Never-Consent: Global Privacy Control

[chrmod]

The Global Privacy Control is an HTTP header that can be sent to website to let it know the user don't want to be tracked. It is legally binding in some regions like California.

We want Ghostery extension to send GPC on behalf of the user in case browsers are not doing that.

This functionality should be enabled by default.

UI:

• in Ghostery Settings, under "Privacy Protection" it is a deep switch for "Never-Consent"
  • title: "Enable Global Privacy Control"
  • description: "When enabled, your browser sends a signal to websites asking them not to sell or share your personal data for advertising, in line with privacy laws like those in California and the EU."
• in Ghostery Panel: In the Never-Consent feedback block, we want to mention that the signal was sent
  • when clicking on the "card" - it should mention if consent was managed and/or GPC was sent
• in WTM tab: add number of send GPC signal to the line chart (we have to count those)

Notes for developers:

• GPC may break some pages, so we want to add a remote config flag called disable-gpc which will prevent extension of sending the signal for given domains. It should be used as excludedInitiatorDomains and excludedRequestDomains of the DNR rule.
• DDG may be use as a reference implementation https://github.com/search?q=repo%3Aduckduckgo%2Fduckduckgo-privacy-extension%20GPC&type=code

[KyleZhang0118]

Curious: What if user IDs were ephemeral by design? I sketched a 20-line generator: https://github.com/kylezhang0118/ghost-id

Same user, two different IDs across sites. No tracking possible.

[kalinme]

first iteration: https://www.figma.com/design/0HIwg2OfZmw4hKyVl6f7kQ/Ghostery-Panel?node-id=4340-29786&t=YkZxdfykkjGhoaFm-1

[kalinme]

added next iteration: https://www.figma.com/design/0HIwg2OfZmw4hKyVl6f7kQ/Ghostery-Panel?node-id=4455-17001&t=Zk3pix1WudPNG7lg-1

[kalinme]

ready for development: https://www.figma.com/design/0HIwg2OfZmw4hKyVl6f7kQ/Ghostery-Panel?node-id=4455-17001&t=UAdG3L8xcc8a7SQe-1