On the Differential Privacy and Interactivity of Privacy Sandbox Reports

Badih Ghazi, Charlie Harrison, Arpana Hosabettu, Pritish Kamath, Alexander Knop, Ravi Kumar, Ethan Leeman, Pasin Manurangsi, Mariana Raykova, Vikas Sahu, Phillipp Schoppmann

TL;DR

This work formalizes differential privacy guarantees for Google’s Privacy Sandbox measurement APIs, focusing on the Attribution Reporting API (ARA) and Private Aggregation API (PAA) under highly interactive workloads where queries and data can evolve based on prior outputs. It introduces a rigorous interactive mechanism model and proves that both summary reports and event-level reports satisfy $(\varepsilon, \delta)$-DP via an intermediate IDP (individual differential privacy) framework, even when features such as key discovery and requerying are enabled. The analysis hinges on noisy aggregation using discrete Laplace mechanisms and careful budgeting across sources, triggers, campaigns, and time windows, ensuring privacy budgets are respected while preserving useful aggregate statistics like reach and attributed conversions. The results provide a principled DP justification for cross-site ad measurement in practice, with implications for how budgets are allocated, how noise is calibrated, and how privacy guarantees extend to interactive and gradual-expiration settings. Overall, the paper advances the theoretical foundations of DP in real-world ad-tech privacy infrastructures, informing policymakers and engineers about the feasibility and limits of DP guarantees in privacy-preserving measurement ecosystems.

Abstract

The Privacy Sandbox initiative from Google includes APIs for enabling privacy-preserving advertising functionalities as part of the effort around limiting third-party cookies. In particular, the Private Aggregation API (PAA) and the Attribution Reporting API (ARA) can be used for ad measurement while providing different guardrails for safeguarding user privacy, including a framework for satisfying differential privacy (DP). In this work, we provide an abstract model for analyzing the privacy of these APIs and show that they satisfy a formal DP guarantee under certain assumptions. Our analysis handles the case where both the queries and database can change interactively based on previous responses from the API.
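To make the ingredients the TL;DR names concrete (a client caps each source's contribution, an aggregator sums per-key contributions and adds discrete Laplace noise, and a budget ledger refuses a requery that would overspend a source's epsilon), here is an added toy model written for this page; it is not the paper's or the Privacy Sandbox's code. The L1 cap, the per-query epsilon, the proportional clipping rule, and the source and key names are assumptions.

```python
import math
import random
from collections import defaultdict

# Assumed parameters for this toy model (not values from the paper or the APIs).
L1_SENSITIVITY = 65536   # cap on one source's total contribution across all keys
EPSILON_TOTAL = 2.0      # per-source privacy budget across all queries


def discrete_laplace(scale: float, rng: random.Random) -> int:
    """Sample Z with Pr[Z = k] proportional to exp(-|k| / scale).

    Uses the two-sided geometric construction: the difference of two i.i.d.
    geometric variables with success probability p = 1 - exp(-1/scale).
    """
    p = 1 - math.exp(-1 / scale)

    def geom() -> int:  # failures before the first success
        return int(math.floor(math.log(1 - rng.random()) / math.log(1 - p)))

    return geom() - geom()


def bound_contributions(contribs: dict, cap: int = L1_SENSITIVITY) -> dict:
    """Clip one source's contributions so their L1 sum is at most cap."""
    total = sum(abs(v) for v in contribs.values())
    if total <= cap:
        return dict(contribs)
    # Scale proportionally and floor, so the clipped L1 sum stays within cap.
    return {k: int(v * cap / total) for k, v in contribs.items()}


class Aggregator:
    """Noisy per-key sums with a per-source epsilon ledger (toy model)."""

    def __init__(self, epsilon_total: float = EPSILON_TOTAL, seed: int = 0):
        self.epsilon_total = epsilon_total
        self.spent = defaultdict(float)   # epsilon charged to each source so far
        self.rng = random.Random(seed)

    def query(self, reports: list, keys: list, eps: float):
        """Return {key: noisy sum}, or None if any source lacks budget for eps."""
        sources = {src for src, _ in reports}
        if any(self.spent[s] + eps > self.epsilon_total for s in sources):
            return None                   # requery would overspend a budget
        for s in sources:
            self.spent[s] += eps
        sums = {k: 0 for k in keys}
        for _, contribs in reports:
            for k, v in bound_contributions(contribs).items():
                if k in sums:
                    sums[k] += v
        # L1 sensitivity is the cap, so DLap(cap/eps) per key gives eps-DP per query.
        scale = L1_SENSITIVITY / eps
        return {k: v + discrete_laplace(scale, self.rng) for k, v in sums.items()}
```

With the assumed cap, a single query at eps = 1 adds noise on the order of tens of thousands per key, which is why real aggregate counts are only useful once many sources contribute to the same key.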

Paper Structure

This paper contains 30 sections, 11 theorems, 7 equations, 4 figures, 2 tables, 9 algorithms.

Key Result

Theorem 4.1

If an interactive mechanism satisfies $(\varepsilon_*, \delta_*)$-IDP, then it satisfies $(\varepsilon_*, \delta_*)$-DP.

Figures (4)

  • Figure 1: Illustrative example of an aggregatable report generated by ARA-SR-Client.
  • Figure 1: Possible number of reports sent on Day 1 and Day 5 for "sandals".
  • Figure 2: Illustrative example of an aggregatable report generated by PAA-SR-Client.
  • Figure 3: Illustrative example of event-level reports generated by ARA-Event-Client.

Theorems & Definitions (24)

  • Remark 2.1
  • Remark 2.2
  • Remark 2.3
  • Definition 1: $(\varepsilon, \delta)$-Indistinguishability
  • Definition 2: Differential Privacy
  • Definition 3: Interactive Mechanism
  • Definition 4: Interactive Adversary
  • Definition 5: DP for Interactive Mechanisms
  • Remark 3.2
  • Definition 6: Individual DP
  • ...and 14 more