Blog Posts & Video
This is a small sample of relevant blog posts.
This document provides some background on the threats to users' privacy that Javascript APIs help create on the Web, and provides some patterns to mitigate such threats at the API design level. Its primary audience is therefore people involved in the definition and implementation inside user agents of such APIs.
A presentation on our responsibility as technologists to change the world which is well worth watching.
There has been ample debate in some tech circles as to just how much of a privacy war is really being waged. My personal sense is that it's not so much of a war as it is a reality check. It has become very painfully obvious that the same old simple solutions don't work — and some people are up in arms that reality is being inconvenient to them.
If you've spent any amount of time discussing reforms to improve privacy online, you've likely encountered the Big Knob Theory. Like Covid it comes in variants, but its core tenet can be summarised thus: there exists (metaphorically) a Big Knob that can either be turned towards "privacy" or towards "competition" — but it's very much a zero-sum game and you can't have both. It's a popular position; but is it true?
The New York Times has made substantial changes to how we handle reader data, with an eye towards increased reader privacy. This includes better privacy practices around marketing, advertising and a more readable privacy policy.
Should we maintain pervasive data collection on the web under the guise of preserving competition?
Programmatic technology continues to be used by parties on both sides of the Russia/Ukraine conflict as a platform to conduct psychological warfare.
In this digital hellscape of ours, what is it that we talk about when we talk about privacy? We talk about power. Concentrations of data are concentrations of power, or, as the freshly-minted first public draft of the W3C’s Privacy Principles states, “asymmetries of information and of automation create commanding asymmetries of power.” That’s the problem to which privacy is the solution.
Compliance APIs
APIs Privacy Engineers will have to deal with regularly.
IAB Europe, in partnership with IAB Tech Lab, announced on 21 August 2019 the launch of the second iteration of Transparency and Consent Framework (TCF) v2.0.
Technical specifications to support US Privacy initiatives, starting with CCPA (California Consumer Privacy Act) - USPrivacy/USP API.md at master · InteractiveAdvertisingBureau/USPrivacy
Exercise your privacy rights in one step via the “Global Privacy Control” (GPC) signal, a proposed specification backed by over a dozen organizations.
The Site Engagement Service provides information about how engaged a user is with a site. The primary signal is the amount of active time the user spends on the site but various other signals may be incorporated (e.g. whether a site is added to the homescreen).
This article covered feature detection in a reasonable amount of detail, going through the main concepts and showing you how to both implement your own feature detection tests and use the Modernizr library to implement tests more easily.
The Global Privacy Control is making steady progress towards adoption. As a global signal supported by browsers, it's a natural question to ask what it means under regimes such as the GDPR. Here's my personal take.
Helping publishers comply with U.S. privacy laws through a standardized framework. Developed by the IAB’s Tech Lab, the Global Privacy Platform (GPP) is a standardized framework for storing and passing
The Berlin Regional Court found LinkedIn's ignoring of "Do Not Track" signals and publishing of profiles without permission to be illegal. The ruling supported consumer control over personal data.
Understanding Third Party Cookies
Learn about how cookies work and what first-party and third-party cookies are.
Learn how to mark your cookies for first-party and third-party usage with the SameSite attribute. You can enhance your site's security by using SameSite's Lax and Strict values to improve protection against CSRF attacks. Specifying the new None attribute allows you to explicitly mark your cookies for cross-site usage.
The technology that shaped digital advertising and media is going away. What will replace it?
But he's also not convinced that any of the alternatives will be much better.
To replace the cookie in Chrome and Android, Google has an offering for the world called “Privacy Sandbox." Here's an exclusive peek into how it will work.
Big Martech is back with Season 2! We are doing things a bit differently this time around. Instead of doing a single topic per show, we’re doing deeper dives into the most pressing themes of Martech with three episodes at a time. Our first theme is about how our shift away from third party cookies is changing the Martech landscape. This week we’ll look at the history of the cookie, next week will be about how marketers are responding, and the third l
We asked the engineer who invented cookies what they mean and how to handle them.
For the last decade, marketers have been sold the idea that microtargeting would help them improve digital marketing. I realize that it will be hard for you to accept that it didn't work -- at.
I can make an HTML page with image tags that point at other people’s images: a page of Rembrandts from different art museums. If those images are open then it doesn’t matter whether my browser sends…
Browsers ending 3p
Learn how to audit your code to look for third-party cookies and what action you can take to ensure you're all set for the end of third-party cookies.
