Bruce: Hello and welcome to episode eight of The F-word. The F-word, of course, stands for frontend: browsers, web standards, the politics and economics of the web, and all things in between. I’m Bruce Lawson, coming to you from Birmingham in the UK. My usual co-host, Vadim Makeev, couldn’t make it today. He’s at some secret palace on the Black Sea installing Internet Explorer on all the computers. So I’m here today with a special guest, James Rosewell.
Bruce: The CMA, which has the monopolies commission or the monopolies investigator in the United Kingdom, which is of course where I live, have announced they’re going to investigate Google. One of the prime movers behind the decision to investigate is an organization called Marketers for an Open Web. So as we occasionally do on The F-word to remove the boredom of listening to me and Vadim all the time, we’ve invited a special guest. And our special guest this episode is a chappy called James Rosewell. Hello, James.
James: Hello, Bruce. Hello, listeners.
Bruce: Now, James is the chair or the chief exec or the head honcho, because I’m not a business tycoon, of Marketers for an Open Web. And in full disclosure here, folks, I’ve been doing some unrelated work for James’s main company, 51Degrees. So in the course of doing that, he’s told me some of the stuff. James, 51Degrees, now, you and I met when I was working for Opera and I was busy thumping the table and saying, “You should never do user agent sniffing.” Which I rather unkindly called browser sniffing. You gave me a beady eye, and straightened your pin stripes and your rolled umbrella, and said, “It’s not browser sniffing it’s device detection.” And you told me some of the use cases which frankly I didn’t know. So device detection, what is it good for?
James: Well, the problem that the time that you are referring to is if you just have a little regular expression that says, does this sequence of characters contain an iPhone, that’s a bit of a problem. And I think that was the issue, I had user agent sniffing, browser sniffing tend to be focused around those sorts of solutions. What we operate as 51Degrees, is a solution that looks at a large volume of user agents and works out what is likely to be the outcome, using machine learning techniques, for a particular input. That’s then used for situations like analytics. So when you see reports that show how many percentage popularity of certain operating systems or browsers or devices or whatever it might be, it’s used in fraud, it’s used in content optimization.
James: Fraud is a very interesting use case. So the diversity of devices that come from a particular IP address range, for example, is a very good indicator of whether it’s a genuine source of good traffic. Mobile network operators’ IP addresses will tend to be associated with a large diversity of devices. Whereas even the most sophisticated hackers tend to emulate a small selection of devices rather than ones that are representative of the entire outside world. I think it generally can be quite misunderstood, but it is useful to lots of businesses, I wouldn’t be here talking to you otherwise. And I think we’ve been shown how it can be used in these particular use cases and used well.
Bruce: I think I hated browser sniffing because at Opera we mostly saw people saying, “Hey, you’re using Opera, so therefore you can’t use this website’s features.” Because they were sniffing for the word Opera. And actually at the time, Opera was based on Chromium and it could very well support those features, but that was, as you say, a crappy regex or some dreadful WordPress plugin. Whereas I believe you have a massive database of all different devices.
James: Yeah, we’ve improved over the years. We have a professional team of people who maintain the database. It’s lovely when people set up and start doing open source, but it needs to be maintained. And when it comes to devices and things like that, they change all the time. So if you use a solution where there’s a guy who’s on holiday or has given up because he’s got another contract and he was only doing it between contracts, then it’s not really an enterprise level solution and it ages very quickly. So you need a solution that can be kept up to date and that’s what we do.
Bruce: Your data is open source, is it?
James: So we’ve tried to operate an open source freemium model. So we can’t do everything for free, we have to pay people, hopefully you will understand that. So we make the software open source and then we make some of the data available for free, we make the cloud service available for free. But if you want certain SLAs or you want certain volumes or you want daily updates of data, for example, or you want to know information about chip sets and codecs supports because you’re a big video platform or something like that, then that’s where the subscription comes in. So we’ve tried to keep our pricing well within the limits of a team coffee budget effectively at one end, if you want to go for the professional product, keep free and for larger organizations also present good value for money for a good SLA.
