
Fenced content to render in a reproducible and deterministic way

Open piwanczak opened this issue 5 years ago • 4 comments

It’s great to read through the detailed privacy considerations, thank you!

In some applications of Fenced Frames, like Turtledove, it is important to ensure that the content renders in a deterministic and reproducible way.

The proposal could benefit if we could disallow Fenced Frames from accessing time-related JavaScript APIs like Date, for use cases related to interest-based advertising. Both the original Turtledove proposal as well as extensions like our own OBTD could protect the user better with deterministic and reproducible outcomes.

What do you think?

piwanczak avatar Sep 16 '20 14:09 piwanczak

Thanks for opening the issue! Could you elaborate a bit on the threat you are envisioning with either the OBTD (or the TD) proposal by the rendering fenced frame having access to date/time?

shivanigithub avatar Sep 16 '20 21:09 shivanigithub

Thanks for a quick response! Please consider the following scenario.

Assumptions:

  • aim: 1:1 targeting mitigation
  • User's 1st party identity is known on Advertiser's page
  • User's browsing habits [i.e. times of web browsing] are roughly known to 1st party
  • Ad rendering happens with access to Date, and specifically time

Scenario:

  a) Advertiser adds targeted User EarlyBird123 into an interest group.
  b) Advertiser adds N other users to the group, to pass the minimal membership threshold. Such users could be from a different time zone, in order to provide little overlap.
  c) Creative is prepared so it renders differently based on time, i.e.: `(new Date()).getHours() > 8 ? "Hello, EarlyBird123!" : "Please buy our products!"`

piwanczak avatar Sep 17 '20 07:09 piwanczak
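The following is an added example, not code from this issue or from the Fenced Frames/TURTLEDOVE proposals; all function and member names are hypothetical. It shows two checks a browser or ad platform could run on a creative: whether its render is deterministic under injected clocks, and whether every rendered variant keeps a k-anonymous audience inside the interest group.

```javascript
// Added example, not from the issue or the Fenced Frames / TURTLEDOVE proposals.
// Hypothetical names. A creative's render function gets a context whose now()
// stands in for the ambient Date, so the checks below can inject clocks.
// The time-dependent creative from the scenario above (constructed).
function timeDependentCreative(ctx) {
  return ctx.now().getHours() > 8 ? "Hello, EarlyBird123!" : "Please buy our products!";
}

// A creative that ignores the clock renders the same for every viewer.
function deterministicCreative(ctx) {
  return "Please buy our products!";
}

// One local-time Date per hour of a day (constructed sample clocks); the
// local-time constructor makes getHours() return h on any host time zone.
function sampleClocks() {
  return Array.from({ length: 24 }, (_, h) => new Date(2020, 8, 17, h, 0, 0));
}

// Distinct outputs across the sample clocks; a deterministic creative has one.
function renderVariants(render, clocks = sampleClocks()) {
  return new Set(clocks.map((d) => render({ now: () => d })));
}
function isRenderDeterministic(render) {
  return renderVariants(render).size === 1;
}

// k-anonymity of what is rendered: each group member renders at their own
// viewing hour; the smallest audience of any variant is returned, and a
// variant seen by fewer than k members singles those members out.
function minVariantAudience(render, members) {
  const audience = new Map();
  for (const m of members) {
    const out = render({ now: () => new Date(2020, 8, 17, m.viewHour, 0, 0) });
    audience.set(out, (audience.get(out) || 0) + 1);
  }
  return Math.min(...audience.values());
}

// Constructed interest group: the target plus five padding members whose
// viewing hours barely overlap with the target's, as in the scenario.
const INTEREST_GROUP = [
  { id: "EarlyBird123", viewHour: 10 }, { id: "pad-1", viewHour: 3 },
  { id: "pad-2", viewHour: 4 }, { id: "pad-3", viewHour: 5 },
  { id: "pad-4", viewHour: 6 }, { id: "pad-5", viewHour: 7 },
];
const K = 5; // minimal membership threshold (constructed)
function groupIsSafe(render, members = INTEREST_GROUP, k = K) {
  return isRenderDeterministic(render) && minVariantAudience(render, members) >= k;
}
```

With the time-dependent creative the "Hello, EarlyBird123!" variant has an audience of one, so the group fails the threshold even though it has six members; the deterministic creative passes.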

Thanks for the helpful description! So to summarize, the goal is to not have ads displayed based on the user's identity on the advertiser's site, and a combination of interest group and time can be used to detect the user's identity. Here date/time is being used for fingerprinting the user, and it seems that there will be other characteristics like device type etc. that might also be used in a similar way. So I am not sure if not giving access to date/time is going to mitigate this threat completely.
Also to point out, the primary threat model for TD from the advertiser's perspective is that the advertiser should not be able to know the user's identity on the publisher page and the user's browsing history, but the scenario that you mention is the advertiser detecting the user's identity on the advertiser's site (and not on the publisher site). I would be interested to understand the seriousness of this threat and whether there are other ways that the privacy aspect of the interest group can be maintained, e.g. making sure there are N users of overlapping time zones or the same device etc.

shivanigithub avatar Sep 21 '20 16:09 shivanigithub

Right, thank you! Other characteristics could be used in a similar manner as well.

The proposals as they are today definitely are not fixed yet, and it's not clear what features will be implemented by the browsers.

We wanted to point out that, should the OBTD be implemented, there is a mathematical guarantee for microtargeting prevention to be had if the time-related features are inaccessible.

piwanczak avatar Sep 25 '20 09:09 piwanczak