Blog Posts & Video
This is a small sample of relevant blog posts.
This document provides some background on the threats to users' privacy that Javascript APIs help create on the Web, and provides some patterns to mitigate such threats at the API design level. Its primary audience is therefore people involved in the definition and implementation inside user agents of such APIs.
A presentation on our responsibility as technologists to change the world which is well worth watching.
There has been ample debate in some tech circles as to just how much of a privacy war is really being waged. My personal sense is that it's not so much of a war as it is a reality check. It has become very painfully obvious that the same old simple solutions don't work — and some people are up in arms that reality is being inconvenient to them.
If you've spent any amount of time discussing reforms to improve privacy online, you've likely encountered the Big Knob Theory. Like Covid it comes in variants, but its core tenet can be summarised thus: there exists (metaphorically) a Big Knob that can either be turned towards "privacy" or towards "competition" — but it's very much a zero-sum game and you can't have both. It's a popular position; but is it true?

The New York Times has made substantial changes to how we handle reader data, with an eye towards increased reader privacy. This includes better privacy practices around marketing, advertising and a more readable privacy policy.
Should we maintain pervasive data collection on the web under the guise of preserving competition?
Programmatic technology continues to be used by parties on both sides of the Russia/Ukraine conflict as a platform to conduct psychological warfare.
In this digital hellscape of ours, what is it that we talk about when we talk about privacy? We talk about power. Concentrations of data are concentrations of power, or, as the freshly-minted first public draft of the W3C’s Privacy Principles states, “asymmetries of information and of automation create commanding asymmetries of power.” That’s the problem to which privacy is the solution.
Compliance APIs
APIs Privacy Engineers will have to deal with regularly.
IAB Europe, in partnership with IAB Tech Lab, announced on 21 August 2019 the launch of the second iteration of Transparency and Consent Framework (TCF) v2.0.
Technical specifications to support US Privacy initiatives, starting with CCPA (California Consumer Privacy Act) - USPrivacy/USP API.md at master · InteractiveAdvertisingBureau/USPrivacy
Exercise your privacy rights in one step via the “Global Privacy Control” (GPC) signal, a proposed specification backed by over a dozen organizations.
The Site Engagement Service provides information about how engaged a user is with a site. The primary signal is the amount of active time the user spends on the site but various other signals may be incorporated (e.g. whether a site is added to the homescreen).
This article covered feature detection in a reasonable amount of detail, going through the main concepts and showing you how to both implement your own feature detection tests and use the Modernizr library to implement tests more easily.
In-Progress Standards
Privacy relevant standards.
Our latest news, updates, and stories about Privacy.
Our latest news, updates, and stories about Security.
Client Hints
WICG/ua-client-hints: Wouldn't it be nice if `User-Agent` was a (set of) client hints?
Client Hints is a collection of HTTP and user-agent features that enables privacy-preserving, proactive content negotiation with an explicit third-party delegation mechanism:
(slides)
Client Hint Reliability (Internet-Draft, 2020)
Request for Mozilla Position on an Emerging Web Specification Specification Title: User Agent Client Hints Specification or proposal URL: https://tools.ietf.org/html/draft-west-ua-client-hints-00 M...
IP Blindness
Contribute to bslassey/ip-blindness development by creating an account on GitHub.

This research presents VPN⁰, the first distributed virtual private network offering a privacy preserving traffic authorization and validation mechanism.
A technical explanation of how Analytics anonymizes IP addresses. At a glance: When a customer of Analytics requests IP address anonymization, Analytics anonymizes the address as soon as technically fea
IsLoggedIn
Explainers from WebKit contributors. Contribute to WebKit/explainers development by creating an account on GitHub.
Privacy Budget
Contribute to bslassey/privacy-budget development by creating an account on GitHub.
Privacy Sandbox
A collection of proposed standards by Google intended to move the web away from third party cookies.
Privacy Sandbox is developing privacy-preserving technologies to protect your online privacy so you can browse the web without invasive tracking.
Today on The Keyword, we outlined our vision for an initiative aimed at evolving the web with architecture that advances privacy, while co...
A year ago we announced our intention to phase out third-party cookies and replace them with new browser features that are fundamentally mo...
For its Chrome browser, Google wants to replace cookies with APIs developed according to its Privacy Sandbox. Here's a primer explaining what's entailed and at stake for the long term.
What lessons can be learned after FLoC had its wings clipped?
Private Attribution
Safari proposal
A typical website is made of numerous components coming from a wide variety of sources.