User Agent freeze
Bruce: Okay, commercial over. So you were telling me that you were unhappy because although 51Degrees doesn’t only do device detection, it has been the bedrock of your business. And our chums at Google have unilaterally decided to freeze the UA string and replace it with something called user agent client hints and that you’re unsatisfied with that as a technical solution. Can you briefly tell us the technical demerits of what Google is proposing?
James: Yes. So at the moment we have a single sequence of characters that whilst it has a lot of history and could be better structured and more uniform, it is what it is. But all the data models, whether that’s log files that use this data simply store a single sequence of characters against a field name called user agent. So any solution that introduces new fields is going to create a challenge for people who wish to use and consume that data. This is widely used, it’s particularly widely used in non-English speaking countries. We’re popular in Indonesia, Southeast Asia generally, South Saharan Africa, where the issues of device diversity are far greater than they are in say Western Europe or North America for example. There’s a lot of developers who are going to be impacted by a change to a data model, and I think we should be more sympathetic to those folks.
James: We then move into the restrictions that are being associated with the data. So there’s no personal data that’s contained in a user agent string or user agent data in any case it’s not directly personal data. But there’s become a focus on things that could represent entropy as far as privacy is concerned, and that creates a discussion. There’s a balance on one hand, you have total privacy, you wouldn’t have an internet. We’d all be like Mission Impossible and Tom Cruise coming down on his wire into the secure computer room. So I think we can accept that that’s not a desirable spectrum where we would want to be at that point. And neither does anyone wish to have complete chaos or any other consideration. But when you start having effectively a dominant market player, which is what Google are, to restrict information from the open web that is used today in use cases like fraud, device optimization, et cetera, then I think that should be concerning for all of us.
James: And I don’t think there’s been a dialogue really around this particular solution. It’s been presented as a fait accompli. There are a number of practical challenges with it. I’ve mentioned the data model one because it’s the easiest to explain in a few minutes on a podcast. But there are other challenges with the implementation and I’d like to see more time being spent on gaining consensus and getting those issues addressed. I certainly don’t deny that there’s an opportunity to refresh what has been done in the past, but we must be mindful of unintended consequences.
Bruce: Is it that, and I presume it’s not only you because you have competitors and there are other people in the field who are similarly concerned, but is it that Google are trying to do this too fast? So not allowing companies that don’t have a massive budget to pivot immediately. But you’re generally happy with what they want to do, you just need more time to implement it or are there technical deficiencies of what they want to do? Is it they are favouring themselves at the detriment to other people? What’s actually the beef that took you to CMA?
James: Well, the CMA route I’ll answer in a minute. Let me answer the question specifically in the context of user agent client hints. Basically the way these things work is unless you know about the W3C and you’ve got a huge amount of time, you tend to just trust that there’s this ephemeral thing that’s out there that looks after your interests and everything’s going to be okay. I would suggest, based on my observation, that very few people really understand what’s happening and what’s changing. I think therefore there is an onus on those that are driving change, particularly when they’re a dominant market player, to ensure that stakeholders are being communicated with. So if we take something that sits outside of the technology sphere but has a huge impact on technology, GDPR introduction, none of us are sitting here following the machinations of the current legal team within the European Commission or any government for that matter.
James: But when they decided what was going on and elected representatives that had their say and enacted it into law, then there was a two-year notice period with a wide publicity program and lots of briefings that were going on and then a grace period after it had gone live before any bad consequences came through. So there was a three to three and a half year period between the change having been agreed and it being rolled out. I think there’s an argument which is, oh, this is the web, we can’t do things like that, it’s doggy as well. It’s not 20 years ago, it’s not 1990s anymore, this is a resource used by over 4.5 billion people supporting trillion dollar industries where individual participants have market capitalizations larger than a trillion. So I think that that whole process for change is ultimately where I ended up coming back to, which is actually how do we go about making these changes? How do we consult stakeholders? How do we ensure that unintended consequences are understood upfront and that dominant market players don’t dictate what’s going on?
