From 569536ab3c1c365ee815761420d35e37e7f78ab6 Mon Sep 17 00:00:00 2001
From: Martin Thomson
Date: Thu, 5 Sep 2024 17:14:22 +1000
Subject: [PATCH 1/2] End-User benefits

This was surprisingly hard to do. Mostly because the indirect nature of the
benefit, while broadly accepted, does not have a lot of research to back it.
With help, I was able to find a few papers, but this could still stand to be
improved.
---
 api.bs | 182 +++++++++++++++++++++++++++++++++++++++++++++--
 images/value.svg | 68 ++++++++++++++++++
 2 files changed, 246 insertions(+), 4 deletions(-)
 create mode 100644 images/value.svg

diff --git a/api.bs b/api.bs
index 50cf15f..16f5b0e 100644
--- a/api.bs
+++ b/api.bs
@@ -65,14 +65,37 @@ with multiple purveyors of personal information that is traded for various purpo ## Goals ## {#goals} -The goal of this document is to define an means of performing attribution +The goal of this document is to define an means of performing [=attribution=] that does not enable tracking. +## Attribution ## {#s-attribution} + +Attribution is the process of identifying [=actions=] +that precede an [=outcome=] of interest, +and allocating value to those [=actions=]. + +For advertising, actions that are of interest +are primarily the showing of advertisements +(also referred to as impressions). +Other actions include ad clicks (or other interactions) +and opportunities to show ads that were not taken. + +Desired outcomes for advertising are more diverse, +as they include any result that an advertiser seeks to improve +through the showing of ads. +This might be sales, subscriptions, page visits, enquiries, +or any other event. + +For this API, [=actions=] and [=outcomes=] are both +events: things that happen once. +What is unique about attribution for advertising +is that these events might not occur on the same [=site=]. + The primary challenge with attribution is in maintaining privacy. Attribution involves connecting activity on different sites. If that information were directly revealed, it would enable unwanted -[[PRIVACY-PRINCIPLES#dfn-cross-context-recognition cross-context recognition]], +[[PRIVACY-PRINCIPLES#dfn-cross-context-recognition|cross-context recognition]], thereby enabling tracking. This document avoids cross context recognition by ensuring that 
@@ -90,7 +113,101 @@ The differential privacy design used is outlined in [[#dp]]. ## End-User Benefit ## {#user-benefit} -New additions to the +The measurement of advertising performance creates new cross-site flows of information. +That information flow creates a privacy risk or cost-- +of [[PRIVACY-PRINCIPLES#dfn-cross-context-recognition|cross-context recognition]]-- +that needs to be justified in terms of benefits to end users. + +Any benefits realized by end users through the use of [=attribution=] is indirect. + +End users that visit a website +pay for "free" content or services +primarily through their attention +to any advertisements the site shows them. +This "value" accrues to the advertiser, +who in turn pays the site. +The site is expected to use this money to +support the provision of their content or services. + +
+
+path:images/value.svg
+
+
Value exchange for advertising-supported content and services
+
+ +Participation in an [=attribution=] measurement system +would comprise a second cost element. + +Support for attribution enables more effective advertising, +largely by informing advertisers about what ads perform best, +and in what circumstances. +Those circumstances might include +the time and place that the ad is shown, +the person to whom the ad is presented, and +the details of the ad itself. + +Connecting that information to outcomes +allows an advertiser to learn what circumstances most often lead +to the outcomes they most value. +That allows advertisers to spend more on effective advertising +and less on ineffective advertising. +This lowers the overall cost of advertising +relative to the value obtained. [[ONLINE-ADVERTISING]] + +Sites that provide advertising inventory, +such as content publishers and service providers, +indirectly benefit from more efficient advertising. +Venues for advertising that are better able to +show ads that result in +the outcomes that advertisers seek +can charge more for ad placements. + +Sites that obtain support through the placement of advertisements +are better able to provide quality content or services. +Importantly, that support is derived unevenly from their audience. +This can be more equitable than other forms of financial support. +Those with a lower tendency or ability to spend on advertised goods +obtain the same ad-supported content and services +as those who can afford to pay. [[EU-AD]][[COPPACALYPSE]] + +The ability to supply "free" services +supported by advertising +has measurable economic benefit +that derives from the value of those services. [[FREE-GDP]] + + +## Collective Privacy Effect ## {#collective} + +The use of aggregation-- +if properly implemented-- +ensures that information provided to sites is about groups and not individuals. + +The introduction of this mechanism therefore represents collective decision-making, +as described in [[PRIVACY-PRINCIPLES#collective-privacy]]. 
+ +Participation in attribution measurement carries a lower privacy cost +when the group that participates is larger. +This is due to the effect of aggregation on +the ability of sites to +extract information about individuals from aggregates. +This is especially true for central [[#dp|differential privacy]], +which is the mathematical basis for the privacy design used +in this specification. + +Larger cohorts of participants also produce more representative-- +and therefore more useful-- +statistics about the advertising that is being measured. + +If attribution is justified, +both these factors motivate the enablement of attribution for all users. + +Acting to enable attribution measurement by user agents +will not be positively received by some people. +Different people perceive the costs and benefits +that come from engaging with advertising differently. +The proposed design allows people the option of appearing to participate in attribution +without revealing that choice to sites; see [[#opt-out]]. ## Attribution Using Histograms ## {#histograms} @@ -133,7 +250,7 @@ The aggregation service: from the provided inputs and that there are enough conversion reports, -2. adds the histograms including sufficient [[#dp noise]] +2. adds the histograms including sufficient [[#dp|noise]] to produce a differentially-private aggregate histogram, and 3. returns the aggregate to the site. @@ -181,6 +298,11 @@ which is a means of limiting the amount of privacy loss. TODO +## Optional Participation ## {#opt-out} + +TODO + + # Security # {#security} TODO @@ -195,6 +317,58 @@ The privacy architecture is courtesy of the authors of [[PPA-DP]].
 {
+  "coppacalypse": {
+    "authors": [
+      "Garrett Johnson",
+      "Tesary Lin",
+      "James C. Cooper",
+      "Liang Zhong"
+    ],
+    "title": "COPPAcalypse? The Youtube Settlement's Impact on Kids Content",
+    "href": "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4430334",
+    "date": "2024-03-14"
+  },
+  "eu-ad": {
+    "authors": [
+      "Niklas FOURBERG",
+      "Serpil TAŞ",
+      "Lukas WIEWIORRA",
+      "Ilsa GODLOVITCH",
+      "Alexandre DE STREEL",
+      "Hervé JACQUEMIN",
+      "Jordan HILL",
+      "Madalina NUNU",
+      "Camille BOURGUIGON",
+      "Florian JACQUES",
+      "Michèle LEDGER",
+      "Michael LOGNOUL"
+    ],
+    "title": "Online advertising: the impact of targeted advertising on advertisers, market access and consumer choice",
+    "href": "https://www.europarl.europa.eu/thinktank/en/document/IPOL_STU(2021)662913",
+    "publisher": "European Parliament",
+    "date": "2021-06"
+  },
+  "free-gdp": {
+    "authors": [
+      "Leonard Nakamura",
+      "Jon D. Samuels",
+      "Rachel Soloveichik"
+    ],
+    "title": "Measuring the \"Free\" Digital Economy within the GDP and Productivity Accounts",
+    "href": "https://www.bea.gov/research/papers/2017/measuring-free-digital-economy-within-gdp-and-productivity-accounts",
+    "publisher": "Bureau of Economic Analysis",
+    "date": "2017-10"
+  },
+  "online-advertising": {
+    "authors": [
+      "Avi Goldfarb",
+      "Catherine Tucker"
+    ],
+    "title": "Online Advertising",
+    "href": "https://doi.org/10.1016/B978-0-12-385514-5.00006-9",
+    "edDraft": "http://www-2.rotman.utoronto.ca/~agoldfarb/OnlineAdvertising.pdf",
+    "publisher": "Elsevier"
+  },
   "ppa-dp": {
     "authors": [
       "Pierre Tholoniat",
diff --git a/images/value.svg b/images/value.svg
new file mode 100644
index 0000000..c4202c5
--- /dev/null
+++ b/images/value.svg
@@ -0,0 +1,68 @@
+
+
++-------------+            +------------+
+|             |            |            |
+|    User     +----------->| Advertiser |
+|             | Attention  |            |
++-------------+            +-----+------+
+      ^                          |
+      | Content and              | Money
+      | Services                 |
+      |                          v
+ .----+------.             +------------+
+|  Content    |            |            |
+| Production  | Investment |            |   Profit,
+|     /       |<-----------+  Website   +------->
+|  Service    |            |            |   Expenses,
+| Improvement |            |            |   etc...
+ '-----------'             +------------+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+User
+Advertiser
+Attention
+Content and
+Money
+Services
+Content
+Production
+Investment
+Profit,
+/
+Website
+Service
+Expenses,
+Improvement
+etc...
+
+
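Review bot: in the api.bs hunk at `@@ -65,14 +65,37 @@`, the rewritten line `+The goal of this document is to define an means of performing [=attribution=]` keeps the article error; since the line is already being touched, make it "a means". In the same hunk, the new sentence "[=actions=] and [=outcomes=] are both events: things that happen once" sits oddly next to the examples just given (impressions, clicks, page visits), which recur for the same person; if the intent is that each event is a single discrete occurrence at a point in time, say that, so the definition is not read as "occurs at most once". Also, the context line "This document avoids cross context recognition" is unhyphenated while the new link text uses "cross-context recognition"; pick one spelling.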
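Review bot: in the api.bs hunk at `@@ -90,7 +113,101 @@`, the Collective Privacy Effect paragraph credits aggregation alone ("if properly implemented") with ensuring that sites learn only about groups, and then says participation "carries a lower privacy cost when the group that participates is larger", "especially" for central differential privacy. Neither claim matches the rest of the document: the per-browser contribution limits and the noise added under [[#dp]] are what bound what a site can learn about one contributor, and a differential privacy guarantee is fixed by its privacy parameter rather than by cohort size, so a larger cohort improves the usefulness of the aggregate at the same privacy level (which the following paragraph already says) rather than lowering each participant's privacy cost. Suggest naming the contribution limits and noise here and rewording the cohort-size sentence as a utility claim. Smaller items in the same hunk: "Any benefits realized by end users through the use of [=attribution=] is indirect" needs "are indirect"; the `--` pairs in "privacy risk or cost--" and "aggregation--" should be checked in the Bikeshed output, since they may render as literal double hyphens; and the closing sentence relies on [[#opt-out]], whose section this patch adds as "TODO", so the claim that people can appear to participate without revealing that choice is not yet backed by spec text.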
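Review bot: in the api.bs hunk at `@@ -195,6 +317,58 @@`, the `online-advertising` entry is the only new reference without a `date`; add the publication year so it renders like the others. The `eu-ad` author list puts surnames in capitals ("Niklas FOURBERG", "Serpil TAŞ") while every other entry uses mixed case; normalise to "Niklas Fourberg" and so on. The `coppacalypse` title writes "Youtube"; check the source and use "YouTube" if that is how the paper spells it.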
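Review bot: the new `images/value.svg` draws only the baseline exchange (User attention to Advertiser, Money to Website, Investment back into content production and service improvement), but the text immediately after the figure introduces attribution measurement as a "second cost element", and the diagram has no arrow for that measurement data flow. Either add that flow to the diagram or state in the caption that the figure shows the exchange before attribution is added. Also check that the SVG carries a `<title>` or description for assistive technology; only the box and arrow labels are visible in the text here.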

From 54323ed5bac1949a8f997238399b41d5223e975e Mon Sep 17 00:00:00 2001
From: Martin Thomson 
Date: Thu, 12 Sep 2024 16:01:49 +1000
Subject: [PATCH 2/2] Rebase and dedupe

---
 api.bs | 49 ++++---------------------------------------------
 1 file changed, 4 insertions(+), 45 deletions(-)

diff --git a/api.bs b/api.bs
index 13205ed..7a97973 100644
--- a/api.bs
+++ b/api.bs
@@ -27,11 +27,11 @@ The primary goal of this API is to enable attribution for advertising.
 
 ## Attribution ## {#s-attribution}
 
-Attribution is the process of identifying [=actions=]
+In advertising, attribution is the process of identifying [=actions=]
 that precede an [=outcome=] of interest,
 and allocating value to those [=actions=].
 
-For advertising, actions that are of interest
+Actions that are of interest to advertisers
 are primarily the showing of advertisements
 (also referred to as impressions).
 Other actions include ad clicks (or other interactions)
@@ -118,50 +118,9 @@ with multiple purveyors of personal information that is traded for various purpo
 ## Goals ## {#goals}
 
 The goal of this document is to define an means of performing [=attribution=]
+for advertising
 that does not enable tracking.
 
-## Attribution ## {#s-attribution}
-
-Attribution is the process of identifying [=actions=]
-that precede an [=outcome=] of interest,
-and allocating value to those [=actions=].
-
-For advertising, actions that are of interest
-are primarily the showing of advertisements
-(also referred to as impressions).
-Other actions include ad clicks (or other interactions)
-and opportunities to show ads that were not taken.
-
-Desired outcomes for advertising are more diverse,
-as they include any result that an advertiser seeks to improve
-through the showing of ads.
-This might be sales, subscriptions, page visits, enquiries,
-or any other event.
-
-For this API, [=actions=] and [=outcomes=] are both
-events: things that happen once.
-What is unique about attribution for advertising
-is that these events might not occur on the same [=site=].
-
-The primary challenge with attribution is in maintaining privacy.
-Attribution involves connecting activity on different sites.
-If that information were directly revealed,
-it would enable unwanted
-[[PRIVACY-PRINCIPLES#dfn-cross-context-recognition|cross-context recognition]],
-thereby enabling tracking.
-
-This document avoids cross context recognition by ensuring that
-attribution information is aggregated using an [=aggregation service=].
-The aggregation service is trusted to compute an aggregate
-without revealing the values that each person contributes to that aggregate.
-
-Strict limits are placed on the amount of information that each browser instance
-contributes to the aggregates for a given site.
-Differential privacy is used to provide additional privacy protection for each contribution.
-
-Details of aggregation service operation is included in [[#aggregation]].
-The differential privacy design used is outlined in [[#dp]].
-
 
 ## End-User Benefit ## {#user-benefit}
 
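Review bot: the kept context line `The goal of this document is to define an means of performing [=attribution=]` still reads "an means"; since `+for advertising` is being inserted directly below it, fix the article in the same change. The deletion also leaves two consecutive blank lines between the Goals paragraph and `## End-User Benefit ##` (the blank context line that followed the removed block plus the original one); drop one.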
@@ -189,7 +148,7 @@ path:images/value.svg
 
 
 Participation in an [=attribution=] measurement system
-would comprise a second cost element.
+would comprise a secondary cost to Web users.
 
 Support for attribution enables more effective advertising,
 largely by informing advertisers about what ads perform best,
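Review bot: `+would comprise a secondary cost to Web users.` misuses "comprise" (which means "consist of"); the sentence means that participation adds a cost, so "would impose a secondary cost on Web users" or "would be a secondary cost to Web users" reads correctly.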