-
Notifications
You must be signed in to change notification settings - Fork 161
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hide the true number of aggregatable reports #439
Comments
I'm having difficulty understanding the threat posed by including source site is, @csharrison could someone provide an illustrative example? |
Imagine you sign into shoes.com to buy shoes, so they know who you are. Now imagine shoes.com is malicious and wants to track you. They could do this in the current API by only registering triggers for you. If they do this, then shoes.com, can learn the noiseless count of your attributed conversions by simply counting the number of encrypted reports flowing through the API. |
I'm still not understanding the issue. When a signed-in user does something at shoes.com, shoes.com can make a detailed recording of the activity and it isn't clear what more they learn by knowing that some of those interactions is counted as a conversion by the API. |
I added this to our agenda today to explain this a bit deeper if it's helpful.
The new information is the relative publisher-side information that is embedded in an attribution report, since currently we only send an aggregatable report if there was a pending source registration that happened prior. The set of unattributed triggers and attribution reports are not the same size. |
This issue tracks the open question the aggregatable explainer:
https://github.com/WICG/conversion-measurement-api/blob/main/AGGREGATE.md#hide-the-true-number-of-attribution-reports
To solve this, I believe we will need to have a mechanism that allows us to either randomize the true number of attribution reports, or make it a function of non-sensitive information (e.g. the # of unattributed trigger pings).
The text was updated successfully, but these errors were encountered: