Re: [w3ctag/design-reviews] Early design review request: IPA (Issue #823)

Sorry for the late response, you know how IETF weeks are...

> but we'll note that the priority is necessarily loose, so there are a few ways that I think you can justify doing something like attribution.

I don’t think the Priority of Constituencies is “loose”; it’s plain, and the exceptions that are listed in the “Web Platform Design Principles” document are unrelated to what’s being proposed here.

> The IPA design deliberately imposes a very low cost on users. Leaving aside trivial amounts of bandwidth and compute, the primary cost is the privacy loss (in the formal DP sense) that accrues through providing sites with the ability to perform aggregated attribution.

While the (formal, DP) privacy loss for users in IPA is definitely something we should reason about, I suspect that it is also the more attractive one for us as engineers to solve; the more important user concerns here are (i) transparency and trust, and (ii) piercing the privacy boundary of the browser by intentionally linking events that happen outside the browser with events that happen within the browser.

The proposed governance model is especially concerning to me: it looks like we’re building complicated and expensive new Web infrastructure/governance structures here, similar to the CA/Browser Forum as you mentioned, except that with IPA there is not even a security benefit, or any other similar benefit, to users. I really don’t think CAB is the model to be emulating. This is the first W3C proposal (that we’re aware of) that requires the use of trusted, non-user-auditable centralized servers for privacy protections. Beyond the clear privacy risk of catastrophic harm here (e.g., a misconfigured server), this approach seems incompatible with several TAG findings / W3C principles, including “[enhancing individuals’ control and power](https://w3ctag.github.io/ethical-web-principles/#control)”, “[the web is transparent](https://w3ctag.github.io/ethical-web-principles/#transparent)” and “[the web must make it possible for people to verify the information they see](https://w3ctag.github.io/ethical-web-principles/#verify)”.

This proposal has the goal of intentionally linking behaviors in the browser with behaviors outside the browser. This is a new category of privacy harm that the proposal would enable, and the first time we’ve seen it as an explicit goal in a proposal. This has already resulted in attacks like https://github.com/patcg-individual-drafts/ipa/issues/57.

As best we can tell, this technology is being proposed to benefit sites and browser vendors, at risk to users and to the openness and transparency of the platform as a whole.

--
https://github.com/w3ctag/design-reviews/issues/823#issuecomment-1491146509

Message ID: <w3ctag/design-reviews/issues/823/1491146509@github.com>

Received on Friday, 31 March 2023 00:58:14 UTC