Hi TAG,

I'm submitting this TAG design review of our IP Protection feature (largely as an FYI, if such a thing exists). This feature does not materially alter web platform APIs, but instead masks the client's IP using IETF defined CONNECT, CONNECT-UDP, and MASQUE, etc. But if TAG would like to provide input on our design choices, we welcome it.

IP Protection is a feature that limits availability of a user’s original IP address in third party contexts while in Incognito mode, enhancing Incognito's protections against cross-site tracking when users choose to browse in this mode.

• Explainer¹: https://github.com/GoogleChrome/ip-protection/blob/main/README.md

• User research: N/A

• Security and Privacy self-review²: https://github.com/GoogleChrome/ip-protection/blob/main/security-privacy-questionnaire.md

• GitHub repo: https://github.com/GoogleChrome/ip-protection

• Primary contacts:

  • @jhbradley, Google
  • @DavidSchinazi, Google,
  • @miketaylr, Google,

• Organization/project driving the design: Privacy Sandbox

• This work is being funded by: Google

• Incubation and standards groups that have discussed the design: N/A

• Standards group(s) that you expect to discuss and/or adopt this work when it's ready: N/A

• Multi-stakeholder feedback³:

  • Chromium comments: N/A
  • Mozilla comments: No Signal
  • WebKit comments: Apple has shipped a similar feature called iCloud Private Relay
  • Feedback and questions from users and developers can be found in various issues in the GitHub repo

• I have reviewed the TAG's Web Platform Design Principles