Re: [private-measurement] Strawman: Target privacy constraints (#17)

Thanks for the writeup Ben,

I note that your information leakage is linked pairwise to sites.  One thing I liked about what we worked out for IPA is that it wasn't pairwise, which can ultimately provide a stronger privacy guarantee (which you might also be able to trade for better utility through a larger $\varepsilon$).  I'm OK with what you have here, but I want to note that this is a baseline.

About the "budget" notion more generally, as opposed to simply stating that there is an upper bound on the amount of information that a site can gain about activity on other sites in each epoch: again, whether that is an upper bound for each site or a global bound is something I am happy to leave open.

Friendly amendment, add "single" here under security constraints:

> If any *single* entity involved in operating a private measurement API 

That might have been implied, but I think it is important.  Again, we might offer stronger assurances, but this is a reasonable baseline.  No doubt some will object to this constraint (I note that any system that relies exclusively on a TEE cannot pass the proposed test), but ... well, we can have that debate when it comes time.

Regarding the open source requirement on client code, I think that most of the participating browsers will have no problem there, but I don't know if that is universally true.  I also don't know whether the requirement is necessary at this stage.  What steps a browser vendor takes to allow users to trust that their browser is good are out of scope for standardization.  However, if there are cases where code is run by browsers on behalf of others, then maybe this is a fine requirement.  It might be premature to add that now.

The server-side stuff probably needs a little more development.  The best we might reasonably say right now is that there will need to be a process by which server operators are authorized to operate the service.  That process probably involves browsers certifying particular operators, but we'll need to get into that more as we get further into this.



-- 
GitHub Notification of comment by martinthomson
Please view or discuss this issue at https://github.com/patcg/private-measurement/issues/17#issuecomment-1162530556 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 22 June 2022 01:46:10 UTC