michaelkleber / privacy-model

A Potential Privacy Model for the Web: Sharding Web Identity

A Potential Privacy Model for the Web

Sharding Web Identity

The identity model of the web has been the implicit result of two interacting browser capabilities:

This combination has led to widely-shared cross-site identities, and so to an ability to perform web-wide tracking of a person's browsing activity. Global static identifiers (like device fingerprinting, or like PII provided by or covertly taken from the person browsing) also offer an independent path to global identity. Limitations on cookies, fingerprinting, and other browser state all aim to reduce this ability to create or access a global identity.

On the one hand, global identity gives rise to the capacity to weave together a record of much of a person's browsing history, a core privacy concern with today's web. Browsers are well-positioned to take action on this issue, by imposing limits on the underlying capabilities exposed to developers. On the other hand, global identity also plays a substantial role in today's web advertising ecosystem. Browsers that impose limitations on these technical capabilities can directly affect publishers' economic viability (more details!) and encourage work-arounds, if they haven't provided for the legitimate needs of the ecosystem.

This document describes a way the web could potentially work that would not require cross-site tracking, but would still let publishers support themselves with effective advertising. See this Chrome blog post for more.

We need a dialogue within the web platform community — including browsers and the many stakeholders that thrive in and contribute to the ecosystem — so that we can clearly describe a new identity end state that works for everyone. For browsers, this gives us a framework for evaluating proposed changes, standards, and APIs: what boundaries we need to enforce, and where we should innovate to improve the web. For developers, a clear long-term vision provides stability and predictability of the changes along the way.

Any discussion of a new identity model must answer two specific questions:

  1. Across what range of web activity does the browser let websites treat a person as having a single identity?
  2. In what ways can information move across identity boundaries without compromising that separation?

This document offers one possible answer to these questions. The goal is a balanced way forward, dramatically improving web privacy while allowing enough information flow to carefully support key needs of publishers and advertisers.

Identity is partitioned by First Party Site

Third Parties can be allowed access to a first-party identity

A per-first-party identity can only be associated with small amounts of cross-site information
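The three statements above can be made concrete with a small simulation. The following is an added example, not code from the privacy-model repository: it models browser storage keyed by (first-party site, embedded origin), compares it with the legacy model keyed by embedded origin alone, and shows what a third party sees when it is granted access to the first-party identity. The URLs, the identifier format, and the two-label "site" computation are assumptions made for illustration; real browsers consult the Public Suffix List.

```javascript
// Added example (not code from the privacy-model repository): a toy model of
// browser storage partitioned by first-party site, as the proposal describes.
// URLs, identifier format and the site computation are assumptions.

// Simplified "site" of a URL: scheme plus the last two host labels.
// Real browsers consult the Public Suffix List; two labels is an assumption
// that suffices for the constructed hostnames used here.
function siteOf(url) {
  const u = new URL(url);
  const registrable = u.hostname.split(".").slice(-2).join(".");
  return `${u.protocol}//${registrable}`;
}

// Storage keyed by (first-party site, embedded origin). A resource embedded
// under two different first parties lands in two different jars.
class PartitionedStorage {
  constructor() {
    this.jars = new Map();
    this.nextId = 1;
  }
  partitionKey(topLevelUrl, resourceUrl) {
    return `${siteOf(topLevelUrl)}|${new URL(resourceUrl).origin}`;
  }
  // Identifier the resource sees in this context; minted on first use.
  identityFor(topLevelUrl, resourceUrl) {
    const key = this.partitionKey(topLevelUrl, resourceUrl);
    if (!this.jars.has(key)) this.jars.set(key, `id-${this.nextId++}`);
    return this.jars.get(key);
  }
}

// The legacy model for comparison: one jar per embedded origin, regardless
// of which first party the user is visiting.
class UnpartitionedStorage {
  constructor() {
    this.jars = new Map();
    this.nextId = 1;
  }
  identityFor(_topLevelUrl, resourceUrl) {
    const key = new URL(resourceUrl).origin;
    if (!this.jars.has(key)) this.jars.set(key, `id-${this.nextId++}`);
    return this.jars.get(key);
  }
}

// A third-party pixel embedded on two unrelated first-party sites: does it
// receive the same identifier on both visits? (Constructed URLs.)
function trackerCanLinkVisits(storage) {
  const pixel = "https://tracker.test/pixel.gif";
  const onNews = storage.identityFor("https://news.example/article", pixel);
  const onShop = storage.identityFor("https://shop.example/cart", pixel);
  return onNews === onShop;
}

// A third party granted access to the first-party identity receives the
// first party's own identifier, which is scoped to that first party's site
// and therefore still differs from one first party to the next.
function delegatedFirstPartyIdentity(storage, topLevelUrl) {
  return storage.identityFor(topLevelUrl, siteOf(topLevelUrl));
}

// Stand-alone run for the reader.
console.log("linkable under partitioned storage:",
  trackerCanLinkVisits(new PartitionedStorage()));
console.log("linkable under unpartitioned storage:",
  trackerCanLinkVisits(new UnpartitionedStorage()));
```

Under the partitioned model the pixel gets one identifier on news.example and another on shop.example, so the two visits cannot be joined; under the legacy model it gets the same identifier on both. Subdomains of one first party (www.news.example and news.example) share a partition, which is what "partitioned by first-party site" rather than "by origin" means, and a delegated first-party identity is likewise stable within a site but different across sites.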

We think a shared understanding of a privacy model for the web will be important to future standards discussions. We welcome feedback from the web development community and from members of the broader ecosystem.

Related Work

The Tor Browser design's "Privacy Requirements", particularly the clear emphasis on "Unlinkability".

Mozilla has published an anti-tracking policy: https://wiki.mozilla.org/Security/Anti_tracking_policy

WebKit published a related tracking prevention policy: https://webkit.org/tracking-prevention-policy/

Threat models and prevention policies are different parts of the same conversation.