Closed abebis closed 4 years ago
This was later answered in #20
First, there are reasons for not sending attribution data to third parties:
- The user perspective. Users need to have a reasonable chance of understanding to whom data is shared about their activities on the web, even if there are privacy preserving protections in place. Users don't know about the numerous third parties that are involved in online ads. What they do know is that they visited news.example or search.example and clicked/tapped an ad there to go to shop.example.
- First party control. We've already discussed in #7 that third parties should be able to provide the link metadata adDestination and adCampaignID. If we were also to send attribution data to third parties, first parties would have no control over who claims what on their website. Even worse, if third parties were abusing PCM, first parties wouldn't have a way to detect it. All the data would flow to other players. We want first parties to get in control of attribution. In addition, first parties should be able to make business deals to have their attribution data analyzed. If they never see the data, they can't.
Ongoing discussion in #31
Given that

- publishers and advertisers may not have the capacity to process attribution reports sent by browsers,
- advertisers will probably want/need to verify attribution reports provided by publishers (especially if the publisher and the ad network are controlled by the same entity, like Google search or Facebook),

it seems reasonable to provide a way for publishers or advertisers to specify a third-party vendor that would receive a copy of the attribution reports directly from the browser.
I am aware that this option is clearly excluded in the original WebKit blog post,
https://webkit.org/blog/8943/privacy-preserving-ad-click-attribution-for-the-web/
but what are the concrete reasons, privacy or data-leakage concerns, behind this choice? Is the browser neutral enough (that may not be the case with Chrome) not to need any external verification?
Also, both proposals from the Web Advertising Business Group and Google Chrome seem to acknowledge the need for independent measurement and verification.
https://github.com/w3c/web-advertising/blob/master/admetrics.md
Without any option for permission delegation, I guess publishers and advertisers will rely more on CNAME records, which seem more opaque to the user and raise more security (cookie sharing?) issues than keeping domains separate?