi-stakeholder dialogues and mechanisms to ensure the maintenance of uninterrupted internet connections and promoting a Web that is not restricted by public policy at borders.
  • Engaging in transparent and documented coordination with private sector actors to ensure that any attempts to restrict access to the internet are necessary and rely on means that are proportionate to achieving a legitimate end, while minimizing the unintended side-effects of legitimate actions on third parties.
  • Researching and documenting the cost of service interruptions to the national economy, business and users.

That last point is fascinating! We should understand also the cost of delaying infrastructure.

But I wonder: is this section relevant to my personal experience in California? I can think of the “Domain Awareness” thing Oakland PD was developing, but I’m not sure my governments have the ability to “disrupt” the internet.

:thinking:

1,000 years ago folks used a website to “trade votes” between states to get third party candidates more votes, and a Judge turned off the domains (I expect it redirected them somehow) used to coordinate that activity. I’d say that counts.

Are there current internet disruptions caused by an American government?

Principle 2, Section 2:

  1. By creating capacity to ensure demands to remove illegal content are done in ways that are consistent with human rights law

Whenever someone says “illegal” my ears perk up. This addresses an existing, ubiquitous issue: how do we decide how to communicate? I consider very little to be problematic, others believe a lot should not be allowed… it’s a pickle. Let’s look at each point.

  • Passing appropriate national laws and regulations to ensure the effective enforcement of established international treaty rights on the human rights to freedom of expression, of peaceful association and assembly, and the freedom to access information as applied to online speech, behavior, and online information.

Are there establish “appropriate national laws and regulations” anywhere in the world? To know, we need to understand more about which treaties inform nations.

I normally only hear about legislation when it has gone off the rails, so I don’t have knowledge in this area.

  • Funding research and engaging in multi stakeholder forums aimed at developing future regulation on moderation dispute resolution mechanisms and content take-down, including with the aim of limiting the impacts of misinformation and disinformation, to ensure these are aligned with human rights standards.

It is hard to compromise (“multi stakeholder”) when surveillance capitalists are invited to the table. One way to adjust the system is to dis-incentivize misinformation by making it unprofitable to spread it…

  • Developing mechanisms to ensure all government content take-down requests are grounded in law, properly documented, comply with human rights standards of legality, necessity and proportionality, include proper notification to the poster and potential audience, and are subject to appeal and judicial review.

This very much applies to the US, and California.

The Court in question denied a temporary restraining order against California Secretary of State, Bill Jones. Jones had previously threatened legal action, causing the sites to shut down.

In 2000, many of the vote pairing web sites were hosted in California, and so when the California Secretary of State, Bill Jones, charged that the web sites were illegal and threatened their creators with criminal prosecution, some (but not all) of the sites reluctantly shut down. The American Civil Liberties Union (ACLU) got involved to protect the web sites, seeking a restraining order against Jones and then a permanent injunction against him, alleging that he had violated the constitutional rights of the web site creators. However, the issue would only be resolved after the 2000 election had already occurred. The media at the time gave little coverage to vote pairing, except for how it was being charged as illegal.

Vote pairing - Wikipedia

ACLU’s account: ACLU Disappointed With Court Decision Regarding CA Shutdown of Voteswap 2000 | American Civil Liberties Union

Aside from financially supporting ACLU, EFF, and other similar orgs, what can we do to ensure the government properly conducts it’s business?

  • Developing mechanisms to ensure meaningful transparency for political advertising.

What is “meaningful transparency for political advertising”? I mean, I kinda get it, but are there examples? Even hypothetical?

Well, these government principles really raise more questions for me, but then again, I’m not an elected official, so maybe that’s okay?

Principle 2, Section 3:

  1. By promoting openness and competition in both internet access and content layers
  • Supporting or establishing independent agencies with oversight, rule-making, and enforcement capacity to ensure internet access providers do not unreasonably discriminate against content, platforms, services, devices or users.
  • Supporting effective enforcement of competition law at all layers of the network, including through the promotion of interoperability and open standards, as a means to ensure small actors and innovators have a fair chance to develop and successfully deploy content, new online businesses and new technologies.
  • Funding research to determine the degree and character of competition and/or consolidation online, and its impact.

The first thing that comes to mind when I read this is: who is going to head the US FCC next year.

But the FCC is lacking in vision to deal with competition and the “content layer”. Are there government agencies actively grappling with these issues?

