FLEDGE publisher data leakage risk in leaveAdInterestGroup() #97
Hm quite right. We surely need to support the "Stop seeing this ad" flow, where a person can interact with an ad they're looking at to get out of the interest group. I suppose we can do that with a dedicated API that you can use inside the Fenced Frame.
The FLEDGE proposal explains how ATPs can leverage browser APIs to join users to, and remove users from, interest groups.
Protection is provided for the publisher to control who can add users of their site to an interest group. However, removing users from an interest group is indicated to be possible without permission of the site owner:
I believe this could be abused by an interest group owner to negatively tag users into an interest group and remove them when a positive signal is seen. For example, imagine I would like to collect users who read a popular news site `popularNews.com` but this news site chooses not to allow me to tag their users. I could tag all users I see for a couple days with interest groups `I-have-seen-this-user` and `not-popular-news-reader` across any webpage (except `popularNews.com`). I could then serve an ad targeted only to `popularNews.com` with a creative that includes the `navigator.leaveAdInterestGroup('not-popular-news-reader')`. I would then be able to infer that any user in `I-have-seen-this-user` and not in `not-popular-news-reader` interest groups is a reader of `popularNews.com`.
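The inference described in the issue, as a toy model added here (not part of the original post and not FLEDGE code): it compares the final interest-group state when leaving is unrestricted with a hypothetical policy in which leaving needs the same site permission as joining. The site list, browsing histories, `allowsOwner` flag and `leaveNeedsSitePermission` switch are constructed assumptions.

```javascript
// Toy model, not the FLEDGE implementation. Every name is hypothetical except
// the two interest-group names and popularNews.com, which come from the issue.
const SEEN = 'I-have-seen-this-user';
const NOT_READER = 'not-popular-news-reader';

// Constructed sites: allowsOwner models the publisher's control over joins.
const SITES = {
  'blog.example': { allowsOwner: true },
  'shop.example': { allowsOwner: true },
  'popularNews.com': { allowsOwner: false },
};

// Constructed browsing histories, one per browser.
const HISTORIES = {
  alice: ['blog.example', 'popularNews.com'],
  bob: ['shop.example', 'blog.example'],
  carol: ['popularNews.com'], // never seen elsewhere, so never tagged
  dave: ['shop.example', 'popularNews.com'],
};

// Returns the users whose final group state encodes "reads popularNews.com".
function usersMarkedAsReaders(leaveNeedsSitePermission) {
  const marked = [];
  for (const [user, visits] of Object.entries(HISTORIES)) {
    const groups = new Set();
    // Tagging phase: joins succeed only where the site permits this owner.
    for (const host of visits) {
      if (SITES[host].allowsOwner) {
        groups.add(SEEN);
        groups.add(NOT_READER);
      }
    }
    // Later phase: an ad rendered on popularNews.com asks to leave NOT_READER.
    for (const host of visits) {
      if (host !== 'popularNews.com') continue;
      const blocked = leaveNeedsSitePermission && !SITES[host].allowsOwner;
      if (!blocked) groups.delete(NOT_READER);
    }
    if (groups.has(SEEN) && !groups.has(NOT_READER)) marked.push(user);
  }
  return marked;
}

console.log('leave unrestricted:', usersMarkedAsReaders(false));
console.log('leave gated like join:', usersMarkedAsReaders(true));
```

With unrestricted leave, the group state separates the tagged readers from the tagged non-readers even though the publisher never allowed a join; with leave gated the same way as join, no browser ends up in the distinguishing state.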