When it comes to ad tracking in Safari, Apple usually taketh away. But sometimes Apple giveth advertisers a little something. Meet privacy-preserving ad click attribution for the web. Think of it as Apple throwing a bone to advertisers who need a way to measure the effectiveness of their ads in Safari, which is where tracking...
This section is non-normative.
Chrome proposal
Build the next generation of web experiences.
Conversion Measurement API. Contribute to WICG/conversion-measurement-api development by creating an account on GitHub.
[public] Experiment with Attribution Reporting: Handbook Published on March 31st, 2022 This document is part of a collection of developer guides to experiment with the Attribution Reporting API. See all resources in this collection. Any questions? Please ask. We strongly recommend you...
Mozilla / Facebook proposal
Interoperable Private Attribution (IPA) Date Published: Jan 5th, 2022 Authors: Erik Taubeneck (Meta), Ben Savage (Meta), Martin Thomson (Mozilla) Purpose of this document: 1. Introduction 1.1 Major design choices 1.2 Acknowledgements 2. Components of the IPA proposal 2.1 Setting Match Keys 2.2 ...
Android Proposal
Provide feedback
Storage Partitioning
Client-Side Storage Partitioning. Contribute to privacycg/storage-partitioning development by creating an account on GitHub.
Trust Tokens
Potential alternative for anti-fraud/reCaptcha issues
Trust Tokens is a new API to enable a website to convey a limited amount of information from one browsing context to another (for example, across sites) to help combat fraud, without passive tracking.
Public chromium.org document // davidvc@chromium.org, July 2021 What’s TrustTokenV3? “TrustTokenV3” is a collection of backwards-incompatible changes to Chromium’s Trust Tokens implementation arriving starting in Chrome 92, which will reach Beta (small number of users) in early June and Stable t...
Chrome origin trials allow developers to safely experiment with web platform features
This document describes a mechanism which allows HTTP servers to maintain stateful sessions with HTTP user agents. It aims to address some of the security and privacy considerations which have been identified in existing state management mechanisms, providing developers with a well-lit path towards our current understanding of best practice.
IDs
The ad tech hordes are again congregating with the IAB Tech Lab's Annual Leadership Meeting taking place in New York City this week.
WebID / FedID
A privacy preserving federated identity Web API. Contribute to fedidcg/FedCM development by creating an account on GitHub.
WebID TPAC 2020 Ken Buchanan (kenrb@google.com) Majid Valipour (majidvp@google.com) Sam Goto (goto@google.com)
DID
Decentralized identifiers (DIDs) are a new type of identifier that enables verifiable, decentralized digital identity. A DID refers to any subject (e.g., a person, organization, thing, data model, abstract entity, etc.) as determined by the controller of the DID. In contrast to typical, federated identifiers, DIDs have been designed so that they may be decoupled from centralized registries, identity providers, and certificate authorities. Specifically, while other parties might be used to help enable the discovery of information related to a DID, the design enables the controller of a DID to prove control over it without requiring permission from any other party. DIDs are URIs that associate a DID subject with a DID document allowing trustable interactions associated with that subject.
KILT DID Driver for the Universal Resolver. Contribute to KILTprotocol/kilt-did-driver development by creating an account on GitHub.
Engineering-relevant laws
After the California Consumer Privacy Act passed in 2018, multiple states proposed similar legislation to protect consumers in their states. The IAPP Westin Research Center tracks proposed comprehensive state privacy bills from across the country to aid our members' efforts to stay abreast of the...
GDPR
What is the GDPR? Europe’s new data privacy and security law includes hundreds of pages’ worth of new requirements for organizations around the world. This GDPR overview will help...

General Data Protection Regulation, or GDPR, became law in May 2018. Our need-to-know GDPR summary explains what the changes mean for you
How to conduct a Data Protection Impact Assessment (template included) A Data Protection Impact Assessment (DPIA) is required under the GDPR any time you begin a new project that...
The ruling will require companies to protect data that indirectly relates to sensitive information such as health or sexual orientation.
CCPA
The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law.
Colorado
IAPP Westin Research Fellow Sarah Rippy breaks down the newly passed Colorado Privacy Act.
Virginia's CDPA
Introduced by: David W. Marsden
What Is the Virginia Consumer Data Protection Act (VCDPA)? Learn about the key components of the state’s new comprehensive data privacy law.
Learn about the major provisions of the Virginia Consumer Data Protection Act (VCDPA) to prepare for compliance by the January 1, 2023 effective date.
