[docs-and-reports] Accountability Conclusions (#55)

martinthomson has just created a new issue for https://github.com/patcg/docs-and-reports:

== Accountability Conclusions ==
The PATCG discussed systems for accountability in a meeting and reached some tentative conclusions that we should try to refine and document.  This is my read-out from that discussion.

We agree that systems that enable accountability of those participating in attribution are important.  Websites and their delegates will receive information that - while aggregated - goes beyond what typical sites receive.  Systems of accountability are part of the cost of access to that information.

The need for good transparency and accountability needs to be balanced with privacy and utility.  There are some ways in which seeking better accountability could be improved at the cost of either privacy or utility.  I'm going to propose that while there is a baseline level of accountability we might not want to drop below, we should regard privacy especially and also utility as being generally more important.  That is, like the priority of constituencies, we have a priority of considerations.

There are two primary actors we identified: **end users** and **auditors**.  End users want to be able to understand how their contributions to the system are (or might be) used.  Auditors want to be able to investigate the actions of sites and how they use data either in the aggregate or for subsets of people.

My suggestion is that for end users, we have a clear path toward explaining what their total privacy loss is for a given site. This will depend on how we define privacy budgets, which is still a pending discussion, but people should be able to discover what privacy budget has been spent.  In AAAAA and ARA, this budget is spent locally.  In IPA, this requires that the helper parties make this information available.

In all cases, the value we'd be able to report is an upper bound on privacy loss only.  That's better than under-reporting.  Different proposals have slightly different error margins.

We agreed that it was reasonable to ask helper parties to make some information about queries public, especially the amount of budget that was consumed, which they need to track anyway.  This information would help end users learn what their potential privacy loss was.  It would also help auditors examine overall expenditure of budgets.

We discussed, but did not conclude, whether it would be possible or helpful to have sites make claims about the semantics they associated with histogram buckets.  AAAAA and ARA both make the histogram buckets visible to browsers, which means that claims could be made visible to users.  IPA does not make this information visible and these values are only known to report collectors (or sites, potentially).  We did conclude that any claims about semantics would not be verifiable.

@npdoty has also taken an action to document some of these.

Please view or discuss this issue at https://github.com/patcg/docs-and-reports/issues/55 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 6 December 2023 01:01:52 UTC
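The following is an added illustration of the budget-disclosure idea in the issue above; it is not code from the PATCG, from any of the proposals named (AAAAA, ARA, IPA), or from the issue author. It assumes a hypothetical helper-party ledger that publishes the epsilon consumed by each query keyed by (site, epoch), a hypothetical per-site per-epoch cap, and simple additive composition of epsilon. The point it makes is the one in the issue: from the public ledger a user can only derive an upper bound on their own privacy loss, because the ledger does not say which queries their reports were actually part of, and the actual loss can be strictly lower.

```python
"""Hypothetical privacy-budget ledger (added example, not PATCG or proposal code).

Models a helper party that publishes, per (site, epoch), the epsilon consumed by
each accepted query, and a user-side function that derives an upper bound on
that user's privacy loss for a site from the public ledger alone.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class QueryRecord:
    site: str
    epoch: int
    epsilon: float   # budget consumed by this query; the helper publishes this
    query_id: str


class HelperLedger:
    """Public, append-only log of budget consumption kept by a helper party.

    The per-epoch cap and the (site, epoch) keying are assumptions for this
    example; how budgets are actually defined is still open in the issue.
    """

    def __init__(self, per_epoch_cap: float) -> None:
        self.cap = per_epoch_cap
        self.records: list[QueryRecord] = []
        self._spent: dict[tuple[str, int], float] = defaultdict(float)

    def spent(self, site: str, epoch: int) -> float:
        """Budget already consumed by `site` in `epoch` (publicly known)."""
        return self._spent[(site, epoch)]

    def authorize(self, rec: QueryRecord) -> bool:
        """Accept the query only if it keeps the site within its epoch cap.

        Rejected queries consume nothing and are not published, so the ledger
        never shows a site exceeding its cap.
        """
        if rec.epsilon <= 0:
            return False
        key = (rec.site, rec.epoch)
        if self._spent[key] + rec.epsilon > self.cap + 1e-12:
            return False
        self._spent[key] += rec.epsilon
        self.records.append(rec)
        return True

    def public_records(self, site: str) -> list[QueryRecord]:
        """Everything the helper discloses about `site`: one row per query."""
        return [r for r in self.records if r.site == site]


def privacy_loss_upper_bound(ledger: HelperLedger, site: str,
                             active_epochs: set[int]) -> float:
    """User-side computation from the public ledger only.

    The user knows which epochs they had reports for `site` in, but not which
    queries those reports were included in, so every published epsilon from an
    active epoch is counted. Simple additive composition is assumed.
    """
    return sum(r.epsilon for r in ledger.public_records(site)
               if r.epoch in active_epochs)


def actual_loss(ledger: HelperLedger, site: str,
                contributed_query_ids: set[str]) -> float:
    """What the loss would be if membership in each query were known.

    Only the helper could compute this (the user cannot), and it is never
    larger than privacy_loss_upper_bound for the matching epochs.
    """
    return sum(r.epsilon for r in ledger.public_records(site)
               if r.query_id in contributed_query_ids)


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    ledger = HelperLedger(per_epoch_cap=1.0)
    print(ledger.authorize(QueryRecord("example.com", 1, 0.4, "q1")))  # True
    print(ledger.authorize(QueryRecord("example.com", 1, 0.5, "q2")))  # True
    print(ledger.authorize(QueryRecord("example.com", 1, 0.3, "q3")))  # False: cap
    print(ledger.authorize(QueryRecord("example.com", 2, 0.2, "q4")))  # True
    print(privacy_loss_upper_bound(ledger, "example.com", {1}))        # 0.9
    print(actual_loss(ledger, "example.com", {"q1"}))                  # 0.4
```

The gap between the two final values is the over-reporting the issue accepts as the price of not having to reveal, per user, which queries they were in; a tighter bound would need either finer-grained disclosure (a privacy cost) or a different composition rule.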