Principle 3

Respect and protect people’s fundamental online privacy and data rights

So everyone can use the internet freely, safely, and without fear

  1. By establishing and enforcing comprehensive data protection and rights frameworks
    – to protect people’s fundamental right to privacy in both public and private sectors, underpinned by the rule of law. These frameworks should be applicable to all personal data — provided by the user, observed or inferred — and include:
  • An appropriate legal basis for data processing. Where the legal basis is consent, it must be meaningful, freely given, informed, specific, and unambiguous.
  • The right of access to personal data, including to obtain a copy of all personal data undergoing processing by an entity, so long as such access does not adversely affect the rights and freedoms of other users.
  • The right to object or withdraw from processing of personal data, including automated decision making and individual profiling, subject to explicit limits defined by law.
  • The right to rectification of inaccurate personal data, and erasure of personal data, when not against the right of freedom of expression and information or other narrow limits defined by law.
  • The right to data portability, applicable to the personal data provided by the user, either directly or collected through observing the users’ interaction with the service or device.
  • The right to redress through independent complaints mechanisms against public and private bodies that fail to respect people’s privacy and data rights.

The two I know of:

I don’t believe either of them address a “right to data portability”, what is that exactly? Does it include everything from phone numbers to social graphs?

Are there other legal data protection and privacy frameworks (active, drafted, or discarded)?

Principle 3, Section 2:

  1. By requiring that government demands for access to private communications and data are necessary and proportionate to the aim pursued,
    – lawful and subject to due process, comply with international human rights norms, and do not require service providers or data processors to weaken or undermine the security of their products and services. Particularly, such demands should always be:
  • Made under clearly defined laws subject to a competent and independent judicial authority that includes fair avenues for redress.
  • Restricted to those cases where there is a legitimate public interest defined in law.
  • Time-bounded, and not unduly restricted from disclosure to affected individuals and the public.

Hey, is/did the US government build a datacenter in the desert to capture all communications and store it for later creeping? Or was something Tony Stark and Nick Fury dreamed up? Oh MCU, always being hyperreal and distracting me from real dangers!

Is the US NSA a threat to international human rights norms?

Principle 3, Section 3:

  1. By supporting and monitoring privacy and online data rights
    – in their jurisdictions, particularly:
  • Minimizing their own data collection to what is adequate, relevant, and necessary to achieve a clearly specified public interest.
  • Requiring providers of public services and private actors to comply with existing relevant legislation and supporting strong enforcement —including administrative penalties— by independent, skilled, empowered, and well-resourced dedicated regulators.
  • Mandating public registers to promote transparency of data sharing and/or purchase agreements in public and private sectors for profiling purposes, as well as for significant data breaches that are of public interest, to make users aware of when and how their data could be exposed.
  • Requiring regular data security and privacy impact assessments, providing independent and transparent oversight of the assessments and independent audits for public and private sectors, and enforcing when appropriate.

The reason this is an important concept is because most folks have no idea how privacy data works, and will ask for things they think make sense, in part because it appears to be the standard.

I know this because I build websites for city governments in California and nearly every project has at least one “ask” that violates user privacy… and for no apparent reason. As in: they have no goal in mind, they just think they need some info on users, while having no plan to utilize it.

Just storing it, for data leaks, I suppose.

What is a “public register”?

Principle 4 (for companies):

Make the internet affordable and accessible to everyone

So that no one is excluded from using and shaping the Web

Section 1:

  1. By crafting policies that address the needs of systematically excluded groups

    • Designing gender responsive and inclusive data plans targeting women and other systematically excluded groups.
    • Supporting the development of community networks, particularly in unserved and underserved areas.
    • Ensuring user interfaces and customer service are effective, and offered in languages and mediums that are accessible to minorities and people with disabilities, including by respecting universal acceptance principles.

Can I just say: I love the term “gender responsive”. Not for any practical reason, just that it makes me think neat, and I enjoy that. :slight_smile:

Principles for companies start applying more to my personally, and especially in the work I’ve been doing building platforms for city governments seeking engagement from their constituencies. In California that means recognizing marginalized communities, and working with partners that have a clue to inform us how we can build useful tools.

In practice it means building resources that are easy to consume for a variety of devices (whereas most city depts. reach for video-laden map iframes, leaving many folks out of the discussion). Also, language is important, vitally so, but not just multilingual messaging support (itself very important, and a space for opportunity, as the current options are quite slim for content translation and publishing): folks need to train on how to communicate their work to others cognitively (and then across languages… :grimacing:).

:thinking:

I wonder if there are resources teaching developers how to approach their work with these points in mind…

Principle 4, Section 2:

  1. By working towards an ever-increasing quality of service
  • Documenting and publishing their investments and best efforts approach towards ensuring the speed, reliability and performance of their networks.
  • Adopting network neutrality guidelines that ensure citizens enjoy an open, unrestricted and non-discriminatory Internet experience through which they can be not only consumers, but creators and innovators.
  • Making progress towards symmetric upload/download speeds to facilitate the work of online creators and the use of interactive applications.

