Privacy and Compliance Reader

Blog Posts & Video

This is a small sample of relevant blog posts.

This document provides some background on the threats to users' privacy that Javascript APIs help createon the Web, and provides some patterns to mitigate such threats at the API design level. Its primaryaudience is therefore people involved in the definition and implementation inside user agents of such APIs.

ReadArchived

A presentation on our responsibility as technologists to change the world which is well worth watching.

presentations, EthicsReadArchived

There has been ample debate in some tech circles as to just how much of a privacy war is really being waged. My personal sense is that it's not so much of a war as it is a reality check. It has become very painfully obvious that the same old simple solutions don't work — and some people are up in arms that reality is being inconvenient to them.

ArchivedRead

If you've spent any amount of time discussing reforms to improve privacy online, you've likely encountered the Big Knob Theory. Like Covid it comes in variants, but its core tenet can be summarised thus: there exists (metaphorically) a Big Knob that can either be turned towards "privacy" or towards "competition" — but it's very much a zero-sum game and you can't have both. It's a popular position; but is it true?

ArchivedRead

The New York Times has made substantial changes to how we handle reader data, with an eye towards increased reader privacy. This includes better privacy practices around marketing, advertising and a more readable privacy policy.

ReadArchived

Should we maintain pervasive data collection on the web under the guise of preserving competition? 

ArchivedRead

Programmatic technology continues to be used by parties on both sides of the Russia/Ukraine conflict as a platform to conduct psychological warfare.

Adalytics, Adverif.AI, Alisha Rosen, Amy Williams, Brand Safety Institute, David Murnick, facebook, featured, GeoEdge, Good Loop, google, Institute of Practitioners in Advertising, International Fact-Checking Network, MGID, Odnoklassniki, Or Levi, Rob Blackie, RT, russia ukraine war, Sergey Denisenko, Signal, Sputnik, Telegram, the trade desk, VK, WhatsApp, Online AdvertisingArchivedRead

In this digital hellscape of ours, what is it that we talk about when we talk about privacy? We talk about power. Concentrations of data are concentrations of power, or, as the freshly-minted first public draft of the W3C’s Privacy Principles states, “asymmetries of information and of automation create commanding asymmetries of power.” That’s the problem to which privacy is the solution.

ArchivedRead

Compliance APIs

APIs Privacy Engineers will have to deal with regularly.

IAB Europe, in partnership with IAB Tech Lab, announced on 21 August 2019 the launch of the second iteration of Transparency and Consent Framework (TCF) v2.0.

ReadArchived

Technical specifications to support US Privacy initiatives, starting with CCPA (California Consumer Privacy Act) - USPrivacy/USP API.md at master · InteractiveAdvertisingBureau/USPrivacy

ReadArchived

Exercise your privacy rights in one step via the “Global Privacy Control” (GPC) signal, a proposed specification backed by over a dozen organizations.

ReadArchived

The Site Engagement Service provides information about how engaged a user iswith a site. The primary signal is the amount of active time the user spends onthe site but various other signals may be incorporated (e.g whether a site isadded to the homescreen).

ReadArchived

This article covered feature detection in a reasonable amount of detail, going through the main concepts and showing you how to both implement your own feature detection tests and use the Modernizr library to implement tests more easily.

ReadArchived

In-Progress Standards

Privacy relevant standards.

Our latest news, updates, and stories about Privacy.

ReadArchived

Our latest news, updates, and stories about Security.

ReadArchived

Client Hints

Wouldn't it be nice if `User-Agent` was a (set of) client hints? - GitHub - WICG/ua-client-hints: Wouldn't it be nice if `User-Agent` was a (set of) client hints?

ReadArchived

Client Hints is collection of HTTP and user-agent features that enablesprivacy-preserving, proactive content negotiation with an explicit third-partydelegation mechanism:

ReadArchived

(slides)

ArchivedRead

Client Hint Reliability (Internet-Draft, 2020)

ReadArchived

Request for Mozilla Position on an Emerging Web Specification Specification Title: User Agent Client Hints Specification or proposal URL: https://tools.ietf.org/html/draft-west-ua-client-hints-00 M...

