wanderview
commented
1 year ago Related to privacycg/nav-tracking-mitigations#23.
Open wanderview opened 1 year ago
wanderview
commented
1 year ago Related to privacycg/nav-tracking-mitigations#23.
wanderview
commented
1 year ago Its possible that some fit-for-purpose API could support the unique visitors measurement use case. For example, some extension to:
https://github.com/patcg-individual-drafts/private-aggregation-api
AramZS
commented
1 year ago Hello, I cannot speak for link shorteners however, I'm unclear how users or landing sites benefit from the intermediary being able to track unique users who route through their system. Uniqueness of users is not a property required to route traffic from site A to site B and it carries privacy risk to users when they are generally not party to the shortener site or its privacy policies because the are only passing through. I don't think it is strange to consider operators in those positions to have a higher privacy risk and shorteners are generally seen as having a privacy risk, see:
Since this potentially exposes the user to another party to which they usually do not have a relationship directly; because users do not truly intend to navigate to the intermediary site but to the landing page; and because any additional information would increase the security and privacy risk involved vs a decreased risk in removing this capacity; I believe that this use case is not particularly worth preserving and, if we are trying to increase privacy, we would want to remove this capability from link shorteners.
wanderview
commented
1 year ago To play devil's advocate:
My thought was that identifying the number of unique visitors gave link shorteners a more accurate reach metric to report to their users. This is in the realm of something that a destination site could in theory do themselves as a first-party cookie.
With that in mind I could see the argument that allowing an external service to provide a similar feature without requiring 3P scripts to be loaded is a reasonable feature.
One possible way to do this would be for us to provide partitioned storage to the link shortener. The partition would be keyed on the destination site. If this feature could be built it would permit the reach metric to be computed without leaking information cross-site between different destination sites.
npdoty
commented
1 year ago I also would expect that navigation tracking mitigation would prevent link redirection services from storing data about the user, which is often used to recognize and correlate their activity across different contexts.
These services aren't identical to first-party sites tracking link clicks (though I'm also not convinced that's a use case that must be maintained forever): links may be authored by others (and data subsequently collected by others) unaffiliated with either the source or destination site.
Fit-for-purpose aggregate APIs to count visitors seems more promising.
Bounce tracking mitigations may adversely effect the ability of link shorteners to accurately count unique visitors. I believe these services typically store a cookie in order to identify different visitors to the same short link. With the proposed mitigations these cookies would be deleted because the user does not interact with the shortener site itself.
Link shorteners might be able to provide some idea of unique visitors with limited fidelity by use signals like IP address.
This use case seems a bit unclear in terms of privacy principles. It does not seem to violate the unwanted cross-site recognition. Users, however, might be surprised that a site they never saw in the URL bar and never interacted with has the ability to identify them.