March 2021 1. Governing Texts On 2 March 2021, the Virginia State Governor signed into law the Consumer Data Protection Act ('CDPA'), which is due to enter into effect on 1 January 2023. In addition to this, Virginia regulates privacy and data protection matters through the Personal Information Privacy Act, which restricts the sale of personal information of customers by merchants as well as the use of social security numbers.
ADPPA
People are justifiably excited about the American Data Privacy and Protection Act.
Japan
Understand how data breaches led to Japan’s Act on the Protection of Personal Information (APPI), and how businesses must adapt to comply...
White Papers and Non-technical Standards
This includes conversations about the mechanism and philosophy around privacy as well as useful documents–including privacy models–used by standard setting orgs as part of their process.
Models and Definitions of Privacy
michaelkleber/privacy-model: A Potential Privacy Model for the Web: Sharding Web Identity
This document is at a very early stage. Many things in it are wrong and/or incomplete. Please take it as a rough shape for how we might document the target threat model, rather than as definite statements about what should be in the target threat model.
Privacy is an essential part of the Web ([ETHICAL-WEB]). This document provides definitions for privacy and related concepts that are applicable worldwide. It also provides a set of privacy principles that should guide the development of the Web as a trustworthy platform. People using the Web would benefit from a stronger relationship between technology and policy, and this document is written to work with both.
This document describes the web tracking practices that WebKit believes, as a matter of policy, should be prevented by default by web browsers.
This document describes the online tracking practices that Mozilla believes, as a matter of policy, should be blocked by default by web browsers. These practices are potentially harmful to users and cannot be meaningfully understood or controlled by users.
Setting the standard for a robust, policy-ready understanding of privacy.
A tool to help organizations improve individuals’ privacy through enterprise risk management
Privacy by design is an approach to systems engineering initially developed by Ann Cavoukian and formalized in a joint report on privacy-enhancing technologies by a joint team of the Information and Privacy Commissioner of Ontario (Canada), the Dutch Data Protection Authority, and the Netherlands Organisation for Applied Scientific Research in 1995.[1][2] The privacy by design framework was published in 2009[3] and adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities in 2010.[4] Privacy by design calls for privacy to be taken into account throughout the whole engineering process. The concept is an example of value sensitive design, i.e., taking human values into account in a well-defined manner throughout the process.[5][6]
Privacy chapter of the 2022 Web Almanac covers the adoption and impact of online tracking, privacy preference signals, and browser initiatives for a privacy-friendlier web.
Principles and Documents
The Design Principles are directly informed by the ethical framework set out in the Ethical Web Principles [ETHICAL-WEB]. These principles provide concrete practical advice in response to the higher level ethical responsibilities that come with developing the web platform.
When designing new features for the Web platform, we must always consider the security and privacy implications of our work. New Web features should always maintain or enhance the overall security and privacy of the Web.
This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.
The Web suffers from large scale, frequent, and often invisible privacy violations. These pervasive privacy problems threaten the Web’s ability to serve as a preeminent application platform and information distribution system.
When we are adding new web technologies and platforms, we will build them to cross regional and national boundaries. People in one location should be able to view web pages from anywhere that is connected to the web.
This document explains why the IAB believes that, when there is a conflict between the interests of end users of the Internet and other parties, IETF decisions should favor end users. It also explores how the IETF can more effectively achieve this.
Pervasive Monitoring Is an Attack (RFC )
Tracking user activity on the Web using methods other than those defined for the purpose by the Web platform (“unsanctioned tracking”) is harmful to the Web, for a variety of reasons. This Finding details the TAG's stance on different forms of tracking, and how they should be addressed.
Web Advertising BG - https://www.w3.org/community/web-adv/ - web-advertising/support_for_advertising_use_cases.md at main · w3c/web-advertising
AI & Advertising, a consumer perspective
Weaponizing the Digital Influence Machine: The Political Perils of Online Ad Tech identifies the technologies, conditions, and tactics that enable today’s digital advertising infrastructure to be weaponized by political and anti-democratic actors.
In scope, ambition, and animating philosophy, American privacy law and Europe’s General Data Protection Regulation are almost diametric opposites. The GDPR’s am
User agents are pieces of software that represent the user, a natural person, in their digital interactions. Examples include Web browsers, operating systems, s
Trust is beautiful. The willingness to accept vulnerability to the actions of others is the essential ingredient for friendship, commerce, transportation, and v
This topic page contains a curation of the IAPP's coverage, analysis and relevant resources covering De-identification.
