[w3ctag/design-reviews] Review request for TURTLEDOVE (Issue #723)

Braw mornin' TAG!

I'm requesting a TAG review of Two Uncorrelated Requests, Then Locally-Executed Decision On Victory ("TURTLEDOVE").

TURTLEDOVE provides a privacy-advancing API to facilitate interest-group-based advertising. TURTLEDOVE shifts the interest data and the final ad decision browser-side instead of server-side, offering many advantages: strong privacy guarantees, time limits on group membership, transparency into how the advertiser interest groups are built and used, and granular or global controls over this type of ad targeting.

  - Explainer: [Two Uncorrelated Requests, Then Locally-Executed Decision On Victory ("TURTLEDOVE")](https://github.com/WICG/turtledove/blob/main/Original-TURTLEDOVE.md)
  - Security and Privacy self-review: See below
  - GitHub repo: [WICG/turtledove](https://github.com/WICG/turtledove)
  - Primary contacts (and their relationship to the specification):
      - Michael Kleber (@michaelkleber), Google
      - Paul Jensen (@JensenPaul), Google
  - Organization/project driving the design: Google
  - External status/issue trackers for this feature: [Chrome Status](https://chromestatus.com/feature/5733583115255808)

Further details:

  - [✓] I have reviewed the TAG's [Web Platform Design Principles](https://www.w3.org/TR/design-principles/)
  - The group where the incubation/design work on this is being done: WICG
  - The group where standardization of this work is intended to be done ("unknown" if not known): unknown
  - Existing major pieces of multi-stakeholder review or discussion of this design:
     - Issue trackers: https://github.com/WICG/turtledove/issues

  - Major unresolved issues with or opposition to this design:
    - There are many issues under discussion in the issue tracker but no major opposition.
  - This work is being funded by: Google

You should also know that...

- For details of the first TURTLEDOVE experiment see [FLEDGE](https://github.com/WICG/turtledove/blob/main/FLEDGE.md).

We'd prefer the TAG provide feedback as:

  🐛 open issues in our GitHub repo for **each point of feedback**

### Security/Privacy Questionnaire

This section contains answers to the [W3C TAG Security and Privacy Questionnaire](https://w3ctag.github.io/security-questionnaire/).

**1. What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary?**

- TURTLEDOVE performs the auction using worklets that cannot access or communicate with the publisher page or the network, to prevent exposing information to web sites.
- TURTLEDOVE renders the ad in a fenced frame to prevent exposing information to web sites.
- TURTLEDOVE keeps the interest-group ad request uncorrelated to prevent exposing information about the web page or about the person visiting it.

**2. Do features in your specification expose the minimum amount of information necessary to enable their intended uses?**

Yes; see the answer to question 1 for the ways information exposure is minimized.

**3. How do the features in your specification deal with personal information, personally-identifiable information (PII), or information derived from them?**

TURTLEDOVE should not deal with personal information, PII or information derived from them. Callers of the API may make choices (for example, which interest groups to add a browser to) based on this sort of information, so group membership is not exposed to sites, as described in question 1.

**4. How do the features in your specification deal with sensitive information?**

Same answer as #3.

**5. Do the features in your specification introduce a new state for an origin that persists across browsing sessions?**

Yes, but as discussed in question 1 the information is prevented from being exposed to sites.

**6. Do the features in your specification expose information about the underlying platform to origins?**

TURTLEDOVE may expose whether the user has enabled or disabled features like TURTLEDOVE.

**7. Does this specification allow an origin to send data to the underlying platform?**

No.

**8. Do features in this specification allow an origin access to sensors on a user’s device?**

No.

**9. What data do the features in this specification expose to an origin? Please also document what data is identical to data exposed by other features, in the same or different contexts.**

As question 1 discusses, the data is prevented from being exposed to sites.

**10. Do features in this specification enable new script execution/loading mechanisms?**

Yes: running an auction will load and execute the bidding, scoring, and reporting worklets, but these worklets are executed in separate JavaScript contexts without access to any web page, storage or the network.

**11. Do features in this specification allow an origin to access other devices?**

No.

**12. Do features in this specification allow an origin some measure of control over a user agent’s native UI?**

No.

**13. What temporary identifiers do the features in this specification create or expose to the web?**

None.

**14. How does this specification distinguish between behavior in first-party and third-party contexts?**

TURTLEDOVE defines various steps to control access to its APIs in third-party contexts. See the paragraph that starts with “The browser will only allow the” [here](https://github.com/WICG/turtledove/blob/main/FLEDGE.md#11-joining-interest-groups).

**15. How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode?**

If FLEDGE is active, Incognito mode will use an in-memory interest group store that is separate from the one used by the default browsing mode. This mirrors the behavior of browsing history, cookies, and the HTTP cache, so the interest groups are forgotten once that incognito browsing profile terminates.

**16. Does this specification have both "Security Considerations" and "Privacy Considerations" sections?**

Yes.

**17. Do features in your specification enable origins to downgrade default security protections?**

No.

**18. What should this questionnaire have asked?**

N/A

https://github.com/w3ctag/design-reviews/issues/723

Received on Monday, 21 March 2022 13:37:26 UTC