(Edit: sending this again because it didn't seem to make it to the archives)
> The objection is not to DP's privacy guarantees, but to the fact that FF
> will phone home with every website we visit. A neat list of all the
> I visit will be sent to a central location, in chronological order.
I think this is misleading. What we would be sending is a neat list of
garbage that is almost indistinguishable from random noise. No
be made about what websites you visit from this. With many records, we could
tell that a given site was probably visited X number of times by various
people, but at no point in time will anyone be able to say that you
particular website. Apologies if you already understood this, but I
make it clear to anyone else reading your comment that it's not as if we're
" back to a central location.
> RAPPOR is kind of like the protection of farting in a crowded elevator.
> Somebody in that group did it, but we don't know who for sure. Yes,
> better privacy for sure, but is it total privacy? Not to me. Because you
> still know that somebody in that elevator did it very likely. Not a
> analogy, but hopefully demonstrates the cracks.
Sticking to the farting analogy, it would be more like a methane detector in a
large building. If one person farts, really we couldn't tell since we
distinguish between one fart and regular fluctuations in the methane content
of the air. However, if lots of people are farting, we should be able to
estimate roughly how many farts are happening in a given time period. I
it's important to make this distinction, because it means that we can only
observe _common_ behaviors of the crowd, while deviant behaviors of an
individual can _never_ be observed.
> Offering to send anonymous info on one of these events, through a
> dropdown hanger (similar to the password manager, security certificates,
> etc), would fulfill the same objective. A user is inclined to help when
> his/her favorite website suddenly starts slowing down, or throwing
> At this point it's also easy to check a box to "always do this from
We don't want to annoy users _more_ by asking them to tell us about their
performance issue. Crashes are severe enough and can require detailed enough
information to diagnose that it's worth it in this case, but we would
be able to observe information about more minor events without pestering
people. This doesn't justify sacrificing their privacy, but the claim is
RAPPOR allows us to do this without degrading anyone's privacy, since no
conclusions can be made about individual users or highly uncommon behavior.
> Exactly. Because the data is more sensitive the idea of opt-out comes
> question before the question of the technology. If a person thinks
> out data collection is wrong it does not matter how effective the privacy
> technology is.
> This definitely has the potential to hurt the Firefox brand as a product
> that respects choice and does not try to trick you.
> Anyway since you wish a greater discussion on the actual technology i
> stop here. Thank you for the replies.
We're focusing on the technology because the claim is that the technology
means that this data is not _actually_ more sensitive than the data we're
already collecting in an opt-out manner. We're not trying to hush users who
can't talk about the technical aspects of RAPPOR, but rather trying to
on the topic of whether RAPPOR satisfies your definition of privacy or
understanding of privacy is that if no one at all (malicious or not) is
capable of making conclusions about me in particular, then my privacy is
protected. Differential privacy satisfies that definition, but privacy can
mean different things to different people.
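To make the "garbage that is almost indistinguishable from random noise" and "methane detector" arguments above concrete, here is an added example (not Mozilla's or Google's RAPPOR code) of the one-bit randomized response at the heart of RAPPOR: each client randomizes its own answer before reporting, a single report says almost nothing about that user, and the server still recovers an unbiased aggregate count. The population, the flip probability f and the prior are constructed values chosen for illustration.

```python
"""Simplified one-bit RAPPOR-style randomized response (added example, assumptions
labelled in comments). The question each client answers is "did you visit site S?".
"""
import random


def randomize_bit(true_bit: int, f: float, rng: random.Random) -> int:
    """Client side: with probability f the true bit is replaced by a fair coin flip,
    otherwise it is reported as-is (RAPPOR's permanent randomized response, one bit).
    Hence P(report=1 | true=1) = 1 - f/2 and P(report=1 | true=0) = f/2.
    """
    if rng.random() < f:
        return rng.randint(0, 1)
    return true_bit


def estimate_true_count(reported_ones: int, n: int, f: float) -> float:
    """Server side: unbiased estimate of how many of n clients really had the bit set.
    E[reported_ones] = T*(1 - f/2) + (n - T)*f/2 = T*(1 - f) + n*f/2, solved for T.
    """
    return (reported_ones - n * f / 2) / (1 - f)


def posterior_from_one_report(report: int, f: float, prior: float) -> float:
    """What one report reveals about one user: P(true=1 | report) by Bayes' rule.
    With f = 0.5 a report of 1 only moves a prior of 0.1 to 0.25 (constructed prior).
    """
    p_given_1 = 1 - f / 2 if report == 1 else f / 2
    p_given_0 = f / 2 if report == 1 else 1 - f / 2
    num = p_given_1 * prior
    return num / (num + p_given_0 * (1 - prior))


def simulate(n: int, true_visitors: int, f: float, seed: int = 7) -> float:
    """Constructed population: true_visitors of n clients visited S. Returns the
    server's estimate of that count from the randomized reports."""
    rng = random.Random(seed)
    truth = [1] * true_visitors + [0] * (n - true_visitors)
    rng.shuffle(truth)
    reports = [randomize_bit(b, f, rng) for b in truth]
    return estimate_true_count(sum(reports), n, f)


if __name__ == "__main__":
    print("estimate for 5000/50000 visitors:", round(simulate(50000, 5000, 0.5)))
    print("belief about one user after a '1' report:",
          posterior_from_one_report(1, 0.5, prior=0.1))
```

The aggregate estimate lands close to the true 5000 while any single report, taken alone, barely shifts what an observer can believe about that one user.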