blog: Don Marti


leaked: a new surveillance browser?

01 March 2021

I just heard from a reader of this blog that a dictatorship is taking over in their country, and will be requiring all citizens to use their new web browser. The scary thing is that this new country-specific browser will have a built-in surveillance system in it. Excerpt from the top-secret document follows.

Today, citizens are categorized, governed, and provided with public services based on a variety of tracking techniques. It would be more efficient and less costly for the State if citizens could be assigned to priority groups, or cohorts, within the browser itself.

We plan to explore ways in which a browser can group together people with similar browsing habits, so that the State (and private entities regulated by the State) can use the habits of these cohorts, to:

  • prioritize assignment of surveillance personnel to individuals

  • allocate public services preferentially to favored religious and language groups

  • encourage self-reeducation by members of marginal groups

Browsers would need a way to form clusters that are both useful and efficient: Useful by collecting people with similar enough interests and producing labels suitable for machine learning, and efficient by cheaply forming large clusters that can be used to prioritize the assignment of costly individual surveillance technologies and of public-sector services such as education, business subsidies, and travel documents.

A Citizen's Omnipresent Law-Enforcement and Favoritism (COLF) cohort is a short name that is shared by a large number (thousands) of people, derived by the browser from its user’s browsing history. The browser updates the cohort over time as its user traverses the web. The value is made available to websites via a new JavaScript API.

The browser uses machine learning algorithms to develop a cohort based on the sites that an individual visits. The algorithms might be based on the URLs of the visited sites, on the content of those pages, or other factors. The central idea is that these input features to the algorithm, including the web history, are kept local on the browser—the browser only exposes the generated cohort. The browser ensures that cohorts are well distributed, so that each represents thousands of people.

Hiding or falsifying cohort membership

Some citizens who are members of less favored cohorts might configure or modify their browsers to send a blank, random, or deliberately chosen cohort. This behavior will be disincentivized by doing spot-checks that compare the observed cohort for a citizen to a set of likely cohorts calculated from known PII for that citizen.

Cohorts do not eliminate the need for detailed State surveillance of a subset of citizens, just as a vehicle license plate does not eliminate the need for random checks of a driver's papers. However, license plates and cohorts are easily observable in large numbers, and appropriate penalties for falsification of either can be applied. Cohorts are a cost-saving complement to other surveillance technologies, and make more kinds of discrimination and surveillance practical and affordable.

Sensitive Categories

A cohort is designed to reveal sensitive information. A user might configure or modify the browser in an attempt to remove visits to sensitive sites from cohort data collection. But this does not mean sensitive information can’t be leaked. The State is aware of correlations between browser history and sensitive cohort membership that citizens are not aware of.

Citizens might attempt to evaluate their own cohort by measuring and limiting their deviation from population-level demographics with respect to the prevalence of sensitive categories, to prevent their use as proxies for a sensitive category. However, this evaluation would require knowing how many individual people in the cohort were in the sensitive categories, information which could be difficult or intrusive to obtain.

...all right, that's enough. This wasn't some new surveillance browser, it's a lightly edited version of the FLoC README. How much of a Bay Area big company employee filter bubble do you have to be in to see an idea for having the browser tell sites, "MY USER IS A MEMBER OF THIS GROUP" and think, wow, we can use this to sell sneakers! Anybody who wants sneakers, if you seriously have no idea how to get them, let me know, I'll drive you to the damn shoe store myself. Easier than dealing with all this labeling-people-with-group-identifiers creepy jibber-jabber.

Global Privacy Control Endorsed by California AG

Firefox's Latest Update Promises Complete Cookie Control—With Just A Few Caveats

Cheat sheet: What to expect in state and federal privacy regulation in 2021