-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Is "wbraid" tracking? #11
Comments
For practical purposes, yes. From the point of view of the user agent, it would have to be treated as a tracking identifier.
In order to handle |
Along the lines of #10, I think we should be careful to distinguish things that are/aren't "actually" tracking from things the user agent is "expected to believe" are/aren't tracking. I think we don't yet know enough about all the plausible mitigations to be confident about how The current definition limits "tracking" to things that "identify that a user on one site is the same person as a user on another site." I believe that definition says However, @johnwilander said it is "Important to not just talk about linking identity across two sites. If one site learns something new about its user that happened on another website, that should be included in the definition." I think If this distinction turns out to be too-persistently contentious, we could also define two different terms, like "identity tracking" vs "information tracking". |
The The idea of "identified navigational tracking" is also useful in the event that the two sites are tracking in some situations but not in others. For example, a destination site might discard or post-process the identifier if it detects that the user is in a jurisdiction with some kinds of regulations, and persist the identifier if the user is in another jurisdiction. |
@jyasskin - would you be willing to share some implementation details about "wbraid" to justify this claim that it is "ATT compliant"? From an outsider's perspective, "wbraid" is a high-entropy identifier, that appears to be different for every user. As far as I know, there exists no public documentation of exactly how this is computed and used, and even if such documentation were to exist, can a 3rd party validate that the current implementation matches that documentation? As such, the user-agent has nothing to go on to assure itself that this cannot be used to track unique users aside from a promise by Google: "trust us, it isn't used that way.". In practice, how would we productionize a user-agent based mitigation system based upon public commitments like this? That doesn't seem scalable. Would there be some kind of at-scale review and audit system to vet every param from every ad-tech vendor that they claim uses "aggregation techniques" and is "ATT compliant"? This seems unrealistic to me. Perhaps I'm mistaken. Maybe "wbraid" is documented somewhere, and an independent 3rd party can vet aspects of it without using advanced cryptographic techniques. I'd love to learn more. |
As someone who works on Chrome, I don't know the direct answer to Ben's question, but what I know is explained in this help center article. It’s a very interesting question about how browsers should engage with high-entropy values inside URLs. It's difficult to distinguish an encrypted and nonced identifier from, say, a CSRF token, or a value that has noise added to make it differentially private. I haven't seen a scalable proposal for dealing with values like this, but I hope this CG can come up with one. |
@jwrosewell I think that's more a question for the CG as a whole than me personally. |
Taken from this link.
"Q: How does this new parameter work?
A: Similar to GCLID, this new parameter is dropped in a 1st party cookie set by A Google Tag (including gTag.js, gtm.js, and analytics.js linked to an ads account) when a user lands on a page after clicking on an ad. This parameter helps attribute conversions back to ad campaigns but does not uniquely identify the user."
The text was updated successfully, but these errors were encountered: