WICG / floc

This proposal has been replaced by the Topics API.
https://github.com/patcg-individual-drafts/topics

PING Privacy Review: The use case being a privacy harm in itself #76

Open kdeqc opened 3 years ago

kdeqc commented 3 years ago

This is the one that Pete and I agreed to disagree a bit on. My take is that if a user isn't specifically identifiable, then I'm good with it and I think this can benefit users. The example I gave Pete was that if I go into a book store and buy a book, I'm OK with that purchase data being used to compile a "best sellers" list. I'd find the list itself useful because it could point me towards other things I might like. What I'd object to is if the best sellers list said "Kris Chapman" bought this book.

@pes10k: I'll let you add his countering point-of-view here so I don't end up misrepresenting your view, though.

I think we also share a joint concern here about timing, and how that might impact someone being able to actually be individually identified, too.

pes10k commented 3 years ago

Just to follow up on @kdeqc 's invitation :)

The concern here is

1) Users are often identifiable otherwise (FLoC would be, for example, right now telling GitHub about my previous browsing behavior, which is just plainly telling GitHub Peter Snyder likes X Y Z kinds of things). This seems like an unmistakable privacy harm.

2) It's also telling the same information to every third party on the site. So, for example, I have a Walgreens account. FLoC is telling Walgreens things Walgreens has no business knowing about my prior browsing behavior (plain privacy harm), but even worse, it's also revealing to all the following parties that Pete Snyder likes X Y Z:

3) Even if a site doesn't know about me as Peter Snyder, the feature is designed to tell a site (and all the third parties executing script on the site) information about me (whether that's a pseudonymous me, a pseudonymous me that might become an account later, or a pseudonymous me that's linkable to my identity through some other means). All three of those are sharing information about me (whether or not the other party knows who I am) that they otherwise wouldn't have, that I didn't decide to share with them, and that is likely unrelated to why I wanted to interact with the site.
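
An added example, not code from the WICG/floc repository or from anyone in this thread, to make the mechanism in points 2 and 3 (and the timing concern raised earlier) concrete. The cohort exposed by `document.interestCohort()` is readable by every script on the page, so the first party can record it against the visitor's login and an embedded third party can record it against its own cookie, and neither needs the other. The second half goes slightly beyond the comment: it shows why "which cohort this week" is weaker cover than it looks once the same observer sees the cohort week after week. Everything here is constructed: the accounts, cookie ids, cohort numbers and weekly population are made up, and the mock `makeDocument` only reproduces the shape of the FLoC result object (`{ id, version }`), returning it synchronously where the real API returns a Promise.

```javascript
// Added example, not code from the WICG/floc repository or from this thread.
// Simulates document.interestCohort() being read by a first-party script and
// by an embedded third-party script on the same page visit, and how the
// cohort series each of them accumulates narrows the visitor down over time.

// Mock of the FLoC API result shape ({ id, version }). The real call returns a
// Promise; the mock returns the object directly so the example runs without an
// async harness. The version string is a placeholder.
function makeDocument(cohortId) {
  return { interestCohort: () => ({ id: String(cohortId), version: "mock.1" }) };
}

// One observer. A first party keys by login, a third party by the identifier it
// already holds (its cookie); the cohort series each builds is the same.
class CohortLog {
  constructor(name) {
    this.name = name;
    this.byIdentity = new Map(); // identity -> [cohort in week 0, week 1, ...]
  }
  observe(identity, doc, week) {
    const { id } = doc.interestCohort();
    if (!this.byIdentity.has(identity)) this.byIdentity.set(identity, []);
    this.byIdentity.get(identity)[week] = id;
  }
  series(identity) {
    return this.byIdentity.get(identity) || [];
  }
}

// Number of identities in the log whose first `weeks` cohorts match the
// target's. One week's cohort is shared by the whole cohort; the sequence
// over several weeks is shared by far fewer people.
function anonymitySet(log, identity, weeks) {
  const target = log.series(identity).slice(0, weeks);
  let n = 0;
  for (const s of log.byIdentity.values()) {
    if (target.every((c, i) => s[i] === c)) n += 1;
  }
  return n;
}

// Constructed population: each user's cohort per week over three weeks.
// Cohort ids are arbitrary; only the collisions between users matter.
const POPULATION = [
  { account: "alice@example.test", cookie: "3p-c1", cohorts: [21, 21, 34] },
  { account: "bob@example.test",   cookie: "3p-c2", cohorts: [21, 21, 50] },
  { account: "carol@example.test", cookie: "3p-c3", cohorts: [21, 7, 34] },
  { account: "dave@example.test",  cookie: "3p-c4", cohorts: [8, 21, 34] },
  { account: "erin@example.test",  cookie: "3p-c5", cohorts: [21, 21, 34] },
];

// Every user visits the same page each week. The first-party script and the
// embedded third-party script both read the cohort from the same document.
function runScenario(population = POPULATION) {
  const firstParty = new CohortLog("site");
  const thirdParty = new CohortLog("embedded-tracker");
  population.forEach((u) => {
    u.cohorts.forEach((cohort, week) => {
      const doc = makeDocument(cohort);
      firstParty.observe(u.account, doc, week);
      thirdParty.observe(u.cookie, doc, week);
    });
  });
  return { firstParty, thirdParty };
}

// Size of one identity's anonymity set after 1, 2, ..., `weeks` weeks.
function shrinkage(log, identity, weeks) {
  return Array.from({ length: weeks }, (_, w) => anonymitySet(log, identity, w + 1));
}

const { firstParty, thirdParty } = runScenario();
console.log("first party holds", firstParty.series("alice@example.test"),
  "for alice@example.test");
console.log("third party holds", thirdParty.series("3p-c1"), "for cookie 3p-c1");
console.log("alice's anonymity set per week:",
  shrinkage(firstParty, "alice@example.test", 3));
```

The two logs end up identical apart from the key, which is the point of the comment: the third party never needed the account to get the same browsing-derived signal the site got. The `shrinkage` numbers are for the toy population only; the shape (a cohort is shared by many, a cohort sequence by few) is what carries over.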

npdoty commented 3 years ago

The issue title seems open to confusion. Is the concern (that @pes10k has but @kdeqc doesn't) that a user could be shown targeted ads based on a cluster of some group of people with similar browsing histories (or some other browser-generated characteristic)? Or that by revealing the cohort identifier to web sites (and embedded third parties) that information about the user's interests is revealed to the site/third-parties? The latter is described in the explainer as the threat of "Revealing People’s Interests to the Web".

Neither of these seems an unreasonable concern! But "the use case being a privacy harm" could potentially refer to different things and we might be able to enumerate the concerns more precisely as part of the review.

It sounds like @kdeqc is saying she doesn't mind the aggregated collection of data and use of aggregated data to provide personalized recommendations/ads, because it might be a benefit to the user. There could be disagreement about that (or it could be left to a user's choice) but it seems separate from what information is revealed about the user's interests/behavior.