Clarifying my understanding of the Shared Storage API proposal

Thanks for the questions!

Question: How do you prevent domains stomping on one another's content? And what prevents a company from reading a different company's content?

Data is stored per origin. So if you're in and write to shared storage, then it will be stored in a.com's storage. Likewise, a worklet created from an a.com iframe can only access data from a.com's storage.</p> <blockquote> <p>Question: Why does N need to be so small? Is there room to scale larger if your base population is large enough? While a small number of bits can be identifying if you have a small number of users, it's possible to have large numbers that aren't identifying if there's a large number of users, as long as the numbers are evenly distributed. Given that this proposal already requires aggregated reporting, would it be feasible for someone to run more types of treatment and just wait longer until enough users are in each treatment group to safely generate the aggregate report?</p> </blockquote> <p>TLDR: The larger N is, the faster Shared Storage leaks cross-site data, such as bits of a user id.</p> <p>With N urls as input to choose from, one is selected. That's an output of an arbitrary log2(N) number of bits of cross-site entropy in the output. That output goes to a fenced frame, and when the fenced frame is clicked it gets to navigate, meaning that the embedder's 1p identifier for the user (which could be in the URL selected) is then combined with those log2(N) cross-site its and sent out on the network in the worst case.</p> <p>~33 bits is enough to uniquely identify every person on the planet. So we want N to be as small as possible so the cross-site data leaks as slowly as possible, so that reidentification of users takes as long as possible.</p> <blockquote> <p>Is there any way to support multiple independent treatments with different user splits? E.g. if one treatment coloured the website background red and another treatment changed the font, could the users be split into these experiments independently such that some arbitrary subset of users might be in both?</p> </blockquote> <p>Yes, but you're still limited in number of options by N.</p> <blockquote> <p>Anything the function calls or loads needs to be done via opaque URL. In the long term, everything loadable via opaque URL should be a blob that's downloaded ahead of time and available offline. Put otherwise, visiting this URL wouldn't result in a server call when the user's browser actually accesses it.</p> </blockquote> <p>We're still figuring this out. Downloading ahead of time leads to large waste of resources for all of those N-1 urls that aren't chosen. It also would make video ads prohibitively expensive (unless only the first few seconds play and a click is required for more). </p> <blockquote> <p>"Operations defined by one context are not invokable by any other contexts." -> I'm not sure what this means. Does it mean we couldn't rerun the same treatment on different domains?</p> </blockquote> <p>It just means that a worklet is scoped to the current document (e.g., top frame or iframe). Each worklet can run whatever code you like in it. You can certainly run the same treatment on different domains. </p> <blockquote> <p>Unclear how flexible these functions/worklets are aside from letting you pick between 1 of 5 opaque URLs. Can you actually change behaviour in these functions, or does the behaviour change need to be within the URL? If the former, can you apply different worklets to different situations, so that you get behaviour changes for some situations and URLs for others?</p> </blockquote> <p>The output is one of the input URLS verbatim, no changes allowed. You can choose which selection method within the worklet you want to run for the given list of URLs. Not sure if that answers your second question here.</p> <blockquote> <p>Seems like you can write as many metrics as you want as long as it's in key-value pairs, but you can only get aggregate results returned to your servers at some time interval.</p> </blockquote> <p>The aggregate reporting API is still being worked out. But this is the general idea, yes.</p> <blockquote> <p>Is there any built-in support for splitting the metrics by treatment groups, or do you have to manually write each group to a different metric key?</p> </blockquote> <p>There may be some amount of metadata associated with each report so that you can process only those reports that you are concerned with in a particular query. Still not quite worked out.</p> <blockquote> <p>Will the metrics include confidence intervals?</p> </blockquote> <p>This seems likely.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/rwiens"><img src="https://avatars.githubusercontent.com/u/17754967?v=4" />rwiens</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <p>Thanks for all the answers! This definitely clarifies my understanding.</p> <p>N being so small feels like it may really limit the usefulness of this design. I wonder if there's any possibility to build in k-anonymity in such a way that would allow someone to run more experiments? For example, it sounds like the current approach allows the domain owner to assign users to a URL any way they want. If there was an option to instead have the browser enforce the URLs are evenly but arbitrarily split between the users, and maybe even drop arbitrary URL parameters, could we support a higher N? I haven't fully thought through these ideas so let me know if they're way off base, but as a half-baked idea, perhaps one alternative might be adding an intermediate layer to check how often a URL has been used before allowing the domain owner to add more? E.g. one URL is allowed until the intermediate layer has seen at least k users using it, then a 2nd is allowed until both URLs have at least k users, then a third is allowed, etc. I'm guessing there'd probably be a lot of trade-offs with that approach and I'm sure there's other alternatives you've thought about, so I'm interested in hearing if there's more you can share about if there are any possibilities for achieving a higher N while still retaining k-anonymity and user privacy.