121
Discussion
Right. I'm getting tired of seeing people dump on Firefox and Mozilla about this thing in the release notes:
Firefox now supports the experimental Privacy Preserving Attribution API, which provides an alternative to user tracking for ad attribution. This experiment is only enabled via origin trial and can be disabled in the new Website Advertising Preferences section in the Privacy and Security settings.
What is this? And why is it not something to get heated about?
Attribution is how advertisers know how to pay the right site owner when someone clicks on their ad. It's important for ad-supported sites that clicks get attributed.
Right now, attribution is basically incompatible with protecting privacy. Advertisers use every method of tracking you can name, and some you can't, to provide accurate attribution.
The Privacy Preserving Attribution API is an experimental way of informing an advertiser that someone clicked on an ad on a given site without leaking that it was you, specifically, who did that. Specifically, ads using the API ask Firefox to remember that they were seen, on what sites, and to what sites they lead. Then, when the user visits the destination site, the destination site asks Firefox to generate a report and submit it via a separate service that mixes your report with reports from other people and forwards these aggregated reports in large batches. Any traces that might be unique to you are lost in the crowd.
This is still experimental, being enabled by Mozilla on a site-by-site basis as developers request it. It's not a free-for-all yet, and I can only find one entry on Bugzilla of a site who's requested it.
what I’ve seen so far is that the heat isn’t against the API, it’s against it being shipped enabled by default (opt-out rather than opt-in)
That's a requirement of being usable however. It has to be the default.
@Carighan @cerement personal data slurping has to be opt in the EU however. So not sure how #noyb etc will feel.
it's not personal, though. that's the point
@kuneho Meta is not inventing this out of the goodness of it's heart. Just like how Google privacy sandbox is a fruit of a poisoned tree, the idea should be treated with extreme caution. If not, well, the NSA have a great new encryption standard they'd love you to use too.
#paranoid
This would very likely be considered anonymized data, which means it is not personal data and the GDPR does not apply.
From my understanding this is only a value add in terms of privacy? It's basically just asking every site to use this more private form of attribution, so I don't believe there's any more personal data being collected, it's just trying to send it in a more anonymized way if a given site supports it.
Itd be useless opt-in though, why would companies adopt somehting that only a small minority
You're just supporting the point.