Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Per-reporting-site privacy budgeting #661

Closed
csharrison opened this issue Jan 6, 2023 · 3 comments · Fixed by #787
Closed

Per-reporting-site privacy budgeting #661

csharrison opened this issue Jan 6, 2023 · 3 comments · Fixed by #787

Comments

@csharrison
Copy link
Collaborator

csharrison commented Jan 6, 2023

I want to consider moving privacy budgeting in ARA to be per-site (eTLD+1), rather than a mix of per-site and per-origin budgeting. There are a few reasons to do this:

  • The site is typically a more natural unit of privacy than the origin
  • It avoids abuse potential for cases of things like wildcard domains which are (arguably) easier to mint than domains to exceed privacy limits

The relevant limits in the spec that consider origins are:

  1. Max destinations covered by unexpired sources: x unique destinations per (source site, reporting origin)
  2. Max attributions per rate-limit window: x attributions per (source site, attribution destination, reporting origin, time window)
  3. Max attribution reporting endpoints per rate-limit window: x reporting origins per (source site, attribution destination, time window) counted per attribution
  4. Max source reporting endpoints per rate-limit window: x reporting origins per (source site, attribution destination, time window) counted per source registration

If we just modify all origins to be sites, (1) and (2) are tightened and (3) and (4) are loosened. For this reason, I propose we keep (3) and (4) per-origin to avoid regressing privacy. Note that this change may have a negative utility impact, for cases where a given publisher / advertiser pair is using many reporting origins which share a site. In my mind, this isn’t a legitimate use-case to achieve more privacy budget, though we're certainly open to feedback if this change puts at risk legitimate use-cases.

cc @arturjanc

@bmayd
Copy link

bmayd commented Jan 9, 2023

Can you clarify what you mean when you refer to "site"?

@csharrison
Copy link
Collaborator Author

Updated the comment, I am referring to a site as an eTLD+1 matching this spec definition: https://html.spec.whatwg.org/multipage/browsers.html#site

@TATERNATRR

This comment was marked as spam.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants