(Edit: sending this again because it didn't seem to make it to the archives)

> The objection is not to DP's privacy guarantees, but to the fact that FF
> will phone home with every website we visit. A neat list of all the websites
> I visit will be sent to a central location, in chronological order.

I think this is misleading. What we would be sending is a neat list of jumbled
garbage that is almost indistinguishable from random noise. No conclusions can
be made about what websites you visit from this. With many records, we could
tell that a given site was probably visited X number of times by various
people, but at no point in time will anyone be able to say that you visited a
particular website. Apologies if you already understood this, but I wanted to
make it clear to anyone else reading your comment that it's not as if we're
sending "sketchywebsite.com" back to a central location.

> RAPPOR is kind of like the protection of farting in a crowded elevator.
> Somebody in that group did it, but we don't know who for sure. Yes, that's
> better privacy for sure, but is it total privacy? Not to me. Because you
> still know that somebody in that elevator did it very likely. Not a perfect
> analogy, but hopefully demonstrates the cracks.

Sticking to the farting analogy, it would be more like a methane detector in a
large building. If one person farts, really we couldn't tell since we couldn't
distinguish between one fart and regular fluctuations in the methane content
of the air. However, if lots of people are farting, we should be able to
estimate roughly how many farts are happening in a given time period. I think
it's important to make this distinction, because it means that we can only
observe _common_ behaviors of the crowd, while deviant behaviors of an
individual can _never_ be observed.

> Offering to send anonymous info on one of these events, through a popup or
> dropdown hanger (similar to the password manager, security certificates,
> etc), would fulfill the same objective. A user is inclined to help when
> his/her favorite website suddenly starts slowing down, or throwing errors.
> At this point it's also easy to check a box to "always do this from now on".

We don't want to annoy users _more_ by asking them to tell us about their
performance issue. Crashes are severe enough and can require detailed enough
information to diagnose that it's worth it in this case, but we would like to
be able to observe information about more minor events without pestering
people. This doesn't justify sacrificing their privacy, but the claim is that
RAPPOR allows us to do this without degrading anyone's privacy, since no
conclusions can be made about individual users or highly uncommon behavior.

> Exactly. Because the data is more sensitive the idea of opt-out comes into
> question before the question of the technology. If a person thinks that opt-
> out data collection is wrong it does not matter how effective the privacy
> technology is.
>
> This definitely has the potential to hurt the Firefox brand as a product
> that respects choice and does not try to trick you.
>
> Anyway since you wish a greater discussion on the actual technology i will
> stop here. Thank you for the replies.

We're focusing on the technology because the claim is that the technology
means that this data is not _actually_ more sensitive than the data we're
already collecting in an opt-out manner. We're not trying to hush users who
can't talk about the technical aspects of RAPPOR, but rather trying to keep it
on the topic of whether RAPPOR satisfies your definition of privacy or not. My
understanding of privacy is that if no one at all (malicious or not) is
capable of making conclusions about me in particular, then my privacy is being
protected. Differential privacy satisfies that definition, but privacy can
mean different things to different people.
_______________________________________________
governance mailing list
governance@lists.mozilla.org
https://lists.mozilla.org/listinfo/governance
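The crowd-versus-individual point made in the reply above, as an added example that is not from the thread or from RAPPOR's own code: a simplified single-bit randomized response (RAPPOR applies this per Bloom-filter bit with a permanent and an instantaneous layer), where the constructed population, the P_KEEP/P_ONE parameter names and the seed are this example's own assumptions. The aggregate estimate lands near the true count, while one report shifts the odds for one user only by a fixed, small factor.

```python
import random

# Simplified single-bit randomized response in the spirit of RAPPOR.
# Parameter names P_KEEP / P_ONE are this example's own, not RAPPOR's.
P_KEEP = 0.5  # probability the client reports its true bit
P_ONE = 0.5   # otherwise, probability the client reports a 1 regardless of truth


def randomize_bit(true_bit, rng, p_keep=P_KEEP, p_one=P_ONE):
    """What one client sends: the true bit with prob p_keep, else a coin flip."""
    if rng.random() < p_keep:
        return true_bit
    return 1 if rng.random() < p_one else 0


def estimate_count(reports, p_keep=P_KEEP, p_one=P_ONE):
    """Invert the noise on the aggregate: E[ones] = n*(p_keep*t + (1-p_keep)*p_one)."""
    n = len(reports)
    noise_ones = n * (1 - p_keep) * p_one  # ones contributed purely by the coin flips
    return (sum(reports) - noise_ones) / p_keep


def likelihood_ratio(report, p_keep=P_KEEP, p_one=P_ONE):
    """How much a single report shifts the odds of 'visited' vs 'not visited'."""
    if report:
        p_if_visited = p_keep + (1 - p_keep) * p_one
        p_if_not = (1 - p_keep) * p_one
    else:
        p_if_visited = (1 - p_keep) * (1 - p_one)
        p_if_not = p_keep + (1 - p_keep) * (1 - p_one)
    return p_if_visited / p_if_not


def simulate(n_users=20000, visit_rate=0.05, seed=1):
    """Constructed population: visit_rate of n_users truly visited the site."""
    rng = random.Random(seed)
    visitors = round(n_users * visit_rate)
    truth = [1 if i < visitors else 0 for i in range(n_users)]
    reports = [randomize_bit(b, rng) for b in truth]
    return sum(truth), estimate_count(reports), reports[0]


if __name__ == "__main__":
    true_count, est, first_report = simulate()
    print(f"true visits {true_count}, estimated {est:.0f} from the crowd")
    print(f"one visitor's report is {first_report}; it shifts their odds only "
          f"by x{likelihood_ratio(first_report):.2f}")
```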