michaelkleber / privacy-model

A Potential Privacy Model for the Web: Sharding Web Identity

Contextualizing "joined first party identities"? #3

Closed colinclerk closed 5 years ago

colinclerk commented 5 years ago

Let me start by sharing that the difference between "Per-site identities can become joined across first parties" vs "Third Parties can be allowed access to a first-party identity" was a bit hard for me to grasp on first read. This is how I understand it, but if this is wrong then my question may also be irrelevant:

If 1p includes Google AdSense on their site, then Google would gain access to the user's 1p partition, but that partition access doesn't inherently provide Google with any identity information. This could still be coordinated by 1p directly sending Google PII server-side or client-side, but Google couldn't determine identity solely by having script access on 1p.

However, if 1p offers a "Sign in with Google" button, then that oauth flow is explicitly sharing identity between 1p and Google. That is, Google will learn that its user is also a user of 1p.

If my understanding is correct, I think it will be relatively straightforward for browsers to detect when identities are being shared. WebKit has already made some progress tracking link decoration and redirects that seems like it would be effective for this problem [1].

My question is, how can browsers contextualize to users the impact of sharing that identity?

For example, a "Pay with Paypal" link may be contextualized with "This will share your transaction information with Paypal and allow you to use payment methods stored with Paypal."

Or, a "Log In with Facebook" link may be contextualized with "This may lead to advertisements following you around."

Should such contextualization be a goal of these efforts?

[1] https://webkit.org/blog/8828/intelligent-tracking-prevention-2-2/

michaelkleber commented 5 years ago

Thank you! You are indeed understanding what I intended, and your question is very relevant.

> If my understanding is correct, I think it will be relatively straightforward for browsers to detect when identities are being shared. WebKit has already made some progress tracking link decoration and redirects that seems like it would be effective for this problem [1].

I think you're referring to cross-site identities, and I think you're being too optimistic. As your reference to ITP shows, preventing information flow is an arms race.

One motivation for this proposal's openness to APIs that let publishers keep making money is that it decreases the need for that arms race, because sites can survive without it.

> My question is, how can browsers contextualize to users the impact of sharing that identity?

How to give people a clear understanding of the implications of voluntary cross-site identity joining is basically a UX research question. I don't think this document could or even should offer opinions on the best way to do that. It seems to me that every browser would need to come to its own conclusions about how best to explain this.