James: So if we take this particular change, all the documents have been authored by a limited number of Google employees working on Chromium. It doesn’t really enjoy consensus even within that very elite bubble of those that can actually follow what’s going on. There are a number of challenges we’ve raised with it, I’ve listed some already, just one other is just the availability of the information to what are often called third parties, but resources that are included in webpages from origins that are different to the one that’s shown in the navigation bar. That presents lots of practical challenges when you have companies that are small, that rely on a supply chain of partners in order to compete with larger companies.
James: So if you take something like the feature policies and permission policies, which can be driven not just by users actually setting settings in their browser. I think we can all agree we don’t want more problems where users are asked cryptic questions that they have to somehow agree to without knowing what they’re agreeing to. But where you have things like, well, we’ll decide on this based on how trustworthy the site is. Well, who gets to decide that? And if it’s based on how often someone visits, then if it’s the home page that’s installed as the search engine by default in the browser when it’s installed, then of course, that company is going to get more reputation than a smaller company that’s trying to compete with them that’s visited less often. So we end up with a whole suite of questions that aren’t just about how you lay out bits and bytes or specifications, but how these things are actually used in practice. User agent client hint is a really good example of something that hasn’t been thought through to the standard that I would expect, and there are others that I’m equally concerned about.
Bruce: Quick question before I go on to the main question that you said prompts me. You mentioned a three and a half year grace period with the GDPR. And for listeners outside the EU, including me and James now, that is the EU privacy regulation that requires the annoying level of cookie notices on every webpage you see. But James, so how long is Google giving the industry to make any changes they need to to their device detection?
James: So this was announced formally with a timeline on the 14th of January 2020, so just over a year ago, the entire process was due to complete in September 2020. It’s been delayed, I don’t know how long for, that would be a question for Google. And I think the fact that I can’t answer that as clearly someone who is very interested in this space has a lot of users and customers who would like to know the answer, and I’ve asked Google. I think that shows that something is not functioning well in our industry when we don’t know the answers to those things, when we don’t understand those things. One goes and talks to people who are in this elite bubble who do have the absolute privilege of being paid to work on this stuff. It’s absolutely wonderful. And they’re very clever, intelligent people at the very top of their profession.
James: I do think that there is an onus to think more about those people outside. And I’m sorry if people feel they’re already doing that, I think they need to do a lot better in that communication and setting out those timelines and not just look on a rolling three month basis. We need to look a lot further ahead. The problem is it is very difficult to take a position in a debate that goes counter to that what Google are advancing. The engineers and the people who’ve put it forward are very articulate, they’re very clever. The people who need to come forward and present that argument often don’t feel confident coming forward in these new forums to question and challenge.
James: But more importantly still, do you really want to take a position that seems to be going against what Google are suggesting? Is that good for your career? Is that good for your company? Many of the larger companies actually have a policy that prevent you talking about it. Which is one of the problems with the W3C, by the way, which is well, we’ve all got to come together and we take off our employer badge when we come into the W3C. In reality, for smaller companies, it’s very intimidating, it’s not possible to do that, and many companies have policies that prevent them doing it. I find it incredible at the W3C you have no bank, that’s not because banks don’t use the internet or the web, it’s because they have very strict policies and regulation in their sector about what one can and cannot say in public, they’re heavily regulated.
Bruce: You mentioned that lots of other people feel the same and you are the head honcho, for want of a better word, of Marketers for an Open Web, but who were the other companies involved with that?
James: Well, for the reasons I mentioned earlier, we set it up so that there was a structure of anonymity. So there are a lot of companies that were coming forward at the beginning of last year when I started to get involved in these questions. So whilst interest is 51Degrees is in the changes associated with user agent client hint, it very rapidly became clear to me that there were a whole raft of changes that are being proposed here. So let me give you some other example is web ID, this is about moving the sign in service into the browser. You might say, “Well, that’s nice and sensible. Yeah, it should be in the browser.” But if the browser controls and is the gatekeeper of who gets to sign in and who doesn’t and what a reputable website is, what’s your appeals process if you suddenly end up on the wrong side of that decision?