ReadArchived

IP Blindness

Contribute to bslassey/ip-blindness development by creating an account on GitHub.

ReadArchived

This research presents VPN⁰, the first distributed virtual private network offering a privacy preserving traffic authorization and validation mechanism.

ReadArchived

A technical explanation of how Analytics anonymizes IP addressesAt a glanceWhen a customer of Analytics requests IP address anonymization, Analytics anonymizes the address as soon as technically fea

ReadArchived

IsLoggedIn

Explainers from WebKit contributors. Contribute to WebKit/explainers development by creating an account on GitHub.

ReadArchived

Privacy Budget

Contribute to bslassey/privacy-budget development by creating an account on GitHub.

ReadArchived

Privacy Sandbox

A collection of proposed standards by Google intended to move the web away from third party cookies.

Privacy Sandbox is developing privacy-preserving technologies to protect your online privacy so you can browse the web without invasive tracking.

ReadArchived

Today on The Keyword, we outlined our vision for an initiative aimed at evolving the web with architecture that advances privacy, while co...

ReadArchived

A year ago we announced our intention to phase out third-party cookies and replace them with new browser features that are fundamentally mo...

ReadArchived

Private Attribution

Safari proposal

A typical website is made of numerous components coming from a wide variety of sources.

PrivacyReadArchived

When it comes to ad tracking in Safari, Apple usually taketh away. But sometimes Apple giveth advertisers a little something. Meet privacy-preserving ad click attribution for the web. Think of it as Apple throwing a bone to advertisers who need a way to measure the effectiveness of their ads in Safari, which is where tracking... Continue reading »

apple, attribution, Conversion Tracking, featured, Safari ITP, web browsers, Online AdvertisingReadArchived

This section is non-normative.

ReadArchived

Chrome proposal

Build the next generation of web experiences.

ReadArchived

Conversion Measurement API. Contribute to WICG/conversion-measurement-api development by creating an account on GitHub.

ArchivedRead

Build the next generation of web experiences.

ReadArchived

[public] Experiment with Attribution Reporting: Handbook Published on March 31st, 2022 This document is part of a collection of developer guides to experiment with the Attribution Reporting API. See all resources in this collection. Any questions? Please ask. We strongly recommend you...

ArchivedRead

Mozilla / Facebook proposal

Interoperable Private Attribution (IPA) Date Published: Jan 5th, 2022 Authors: Erik Taubeneck (Meta), Ben Savage (Meta), Martin Thomson (Mozilla) Purpose of this document: 1. Introduction 1.1 Major design choices 1.2 Acknowledgements 2. Components of the IPA proposal 2.1 Setting Match Keys 2.2 ...

ReadArchived

Android Proposal

Provide feedback

ArchivedRead

Storage Partitioning

Client-Side Storage Partitioning. Contribute to privacycg/storage-partitioning development by creating an account on GitHub.

ReadArchived

Trust Tokens

Potential alternative for anti-fraud/reCaptcha issues

Trust Tokens is a new API to enable a website to convey a limited amount of information from one browsing context to another (for example, across sites) to help combat fraud, without passive tracking.

ReadArchived

Public chromium.org document // davidvc@chromium.org, July 2021 What’s TrustTokenV3? “TrustTokenV3” is a collection of backwards-incompatible changes to Chromium’s Trust Tokens implementation arriving starting in Chrome 92, which will reach Beta (small number of users) in early June and Stable t...

ReadArchived

Chrome origin trials allow developers to safely experiment with web platform features

ReadArchived

This document describes a mechanism which allows HTTP servers to maintain stateful sessions with HTTP user agents. It aims to address some of the security and privacy considerations which have been identified in existing state management mechanisms, providing developers with a well-lit path towards our current understanding of best practice.

ReadArchived

WebID / FedID

A privacy preserving federated identity Web API. Contribute to fedidcg/FedCM development by creating an account on GitHub.

