Open npdoty opened 3 months ago
Based on discussion at TPAC today, @csharrison or @michaelkleber are concerned that revealing personal data from a particular first-party is expected and acceptable. I'm still not clear on the implications of that, but comments on this PR or alternative language suggestions would be welcome.
The subsequent section "Measurement should not significantly enable cross-context recognition" already addresses the re-identification risk of the API.
Maybe the additional protection here is that an aggregate measurement API should not give a caller any new user-specific information? (Or that any new information needs appropriate DP protection?)
I think the point of the discussion at TPAC was that the API caller can surely already know some information, e.g. the URL of the page where they just called the API, and we want to avoid saying that the API needs to somehow hide that already-known information.
+1 to @michaelkleber. Maybe it would help to understand @npdoty what you were trying to achieve / protect against with this paragraph that isn't already covered, from the perspective of the API?
references to ancillary uses, controlled deidentified data and personal data from privacy principles