If you are shown a product ad whilst browsing searchengine.example and then later look up the product at reviews.example, then end up making a purchase at shop.example, your Mozilla browser will send all of these events to one or more aggregation services that allows shop.example to understand (at least in aggregate, assuming you trust the cartels running the aggregation services) that you were exposed to their product at searchengine.example and further exposed to their product at reviews.example.
Where previously an ad tech company was ultimately able to track users based on source IP address (even if cookies had been disabled by a user), IPA now allows these companies to track users across multiple IP addresses, and regardless of the user's cookie settings, via a unique tracking identifier. It is also proposed that the operating system provides the unique tracking identifier which can then be used by all applications or browsers on a device, allowing different devices behind a single IP address to be distinguished.
Most of these private attribution systems are specifically designed so that the people running the ad can count how many people clicked their ads, but not who clicked them or what other things they did. Safari had a proposal in which you could only have a certain number of campaigns running per domain, so you couldn't set up a separate """campaign""" for each user and fingerprint them all at once. I don't know how the Mozilla proposal differs.
Whether or not user-agents should care about this sort of thing is an orthogonal question.
[0] https://www.theregister.com/2023/06/29/google_trueview_skept...
[1] Remarketing in particular is responsible for the "feeling of being seen" from modern ads where you search for one thing and get 10,000 ads for the thing for the next week
No, attribution is what advertisers want, to do the least amount of work possible to blast you with ads that attack your deepest weaknesses, all under the pretense of "personalization".
> then the ad platform will defraud you[0]
Cool. How is that my problem as a user ? Grow a set of balls and sue the ad platform.
"blast you with ads that attack your deepest weaknesses, all under the pretense of "personalization"."
Instead it will tell advertisers how effective their blast was, and help argue that Google isn't defrauding them.
Okay. So this is about validating ad effectiveness and minimizing ad fraud, right?
Assuming that's your point (apologies if I'm missing something important), what does that have to do with me or my private property?
Advertisers have business relationships with advertising platforms. Advertisers might also have a business relationship with me, assuming I choose to purchase their product(s).
But the advertising platform has no business relationship with me (assuming I'm not buying ads on that platform). As such, why do I have to give data, CPU cycles and privacy so the advertising platform can provide metrics about ad effectiveness and fraud?
None of that has anything to do with me, and I don't wish to give up those things (especially my privacy) on the devices I own.
It's unethical for these rapacious scumbags to limit what I can do on my devices (which are my private property) If I refuse to provide third (the ad platform) and fourth (the advertisers) parties specific information about who I am and what I see or don't see (which is what a permanent identifier in secure storage would do) when I visit a site of my choosing.
I'll say it again to make sure I'm clear: I don't care about advertisers or ad platforms. They can go an play with each other all they want -- but don't limit what I can do on my devices because it will make you more money. Fuck. That. Noise.
Edit: Clarified prose.
Indeed
> what does that have to do with me or my private property? ... But the advertising platform has no business relationship with me
I am not convinced that you owe the advertising platform attribution. My original point was just that attribution is not about dragnet surveillance for personalizing ads. But I can try to argue why browsers should do attribution, just to interrogate the question.
Specifically, you have a business relation with whatever website you are going to that serves you ads. That website has a clear interest in helping their ad-platform attribute ads on their website. After all, that website depends on those ads for your income.
It is then within the perogative of that website to effectively say I only want to serve my website to users who will cooperate with attribution. This request is not a request for mass surveillance, because attribution is limited in what it reveals about a person. So this request could be construed as reasonable.
Given that websites have a reasonable standing to make these demands, it is reasonable for a user-agent to be able to accept these demands. Since otherwise the user for which the user-agent is acting cannot visit the website they requested the user-agent display. Of course a user-agent should let you opt out, but then websites are within their rights of refusing you access.
So far, so reasonable (or at least not completely unreasonable).
The sticking point is of-course that most website do want attribution, but don't want to block people with older browsers. So they want users to agree to give them the attribution data without giving the users anything in return. At which point a user-agent has no more business cooperating with attribution on behalf of the user.
In that case, there remains an argument of "if we don't do attribution the entire web is worse off, so we solve the tragedy of the commons by 'making the right decision' in the defaults for the user-agent". But that argument is clearly unreasonable to me.
Just a nit, "...that website depends on those ads for their income," not mine.
But yes, you're correct. And I do, in fact, aggressively block ads and the trackers/spyware/malware that goes with them.
And website owners are well within their rights to block me from viewing their site if (when, actually) I refuse to view their ads -- a point I've made in perhaps a half-dozen comments here on HN just in the past 12 months or so.
And I'm fine with that. For exactly the same reasons I gave for not wanting anything to do with ads/trackers/spyware running on my private property -- a site is the website owner's private property and they should be able to "charge a cover fee" (i.e., require that I view ads) to view the content of that site.
But WEI doesn't change that dynamic even a little. Rather, it forces me to give up control of my private property and privacy whether I want to do so or not.
I'd add that the "benefit" here isn't giving website owners the option to block me if I don't wish to view the ads run on their site -- they can already do that without WEI. In fact, some sites already do so. The only "benefit" AFAICT is that the ad platforms would now have enormously more information (in that they can now track me everywhere with a cryptographic signature regardless of any steps I might take to protect my privacy) to validate ad impressions and reporting metrics for the advertisers.
The result is that website owners have the same capability they've always had, but now I'm forced to subsidize some of the richest companies in the world with my electricity, CPU cycles, data, network bandwidth, browsing history, and likely my PII.
That's what I object to.
>In that case, there remains an argument of "if we don't do attribution the entire web is worse off, so we solve the tragedy of the commons by 'making the right decision' in the defaults for the user-agent". But that argument is clearly unreasonable to me.
Yes, it is unreasonable. I take great pains (I never log in/create accounts on any Google properties, block trackers and "analytics," self-host my email and content I wish to share in the Internet, etc., etc., etc.) to maintain at least a semblance of privacy, which is already a time/cost sink for me.
And these rapacious scumbags want me to jump through more hoops and run their code on my systems just so they can charge advertisers more for shit I don't want anyway? I'll say it again: Fuck. That. Noise.
tl;dr: Websites can already (and I support their ability to do so) block me (or anyone else) who runs an ad blocker from viewing their site. As such, the only folks that will have new capabiliities/benefits from WEI are ad platforms and advertisers. With whom I have no relationship whatsoever and don't want their spyware to execute on my private property.