> The objection is not to DP's privacy guarantees, but to the fact that FF
> will phone home with every website we visit. A neat list of all the websites
> I visit will be sent to a central location, in chronological order.

I think this is misleading. What we would be sending is a neat list of jumbled garbage that is almost indistinguishable from random noise. No conclusions can be made about what websites you visit from this. With many records, we could tell that a given site was probably visited X number of times by various people, but at no point in time will anyone be able to say that you visited a particular website. Apologies if you already understood this, but I wanted to make it clear to anyone else reading your comment that it's not as if we're sending "sketchywebsite.com" back to a central location.

> RAPPOR is kind of like the protection of farting in a crowded elevator.
> Somebody in that group did it, but we don't know who for sure. Yes, that's
> better privacy for sure, but is it total privacy? Not to me. Because you
> still know that somebody in that elevator did it very likely. Not a perfect
> analogy, but hopefully demonstrates the cracks.

Sticking to the farting analogy, it would be more like a methane detector in a large building. If one person farts, really we couldn't tell, since we couldn't distinguish between one fart and regular fluctuations in the methane content of the air. However, if lots of people are farting, we should be able to estimate roughly how many farts are happening in a given time period. I think it's important to make this distinction, because it means that we can only observe _common_ behaviors of the crowd, while deviant behaviors of an individual can _never_ be observed.

> Offering to send anonymous info on one of these events, through a popup or
> dropdown hanger (similar to the password manager, security certificates,
> etc), would fulfill the same objective. A user is inclined to help when
> his/her favorite website suddenly starts slowing down, or throwing errors.
> At this point it's also easy to check a box to "always do this from now on".

We don't want to annoy users _more_ by asking them to tell us about their performance issue. Crashes are severe enough, and can require detailed enough information to diagnose, that it's worth it in this case, but we would like to be able to observe information about more minor events without pestering people. This doesn't justify sacrificing their privacy, but the claim is that RAPPOR allows us to do this without degrading anyone's privacy, since no conclusions can be made about individual users or highly uncommon behavior.

> Exactly. Because the data is more sensitive the idea of opt-out comes into
> question before the question of the technology. If a person thinks that
> opt-out data collection is wrong it does not matter how effective the privacy
> technology is.
>
> This definitely has the potential to hurt the Firefox brand as a product that
> respects choice and does not try to trick you.
>
> Anyway since you wish a greater discussion on the actual technology I will
> stop here. Thank you for the replies.

We're focusing on the technology because the claim is that the technology means that this data is not _actually_ more sensitive than the data we're already collecting in an opt-out manner. We're not trying to hush users who can't talk about the technical aspects of RAPPOR, but rather trying to keep it on the topic of whether RAPPOR satisfies your definition of privacy or not. My understanding of privacy is that if no one at all (malicious or not) is capable of making conclusions about me in particular, then my privacy is being protected. Differential privacy satisfies that definition, but privacy can mean different things to different people.

_______________________________________________
governance mailing list
governance@lists.mozilla.org
https://lists.mozilla.org/listinfo/governance
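The aggregate-only property argued for in the message above (each client's report looks like noise, the crowd's per-site counts can still be estimated, and a lone visitor sits below the noise floor), shown as an added worked example that is not part of the original message and is not Mozilla's RAPPOR code. It uses plain one-bit randomized response with an assumed flip probability `p` and a constructed population of visit counts; real RAPPOR additionally hashes values into a Bloom filter and applies a permanent plus an instantaneous randomization, both of which this toy omits.

```python
import math
import random

# Added example (not from the thread or from Firefox/Mozilla): a toy
# one-bit randomized-response scheme in the spirit of RAPPOR. Every bit a
# client reports is flipped independently with probability p, so a single
# report is near-noise while the collector can still estimate how many
# clients held each value once it has many reports.


def randomize_report(site_index, k, p, rng):
    """One client's report: a one-hot vector of length k (1 at the site the
    client visited), with each bit independently flipped with probability p."""
    report = []
    for i in range(k):
        bit = 1 if i == site_index else 0
        if rng.random() < p:
            bit ^= 1
        report.append(bit)
    return report


def estimate_counts(reports, p):
    """Unbiased estimate of how many clients held each site.

    For site i with n_i true holders among N clients, the expected number of
    reported 1s is n_i*(1-p) + (N-n_i)*p, so n_i = (observed - N*p)/(1-2p).
    """
    n = len(reports)
    k = len(reports[0])
    observed = [sum(r[i] for r in reports) for i in range(k)]
    return [(o - n * p) / (1 - 2 * p) for o in observed]


def estimate_stddev(n, p):
    """Standard error of one site's estimate: the noise floor that a single
    extra visitor (who shifts the true count by exactly 1) has to clear."""
    return math.sqrt(n * p * (1 - p)) / (1 - 2 * p)


def per_bit_likelihood_ratio(p):
    """How much one reported 1 bit shifts the odds that this client really
    visited that site: (1-p)/p. Bounded, never certainty; ln of this ratio
    is the per-bit epsilon in differential-privacy terms."""
    return (1 - p) / p


def simulate(true_counts, p, seed=0):
    """Constructed population: true_counts[i] clients visited site i.
    Returns (estimates, reports) so both the crowd view and an individual
    report can be inspected. The seed is arbitrary (assumption)."""
    rng = random.Random(seed)
    k = len(true_counts)
    reports = []
    for site, count in enumerate(true_counts):
        for _ in range(count):
            reports.append(randomize_report(site, k, p, rng))
    rng.shuffle(reports)  # the collector sees no ordering by site
    return estimate_counts(reports, p), reports


if __name__ == "__main__":
    P = 0.25                            # assumed flip probability
    TRUE = [5000, 3000, 1500, 499, 1]   # constructed; site 4 has one visitor
    est, reports = simulate(TRUE, P, seed=42)
    print("one client's report:", reports[0])
    print("noise floor (stddev):", round(estimate_stddev(sum(TRUE), P), 1))
    for site, (t, e) in enumerate(zip(TRUE, est)):
        print(f"site {site}: true {t:5d}  estimated {e:8.1f}")
```

Reading the output: with 10,000 clients and `p = 0.25` the standard error of each estimate is about 87, so the popular sites are recovered to within a few percent while the site with a single visitor is indistinguishable from a site with none. `per_bit_likelihood_ratio` is the honest caveat: one report does shift the odds for each set bit by a factor of `(1-p)/p`, which is the bounded leakage differential privacy promises, rather than zero leakage.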