It’s better because PPA isn’t about targeting ads at all. It doesn’t share any browsing history, topics, or any information for ad targeting to advertisers at all. What it does do is provide a way for a website to tell your browser which ads are relevant to an action you take - for example on a checkout confirmation screen the site may tell your browser “here’s a list of ad IDs for the shop you just bought from”. Your browser then checks if it’s seen any of those ads, checking completely using local data that doesn’t leave the browser, then to an aggregator it reports which ads possibly led to your purchase. The aggregator increments a counter for each ad in its database and relays the totals to the advertiser. There are no unique identifiers or any information about your habits or interests involved.

When I initially heard about PPA I also thought it was related to FLoC / topics, but it has nothing to do with ad targeting or sharing information about habits / interests, it’s just a way to tell advertisers “Ad XYZ was effective and led to a sign up/purchase” without revealing who saw the ad or any personal information about them, just the total number of people.

Passkeys are like using a private key to log in. There are several ways it’s better:

• Passwords can be stored improperly by a website leading it to be leaked
  • Passkeys never leave the device so a website being breached can never leak your passkey
  • The website only stores the public portion of the key which is useless to an attacker
  • Passkeys can only be stolen by attacking and breaching the device or password manager that holds it
• Passwords can and often are reused across multiple sites so a single leaked password can compromise many sites
  • Passkeys are created for each site so an attacker would need to steal each one separately
• Passwords can be phished by fooling a user into entering the password
  • Passkeys can’t be phished easily since it’s designed not to leave the device - if such an attack was found it could be patched in the browser / password manager. You can’t patch all password forms to stop phishing in the same way

If you’re familiar with ssh keys, it’s similar to that and why the top security recommendation for new servers is to disable passwords and use keys instead.

This seems to be about android, meant just desktop, where I use Firefox and bitwarden. It works fine with GitHub where I created and use a passkey but PayPal’s faq says they only support chrome and safari.

Not only passkey managers but websites too. I tried to set up a passkey for PayPal but they don’t let you set it up unless you’re using chrome or safari