Take back your privacy Firefox is rolling out Total Cookie Protection by default to more Firefox users worldwide, making Firefox the most private and secur
Apple has an update out for Safari’s Intelligent Tracking Prevention tool set that makes its web browser even more secure. Now, Safari blocks all third-party cookies by default, with no exceptions, thanks to fundamental changes to the way traffic is handled.
While we are all getting ‘ready’ for a cookieless future, there are two major considerations that just aren’t being discussed enough.
In-Progress Standards
Privacy relevant standards.
Our latest news, updates, and stories about Privacy.
Our latest news, updates, and stories about Security.
Client Hints
Wouldn't it be nice if `User-Agent` was a (set of) client hints? - GitHub - WICG/ua-client-hints
Client Hints is a collection of HTTP and user-agent features that enables privacy-preserving, proactive content negotiation with an explicit third-party delegation mechanism:
(slides)
Client Hint Reliability (Internet-Draft, 2020)
Request for Mozilla Position on an Emerging Web Specification Specification Title: User Agent Client Hints Specification or proposal URL: https://tools.ietf.org/html/draft-west-ua-client-hints-00 M...
IP Blindness
Contribute to bslassey/ip-blindness development by creating an account on GitHub.
This research presents VPN⁰, the first distributed virtual private network offering a privacy preserving traffic authorization and validation mechanism.
A technical explanation of how Analytics anonymizes IP addresses. At a glance: When a customer of Analytics requests IP address anonymization, Analytics anonymizes the address as soon as technically fea
IsLoggedIn
Explainers from WebKit contributors. Contribute to WebKit/explainers development by creating an account on GitHub.
Privacy Budget
Contribute to bslassey/privacy-budget development by creating an account on GitHub.
Privacy Sandbox
A collection of proposed standards by Google intended to move the web away from third party cookies.
Privacy Sandbox is developing privacy-preserving technologies to protect your online privacy so you can browse the web without invasive tracking.
2023 will be a critical year to prepare for a world without third-party cookies. Let’s take a closer look at how the advertising ecosystem might think about ad relevance in a cookieless future.
Today on The Keyword, we outlined our vision for an initiative aimed at evolving the web with architecture that advances privacy, while co...
A year ago we announced our intention to phase out third-party cookies and replace them with new browser features that are fundamentally mo...
For its Chrome browser, Google wants to replace cookies with APIs developed according to its Privacy Sandbox. Here's a primer explaining what's entailed and at stake for the long term.
What lessons can be learned after FLoC had its wings clipped?
Private Attribution
Safari proposal
A typical website is made of numerous components coming from a wide variety of sources.
When it comes to ad tracking in Safari, Apple usually taketh away. But sometimes Apple giveth advertisers a little something. Meet privacy-preserving ad click attribution for the web. Think of it as Apple throwing a bone to advertisers who need a way to measure the effectiveness of their ads in Safari, which is where tracking...
This section is non-normative.
Chrome proposal
Build the next generation of web experiences.
Conversion Measurement API. Contribute to WICG/conversion-measurement-api development by creating an account on GitHub.
Build the next generation of web experiences.
[public] Experiment with Attribution Reporting: Handbook Published on March 31st, 2022 This document is part of a collection of developer guides to experiment with the Attribution Reporting API. See all resources in this collection. Any questions? Please ask. We strongly recommend you...
Mozilla / Facebook proposal
Interoperable Private Attribution (IPA) Date Published: Jan 5th, 2022 Authors: Erik Taubeneck (Meta), Ben Savage (Meta), Martin Thomson (Mozilla) Purpose of this document: 1. Introduction 1.1 Major design choices 1.2 Acknowledgements 2. Components of the IPA proposal 2.1 Setting Match Keys 2.2 ...
Android Proposal
Provide feedback
Storage Partitioning
Client-Side Storage Partitioning. Contribute to privacycg/storage-partitioning development by creating an account on GitHub.
Trust Tokens
Potential alternative for anti-fraud/reCaptcha issues
Trust Tokens is a new API to enable a website to convey a limited amount of information from one browsing context to another (for example, across sites) to help combat fraud, without passive tracking.
Public chromium.org document // davidvc@chromium.org, July 2021 What’s TrustTokenV3? “TrustTokenV3” is a collection of backwards-incompatible changes to Chromium’s Trust Tokens implementation arriving starting in Chrome 92, which will reach Beta (small number of users) in early June and Stable t...
