Re: [w3ctag/design-reviews] Early design review for the Topics API (Issue #726) from Josh Karlin on 2023-08-04 (public-webapps-github@w3.org from August 2023)

From: Josh Karlin <notifications@github.com>
Date: Fri, 04 Aug 2023 13:12:52 -0700
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/726/1666123373@github.com>

> So, I think a really important thing is that the spec match the explainer and the other assurances offered.

Ah, gotcha. I don't think the spec is going to perfectly match the explainer in that I think we'd provide some room for implementer flexibility where possible. That said, Chrome's parameters _do_ match the explainer, and if it would be helpful we could publish Chrome's parameters in a separate document. And note that the Topics API does return the version name of the implementation it's using, so we've tried to make it easy for you to choose what to do based on the specific implementation version if you are so inclined.

When developing the API we ran studies to understand the reidentification rates of users based on the entire set of parameters. There is quite a bit of [research](https://arxiv.org/abs/2304.07210) behind the values we've chosen. So in that sense, I can see wanting to put in some reasonable constraints around those parameters. I do want to be careful not to overconstrain though. As I said before, the taxonomy could be quite large and still meet the reidentification standards by adjusting the other privacy parameters (e.g., increase the noise). 

In order to not enter reidentification analysis into the spec itself, perhaps we could settle on something fairly general and simple in practice instead. Something like,  "Browsers SHOULD choose the noise probability and taxonomy size so that at least 50 people per million will report any given topic in the taxonomy on a particular site and epoch. (This corresponds to 5% noise with a taxonomy of at most 1000 topics, approximately 2-3x the size of Chrome's v1 and v2 taxonomies.)"


> If you think that increasing the taxonomy to a billion causes no privacy harm, please change the explainers and marketing so that you are ok living with the user expectations that you yourself are setting.

I think there was poor communication here on my part. I was just trying to illustrate that an implementation could increase the taxonomy size and make up for it in some other way (never returning a billion minus five of the topics).  I'm sure you can come up with a much more realistic example.  My purpose was to show that we need to be careful not to overconstrain the specification, to allow room for innovative good ideas.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/726#issuecomment-1666123373
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/726/1666123373@github.com>

Received on Friday, 4 August 2023 20:12:57 UTC