
Add HTTP header to opt out of "interest cohort" training #3159

Closed
dmarti opened this issue Mar 8, 2021 · 9 comments
Labels
🧑‍🤝‍🧑 community contributions by our wonderful community 🐌 idle Issues and PRs without recent activity. Flagged for maintainer follow-up. 🚉 platform keeping the platform healthy

Comments

@dmarti

dmarti commented Mar 8, 2021

At least one commonly used web browser is planning to deploy a system in which users are classified into "interest cohorts" based on web history. (Federated Learning of Cohorts, or FLoC). This is widely considered a risk to user privacy. Background information is available from

If MDN visits are used to classify users into a "web developer" cohort, then unpredictable and possibly adverse effects will ensue. Some MDN users might be classified as web developers, and therefore good possible tenants, by landlords. Others might be classified by their current employers as people seeking new jobs as web developers, and suffer consequences at work. Still other users might be classified as web people and placed at risk for "spear phishing" attacks against web sites.

Because the training of cohorts has not been independently evaluated for privacy or security, and because cohort training is currently opt-out rather than opt-in, please add the opt-out HTTP header to MDN.

Permissions-Policy: interest-cohort=()

More info on opting out: https://github.com/WICG/floc#opting-out-of-computation
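A small check for the header requested above, added here as an example; it is not code from the issue or from the Yari deployer. It parses a Permissions-Policy value (the `feature=(allowlist)` syntax shown in the WICG/floc opt-out section) and reports whether `interest-cohort` has an empty allowlist, which is the opt-out. The header tuples are constructed samples.

```python
"""Verify that a response opts out of FLoC interest-cohort computation
via the Permissions-Policy header (simplified parser: assumes no commas
inside allowlists, which holds for origin allowlists)."""


def parse_permissions_policy(value):
    """Map each feature in a Permissions-Policy value to its allowlist tuple.
    An empty tuple means the feature is disabled for every origin."""
    policy = {}
    for directive in value.split(","):
        directive = directive.strip()
        if "=" not in directive:
            continue  # skip empty or malformed directives
        feature, _, allowlist = directive.partition("=")
        allowlist = allowlist.strip()
        if allowlist.startswith("(") and allowlist.endswith(")"):
            # Parenthesised list: zero or more tokens/quoted origins
            members = tuple(m.strip('"') for m in allowlist[1:-1].split())
        else:
            # Bare value such as * or self
            members = (allowlist.strip('"'),)
        policy[feature.strip().lower()] = members
    return policy


def floc_opted_out(headers):
    """Return True if any Permissions-Policy header carries interest-cohort=()."""
    for name, value in headers:
        if name.lower() != "permissions-policy":
            continue
        if parse_permissions_policy(value).get("interest-cohort") == ():
            return True
    return False


# Constructed sample responses (not captured from MDN)
OPTED_OUT = [
    ("Content-Type", "text/html"),
    ("Permissions-Policy", "interest-cohort=()"),
]
NOT_OPTED_OUT = [
    ("Content-Type", "text/html"),
    ("Permissions-Policy", 'geolocation=(self), interest-cohort=(self "https://example.com")'),
]

if __name__ == "__main__":
    print("opt-out present:", floc_opted_out(OPTED_OUT))      # True
    print("opt-out present:", floc_opted_out(NOT_OPTED_OUT))  # False
```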

@peterbe
Contributor

peterbe commented Mar 9, 2021

Hi Don! Thanks for filing.

@escattone @chrisdavidmills @fiji-flo This one's non-trivial. I haven't had a chance to read those lengthy articles yet.
Technically it would be as simple as adding the Cache-Control header to the Deployer, but it would be nice to get some buy-in from other privacy experts within Mozilla to back up Don's claims (i.e. that MDN should opt out). Know anybody good to call in for advice?

@chrisdavidmills
Contributor


@englehardt is very knowledgeable in this area. Hi Steven! We are looking for expert advice on MDN opting out of "interest cohort" training. Do you have a little time to share your knowledge and ideas here?

@dmarti
Author

dmarti commented Mar 10, 2021

Thank you for looking into this. @arthuredelstein is also knowledgeable about browser privacy and may be able to help advise.

@englehardt

Since FLoC is only going through origin trials in Chrome, I think it's premature to add a header that interacts with the feature to our web properties. We should definitely revisit this if Chrome decides to move FLoC beyond an experiment.

@dmarti
Author

dmarti commented Mar 22, 2021

The FLoC origin trial in Google Chrome has started. Only sites that are enrolled in the origin trial will be able to call the FLoC API.

All sites that are detected to have "ad-related resources" (items that would be blocked by EasyList) will be included in the training, unless explicitly opted out.

If MDN does not have any third-party resource that would be blocked by EasyList, it should not be included in training during the origin trial. However, if it turns out that an ad injected into a page by a (malicious) Chrome extension can result in the page being detected as an "ad-related" page, those ads might also expose users to FLoC training on MDN.

@schalkneethling

@englehardt @dmarti Has this gone beyond origin trials? Should we revisit this issue and possibly implement the permission policy header? Thank you

@dmarti
Author

dmarti commented Nov 4, 2021

@schalkneethling The first origin trial in Google Chrome has come to an end. There may be a second trial coming soon, but so far we don't know much about how FLoC will be changed. It is likely that FLoC training will only happen on pages on which the FLoC API is called, which might make the opt-out header unnecessary, but I still don't know how a script injected into a page by a browser extension might affect this. (WICG/floc#33 (comment))

More info: https://digiday.com/marketing/google-switch-floc-cookie-replacement-fingerprinting-potential/

@schalkneethling

Thank you for the feedback @dmarti, much appreciated.

@github-actions github-actions bot added the 🐌 idle Issues and PRs without recent activity. Flagged for maintainer follow-up. label Dec 12, 2021
@schalkneethling schalkneethling added the 🧑‍🤝‍🧑 community contributions by our wonderful community label Apr 15, 2022
Repository owner moved this from Backlog to Done in Yari Platform Engineering May 27, 2022
@caugner
Contributor

caugner commented Nov 30, 2022

FLoC seems to have been replaced by the Topics API, but I don't think it makes sense to keep tracking this here in an open yari issue.

Once this becomes significantly more prominent and therefore relevant again, we should discuss this.

@caugner caugner closed this as not planned Nov 30, 2022