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/rwiens"><img src="https://avatars.githubusercontent.com/u/17754967?v=4" />rwiens</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <p>Gentle ping on this question.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/jkarlin"><img src="https://avatars.githubusercontent.com/u/6920902?v=4" />jkarlin</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <p>Sorry for the slow response! I missed it over break. Your suggestions limit the 1p (embedder) from getting to add its identifier to the URL. But the log2(N) bits of cross-site data remain in the resulting fenced frame. </p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/rwiens"><img src="https://avatars.githubusercontent.com/u/17754967?v=4" />rwiens</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <p>Okay, so to double-check my understanding, sounds like allowing the 1P to pass their 1P cookies to the 3P is considered a requirement of this design, and is considered a higher priority than increasing N? In which case would it be fair to say a privacy goal is to make sure that the 3P can't join cookies from different 1Ps to identify a user?</p> <p>I think I'm still having a bit of trouble wrapping my head around why the number of bits of entropy matter rather than k-anonymity. I'm not an expert so maybe I'm missing something obvious so if you have any examples of where the entropy would cause a problem, I'd appreciate it. </p> <p>As an example to demonstrate how I'm thinking about this, I usually see it as whether or not 1 bit or 10 bits is identifying depends on its population and distribution. If I have two users with bits 1 and 0 , then one bit is identifying. If I have 1000 users, 999 with bit=1 and one with bit=0, then bit=1 isn't identifying but bit=0 is. But if I have 1000 users, 500 with bit=1 and 500 with bit=0, then the bit is no longer identifying for k-anonymity of k=500. </p> <p>So my point here is if we were able to guarantee that there were at least k users for each unique bit combination for a given 3P, even if websites were still passing 1P cookies to the 3P, I'm having difficulty understanding why it would matter how many of those bit combinations existed if they all have k-anonymity. Even if a malicious actor were to try to join cookies across 1Ps, their unique bit combination would still have at least k users, and they won't know which of those k users for a given bit combination actually visited multiple websites or only one of them. Happy to learn more about what I might be missing here.</p> <p>Overall, N being so small really restricts the proposal's usability for, e.g. large ad networks that have a lot of developers who want to experiment on many different pieces of functionality. Instead I'm wondering if the design could be refocused around k-anonymity rather than bits of entropy, as long as we can guarantee that it still meets privacy needs. This would better allow for larger companies, that by nature have a lot of users, to reasonably experiment on their many, many pieces of functionality. The alternative for N=8 would be having to choose which 7 experiments and their shared control will be prioritized for the entire company, which isn't feasible. </p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/rwiens"><img src="https://avatars.githubusercontent.com/u/17754967?v=4" />rwiens</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <p>Hi! I understand that the question here may take a while to consider - do you happen to have a rough ETA on when you think you'll have a reply by?</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/jkarlin"><img src="https://avatars.githubusercontent.com/u/6920902?v=4" />jkarlin</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <blockquote> <p>Hi! I understand that the question here may take a while to consider - do you happen to have a rough ETA on when you think you'll have a reply by?</p> </blockquote> <p>Last week was super busy for me, sorry again for the slowness.</p> <blockquote> <p>Okay, so to double-check my understanding, sounds like allowing the 1P to pass their 1P cookies to the 3P is considered a requirement of this design, and is considered a higher priority than increasing N? In which case would it be fair to say a privacy goal is to make sure that the 3P can't join cookies from different 1Ps to identify a user?</p> </blockquote> <p>I'm all for exploring ways in which we can limit the 1p from passing identifying information into the Fenced Frame. It's not a hard requirement that it be able to. And yes, it is a privacy goal to ensure that the 3P can't join cookies from different 1ps to identify a user.</p> <blockquote> <p>So my point here is if we were able to guarantee that there were at least k users for each unique bit combination for a given 3P, even if websites were still passing 1P cookies to the 3P, I'm having difficulty understanding why it would matter how many of those bit combinations existed if they all have k-anonymity. Even if a malicious actor were to try to join cookies across 1Ps, their unique bit combination would still have at least k users, and they won't know which of those k users for a given bit combination actually visited multiple websites or only one of them. Happy to learn more about what I might be missing here.</p> </blockquote> <p>Because over time you get to call the selection operation repeatedly. And each time you might learn that a user is a part of a different k-anonymous group, and you can combine the knowledge from each of those groups the user is a member of to form an identifier. e.g., being a member of group X might not be identifying, but being a member of X, Y, Z, F, and R is. This is why I talk about it in terms of information. Assuming the information is disjoint, then you can add the information from each call until you have enough bits for an identifier.