ArchivedRead

WebID TPAC 2020 Ken Buchanan (kenrb@google.com) Majid Valipour (majidvp@google.com) Sam Goto (goto@google.com)

ArchivedRead

DID

Decentralized identifiers (DIDs) are a new type of identifier thatenables verifiable, decentralized digital identity. A DID refers to anysubject (e.g., a person, organization, thing, data model, abstract entity, etc.)as determined by the controller of the DID. In contrast totypical, federated identifiers, DIDs have been designed so that they maybe decoupled from centralized registries, identity providers, and certificateauthorities. Specifically, while other parties might be used to help enable thediscovery of information related to a DID, the design enables thecontroller of a DID to prove control over it without requiring permissionfrom any other party. DIDs are URIs that associate a DIDsubject with a DID document allowing trustable interactionsassociated with that subject.

ReadArchived

Engineering-relevant laws

After the California Consumer Privacy Act passed in 2018, multiple states proposed similar legislation to protect consumers in their states. The IAPP Westin Research Center tracks proposed comprehensive state privacy bills from across the country to aid our members' efforts to stay abreast of the...

ReadArchived

GDPR

What is the GDPR? Europe’s new data privacy and security law includes hundreds of pages’ worth of new requirements for organizations around the world. This GDPR overview will help...

GDPR OverviewReadArchived

General Data Protection Regulation, or GDPR, became law in May 2018. Our need-to-know GDPR summary explains what the changes mean for you

security, privacy, data, web, tagsReadArchived

How to conduct a Data Protection Impact Assessment (template included) A Data Protection Impact Assessment (DPIA) is required under the GDPR any time you begin a new project that...

UncategorizedArchivedRead

The ruling will require companies to protect data that indirectly relates to sensitive information such as health or sexual orientation.

Corporate Crime/Legal Action, Regulation/Government Policy, Corporate/Industrial News, Political/General News, Crime/Legal Action, Privacy Issues/Information Security, Content Types, Factiva Filters, C&E Executive News Filter, C&E Industry News Filter, PRO, WSJ-PRO-NP, WSJ-PRO-CYBER, WSJ-PRO-WSJ.com, corporate crime, legal action, regulation, government policy, corporate, industrial news, political, general news, crime, privacy issues, information security, content types, factiva filters, c&e executive news filter, c&e industry news filterArchivedRead

CCPA

The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law.

ReadArchived

Colorado

IAPP Westin Research Fellow Sarah Rippy breaks down the newly passed Colorado Privacy Act.

ArchivedRead

Japan

Understand how data breaches led to Japan’s Act on the Protection of Personal Information (APPI), and how businesses must adapt to comply...

ArchivedRead

White Papers and Non-technical Standards

This includes conversations about the mechanism and philosophy around privacy as well as useful documents–including privacy models–used by standard setting orgs as part of their process.

Models and Definitions of Privacy

A Potential Privacy Model for the Web: Sharding Web Identity - GitHub - michaelkleber/privacy-model: A Potential Privacy Model for the Web: Sharding Web Identity

ReadArchived

This document is at a very early stage. Many things in it are wrongand/or incomplete. Please take it as a rough shape for how we might document thetarget threat model, rather than as definite statements about what should be inthe target threat model.

ReadArchived

Privacy is an essential part of the Web ([ETHICAL-WEB]). This document provides definitionsfor privacy and related concepts that are applicable worldwide. It also provides a set of privacyprinciples that should guide the development of the Web as a trustworthy platform. People usingthe Web would benefit from a stronger relationship between technology and policy, and thisdocument is written to work with both.

ReadArchived

This document describes the web tracking practices that WebKit believes, as a matter of policy, should be prevented by default by web browsers.

ReadArchived

This document describes the online tracking practices that Mozilla believes, as a matter of policy, should be blocked by default by web browsers. These practices are potentially harmful to users and cannot be meaningfully understood or controlled by users.

ReadArchived

Setting the standard for a robust, policy-ready understanding of privacy.