James: It creates all sorts of issues and challenges that go well beyond engineering, even before we come to the point of addressing the merits or otherwise of the proposal that’s going forward technically. There are a lot of challenges with the broad set of changes that are being proposed at the moment. And in discussion with a lot of other like-minded people, they said what I’ve just said to you, “We’re part of the problem. We have to tell the rest of the world everything’s going to be okay because we’ve got a quarterly shareholder meeting coming up.” Or, “We’ve got an investment round that’s coming up, we can’t say that there’s going to be a problem with this kind of stuff.”
James: So I think that there is an absence of… There’s possibility you say, well, silence is consent. It’s not true at the moment, not just in this problem, but in many other problems that we’re facing on the web. I think until we can recognize that not just as engineers, but as the institutions, whether that’s the W3C or businesses, I mentioned the example of a bank earlier, they’re hamstrung when it comes to influencing these changes, then we’re going to end up making bad decisions which is not good for the future of the open web.
Bruce: Just to be clear, so you’re saying there’s organizations who agree with you and a part of the markets for open web who are scared to be seen to agree with you because they’re scared of Google or other dominant players?
James: Retaliation from Google, yes. That’s absolutely clear. Between us and Marketers for an Open Web, at the moment we have over 10,000 employees, over 4 billion in annual revenues. This is not an insignificant group of companies and many of the companies that support Marketers for an Open Web are household names.
Bruce: Isn’t this what the W3C is for?
James: You would have thought. I’ve been disappointed by the W3C, I think the environment has been conditioned at the W3C over what would seem to be many years to take a particular view on issues like privacy. For example, it seems like one’s a heretic if one’s going to take a counter view. So as an example related to many of these changes, there’s an assumption that supply chains cannot be trusted. So your choices brucelawson.co.uk, your website you’re running that website. Well, you can choose which suppliers you use to help you deliver that, whether that’s your hosting platform or the analytics product that you use or the solution that you use to help prevent fraud because you don’t want hosting adverts, which you’re asking Unilever to pay for which aren’t being served to human beings. These are all legitimate use cases that fundamentally affect the economics of the web, but there’s absolutely no willingness to entertain supply chains can be trusted they’re trusted all the time.
James: If you like organic, you can buy an organic cake. And you’re trusting the provider of the organic cake that they’ve used organic flour and organic eggs and all those other things. And there’s a, certainly in many countries, there’s the organic organizations that check and validate those supply chains. Why is the internet any different? It seems to be that the browsers have taken a very paternalistic view that says, oh, it’s our job to protect everyone. And that’s become doctrine at the W3C to the point where you present a logical counter-argument, as I hope I’ve just done briefly, that I can support with lots and lots of facts. I’ve presented it to the Competition and Markets Authority, a credible regulator, and they’ve accepted those facts to the point where they are now conducting an investigation into Google Privacy Sandbox, which may involve an interim injunction to prevent these changes being made incidentally, we will see time. But that doesn’t seem to hold any weight at the W3C. I am seen as a heretic for raising these possibilities and asking these questions. And I find that deeply troubling again, I don’t think that’s a healthy situation.
James: What I’ve described as an environment at the W3C, a way of thinking effectively, the process that the W3C have is very interesting, a process that’s evolved over time. But guess what? It doesn’t apply to any of these changes because these changes are being done in a community group called WICG, none of these processes apply. There’s no need for consensus, there’s no requirement to get a technical standard. So when Google say, “Oh, all these discussions are taking place at the W3C.” Or any organization says they’re taking place at the W3C, it infers legitimacy that isn’t true. These proposals that we’re talking about almost exclusively have been authored entirely by Google employees, they don’t enjoy consensus, there’s no requirement for consensus. And as a dominant market player to go off and act unilaterally, as appears to be the case, is attracting the attention of regulators rightly so. Let’s hope the regulators will move quickly enough to prevent irreparable harm being done.
A right to reply
Bruce: I just want to say that when Vadim and I invited you on, James, because as you probably can tell by now Vadim and I are basically the Illuminati of the web and we know everybody. It just so happens we’re really good friends with a guy at Google who now has Privacy Sandbox in his Twitter bio. So we’re going to invite him on in a future edition for the right to reply. It is entirely possible because this is sub judice, under the courts, but it is part of an ongoing now regulatory investigation that Google will not allow somebody to speak publicly about it, which would be entirely legit.
