Hacker News new | ask | show | jobs
by svieira 666 days ago
> We conducted a user study with 30 Web users, recruited over social media, and presented them each with 20 pairs of websites. Website pairs were randomly selected from both the Related Website Sets list (i.e., sites Google designates as “related”, and so warranting reduced privacy protections), and the Tranco list of popular websites. Each user was presented with different pairs of websites, asked to view the sites, and then decide if they thought the two sites were operated by the same organization. This resulted in 430 determinations of whether unique pairs of websites were related.

> In our study, the large majority of users (~73%) made at least one incorrect determination of whether two sites were related to each other, and almost half (~42%) of the determinations made during the study (i.e., all determinations from all users) were incorrect. Most concerning, of the cases where both sites were related (according to the RWS feature), users guessed that the sites were unrelated ~37% of the time, meaning that users would have thought Chrome was protecting them when it was not.

> ... We conclude from this that the premise underlying RWS is fundamentally incorrect; Web users are (understandably, predictably) not able to accurately determine whether two sites are owned by the same organization. And as a result, RWS is reintroducing exactly the kinds of privacy harms that third-party cookies cause.

> Lest anyone judge the study participants for being uninformed, or not taking the study seriously, consider for yourself: which of the following pairs of sites are related?

1. hindustantimes.com and healthshots.com

2. vwo.com and wingify.com

3. economictimes.com and cricbuzz.com

4. indiatoday.in and timesofindia.com

> (For the above quiz, if you chose “4”, then, unfortunately that is incorrect. That is in fact the only pair of the four that isn’t considered “related” to each other.)
2 comments
nsagent 666 days ago
If anything it sounds like "related" is not what they are actually doing. Rather they are looking at ways to uniquely fingerprint users through optimizing how they split "related" sites.

Reminds me of the research that shows that 87% of people in the US can be uniquely identified with only three pieces of information: date of birth, gender, and zip code [1].

[1]: https://dataprivacylab.org/projects/identifiability/paper1.p...

link
dwighttk 666 days ago
That seems to be saying it is extremely likely that the only other person in my zip code that shares my birthdate is opposite gender
link
alwa 666 days ago
Only 50% of the time, but that’s 50% better of a guess than you’d make without knowing gender.

ZIP codes contain maybe 40K residents [0] (many contain fewer) and there have been around 25K days in the last 70 years. Sure births are not evenly distributed, but still...

[0] https://www.unitedstateszipcodes.org/images/comparison-of-po...

link
aftbit 666 days ago
That sounds like a pitch for one of those "singles near you" apps. Find hot women in your area who share your birthdate!
link
paulmd 666 days ago
statistically, 50% chance, innit?
link
dwighttk 666 days ago
OP seems to claim 13% same / 87% opposite
link
jsnell 666 days ago
I don't think you can make that conclusion.

I think you're making the assumption that all three data points are needed for all 87%. But obviously some people can be uniquely identified based on just {zip, date or birth}, such that gender isn't necessary.

So the distribution could e.g. be 8% same, 8% opposite, 5% both, 79% neither, and explain the original numbers without triggering the paradox.

link
dwighttk 665 days ago
Yeah I was off, but by their numbers

87% of the time, there are no others on my birthdate or there is one other and opposite gender.

13% of the time is 1 same gender or more of either or both.

link
Yawrehto 666 days ago
Really? That's odd. The typical zip code has a population of about ~9000. Dates of birth are about evenly distributed, so you'd still get about 24 people/birthday, or around 12 men or women per birthday per zip code.. I might be off by a fair amount in either direction, but I don't think I'd be twelve times off.
link
snowwrestler 666 days ago
Dates of birth are not evenly distributed.

To clarify: your date of birth includes the year. It’s more specific than your birthday, which we usually think of as just day & month.

link
Terr_ 666 days ago
Also, the difficulty of identifying someone probably looks like a power-law curve, meaning that most of the "total difficulty" is concentrated in a small group, the ~13% that can't be identified.

In other words, even if one person is extraordinarily tricky to find [0], their share of the total un-findable-ness does not diffuse outwards to help anybody else.

[0] http://tailsteak.com/archive.php?num=433

link
Yawrehto 664 days ago
Oh, ok, I didn't realize that the data included the year. Never mind, I don't know the US age distribution well enough to have any idea of how plausible it is; I withdraw my comment.
link
meindnoch 666 days ago
birthday != date of birth
link
tomschwiha 666 days ago
1) Shares the same company name in the About us 2 & 3) Same company name in the privacy declaration 4) timesofindia.com belongs to the 3) company

timesofindia.com also redirected me on tabbing out to a "you won a free Samsung phone". Shady.

link
tomschwiha 666 days ago
Tried also to ask ChatGPT (4o) and it got it right on first attempt.
link