ReadArchived

A tool to help organizations improve individuals’ privacy through enterprise risk management

ReadArchived

Privacy by design is an approach to systems engineering initially developed by Ann Cavoukian and formalized in a joint report on privacy-enhancing technologies by a joint team of the Information and Privacy Commissioner of Ontario (Canada), the Dutch Data Protection Authority, and the Netherlands Organisation for Applied Scientific Research in 1995.[1][2] The privacy by design framework was published in 2009[3] and adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities in 2010.[4] Privacy by design calls for privacy to be taken into account throughout the whole engineering process. The concept is an example of value sensitive design, i.e., taking human values into account in a well-defined manner throughout the process.[5][6]

ReadArchived

Principles and Documents

The Design Principles are directly informed by the ethical frameworkset out in the Ethical Web Principles [ETHICAL-WEB].These principles provide concrete practical advicein response to the higher level ethical responsibilitiesthat come with developing the web platform.

ReadArchived

When designing new features for the Web platform,we must always consider the security and privacy implications of our work.New Web features should alwaysmaintain or enhancethe overall security and privacy of the Web.

ReadArchived

This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.

ReadArchived

The Web suffers from large scale, frequent, and often invisible privacy violations. These pervasive privacy problems threaten the Web’s ability to serve as a preeminent application platform and information distribution system.

ReadArchived

When we are adding new web technologies and platforms,we will build them to cross regional and national boundaries.People in one location should be able to view web pagesfrom anywhere that is connected to the web.

ReadArchived

7 Foundational Principles

This document explains why the IAB believes that, when there is aconflict between the interests of end users of the Internet and otherparties, IETF decisions should favor end users. It also explores howthe IETF can more effectively achieve this.

ReadArchived

Pervasive Monitoring Is an Attack (RFC )

ReadArchived

Tracking user activity on the Web using methods other than those defined for the purpose by the Web platform (“unsanctioned tracking”) is harmful to the Web, for a variety of reasons. This Finding details the TAG's stance on different forms of tracking, and how they should be addressed.

ReadArchived

Web Advertising BG - https://www.w3.org/community/web-adv/ - web-advertising/support_for_advertising_use_cases.md at main · w3c/web-advertising

ReadArchived

AI & Advertising, a consumer perspective

ReadArchived

Weaponizing the Digital Influence Machine: The Political Perils of Online Ad Tech identifies the technologies, conditions, and tactics that enable today’s digital advertising infrastructure to be weaponized by political and anti-democratic actors.

ReadArchived

In scope, ambition, and animating philosophy, American privacy law and Europe’s General Data Protection Regulation are almost diametric opposites. The GDPR’s am

SSRN, Confiding in Con Men: U.S. Privacy Law, the GDPR, and Information Fiduciaries, Lindsey BarrettReadArchived

User agents are pieces of software that represent the user, a natural person, in their digital interactions. Examples include Web browsers, operating systems, s

SSRN, The Fiduciary Duties of User Agents, Robin BerjonReadArchived

Trust is beautiful. The willingness to accept vulnerability to the actions of others is the essential ingredient for friendship, commerce, transportation, and v

SSRN, Taking Trust Seriously in Privacy Law, Neil M. Richards, Woodrow HartzogReadArchived

This topic page contains a curation of the IAPP's coverage, analysis and relevant resources covering De-identification.

ReadArchived

This post first summarizes what browser fingerprinting is, and common defenses. Second, the post presents problems with “dynamic privacy approaches”, and why Brave is skeptical they are effective for protecting against fingerprinting. Third, the post presents Brave’s fingerprinting protections, current, upcoming and longer-term.

ReadArchived

F. Wang, R. Ko, and J. Mickens, “Riverbed: Enforcing User-defined Privacy Constraints in Distributed Web Services,” in NSDI, Boston, MA, 2019.

ReadArchived

Amplification by Shuffling:
From Local to Central Differential Privacy via Anonymity

Context-Aware Local Differential Privacy

At The Times, we aim to create the best possible reader experience across every medium. This involves knowing certain things about our readership. For example, knowing which articles you read helps us understand your interests. That information lets us select the types of articles we show you in certain parts of the app or site. (This article selection process is still guided by our journalistic judgment, and doesn’t impact large portions of the app or site.)

