patcg-individual-drafts / private-aggregation-api

Explainer for proposed web platform API
https://patcg-individual-drafts.github.io/private-aggregation-api/

Knowing the publisher domain for Fledge #14

Closed alois-bissuel closed 10 months ago

alois-bissuel commented 2 years ago

Hello,

We have two use cases which are hard to find in the current design of the Private Aggregation API, and they both need the publisher domain. The first one is to report to the marketer on which publishers its ads were displayed. For brand safety reasons, an advertiser may wish to not have its ad displayed on publishers incompatible with its brand image (e.g. a website with a lot of offensive content). In some countries, adtechs are legally bound to report this information (see issue #14 in PATCG). The other is fraud detection (and prevention). An adtech should monitor for any fraudulent website set up specifically for siphoning money off legitimate publishers. Here reactivity is paramount to detect this kind of fraud in a minimal amount of time.

Encoding the publisher domain in the 128-bit space of the key is a tricky problem given its dynamic nature and the cardinality of this dimension. A particularly thorny point is the fact that the domain is never available in the clear in Fledge (if it is not made available in this API).

An issue with some discussion and proposed solutions (including adding back the publisher domain in the metadata with empty reports for plausible deniability as a DP mechanism) was posted in ARA (issue #583), as the Private Aggregation API uses the same aggregatable reports, but the use cases were slightly different.

alexmturner commented 1 year ago

Hi! Sorry I seem to have missed this issue.

One piece of complexity here is that the existence of a bidder in an auction on a particular publisher is cross-site information, so we need to be careful about revealing that link. One option could be to ensure a report is sent to each possible bidder origin (i.e. each origin listed in interestGroupBuyers) even if that bidder origin doesn't end up participating in the auction, as discussed here. However, this may cause a large number of 'null' reports -- i.e. reports with no contributions -- to be sent.

On the question of having access to the domain at all within a Protected Audience, I'd recommend filing an issue on their repo if there isn't one already.

alexmturner commented 10 months ago

Closing for now, but as discussed, please feel free to file an issue in the Protected Audience repo. Thanks!