Chrome origin trials allow developers to safely experiment with web platform features
This document describes a mechanism which allows HTTP servers to maintain stateful sessions with HTTP user agents. It aims to address some of the security and privacy considerations which have been identified in existing state management mechanisms, providing developers with a well-lit path towards our current understanding of best practice.
IDs
The ad tech hordes are again congregating with the IAB Tech Lab's Annual Leadership Meeting taking place in New York City this week.
WebID / FedID
A privacy preserving federated identity Web API. Contribute to fedidcg/FedCM development by creating an account on GitHub.
WebID TPAC 2020 Ken Buchanan (kenrb@google.com) Majid Valipour (majidvp@google.com) Sam Goto (goto@google.com)
DID
Decentralized identifiers (DIDs) are a new type of identifier that enables verifiable, decentralized digital identity. A DID refers to any subject (e.g., a person, organization, thing, data model, abstract entity, etc.) as determined by the controller of the DID. In contrast to typical, federated identifiers, DIDs have been designed so that they may be decoupled from centralized registries, identity providers, and certificate authorities. Specifically, while other parties might be used to help enable the discovery of information related to a DID, the design enables the controller of a DID to prove control over it without requiring permission from any other party. DIDs are URIs that associate a DID subject with a DID document allowing trustable interactions associated with that subject.
KILT DID Driver for the Universal Resolver. Contribute to KILTprotocol/kilt-did-driver development by creating an account on GitHub.
Engineering-relevant laws
After the California Consumer Privacy Act passed in 2018, multiple states proposed similar legislation to protect consumers in their states. The IAPP Westin Research Center tracks proposed comprehensive state privacy bills from across the country to aid our members' efforts to stay abreast of the...
GDPR
What is the GDPR? Europe’s new data privacy and security law includes hundreds of pages’ worth of new requirements for organizations around the world. This GDPR overview will help...
General Data Protection Regulation, or GDPR, became law in May 2018. Our need-to-know GDPR summary explains what the changes mean for you
How to conduct a Data Protection Impact Assessment (template included) A Data Protection Impact Assessment (DPIA) is required under the GDPR any time you begin a new project that...
The ruling will require companies to protect data that indirectly relates to sensitive information such as health or sexual orientation.
CCPA
The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law.
Colorado
IAPP Westin Research Fellow Sarah Rippy breaks down the newly passed Colorado Privacy Act.
Virginia's CDPA
Introduced by: David W. Marsden
What Is the Virginia Consumer Data Protection Act (VCDPA)? Learn about the key components of the state’s new comprehensive data privacy law.
Learn about the major provisions of the Virginia Consumer Data Protection Act (VCDPA) to prepare for compliance by the January 1, 2023 effective date.
March 2021 1. Governing Texts On 2 March 2021, the Virginia State Governor signed into law the Consumer Data Protection Act ('CDPA'), which is due to enter into effect on 1 January 2023. In addition to this, Virginia regulates privacy and data protection matters through the Personal Information Privacy Act, which restricts the sale of personal information of customers by merchants as well as the use of social security numbers.
Maryland
Synopsis
Synopsis
ADPPA
People are justifiably excited about the American Data Privacy and Protection Act.
Japan
Understand how data breaches led to Japan’s Act on the Protection of Personal Information (APPI), and how businesses must adapt to comply...
White Papers and Non-technical Standards
This includes conversations about the mechanism and philosophy around privacy as well as useful documents–including privacy models–used by standard setting orgs as part of their process.
Models and Definitions of Privacy
A Potential Privacy Model for the Web: Sharding Web Identity - GitHub - michaelkleber/privacy-model
This document is at a very early stage. Many things in it are wrong and/or incomplete. Please take it as a rough shape for how we might document the target threat model, rather than as definite statements about what should be in the target threat model.
Privacy is an essential part of the Web ([ETHICAL-WEB]). This document provides definitions for privacy and related concepts that are applicable worldwide. It also provides a set of privacy principles that should guide the development of the Web as a trustworthy platform. People using the Web would benefit from a stronger relationship between technology and policy, and this document is written to work with both.
This document describes the web tracking practices that WebKit believes, as a matter of policy, should be prevented by default by web browsers.
This document describes the online tracking practices that Mozilla believes, as a matter of policy, should be blocked by default by web browsers. These practices are potentially harmful to users and cannot be meaningfully understood or controlled by users.
