ipa VS Web-Environment-Integrity

It's all other parties, actually. I'm assuming Mozilla and friends are trusted and that the cryptography is perfect.

I've filed an issue at https://github.com/patcg-individual-drafts/ipa/issues/90 but I'm still not sure if that's the right repo.

> you don't need to worry that toggle will get mysteriously turn back on.

I will be caustious with such statement.

https://github.com/patcg-individual-drafts/ipa/

IPA now allows these companies to track users across multiple IP addresses, and regardless of the user's cookie settings, via a unique tracking identifier. It is also proposed that the operating system provides the unique tracking identifier which can then be used by all applications or browsers on a device, allowing different devices behind a single IP address to be distinguished.

Mozilla is one of the authors.

Mozilla are proposing IPA[1] which is designed to track user interaction with ads and product marketing, and track any conversion that occurs (e.g. users end up purchasing something).

If you are shown a product ad whilst browsing searchengine.example and then later look up the product at reviews.example, then end up making a purchase at shop.example, your browser sends all of these events to an aggregation service that allows shop.example to understand (at least in aggregate, assuming you trust the cartel running the aggregation service) that you were exposed to their product at searchengine.example and further exposed to their product at reviews.example.

[1] https://github.com/patcg-individual-drafts/ipa/

The problem is that any solution so far proposed to this is very privacy-unfriendly.

For example, Google proposed https://github.com/explainers-by-googlers/Web-Environment-In... and this was shot down by privacy advocates (for very good reasons).

So basically the choice for website operators is either to fight the bots and accept that their service will be unusable for some subset of their users or not fight the bots, which will lead to their service becoming unusable for everyone.

More and more, you see services pushing you very hard towards using their app and the reason is that with the app, they are able to actually verify that you are likely not a bot (or rather, in reality, that at least the app is running on an actual physical device, mobile phone bot farms are unfortunately also a thing).

As for Cloudflare - they offer it as a service, so when the website operator has a choice between using them or allocating several engineers for bot-fighting, why would they not just go with Cloudflare? Doing it yourself can be slightly higher fidelity, as you know your customers better, but it is also a lot of effort which could be better spent elsewhere.

[2]: https://github.com/explainers-by-googlers/Web-Environment-In...