Re: I-D Action: draft-pauly-httpbis-geoip-hint-01.txt from Watson Ladd on 2024-10-29 (ietf-http-wg@w3.org from October to December 2024)

From: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 29 Oct 2024 12:11:36 -0700
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: David Schinazi <dschinazi.ietf@gmail.com>, Dustin Mitchell <djmitche@google.com>, Ted Hardie <ted.ietf@gmail.com>, Ben Schwartz <bemasc@meta.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <CACsn0ckdtfOGN9PLBXcgu5-FBfgFYd0+d1MjT9GxjwfQEZxS8Q@mail.gmail.com>

On Mon, Oct 28, 2024 at 6:50 PM Stephen Farrell
<stephen.farrell@cs.tcd.ie> wrote:
>
>
> Hiya,
>
> On 29/10/2024 01:05, David Schinazi wrote:
> > However, we can't commit to changing our employers'
> > business practices - as you can imagine, that is beyond our paygrades. So
> > we have to solve the technical problem at hand within the confines of what
> > we have control over as engineers. So Stephen, while fixing all abuses of
> > user location on the Internet is a worthwhile goal, it's not something that
> > we can achieve with an RFC.
>
> I mostly agree (other than the "we have to", since we don't have
> to:-), but while people are facing a storm of abuse of location
> data, I'd argue the better engineering approach is to start from
> an analysis of whether or not defining a new HTTP header is likely
> to improve or worsen the overall situation. A handy small fold-up
> umbrella is good in a drizzle, but not a thing to widely distribute
> in a storm;-)

Location data is only shared by user agents or obtained by
applications on mobile with an interactive permission. GeoIP data is
everywhere because IP addresses are revealed by connecting to servers.
These have fundamentally different privacy impacts. Preserving IP
across connections is a major tracking vector, so we need to enable
technologies to avoid it.

Adding a header as a signaling means solves the search personalization
case which really does matter, especially on mobile. It's a major
barrier to enabling privacy enhancing technologies that break the IP
tracking vector as a worse user experience leads to people turning
things off.

Yes, this doesn't solve Grindr selling location data that outs a
priest (https://www.pillarcatholic.com/p/pillar-investigates-usccb-gen-sec).
There really is not a technical solution I can think of to solve that
problem, but this work does enable solving the IP tracking vector that
is increasingly used as third party cookies go away.

Sincerely,
Watson
>
> Cheers,
> S.
>

-- 
Astra mortemque praestare gradatim

Received on Tuesday, 29 October 2024 19:11:52 UTC