Re: [w3ctag/design-reviews] Probabilistic Reveal Tokens (for IP Protection) (Issue #1125)

martinthomson left a comment (w3ctag/design-reviews#1125)

That the "limits the availability" condition is not one that I would have used.  The goal that this might work towards is denying trackers the ability to track... in this case, using IP addresses.

I personally find this "privacy at scale" argument pretty unconvincing.  It's not the first time I've heard it used to justify degrading what might otherwise be a pretty significant privacy advance.

The fact that these are leaked in Incognito makes the problem worse.  Because cookies are not useful for tracking, the IP addresses are already the only hook that many trackers have.  So those 10% *will* be gathered and used.  It's not the Incognito sessions that matter there, but the non-Incognito sessions, to which the trackers will be able to add all the information about "engagement ring shopping" sessions they are able to obtain IP addresses for.

The duration of sessions and delays are irrelevant if your goal is to assemble a profile.  Sure, you can be reasonably sure that the session is not live when the IP address is revealed, but the IP address is.

---

To elevate the discourse to a higher level, my reason for pushing back was not to fixate on the particulars of the design. I hope that it's clear that I think it's unacceptable in the general case.  However, if this is about what you promise Chrome users, that's a different story.  You already let people track them with cookies, so this would not be inconsistent with that.  And ultimately, what you promise people from your Incognito mode seems like a pure product decision.  But you decided to ask the TAG what we think, so I have to assume the question is: is this design good for the web?

To answer that question, we need to get at the actual needs that underlie the design.  I do not accept that the actual requirement is access to IP addresses.  Not without significantly more evidence to support the claim.  I understand that IP is a cornerstone of a lot of fraud and abuse mitigation, to the point that it could genuinely be too hard to shift the ecosystem onto something else.  However, that still requires that you present far more evidence than you have done so far.

That means establishing alternatives as being truly non-viable.  I can think of about 3 or 4 alternatives that don't involve leaking IP addresses, or that only involve leaking IP addresses in specific narrow conditions (like establishing the existence of abuse).  To get to those, you need a clearer articulation of the threat and trust models that apply.

https://github.com/w3ctag/design-reviews/issues/1125#issuecomment-3203863799

Received on Wednesday, 20 August 2025 01:52:07 UTC