WICG / sparrow


No direct link between Gatekeeper and browser #7

Open RussStringham opened 4 years ago

RussStringham commented 4 years ago

If the gatekeeper were to share a public key, then we could eliminate the communication between the browser and the gatekeeper. Instead, the browser could encrypt the interest group info using the public key and send it along with the contextual request to the ad network. The ad network could then get contextual bids as documented and request interest group bids in the same auction, by passing the encrypted info along with the request to the gatekeeper(s) (each requiring their own encrypted data for the advertisers they handle). Only the gatekeeper would be able to decrypt their interest group data. Even though the gatekeeper is trusted, this eliminates the ability of the gatekeeper to see the user's IP address or other identifying details, so an evil gatekeeper would need to work harder to associate the interest groups with an individual.

michaelkleber commented 4 years ago

It seems like in the flow you propose, the winning interest-group-targeted ad would be passed from the Gatekeeper back through the ad network and then back to the browser, allowing the ad network a chance to figure out what ad it was (and so what interest group a person is in).

Even if the ad response is encrypted, details like just the size of the encrypted ad might be enough to deduce which ad it was.