ReadArchived

Merkle used Amazon Redshift and other AWS services to build a solution that enables companies to create targeted marketing campaigns while maintaining compliance with data privacy regulations.

ReadArchived

Since the COVID-19 pandemic we’ve seen a seismic shift around the world to online shopping and direct-to-consumer sales. Arguably, the consumer packaged goods (CPG) industry felt this shift more than any other industry. According to Statista, “Retail websites generated almost 22 billion visits in June 2020, up from 16.07 billion global visits in January 2020.” […]

AWS Glue, AWS Lake Formation, CPG, Industries, analytics, data lakes, Data Mesh, Machine Learning (ML)ReadArchived

"same-site" and "same-origin" are frequently cited but often misunderstood terms. This article helps you understand what they are and how they are different.

ReadArchived

As a guide for beginners, we have compiled all of the need-to-know terms, metrics, and stakeholder acronyms in an adtech glossary.,Applift’s Compendium of Adtech Abbreviation

ReadArchived

When I first started working on the Data Governance team at The New York Times in 2017, I would often be met by blank stares when I tried to explain my job. Over time, I perfected my elevator pitch…

ReadArchived

Exposure Notification Privacy Preserving Analytics

Opinion 03/2013 on purpose limitation

Privacy is an essential part of the Web ([ETHICAL-WEB]). This document provides definitionsfor privacy and related concepts that are applicable worldwide. It also provides a set of privacyprinciples that should guide the development of the Web as a trustworthy platform. People usingthe Web would benefit from a stronger relationship between technology and policy, and thisdocument is written to work with both.

ArchivedRead

User Perception

"I need a better description": An Investigation Into User Expectations For Differential Privacy

For folks trying to get a grip on their digital privacy—whether you’re an activist or not.

Digital privacy, Software, Google, Facebook, Computing, Privacy law, Terms of service, Internet privacy, Articles, Ghostery, Tim Cook, Privacy, Identity management, Personal, Inc., app annie, Technology, Internet, GizmodoArchivedRead

Data Protection

A research paper from the ICO

ArchivedRead

Trust

https://www.cloudflare.com/learning/dns/dns-records/dns-spf-record/

Journalism

Relevant articles and reports on issues and successes

Trackers piggybacking on website tools leave some site operators in the dark about who is watching or what marketers do with the data

BlacklightReadArchived

Blacklight catalogs the many ways any website tracks visitors: from cookies to capturing every user keystroke and mouse movement

BlacklightReadArchived

Unique IDs linked to phones are supposed to be anonymous. But there’s an entire industry that links them to real people and their address.

ReadArchived

Searching Google’s ad buying portal for “Black girls” returned hundreds of terms leading to “adult content”

Google the GiantReadArchived

While vowing to police COVID-19 misinformation on its platform, Facebook let advertisers target users interested in “pseudoscience”

CoronavirusReadArchived

When Microsoft officially emerged as the frontrunner for a potential acquisition of the teen-fave-turned-national-security-concern TikTok earlier this week, tech critics ‘round the globe found themselves with an endless set of questions that seemingly nobody could answer. Why would a company as corporate as Microsoft…

flowcharts, tiktok, GizmodoReadArchived

Anyone who’s covered the wacky world of tech policy for any time at all probably has some ideas about how today’s major antitrust hearing will go down. Some think Jeff Bezos’s overall net worth will become part of the debate. Tim Cook will be grilled over Apple’s firm chokehold over the mobile app ecosystem. And no…

saying the quiet part out loud, facebook, antitrust, national security, GizmodoReadArchived

Seemingly simple mobile games made us all way too comfortable with giving away our personal information.

Front Page, Explainers, Technology, Social Media, The Goods, The HighlightArchivedRead

Yesterday, Verizon became the latest company to join a corporate chorus boycotting Facebook advertisements in July as part of a rallying cry to get Facebook’s corporate board to take action on the rampant racism and hate speech that many of us have come to associate with the platform. The “Stop Hate for Profit”…

Public Relations, Facebook, extremism, Advertising, black lives matter, stop hate for profit, GizmodoReadArchived

With the abysmal state of healthcare in this country, it shouldn’t be surprising that tech companies—specifically those in the app space—have swooped in left and right to solve the ills that the federal government can’t or won’t. Want to monitor your blood pressure? There’s an app for that. Mental health got you down? …

Pharma Farming, data, healthcare, GizmodoReadArchived

The thousands of “Trumpcare” ads Facebook and Google have published show that the shadowy “lead generation” economy has a happy home on the platforms — and even big names like UnitedHealthcare take part.

