Trust Tokens for advertising use cases

[lbdvt]

One of the main fraud mechanisms in web advertising is bots generating clicks on ads on "shady" sites. Those sites will get paid for selling their ad placements, diverting advertisers' campaigns budget from their legitimate use (displaying ads to users).

From what I understand, Trust Tokens is the proposal from the Privacy Sandbox meant to address that problem, with the following mechanism:

• Site A has the ability to ensure that a browser is run by a "trusted" user (i.e. a human) and would emit Trust Tokens stored in the browser
• Later on, an ad tech participant needing to check that an ad opportunity is for a human and not a bot, could redeem one of these tokens to do so

It raises a couple of questions:

• Why would a site become an issuer?
• What happens if the issuer discovers that tokens have been issued to bots? (it's not uncommon for large websites to discover fake accounts)

More generally, what's the view regarding Trust Token usage in the advertising ecosystem (number of issuers, of redeemers, scaling, traffic coverage)?

[dvorak42]

At least based on the OT and ecosystem feedback, we expect that primarily anti-fraud/bot detection services will become issuers, working with the sites they're embedded on to make the issuance decision.

To avoid tokens issued to bots from remaining in the ecosytem for a long time, issuers should rotate the keys they use to sign tokens regularly so that old tokens issued under potentially broken issuance logic expire and sites redeem newer tokens with updated issuance logic.