Setting the standard for a robust, policy-ready understanding of privacy.
A tool to help organizations improve individuals’ privacy through enterprise risk management
Privacy by design is an approach to systems engineering initially developed by Ann Cavoukian and formalized in a joint report on privacy-enhancing technologies by a joint team of the Information and Privacy Commissioner of Ontario (Canada), the Dutch Data Protection Authority, and the Netherlands Organisation for Applied Scientific Research in 1995.[1][2] The privacy by design framework was published in 2009[3] and adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities in 2010.[4] Privacy by design calls for privacy to be taken into account throughout the whole engineering process. The concept is an example of value sensitive design, i.e., taking human values into account in a well-defined manner throughout the process.[5][6]
Privacy chapter of the 2022 Web Almanac covers the adoption and impact of online tracking, privacy preference signals, and browser initiatives for a privacy-friendlier web.
Contents
Principles and Documents
The Design Principles are directly informed by the ethical framework set out in the Ethical Web Principles [ETHICAL-WEB]. These principles provide concrete practical advice in response to the higher level ethical responsibilities that come with developing the web platform.
When designing new features for the Web platform, we must always consider the security and privacy implications of our work. New Web features should always maintain or enhance the overall security and privacy of the Web.
This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.
The Web suffers from large scale, frequent, and often invisible privacy violations. These pervasive privacy problems threaten the Web’s ability to serve as a preeminent application platform and information distribution system.
When we are adding new web technologies and platforms, we will build them to cross regional and national boundaries. People in one location should be able to view web pages from anywhere that is connected to the web.
This document explains why the IAB believes that, when there is a conflict between the interests of end users of the Internet and other parties, IETF decisions should favor end users. It also explores how the IETF can more effectively achieve this.
Pervasive Monitoring Is an Attack (RFC )
Tracking user activity on the Web using methods other than those defined for the purpose by the Web platform (“unsanctioned tracking”) is harmful to the Web, for a variety of reasons. This Finding details the TAG's stance on different forms of tracking, and how they should be addressed.
Web Advertising BG - https://www.w3.org/community/web-adv/ - web-advertising/support_for_advertising_use_cases.md at main · w3c/web-advertising
AI & Advertising, a consumer perspective
Weaponizing the Digital Influence Machine: The Political Perils of Online Ad Tech identifies the technologies, conditions, and tactics that enable today’s digital advertising infrastructure to be weaponized by political and anti-democratic actors.
In scope, ambition, and animating philosophy, American privacy law and Europe’s General Data Protection Regulation are almost diametric opposites. The GDPR’s am
User agents are pieces of software that represent the user, a natural person, in their digital interactions. Examples include Web browsers, operating systems, s
Trust is beautiful. The willingness to accept vulnerability to the actions of others is the essential ingredient for friendship, commerce, transportation, and v
This topic page contains a curation of the IAPP's coverage, analysis and relevant resources covering De-identification.
This post first summarizes what browser fingerprinting is, and common defenses. Second, the post presents problems with “dynamic privacy approaches”, and why Brave is skeptical they are effective for protecting against fingerprinting. Third, the post presents Brave’s fingerprinting protections, current, upcoming and longer-term.
F. Wang, R. Ko, and J. Mickens, “Riverbed: Enforcing User-defined Privacy Constraints in Distributed Web Services,” in NSDI, Boston, MA, 2019.
Amplification by Shuffling: From Local to Central Differential Privacy via Anonymity
Context-Aware Local Differential Privacy
At The Times, we aim to create the best possible reader experience across every medium. This involves knowing certain things about our readership. For example, knowing which articles you read helps us understand your interests. That information lets us select the types of articles we show you in certain parts of the app or site. (This article selection process is still guided by our journalistic judgment, and doesn’t impact large portions of the app or site.)
Merkle used Amazon Redshift and other AWS services to build a solution that enables companies to create targeted marketing campaigns while maintaining compliance with data privacy regulations.
Since the COVID-19 pandemic we’ve seen a seismic shift around the world to online shopping and direct-to-consumer sales. Arguably, the consumer packaged goods (CPG) industry felt this shift more than any other industry. According to Statista, “Retail websites generated almost 22 billion visits in June 2020, up from 16.07 billion global visits in January 2020.” […]
"same-site" and "same-origin" are frequently cited but often misunderstood terms. This article helps you understand what they are and how they are different.