ReadArchived

Millions of dollars worth of retirement-themed ads from pages like “Retired Republicans” and “Fox News Insiders” ran on Facebook throughout the past two years.

ReadArchived

The Trump administration has been using a database that maps the movements of millions of cellphones to monitor the Mexican border and make immigration arrests, according to people familiar with the matter.

kwexclusive, Computers/Consumer Electronics, Software, Applications Software, Telecommunications Equipment, Mobile Communications Devices, Personal Electronics, Cell/Mobile/Smart Phones, Computing, Consumer Electronics, Handheld Electronic Devices, Security/Privacy Software, Technology, Political/General News, National/Public Security, Privacy Issues/Information Security, Human Migration, Politics/International Relations, Domestic Politics, State Security Measures/Policies, Government Bodies, Department of Homeland/National Security, Executive Branch, SYND, WSJ-PRO-WSJ.com, Politics & Policy, U.S. Immigration and Customs Enforcement, U.S. Customs and Border Protection, Department of Homeland Security, Trump administration, political, general news, national, public security, privacy issues, information security, human migration, politics, international relations, domestic politics, state security measures, policies, government bodies, department of homeland, national security, executive branch, politics & policy, computers, consumer electronics, software, applications software, telecommunications equipment, mobile communications devices, personal electronics, cell, mobile, smart phones, computing, handheld electronic devices, security, privacy software, technologyReadArchived

Session monitoring scripts prompt dozens of privacy lawsuits against Big Biz, mainly in California and Florida

ReadArchived

While cookie banners are annoying and often dishonest, we need to consider the broader implications of an online ecosystem that is increasingly manipulative by design.

ReadArchived

For the past few months, a lot of folks—this reporter included—have watched their favorite local bookstores, pizza joints, and coffeeshops get systematically gutted by the economic tumult that came with the current pandemic. Back in April, academics predicted that this economic carnage would result in over 100,000 of…

e-crimes, Ad Fraud, cybersecurity, small business, covid-19, GizmodoArchivedRead

For the thousands of people protesting and reporting on George Floyd’s death at the hands of the Minneapolis Police Department—or even for bystanders caught up in the demonstrations—arrests, injuries, and even death are becoming commonplace in this moment. And just like protests we’ve experienced within the past decade

privacy, adtech, Protests, GizmodoArchivedRead

We know targeted political adverts contribute to polarisation, but commerical ones leave us fragmented too.

ReadArchived

The technology that shaped digital advertising and media is going away. What will replace it?

ArchivedRead

Check My Ads' Claire Atkin spoke with Adweek about how activist investors could change ideas of brand safety.

Programmatic, Ad TechReadArchived

If passed, the bill would give citizens in the state far greater control over their online personal information.

ReadArchived

The case suggests this loosely regulated industry can’t deliver on its promises of privacy

PrivacyArchivedRead

Conversations about weblining and digital redlining, which relate to how personalization can lead to discrimination and bias.

ArchivedRead

The EU's landmark privacy law, GDPR, was supposed to change the world of tech privacy forever. What the hell happened?

Privacy law, Privacy, General Data Protection Regulation, Devin, HTTP cookie, Google, Politics, Social issues, Interactive Advertising Bureau, Internet privacy, Articles, INTERACTIVE ADVERTISING BUREAU, Information privacy, Personal data, Data protection, GizmodoArchivedRead

Advertisers—and shady ad middlemen—are paying to violate your privacy hundreds of times every day you're online.

World Wide Web, Online advertising, Google, Facebook, Marketing, Internet privacy, Technology, Internet, Real-time bidding, Digital marketing, Adtech, GizmodoArchivedRead