PING Privacy Review: Determining "Sensitive Cohorts"

[kdeqc]

We had a lot of questions about how "sensitive cohorts" will be identified, and how this will be monitored. One concern is how this will be handled geographically, since what is considered sensitive can change from region to region. We also wondered if there were any considerations for user controls here too.

[jkarlin]

We're preparing a document that we'll place on this repo that describes how Chrome ensures that cohorts do not reveal sensitive information. Hopefully that will be published soon.

[skaurus]

I imagine that users could opt-in on each site to allow their visits to that site to participate in cohort discovery.
A browser could ask a user about that, say after the user visited that site a few times in some period of time.

Also in that case browser could show an icon near an URL, like a https icon or camera/mic permissions icon, so the user can revoke his permission.

[kuro68k]

It's not just that single categories are sensitive, it's also that combinations can be sensitive even if each single interest by itself is not. It will be interesting to see how such sensitive inferences are detected and handled by Chrome.

[dmarti]

Membership in a sensitive cohort of users is not necessarily correlated with visits to sensitive sites.

• Elementary school sites can be completely non-sensitive, but visits to school sites in a school district where segregation is a problem could reveal likely membership in a sensitive cohort.

• Sites that have content written in language A and local sites for residents of country B could both be non-sensitive, but the cohort made up of people who use language A in country B could be sensitive.

Related issue: This proposal should define what is meant by a "sensitive category"