Bruce: But we are going to invite them to reply if they wish to in the future because Vadim and I we care about the health of the web. And I think we both acknowledge that given that we’ve had a really nice career, that’s taken us through many years of having fun. Everybody in different industries has that right. It’s not all browser loveliness and web standards as many traditional industries who need more representation on the web. Last question because I know you have to go James. At the moment listeners, James is sitting on the 39th floor of his penthouse apartment, literally surrounded by piles of money and cocaine. You move in a world that we don’t. I joke—it’s not cocaine, it’s something far better.
James: I’ll think of your words as I get on my bike to cycle home.
Bruce: I don’t know much about regulators and the CMA, et cetera. So what happened is you as Marketers for an Open Web, went to the CMA and said, we think we’ve got a problem? And what happens now? Where does it go? What’s the process? And what do you personally hope will be the end result?
James: Just coming back to your point about inviting Google, I think that’s very, very important. I’m going to be very interested to hear what someone from the engineering side has to say as opposed to from the business side. And I hope they will be able to make some comment. Coming back to the CMA, well, we didn’t wake the regulator up to the fact that there was a problem in the market. The Competition and Markets Authority conducted an investigation that lasted for a year, approximately 25 people were working on it. It concluded on the 2nd of July, 2020, it involved consultation with many participants in the market including 83 respondents to the interim report that came out in January, 2020. They concluded there was a significant problem in the digital market. So significant that new legislation is required in order to set up something called the Digital Markets Unit to regulate in the digital market.
James: They also concluded, as I’ve just explained, that there is an imbalance between competition and privacy concerns and that these aspects of legislation need to be more closely aligned. There is now legislation going to parliament in order to enact the Digital Markets Unit. What Marketers for an Open Web wish to see is that the elected representatives get to make the decision before the harm is done by genuine billionaires, rather than fake ones like you’ve just suggested I am, rather than billionaires in Silicon Valley, making these unilateral decisions inflicting harm on the industry before elected parliamentarians get to have their say.
James: This isn’t just something that’s unique to the United Kingdom, this is happening in Europe, I’ve seen moves from Germany this week, the Department of Justice in the United States is also seeking to take action, Texas and 11 other states have also come together to take action as well. And Australia have been in the news today as well similarly in relation to Google. So this isn’t an isolated incident, this is something that appears to be gaining a lot of momentum globally. I think that’s absolutely right, we can’t have a return to the robber barons of two centuries ago.
Bruce: Thank you for sharing your thoughts. I can see your chauffeur’s turned up in your vintage Rolls-Royce so just he’s sitting there in a very drab looking office somewhere in the outskirts of London. But thank you for sharing your thoughts, James. Hopefully somebody from Google will come and tell us why you’re completely wrong and they’re saving the web for all of us.
James: I hope they’ll come and talk. I hope they won’t dismiss the points that I’ve made. They may not agree with them entirely, but I do think there’s a need for greater engagement, greater dialogue, and recognizing that just because something is agreed or otherwise in a group of effectively 15 people, that doesn’t mean that it’s the right thing to do for the rest of the web, particularly when they’re running unintended consequences in disciplines such as economics, for example, that can materially alter the future of the web. If a problem is just seen from a perspective of code, I think it’s not necessarily fully considered.
Bruce: I’m reminded of Martin Nottingham’s declaration on behalf of IETF that says engineering decisions are not taken in isolation, they are part of a broader global system and need to be considered thus, which I thought was remarkably new for an internet organization and yet exactly the same as Bertolt Brecht had Galileo saying in his play immediately after the Oppenheimer Project in ’46. But history doesn’t repeat itself but often it rhymes, they say.
James: Well, on that, thank you very much. It’s been a pleasure talking with you today.
Bruce: Cheers, James. And that concludes episode 8 of The F-word. Thank you very much for listening. All the links etc. will be in the show notes, and I promise you that in episode 9, Vadim Makeev will be back, even more glorious than normal. So, until then, see ya!