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/jkarlin"><img src="https://avatars.githubusercontent.com/u/6920902?v=4" />jkarlin</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <p>I wanted to add that I do think there is value in making the input urls to runURLSelectionOperation k-anonymous. With this property, it is hard for the fenced frame to leak the cross-site information in a useful way to anyone, even if it has full network access, because there is no 1st party or third party identifier to tie the data to. Once the fenced frame receives a user gesture, and can navigate, at that point the cross-site data can be joined with the destination site's cookies. So we <em>do</em> still need to limit the number of total input urls to reduce the amount of information leaked on that click, but the k-anonymity does provide better privacy properties before click.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/rwiens"><img src="https://avatars.githubusercontent.com/u/17754967?v=4" />rwiens</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <p>Thanks for the reply. So to check my understanding, is the concern you mentioned about intersection of groups and proposal #17 both about when a user changes groups for a given 3P over time? </p> <p>Example: a user starts in experiment X, then as the experiment configuration changes they get put in experiments Y, Z, F, and R consecutively. 3P initially just sees k users in experiment X, but if they have the user identifiers from the site, they can retain history for each ID. Once enough time passes, the 3P can examine the history and notice that the given 1P ID on site Foo has the exact same group history {X, Y, Z, F, R, ...} as a different 1P ID on site Bar, and are statistically likely to be the same user.</p> <p>I do agree with proposal #17 to make the URLs k-anonymous and michaelkleber's boot-strapping suggestion to help address this. Once the URLs are k-anonymous, would that be sufficient that we would no longer need to worry about bits of entropy? I.e. would we no longer need to have a hard limit N on the number of experiments, but could instead scale the number of experiments based on the quantity of traffic?</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/jkarlin"><img src="https://avatars.githubusercontent.com/u/6920902?v=4" />jkarlin</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <p>Thanks for the reply. So to check my understanding, is the concern you mentioned about intersection of groups and proposal <a href="https://github.com/pythagoraskitty/shared-storage/issues/17">https://github.com/pythagoraskitty/shared-storage/issues/17</a> both about when a user changes groups for a given 3P over time?</p> <p>Yes. If the same user can be correlated across fenced frames, then the data can be added together over time. Fenced Frames, on click, are allowed to navigate to a destination page. The destination page will have its 1p cookies and so it knows who the user is (from its perspective) and can collect the various groups that the user is in over time, eventually revealing their identity. We want this revelation to be slow, so we reduce the number of bits.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/rwiens"><img src="https://avatars.githubusercontent.com/u/17754967?v=4" />rwiens</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <p>Thanks. Can you answer the final question as well?</p> <blockquote> <p>Once the URLs are k-anonymous, would that be sufficient that we would no longer need to worry about bits of entropy? I.e. would we no longer need to have a hard limit N on the number of experiments, but could instead scale the number of experiments based on the quantity of traffic?</p> </blockquote> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/jkarlin"><img src="https://avatars.githubusercontent.com/u/6920902?v=4" />jkarlin</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <p>The data flow into the FF is: embedder k-anon URL and log(n) bits of cross-site information.</p> <p>The data flow out of the FF on navigation is: whatever was input to the FF, which gets tied to the destination page's 1p cookie.</p> <p>The k-anon URL slows the rate at which the destination page can tie its 1p cookie to the embedder's 1p identity.</p> <p>The log(n) bits still get tied to the destination's 1p identity, which is bad. So we still want n to be small.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/rwiens"><img src="https://avatars.githubusercontent.com/u/17754967?v=4" />rwiens</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <p>Thanks, the data flow explanation helps me understand the architecture here better. Just to double-check, the log(N) bits of cross-site information are not some extra data sent along with the URLs, but the outcome of the fact that we have N urls in the first place, correct? </p> <p>Apologies for taking up so much of your time, but I'm still struggling to understand why the number of URLs, N, matters if the URLs are each k-anonymous. Someone could use the URLs to derive log(N) bits of information about a particular group, but there still shouldn't be a way for them to meaningfully narrow down individuals within the group, is there? If I understand correctly, the 1P ID can't be passed on the URL since the URL is required to be k-anonymous, and there shouldn't be any additional data other than the URL that would allow the destination page to meaningfully join users across different groups?</p> <p>Does it matter if the API leaks log(N) bits of info about a group, if the group is still k-anonymous and it's infeasible to narrow down individual users in the group? Are there some other trade-offs or aspects of how request processing works that I'm missing here?