webpackage VS floc

Good stuff. Still, drives me a bit nuts that we package/HTTP Signed Exchanges, Message Signatures, and web archiving all have very similar but different versions of the same thing.

Webpackage has a lot of stuff that seems super cool to me. Alas it seemed mainly to be a small handful of engineers & most seemed to have moved on from the effort. https://github.com/WICG/webpackage/issues/713

Given the frosty response in the comments they got I guess I'm not shocked, but in general it feels like web standards could use better long term care, that they often don't get, alas.

Some of the navigating into a bundle stuff is indeed not presently happening.

But there's a bunch of specs for signed exchanges & subresources that underpin & allow resource exchange, and which do have recent drafts. Webpackage seems to be doing OK ish. But yeah we bundles specifically do seem to be all expired.

https://github.com/WICG/webpackage#specifications

Cool idea, but what I'm really hoping is that webpackage gets properly developed and integrated with browsers eventually. Unfortunately it probably won't happen, a tiny chunk of Google showed interest but that's about it.

With certificate transparency, I dont think SXG's expiration s a real barrier to adoption. The hardnosed shitty browser attitude aroumd right now: it will collapse in the face of onvious utility, other people will implememt more aspirational & liberal systems. This stance is untennable im the face of the obvious huge value of being able to lool at old signed content, particularly when coupled with certificate transparency systems. This conservative standard will is just a minimal & onvious agreeable starting place, but adoption will give way to expansion, given the immense user value of signed content. I say this as a core core protester against these pathetic loserly expiration timeouts[1].

I get maybe not putting all your chips in SXG basket. I disagree with a bunch of the protest: this seems like a sensible, basic, obvious layered enhancement to the existimg web. Safari & Mozia are as is the modd today being terrible shits as usual, the regressives.

Contrasting ADX versus SXG just feels so wild, because SXG is a small refinememt to a vast world spanning & complete ecosystem of technology that has already taken over the planet. And ADX is an standalone completely isolated alternate world, it's own reality. This tension, whether we need a baseline which is 100% new & novel & redefines the entire problem space on it's own terms, completely from scratch, or whether we can hack & improve & enhance what we have: I dont feel like there's any camp at all left to defend improvememt.

Tear it all down, start over... it's the mode. I agree, this debate needs more than HM comments. But this tension & conflict, this view of the world & how it evolves or revolts: it's been trying to make revutions & insist no bounds, nothing today can possibly be good enough for tomorrow. And two plus decades latter, it's made such tiny impact, is so niche.

I accept your snub, getting told im exasperated, but it's for a real reason, it's because these decades have failed to deliver & so few have willingly tried improving what is (Safari & Mozia being a quite vocal modern anchor keeling things in place, a modern astrpturfing shouting class against trying anything, especially). This effort does have the social capital to perhaps emerge & birth something new, but we could also just improve & greatly fix everything that ready is. With minor, layered, small, principled enhancements.

[1] https://github.com/WICG/webpackage/issues/597

signed web bundles [1] let you package up a page as a fixed resource, distributed with a signature to verify that the content of that page is what the author intended it to be, so a site like twitter that is embedding it can be sure that what they're embedding is always the original resource.

however, this is AMP, and so everybody hates it.

[1] https://github.com/WICG/webpackage/blob/main/explainers/sign...

A phyrric victory for a Web that is basically ChromeOS.

Ever heard of Web Bundles?

https://web.dev/web-bundles/

https://github.com/WICG/webpackage

I think advertising is positive [1] and the role of ads in funding freely-available sites is very important. My current work is primarily on how browsers can allow more private and secure advertising [2][3][4] which I think most people will agree is valuable even if they are less in favor of advertising in general.

At a lower level, I do this job because I'm paid, which allows me to donate. [5] But I wouldn't do this work if I thought it was harmful; there are lots of different kinds of jobs I could take.

