
OWD project: Update MDN Privacy docs

Open dominiccooney opened this issue 3 years ago • 4 comments

https://developer.mozilla.org/en-US/docs/Web/Privacy is a draft and the sub pages are about Firefox. Since these were authored there has been a lot of spec and browser activity to document and consolidate, and the scope of this area continues to grow.

For example, many pages on MDN mention fingerprinting, but I don't think there's a page explaining fingerprinting. Understanding a bit about entropy would help developers see the relationship between topics like fingerprinting, navigator.userAgent simplification, and various vendors' conversion tracking proposals, empowering them to productively engage with this important area. Entropy is just one example; another is that many privacy-sensitive ad conversion proposals rely on crypto, but applied in a way that may be unfamiliar to many web developers.

As well as conceptual material, we need practical material. @sideshowbarker mentioned that:

Stack Overflow is one place where I can say I’ve seen a lot of developer confusion/frustration about [privacy and tracking]. I read a lot of questions on Stack Overflow from developers having issues with cross-origin requests — many of which the developers tag with the cors tag, even though they’re not about CORS; in the minds of a lot of developers, “CORS” just means “cross-origin”. A while back I started seeing a lot of questions about SameSite stuff, so in April I updated the samesite tag guidance, at https://stackoverflow.com/tags/samesite, and re-tagged a few dozen questions with that tag. I notice the tag now has 404 questions — which I think is a lot more than it had at the time I did the re-tagging in April.

On the other hand, @foolip mentioned that:

I don't think different policies around cookies and storage came up much at all in surveys I've looked closely at. In https://insights.developer.mozilla.org/reports/mdn-browser-compatibility-report-2020.html you can search for "the new SameSite setting for cookies that will break some browsers no matter what you do and you have to resort to browser sniffing" so there's something, but not much. Of course that research was long ago in the context of ITP/Potassium.

dominiccooney Sep 15 '21 10:09

Love it! Great proposal. https://developer.mozilla.org/en-US/docs/Web/Privacy definitely needs work.

I also noticed specifications these days have a "Privacy and security considerations" section and I think MDN docs should have similar sections embedded within the API docs, likely "Privacy concerns" sections, comparable to the "Accessibility concerns" sections that we started some time ago: https://developer.mozilla.org/en-US/docs/Web/API/Animation#accessibility_concerns

Elchi3 Sep 22 '21 09:09

Something mentioned in the steering committee meeting (I think by @dontcallmedom?) was documenting the differences between storage policies (cookies, local storage, query parameter stripping, etc.) across different engines. This would be a practical place to start. It is more tightly scoped and useful than the conceptual material about entropy or crypto underpinning draft conversion tracking proposals (...although that might make sense later).

dominiccooney Oct 04 '21 13:10

In yesterday's planning call Lola mentioned that a lot is still being figured out in the Privacy CG right now. It might make sense to get deeper into this topic once the standardization efforts are a bit more stable. We think this project isn't ready to take on yet. Will revisit next time.

Elchi3 Sep 15 '22 13:09

See also https://w3ctag.github.io/privacy-principles/.

wbamberg Jun 28 '23 14:06