englehardt opened 5 years ago
Thanks Steven. The parts you quoted are the goals. The privacy section below describes (but does not yet fully address) the privacy concerns that you've brought up here. We're searching for solutions to these problems and would appreciate any collaboration with Mozillans in the process.
The constraint that a user’s attribute/interest is only revealed when it is part of a sufficiently large set of users (i.e., k-anonymity) helps address the risk of user re-identification. In terms of this proposal, this would mean it is difficult to determine the identity of the user given their FLoC Key.
This is a much different property than the privacy property this proposal claims to provide, i.e., preventing the exposure of information that is “too personal”. How personal a piece of information is does not depend on the number of people that share that attribute. K-anonymity does nothing to help provide this property.
To give a concrete example: more than 30 million Americans (~10% of the population) suffer from diabetes. While we’re very unlikely to re-identify any of those users based solely on the knowledge that they have diabetes, I suspect we can agree that nearly every individual in this group would not want this information used by advertisers.
Similar to the statement above, this is a misapplication of k-anonymity. A limit on the space of possible FLoC values does not provide the guarantee that the browser isn’t exposing “detailed information”. To provide another concrete example: the space of possible sexual preferences of a user is small, but would presumably be considered “detailed” by the majority of those users. The same goes for income level, age range, major health conditions, and so on.
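The distinction drawn in the comments above (k-anonymity limits re-identification but says nothing about how revealing the shared attribute is) can be made concrete with a small simulation. The following is an added example, not code from the FLoC proposal or from anyone in this thread. It constructs a synthetic population in which roughly 10% of users carry a sensitive attribute (the thread's diabetes figure), assigns a hypothetical browsing-profile-based cohort key, and shows that every cohort clears a minimum size of 1000 while one cohort still exposes the attribute with high confidence. The cohort size threshold, the profile clusters and the `passes_disclosure_ceiling` check are assumptions made for the illustration.

```python
"""
Added illustration: a cohort assignment can be k-anonymous (every cohort key
shared by >= k users) and still disclose a sensitive attribute, because the
cohort key is correlated with that attribute. Population, profiles and the
threshold K are constructed for this example.
"""
from collections import Counter, defaultdict
import random

K = 1000                # hypothetical minimum cohort size (assumption)
SENSITIVE = "diabetes"  # sensitive attribute used in the thread's example
HEALTH_CLUSTER = 8      # constructed "health sites" browsing cluster


def build_population(n=100_000, seed=7):
    """Constructed users. ~10% carry the sensitive attribute; most of them
    browse the health cluster, which is the realistic leakage path."""
    rng = random.Random(seed)
    users = []
    for uid in range(n):
        has_attr = rng.random() < 0.10
        if has_attr:
            profile = HEALTH_CLUSTER if rng.random() < 0.90 else rng.randrange(8)
        else:
            profile = HEALTH_CLUSTER if rng.random() < 0.02 else rng.randrange(8)
        users.append({"id": uid, "profile": profile, SENSITIVE: has_attr})
    return users


def assign_cohorts(users):
    """Toy cohort key derived only from the browsing profile (hypothetical)."""
    return {u["id"]: f"cohort-{u['profile']}" for u in users}


def is_k_anonymous(cohorts, k=K):
    """k-anonymity: every cohort key is shared by at least k users."""
    return all(size >= k for size in Counter(cohorts.values()).values())


def base_rate(users, attr=SENSITIVE):
    """Population-wide prevalence of the attribute (what an observer
    knows about a random user with no cohort information)."""
    return sum(u[attr] for u in users) / len(users)


def attribute_disclosure(users, cohorts, attr=SENSITIVE):
    """Per cohort, the fraction of members with the attribute. A value far
    above the base rate means the cohort key itself reveals the attribute."""
    members = defaultdict(list)
    for u in users:
        members[cohorts[u["id"]]].append(u[attr])
    return {c: sum(v) / len(v) for c, v in members.items()}


def max_disclosure(users, cohorts, attr=SENSITIVE):
    """Worst-case attribute confidence an observer gains from any cohort key."""
    return max(attribute_disclosure(users, cohorts, attr).values())


def passes_disclosure_ceiling(users, cohorts, ceiling, attr=SENSITIVE):
    """A check k-anonymity does not give you: reject the assignment if any
    cohort lets an observer infer the attribute above `ceiling` confidence.
    Hypothetical mitigation check, not part of any proposal."""
    return max_disclosure(users, cohorts, attr) <= ceiling


if __name__ == "__main__":
    users = build_population()
    cohorts = assign_cohorts(users)
    print(f"k-anonymous (k={K}):      {is_k_anonymous(cohorts)}")
    print(f"base rate of attribute:   {base_rate(users):.3f}")
    for c, frac in sorted(attribute_disclosure(users, cohorts).items()):
        print(f"  {c}: size={sum(1 for v in cohorts.values() if v == c):6d} "
              f"attr fraction={frac:.3f}")
    print(f"passes 0.5 ceiling:       {passes_disclosure_ceiling(users, cohorts, 0.5)}")
```

Running it, all nine cohorts contain far more than 1000 users, so the k-anonymity check passes, yet the health-cluster cohort is made up overwhelmingly of users with the attribute (about 83% versus a 10% base rate). That is the gap the comment describes: a size threshold on the cohort space bounds who can be singled out, not what the cohort key says about everyone in it, so any evaluation of such a design needs a separate attribute-disclosure bound of the kind `passes_disclosure_ceiling` sketches.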