This post first summarizes what browser fingerprinting is, and common defenses. Second, the post presents problems with “dynamic privacy approaches”, and why Brave is skeptical they are effective for protecting against fingerprinting. Third, the post presents Brave’s fingerprinting protections, current, upcoming and longer-term.
F. Wang, R. Ko, and J. Mickens, “Riverbed: Enforcing User-defined Privacy Constraints in Distributed Web Services,” in NSDI, Boston, MA, 2019.
Amplification by Shuffling: From Local to Central Differential Privacy via Anonymity
Context-Aware Local Differential Privacy
At The Times, we aim to create the best possible reader experience across every medium. This involves knowing certain things about our readership. For example, knowing which articles you read helps us understand your interests. That information lets us select the types of articles we show you in certain parts of the app or site. (This article selection process is still guided by our journalistic judgment, and doesn’t impact large portions of the app or site.)
Merkle used Amazon Redshift and other AWS services to build a solution that enables companies to create targeted marketing campaigns while maintaining compliance with data privacy regulations.
Since the COVID-19 pandemic we’ve seen a seismic shift around the world to online shopping and direct-to-consumer sales. Arguably, the consumer packaged goods (CPG) industry felt this shift more than any other industry. According to Statista, “Retail websites generated almost 22 billion visits in June 2020, up from 16.07 billion global visits in January 2020.” […]
"same-site" and "same-origin" are frequently cited but often misunderstood terms. This article helps you understand what they are and how they are different.
As a guide for beginners, we have compiled all of the need-to-know terms, metrics, and stakeholder acronyms in an adtech glossary. Applift’s Compendium of Adtech Abbreviation

When I first started working on the Data Governance team at The New York Times in 2017, I would often be met by blank stares when I tried to explain my job. Over time, I perfected my elevator pitch…
Exposure Notification Privacy Preserving Analytics
Opinion 03/2013 on purpose limitation
As the Web continues its evolution into a powerful application platform, an increasing number of its additional abilities risk compromising user privacy unless they are specifically created to promote it. Privacy has to become a core feature of the Web.
A proposed US law banning surveillance advertising emphasizes that marketers need to invest in non-cookie-based audience insights.
User Perception
"I need a better description": An Investigation Into User Expectations For Differential Privacy
For folks trying to get a grip on their digital privacy—whether you’re an activist or not.
Data Protection

A research paper from the ICO
Lawmakers looking to embolden privacy law have begun to consider imposing duties of loyalty on organizations trusted with people’s data and online experiences.
A duty of loyalty focusing on the relationships between data collectors and data subjects would reinvigorate American privacy law. The law should include a general duty not to act against users’ interests.
Trust
https://www.cloudflare.com/learning/dns/dns-records/dns-spf-record/
Journalism
Relevant articles and reports on issues and successes
Trackers piggybacking on website tools leave some site operators in the dark about who is watching or what marketers do with the data
Blacklight catalogs the many ways any website tracks visitors: from cookies to capturing every user keystroke and mouse movement
Unique IDs linked to phones are supposed to be anonymous. But there’s an entire industry that links them to real people and their address.
Searching Google’s ad buying portal for “Black girls” returned hundreds of terms leading to “adult content”
While vowing to police COVID-19 misinformation on its platform, Facebook let advertisers target users interested in “pseudoscience”
When Microsoft officially emerged as the frontrunner for a potential acquisition of the teen-fave-turned-national-security-concern TikTok earlier this week, tech critics ‘round the globe found themselves with an endless set of questions that seemingly nobody could answer. Why would a company as corporate as Microsoft…
Anyone who’s covered the wacky world of tech policy for any time at all probably has some ideas about how today’s major antitrust hearing will go down. Some think Jeff Bezos’s overall net worth will become part of the debate. Tim Cook will be grilled over Apple’s firm chokehold over the mobile app ecosystem. And no…
Seemingly simple mobile games made us all way too comfortable with giving away our personal information.
Yesterday, Verizon became the latest company to join a corporate chorus boycotting Facebook advertisements in July as part of a rallying cry to get Facebook’s corporate board to take action on the rampant racism and hate speech that many of us have come to associate with the platform. The “Stop Hate for Profit”…
With the abysmal state of healthcare in this country, it shouldn’t be surprising that tech companies—specifically those in the app space—have swooped in left and right to solve the ills that the federal government can’t or won’t. Want to monitor your blood pressure? There’s an app for that. Mental health got you down? …
The thousands of “Trumpcare” ads Facebook and Google have published show that the shadowy “lead generation” economy has a happy home on the platforms — and even big names like UnitedHealthcare take part.