You've posted this in a few threads, but I don't think I understand what scenario it would be used in?
Every user of social media in Florida now has to visit a third party (who?) that sets a cookie (private state token?) on their browser that verifies their age?
Correct - ISP requires you to visit Florida.gov (or realistically a company the government trusted to set up verification) to set your token if you’re an adult. Then each social media site checks whether a visitor is from Florida, and then if they have a valid token. If valid, load like normal. If not valid, don’t load the site.
And now the state of Florida has a receipt of every website you ever visit. That will surely never be an issue when the Governor's private law enforcement arm looks through it or the inevitable data leak happens.
The intention of the API is for that to not be possible.
> The privacy of this API relies on that fact: the issuer is unable to correlate its issuances on one site with redemptions on another site. If the issuer gives out N tokens each to M users, and later receives up to N*M requests for redemption on various sites, the issuer can't correlate those redemption requests to any user identity (unless M = 1). It learns only aggregate information about which sites users visit.
Someone has to hand the browser the token. And that token has to be validated by someone's backend. You now have an issuer with knowledge of who a token belongs to and a visited site with a record of where they were. They go over this on that very page:
> (unless M = 1)...
> If the server uses different values for their private keys for different clients, they can de-anonymize clients at redemption time and break the unlinkability property...
> If the issuer is able to use network-level fingerprinting or other side-channels to associate a browser at redemption time with the same browser at token issuance time, privacy is lost.
This is why Mozilla rejects the proposal. We just have to trust issuers to be good and then trust that neither issuers nor websites will "accidentally" log these tokens where a data leak creates a paper trail to real-world identities.
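The unlinkability property quoted above, and the per-client-key failure mode the spec warns about, as an added toy example that is not from this thread or from the Private State Tokens spec: a textbook RSA blind-signature issuer stands in for the spec's real construction, and the Mersenne-prime keys, client names and message value are constructed for illustration.

```python
import secrets
from math import gcd

# Constructed toy moduli built from Mersenne primes; real deployments use 2048-bit+ keys.
MERSENNE = {13: 2**13 - 1, 17: 2**17 - 1, 19: 2**19 - 1, 31: 2**31 - 1, 61: 2**61 - 1}


def make_key(p, q, e=65537):
    """Textbook RSA key pair: public (n, e), private (n, d)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def issue(pub, priv, msg):
    """Blind issuance: the client blinds msg with a random r, the issuer signs the
    blinded value (the only thing it ever sees), and the client unblinds the result.
    Returns (value_the_issuer_saw, token_signature)."""
    n, e = pub
    _, d = priv
    r = secrets.randbelow(n - 2) + 2
    while gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2
    blinded = (msg * pow(r, e, n)) % n
    signed_blinded = pow(blinded, d, n)          # issuer side: signs without seeing msg
    sig = (signed_blinded * pow(r, -1, n)) % n   # client side: strips the blinding
    return blinded, sig


def verify(pub, msg, sig):
    """Redemption check performed by the site or the issuer's backend."""
    n, e = pub
    return pow(sig, e, n) == msg


def clients_matching(client_pubs, msg, sig):
    """What an issuer can learn at redemption: the clients whose issuing key verifies
    this token. With one key shared by everyone that is every client (unlinkable);
    with a key per client it is exactly one name, i.e. the de-anonymisation the spec
    describes for issuers that use different private keys for different clients."""
    return [name for name, pub in client_pubs.items() if verify(pub, msg, sig)]
```

The issuer's log holds only the blinded value, which neither equals the redeemed token's message nor verifies against its signature, so a single shared key gives the quoted N*M unlinkability; swapping in a key per client collapses it to M = 1 behaviour.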
It would be pretty simple to determine if tokens are unique per person - I agree that for many listed use cases in their documentation it's not amazing, but with specific government oversight and watchdogs for the specific Florida use case I think technically it makes sense. Morally, still not a fan.