</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/jcma-google"><img src="https://avatars.githubusercontent.com/u/99992917?v=4" />jcma-google</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <p>Hello! I want to piggyback on this open thread and chime in by stating that we're also interested in running cross-site experiments using this new API but a limit of 8 is too small to be feasible. Is it possible to drop this limitation? </p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/jkarlin"><img src="https://avatars.githubusercontent.com/u/6920902?v=4" />jkarlin</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <p>What number would you consider to be reasonable? Why is 8 too limiting?</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/rwiens"><img src="https://avatars.githubusercontent.com/u/17754967?v=4" />rwiens</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <p>My team's clients are different from jcma's, but speaking for myself, we have the following requirements:</p> <ul> <li>As mentioned in <a href="https://research.google/pubs/pub36500/">this research paper</a>, we want to be able to: <ul> <li>Run experiments with granularity of 0.1% or more of users to limit our risk exposure</li> <li>Run non-overlapping experiments within a single layer, to isolate behaviour changes from one another.</li> <li>Support overlapping experiments by hashing/redistributing users across layers, in order to allow simultaneous experimentation on independent features.</li> </ul></li> <li>In terms of <strong>scale</strong>, we need to be able to run at least O(hundreds) of overlapping experiments.</li> </ul> <p>Experiments are critical infrastructure that allow engineers to measure the impact of changes so we can detect outages and improve user, advertiser, and publisher experiences.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/rwiens"><img src="https://avatars.githubusercontent.com/u/17754967?v=4" />rwiens</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <p>Hi Josh! I assume you've probably been busy recently and this scaling question may take some thought. Do you have an estimate for when you'll have an answer by?</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/jkarlin"><img src="https://avatars.githubusercontent.com/u/6920902?v=4" />jkarlin</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <p>I'm concerned that what you're describing doesn't mesh well with the input urls needing to be k-anonymous. A URL won't be selectable by SharedStorage until it meets the threshold (say 50-100) of unique clients that would have selected it.</p> <p>I'm interested in discussing a larger set of urls, since the privacy loss scales logarithmically, but I want to make sure we keep it as low (and useful) as possible.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/jcma-google"><img src="https://avatars.githubusercontent.com/u/99992917?v=4" />jcma-google</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <p>Sorry for the late reply. </p> <p>In reply to why 8 is too limiting and what number would be reasonable, Rachel said everything I wanted to say in this <a href="https://github.com/pythagoraskitty/shared-storage/issues/14#issuecomment-1049109396">comment</a> </p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/rwiens"><img src="https://avatars.githubusercontent.com/u/17754967?v=4" />rwiens</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <p>As far as I'm aware a k-anonymous URL should still be compatible with our requirements, as long as we can scale to a much larger number of URLs (i.e. remove the limit of n URLs, and allow arbitrary number of URLs as long as k-anonymity is still met) . </p> <p>We don't necessarily need Chrome to handle the overlapping layer mechanics. We can set up the layer independence algorithms ourselves as long as Chrome provides a mechanism for making a large number of user-sticky k-anonymous groups (which I assume is the URLs in this case). We are also okay with a ramp-up period during which these URLs/groups are unavailable until the k-anonymity threshold is met.</p> <p>So to put it otherwise, if a group of sites had 1000 users and Chrome decides k-anonymity of k=100 is appropriate, then a naive single-layer implementation should allow a party to divide that traffic into 10 k-anonymous groups, i.e. 10 URLs. If Chrome allows us to scale based on the size of our user base rather than based on an arbitrary number of bits, I believe we can satisfy both privacy and scaling requirements.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/rwiens"><img src="https://avatars.githubusercontent.com/u/17754967?v=4" />rwiens</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <p>After some more consideration, what we're asking for is sufficiently different from the existing API proposal that it's better suited to its own issue. I'll close this issue since I now understand the existing proposal better, and I've opened #22 to discuss the specifics of our feature request. Thanks so much for your time so far and the continued discussion!</p> </div> </div> <div class="page-bar-simple"> </div> <div class="footer"> <ul class="body"> <li>© <script> document.write(new Date().getFullYear()) </script> Githubissues.</li> <li>Githubissues is a development platform for aggregating issues.</li> </ul> </div> <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js"></script> <script src="/githubissues/assets/js.js"></script> <script src="/githubissues/assets/markdown.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/highlight.min.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/languages/go.min.js"></script> <script> hljs.highlightAll(); </script> </body> </html>

WICG / shared-storage

Clarifying my understanding of the Shared Storage API proposal #14

Shared Storage

Worklets

Aggregated Reporting