Missing transparency to user #17
Description
Hi @michaelkleber ,
Following some of our previous discussions, I went back to your "privacy model" explainer, which I believe to be the most representative definition of "privacy" used to establish the Privacy Sandbox proposals.
It became clear to me through some of issues that were opened in the past few months that there was some disagreements around that privacy definition and that here may be the best place to address them.
For example, it seems to me that your current definition of privacy doesn't include anything with regards to transparency and control to the user, which eventually is causing some disagreement with regards to some propositions (FLoC, FLEDGE, etc.).
Could we add as part of that privacy definition that users should remain aware of the information web actors may have on them, as well as control access to it? For example, in its current version, FLoC makes the user's profile obfuscated to the user himself, while web actors will be able to derive interests from a given cohort ID. As well, under FLoC's current version, the user doesn't have control over the profile the browser builds for him (the cohort he is assigned to).
Making those two principle (transparency and control) part of the core definition of your privacy model for the web would help prevent such use cases not to be supported.
Arguably, I think those two components are more valuable to the user than the ones currently defined (preventing first party identity from being shared).