- From: Charlie Harrison <notifications@github.com>
- Date: Wed, 06 Nov 2019 16:37:48 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 7 November 2019 00:37:50 UTC
> So, by that logic, you don't believe your proposal gets meaningful privacy protection. Noted. I don't think that's a fair characterization. My statement was about the size of the impression id, i.e. the publisher-side identifier. An identifier on its own, even a high-entropy one, isn't necessarily bad for privacy even if it can be used to identify a user. For instance, the fetch() API can be used to send arbitrarily large identifiers to any site. The privacy sensitive aspect of this API is what information is allowed to be _joined_ with this publisher-side identifier that couldn't before (i.e. what this gives you over using the fetch API). In this case, we allow a noisy, very low entropy (e.g. 3 bit) cross site identifier to be joined, gated on a click and some action on the advertiser site (a conversion). Abstractly, the API introduces something like a rate-limited, low-entropy, noisy message channel from advertisers --> publishers, where messages can only be sent on clicks. The privacy of the API would be improved if the impression side ID were < 32 bits, but I still think the API has meaningful privacy protections. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/418#issuecomment-550566099
Received on Thursday, 7 November 2019 00:37:50 UTC