Re: [private-measurement] Interoperable Private Attribution (IPA) (#9)

I reread the privacy budgeting section of IPA and I have a small concern. It seems like the proposed privacy "grain" / unit is advertiser x user but we implement that via a grain of advertiser x match key. However, match keys and users are not the same and this seems like it is possibly abusable.

For a simple example say you are targeting a single sensitive user across 3 devices. The identity provider could intentionally use a separate match key for each device, and send separate queries for each match key that consume budgets independently for each query, with the intention of leaking as much about this user as possible. Note that by doing this we sort of eliminate the possibility of true cross-device attribution though.

Making match keys easy to swap out on a single device (possibly across apps) makes this attack worse, but that seems fixable with OS-level support. The best case I can see is that this proposal would achieve (in the worst case) site x user x device privacy.

LMK if I am missing something here though.

-- 
GitHub Notification of comment by csharrison
Please view or discuss this issue at https://github.com/patcg/private-measurement/issues/9#issuecomment-1111504017 using your GitHub account
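To make the budgeting concern in the comment above concrete, here is an added toy simulation (not code from the IPA proposal or from the thread's author). It models a per-grain epsilon ledger and compares three hypothetical grain choices: advertiser x match key (what the comment says is implemented), advertiser x user x device (the "best case" the comment describes), and advertiser x user (the stated intent). The cap, epsilon values, device and match-key names are all constructed assumptions; the point is to show how the total epsilon spent on one user scales with the number of distinct match keys an identity provider hands out for that user.

```python
from collections import defaultdict

# Constructed example, not part of the original thread: a toy privacy-budget
# ledger that charges a differential-privacy epsilon per "grain". The grain is
# a function that maps (advertiser, match_key, user, device) to a ledger key.

PER_GRAIN_CAP = 1.0  # hypothetical epsilon cap per grain per budget period


class BudgetLedger:
    def __init__(self, grain):
        self.grain = grain                 # grain(advertiser, match_key, user, device) -> key
        self.spent = defaultdict(float)    # epsilon spent so far per ledger key

    def charge(self, advertiser, match_key, user, device, epsilon):
        """Try to spend epsilon against this grain; False if the cap would be exceeded."""
        key = self.grain(advertiser, match_key, user, device)
        if self.spent[key] + epsilon > PER_GRAIN_CAP + 1e-9:
            return False
        self.spent[key] += epsilon
        return True


# Three candidate grains (hypothetical names).
def match_key_grain(advertiser, match_key, user, device):
    return (advertiser, match_key)          # what the comment says is implemented


def device_grain(advertiser, match_key, user, device):
    return (advertiser, user, device)       # the "site x user x device" best case


def user_grain(advertiser, match_key, user, device):
    return (advertiser, user)               # the stated intent: advertiser x user


# Constructed scenario from the comment: one sensitive user with three devices.
USER = "user-A"
DEVICES = ["device-1", "device-2", "device-3"]


def run_queries(grain, keys_per_device=1, advertiser="adv-1",
                epsilon_per_query=0.5, queries_per_key=2):
    """Model an identity provider issuing keys_per_device distinct match keys per
    device and querying each key until its budget is exhausted. Returns the total
    epsilon actually spent on USER across all accepted queries."""
    ledger = BudgetLedger(grain)
    total = 0.0
    for device in DEVICES:
        for i in range(keys_per_device):
            match_key = f"mk-{device}-{i}"  # constructed per-device match key
            for _ in range(queries_per_key):
                if ledger.charge(advertiser, match_key, USER, device, epsilon_per_query):
                    total += epsilon_per_query
    return total


if __name__ == "__main__":
    # One match key per device: match-key grain leaks 3x the intended per-user cap.
    print("match-key grain, 1 key/device :", run_queries(match_key_grain))          # 3.0
    # Swappable match keys on a single device make it worse.
    print("match-key grain, 2 keys/device:", run_queries(match_key_grain, 2))       # 6.0
    # Per-device grain bounds the spend at one cap per device regardless of key churn.
    print("device grain,    2 keys/device:", run_queries(device_grain, 2))          # 3.0
    # Per-user grain is what the budget is supposed to protect.
    print("user grain,      2 keys/device:", run_queries(user_grain, 2))            # 1.0
```

The ledger accounting is the only thing that differs between the runs; the query pattern is identical. Whatever the real IPA helpers do, this is the check worth writing against them: spend against a single synthetic user through several match keys and confirm the summed epsilon never exceeds the per-user cap the proposal claims.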


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 27 April 2022 21:32:08 UTC