- From: Peter Linss <notifications@github.com>
- Date: Wed, 14 Feb 2024 10:22:32 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/723/1944367149@github.com>
The TAG have discussed this at length, and the following represents our consensus review of the proposal.

We understand that Protected Audience is a substitute mechanism to enable ad targeting, specifically where targeting is based on specific actions that someone took on other sites. This use case was previously supported by cross-site cookies.

The TAG is supportive of efforts to improve web privacy, particularly the [withdrawal of cross-site cookies](https://www.w3.org/2001/tag/doc/web-without-3p-cookies/), which make the unwanted practices of tracking and profiling too easy. We consider the long-standing ability to track and profile web users without their informed consent a flaw in the web platform, so we do not generally support proposals that aim to restore or maintain this status quo, or to work around privacy measures that are introduced elsewhere.

We recognize that the web is not perfect. There are lots of ways that cross-site information still leaks, especially when it comes to navigation. But we do insist that new work [leaves the web in a better state than it was found](https://www.w3.org/TR/design-principles/#leave-the-web-better) - our goal as web platform developers acting in good faith is to patch these vulnerabilities, and not create new means of cross-site recognition.

If Protected Audience exists to support ad targeting based on cross-site information, it has to ensure that it does not enable cross-site recognition. The TAG notes several features in the design that [currently do not meet this standard](https://developers.google.com/privacy-sandbox/relevance/protected-audience-api/feature-status#feature_availability_timeline). For instance, Fenced Frames are not mandatory; using an iframe to render an ad makes it trivial to leak the ad that wins an auction; or, where buyers and sellers supply their own key-value servers, which are given detailed information about the set of interest groups that have been registered.

We understand that those flaws are intended to be temporary, but that still means that there will be one to two years where Protected Audience exists with these vulnerabilities, which is not acceptable. If those are eventually fixed, we do not see a way to avoid the problems of [leaking information as a result of interactions with a malicious ad](https://github.com/WICG/turtledove/issues/990).

We encourage the proponents of this feature to provide more convincing and rigorous analysis of the privacy properties of the proposed design. A number of claims are made about the privacy properties of the system, but no comprehensive analysis has been performed.

We appreciate the argument that advertising can provide material support for the creation of content, which might have indirect benefits for web users, although we are not in agreement that "remarketing and custom audience advertising" are "fundamental" to the functioning of the web. We should aim to avoid entrenching specific business or economic models into the design of the web platform through technical standards. We encourage the proponents to dedicate efforts to finding alternative ways to materially support web content creators which do not have the privacy concerns of Protected Audience.

Given the privacy harms and added complexity to address a narrow set of use cases, we do not support this feature being added to the web platform.

--
Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/723#issuecomment-1944367149
Received on Wednesday, 14 February 2024 18:22:38 UTC