I feel these are primarily aimed towards ISP and infrastructure companies. Of the various rating and/or informative directories for ISPs, are these criteria being tracked?

Which is super important, I just don’t have much to add or comment on, aside from: is anyone tracking this? :slight_smile:

Principle 4, Section 3:

  1. By ensuring full use of the internet by all, through a close coordination with Government and Civil Society towards
  • Crafting corporate policies that minimize access barriers created by differences in language, location, age and ability.
  • Ensuring that applications and services are designed with potentially excluded groups.
  • Designing gender inclusive strategies to increase internet access and digital literacy by women and other systematically excluded groups.

Well, all good ideas. I advocate each of those points, but I’m mostly working for:

  1. Governments, or
  2. Orgs with limited resources.

I point it out, because when creating solutions for large groups (such as an “industry”, such as for targeting a product), companies do not take those points into consideration with the weight they deserve, and because most orgs don’t have their own tool-making teams, they deal with what’s “on the shelf”.

That means there is an opportunity, as well as an obligation, to fulfill that function for orgs to operate ethically and inclusively.

Principle 5

Respect and protect people’s privacy and personal data to build online trust

So people are in control of their lives online, empowered with clear and meaningful choices around their data and privacy

  1. By giving people control over their privacy and data rights, with clear and meaningful choices to control processes involving their privacy and data, including:
  • Providing clear explanations of processes affecting users’ data and privacy and their purpose.
  • Providing control panels where users can manage their data and privacy options in a quick and easily accessible place for each user account.
  • Providing personal data portability, through machine-readable and reusable formats, and interoperable standards — affecting personal data provided by the user, either directly or collected through observing the users’ interaction with the service or device.

I’m on board with this, and these points are actually really interesting criteria to track for companies, services, and software. For instance, I’ve never used it but understand WordPress has a GDPR function allowing users to delete their info; understanding how these types of features differ and are used would be useful to making decisions on which to use.

Principle 5, Section 2

  1. By supporting corporate accountability and robust privacy and data protection by design,
    – carrying out regular and pro-active data processing impact assessments that are made available to regulators which hold companies accountable for review and scrutiny, to understand how their products and services could better support users’ privacy and data rights, and:
  • Minimizing data collection to what is adequate, relevant, and necessary in relation to the specified, explicit and legitimate purposes for which the data is processed, and limiting further processing of the data to what is compatible with those purposes.
  • Supporting independent research on how user interfaces and design patterns ⁠—including processes for obtaining consent and other relevant user controls⁠— influence privacy outcomes, and ensuring those follow good privacy practices.
  • Enabling controls over how personal data is collected and used ⁠—including third-party and persistent tracking⁠— that could be reviewed and adjusted at the user’s convenience, and making those easy to locate and use.
  • Developing and adopting technologies that increase the privacy and security of users’ data and communications.

Okay, this could basically be a marketing document for me. I do each of these points, as a practice.

And it’s hard, so I need to document it more, link to it, explain it in more and more detail to make it the practice.

At https://www.movesanjose.org we survey residents of San Jose, with an extraordinary lack of Personal Identifiable Information. I designed our form submissions in such a way so that even though we ask for “demographics” information and can breakdown a survey by demo, we can’t know who those people are, not even an IP address.

BTW, since launching last year, folks have answered over 43,000 questions! Stakeholders have an abundance of information, we have residents signed up for email newsletters by effort, and we can’t trace anyone’s activity and neither can a third party.

This is part of the reason I’m cultivating a new project to build sites transparently, to demonstrate what is happening at each step, so future developers understand their options, not just the off-the-shelf tech handed to them by technology companies and their company followers.

  1. By making privacy and data rights equally available to everyone,
    – giving users options to access online content and use online services that protect their privacy, and:
  • Providing dedicated and readily available mechanisms for individuals to report adverse privacy and data protection impacts directly linked to the company’s operations, products or services — which the company should address and mitigate as required by law.
  • Promoting innovative business models that strengthen data rights, respect privacy, and minimize data collection practices.
  • Providing clear and understandable privacy policies and consent forms, where the types of personal data processed are listed, and the purposes of data collection and use are explained.
  • Clearly and effectively communicating any updates and changes regarding privacy policies, as well as changes to products and services where the impact on individuals’ privacy rights is not in line with the privacy policies in place.

I provide privacy policies as a service, but fail to identify it. Years ago, I just began hiding privacy practices, and configured systems to record as little as possible. Now the pendulum is swinging back, and I can actually, ugh, advertise that about me. :roll_eyes:

Practical next steps though: identifying the key privacy and data takeaways from various web projects I’ve built…