[1] https://www.jefftk.com/p/effect-of-advertising

[2] https://github.com/google/fledge-shim

[3] https://github.com/WICG/turtledove/issues/161

[4] https://github.com/WICG/webpackage/issues/624

[5] https://www.jefftk.com/donations

data urls encode things in base64 format so bloat up the file. Also the user agent can't just seek over them, requiring it to parse the entire included base64 content. There are better ways, but sadly nothing cross platform:

* https://github.com/WICG/webpackage

* https://en.wikipedia.org/wiki/Webarchive

Draft: https://github.com/WICG/floc

"The browser uses machine learning algorithms to develop a cohort based on the sites that an individual visits. The algorithms might be based on the URLs of the visited sites, on the content of those pages, or other factors. The central idea is that these input features to the algorithm, including the web history, are kept local on the browser and are not uploaded elsewhere — the browser only exposes the generated cohort." Source: https://github.com/WICG/floc

Google (or other third-party tracking) is also not effected by VPN. These groups use cookie syncing to assign you a unique ID and then collect this ID again as you browse the internet. That buyerID can then be cross-referenced (even with other buyerIDs) to generate all sorts of different demographic/psychographic information and used to fingerprint your online life for audience targeting. Google actually is in the works to take this a step forward with the FloC experiment. FloC (Federated League of Cohorts) actually deprecates the Set-Cookie header in favor of in-browser history scanning. Basically, in a year or two they plan to incorporate Chrome into their adtech stack and have it report your history/behavior to Google (regardless of whether you save history or not). Here is some good info on that: https://github.com/WICG/floc

Instead they propose new standards, like HTML Imports or FLoC, and the W3C decides as a whole whether or not they become official standards.

With cross-site cookies, adnetwork.com has full information about what sites you've visited (among sites that incorporate their cookies). This isn't good either! But generally speaking, an individual site using adnetwork.com for advertising won't have or want access to that vector of your interests; many site operators don't even have visibility into what ads win real-time bidding, just that they're receiving money for providing their inventory. Certainly there are players that can provide demographic targeting metadata to site operators, but to my knowledge they are less widely known and certainly not cheap, and I imagine (or hope) any players with wide enough cookie reach would be discouraged from maintaining a database that could associate metadata with PII.

With FLoC, though, the idea was that the browser would provide document.interestCohort() and the individual site's JS could react accordingly: https://github.com/WICG/floc . This means that any site, regardless of its contracts with ad networks, could immediately identify your cohort and associate it with your activity. Web developers working in good faith would be encouraged to have user.cohort or user.topic fields from day one "just so you have it" - imagine all the ways someone could use this in bad faith. Inevitably this data would leak (or be intentionally leaked) and could trivially become a target list for doxxing closeted people. It's a dangerous, dangerous proposal.

You can't find any info about this because there isn't really any. Josh Karlin, who is the maintainer of the FLoC working document, said at an event that it might make sense to swap to topics. It's essentially just reducing the entropy of the cohorts and giving them a more comprehensible (and probably less useful) taxonomy. That's all the info there is.

https://github.com/WICG/floc explains the overall goals.

It's pretty complicated and my understanding could be wrong and definitely not an expert. All the stupid CIA-style names that keep changing don't help. Turtledove, fledge, sparrow lol.

But from what I think I know that's kind of right technically, but kind of not in terms of actual real privacy.

Yes, the actual browsing data, e.g. for the basic floc cohorts only what amazon product page you visited, is no longer 'sent' to ad networks (that's a pretty big oversimplification of how ad networks track you but for brevity). That data is parsed in your browser to generate a cohort ID for you.

But this cohort ID is exposed to the world document.interestCohort() and is what's used for targeting and tracking.

To me it seems that the cohorts are so small "thousands of people" + IP or UA it's basically the same as a semi-long lasting uuid.

Here's an image from google's site.

https://web-dev.imgix.net/image/80mq7dk16vVEg8BBhsVe42n6zn82...

It also seems like Chrome/google might be still defaulting browser settings to give themselves even more data just like they currently do?

https://github.com/WICG/floc#qualifying-users-for-whom-a-coh...

BUT when you layer on the other proposals (Fledge/Turtledove/Dovekey or whatever) - which I don't understand that much maybe someone else can explain - it seems like it basically collect this page/product level data and makes it available to DSP etc for tracking/ad serving (again if not technically 1:1 basically in consequence given the sizes of these groups).

Like one of the proposals talks about a 'trusted' key/value server which doesn't seem that different from what already happens? The original proposal wanted to move the entire ad bid/target/serve process into the browser.