- From: Michael Kleber <notifications@github.com>
- Date: Thu, 07 Nov 2019 07:23:13 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 7 November 2019 15:23:16 UTC
@hober It's helpful to be more precise than just saying "privacy", and indeed the [list of high-level threats in the Target Privacy Threat Model](https://w3cping.github.io/privacy-threat-model/#high-level-threats) that PING is working on should give us the language to communicate better here.

A lot of this proposal is focused on threat "Unexpected Recognition, cross-site" — that is, on preventing anyone from recognizing the same user across two different sites. We talked about why that was our primary focus in our [privacy model explainer](https://github.com/michaelkleber/privacy-model). Fixing that problem definitely is "meaningful privacy protection".

The impression ID here is deliberately large enough to uniquely identify which ad impression it was that converted, so it also allows a small amount of what the Privacy Threat Model calls "information disclosure". That's the "rate-limited, low-entropy, noisy message channel" that @csharrison described. Putting the browser in control of the rate, entropy, and noise is _also_ a "meaningful privacy protection".

And sure, blocking information flow altogether is of course "more private", it also doesn't solve the problem at hand.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/418#issuecomment-551125633